Privacy Ninja

CISA Orders Agencies to Patch Chrome, D-Link Flaws Used in Attacks

CISA Orders Agencies to Patch Chrome, D-Link Flaws Used in Attacks

CISA has added 12 more security flaws to its list of bugs exploited in attacks, including two critical D-Link vulnerabilities and two (now-patched) zero-days in Google Chrome and the Photo Station QNAP software.

The Google Chrome zero-day (CVE-2022-3075) was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.

On Monday, QNAP network-attached storage (NAS) appliance maker warned its customers that it patched a zero-day bug in the widely used Photo Station software, tracked as CVE-2022-27593, and actively exploited in widespread DeadBolt ransomware attacks.

Also Read: The Top 10 Best And Trusted List Of Lawyers In Singapore

Last but not least, the two critical D-Link security flaws (CVE-2022-28958 and CVE-2022-26258) are being targeted by the Mirai-based Moobot botnet to gain remote code execution and take over unpatched devices.

After being added to CISA’s to its Known Exploited Vulnerabilities (KEV) catalog, all Federal Civilian Executive Branch Agencies (FCEB) agencies now must patch their systems against these security bugs exploited in the wild according to a binding operational directive (BOD 22-01) published in November.

The federal agencies were given three weeks, until September 29th, to ensure that exploitation attempts would be blocked.

CVEVulnerability NameDue Date
CVE-2022-3075Google Chromium Insufficient Data Validation Vulnerability2022-09-29
CVE-2022-28958D-Link DIR-816L Remote Code Execution Vulnerability2022-09-29
CVE-2022-27593QNAP Photo Station Externally Controlled Reference Vulnerability2022-09-29
CVE-2022-26258D-Link DIR-820L Remote Code Execution Vulnerability2022-09-29
CVE-2020-9934Apple iOS, iPadOS, and macOS Input Validation Vulnerability2022-09-29
CVE-2018-7445MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability2022-09-29
CVE-2018-6530D-Link Multiple Routers OS Command Injection Vulnerability2022-09-29
CVE-2018-2628Oracle WebLogic Server Unspecified Vulnerability2022-09-29
CVE-2018-13374Fortinet FortiOS and FortiADC Improper Access Control Vulnerability2022-09-29
CVE-2017-5521NETGEAR Multiple Devices Exposure of Sensitive Information 2022-09-29
CVE-2011-4723D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability2022-09-29
CVE-2011-1823Android OS Privilege Escalation Vulnerability2022-09-29

All U.S. organizations urged to prioritize these security updates

Although DHS’ BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urges U.S. organizations in the private and public sectors to prioritize patching these bugs.

Also Read: The Importance Of Knowing Personal Data Protection Regulations

Taking this advice to heart and applying patches as soon as possible will likely significantly decrease the attack surface attackers could use in attempts to breach their networks.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” the US cybersecurity agency explained Thursday.

Since this binding directive was issued in November, CISA has added more than 800 security flaws to its catalog of bugs exploited in attacks, requiring federal agencies to patch them on a tighter schedule to block security breaches.

It is strongly recommended that all security professionals and admins review CISA’s KEV catalog and patch listed bugs within their environment.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× Chat with us