Source URL: https://www.cisa.gov/news-events/alerts/2025/02/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
Source: Alerts
Title: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Feedly Summary: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
– CVE-2017-3066 Adobe ColdFusion Deserialization Vulnerability
– CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
AI Summary and Description:
Summary: The text discusses recent updates from CISA regarding two newly recognized vulnerabilities added to their Known Exploited Vulnerabilities Catalog. It emphasizes the significance of these vulnerabilities and the necessity for Federal agencies to remediate them promptly, highlighting the broader implications for cybersecurity in various organizations.
Detailed Description:
– The text primarily addresses two specific vulnerabilities, CVE-2017-3066 related to Adobe ColdFusion and CVE-2024-20953 linked to Oracle Agile Product Lifecycle Management (PLM). Both are categorized as deserialization vulnerabilities, which are common attack vectors that cybercriminals exploit.
– The identification and cataloging of these vulnerabilities occur within the framework established by Binding Operational Directive (BOD) 22-01, which aims to mitigate risks presented by Known Exploited Vulnerabilities.
– This directive establishes a catalog of vulnerabilities that pose significant risk to federal agencies and requires those agencies to remediate each entry by its specified due date.
– Although the directive is mandated for Federal Civilian Executive Branch (FCEB) agencies, CISA encourages all organizations to actively apply similar risk reduction strategies to safeguard against cyberattacks.
– The continual addition of vulnerabilities that meet the catalog's criteria reflects an ongoing effort to reduce exposure to flaws that are known to be exploited in the wild.
Key Points:
– CISA’s Known Exploited Vulnerabilities Catalog strengthens vulnerability management practices across organizations.
– Timely remediation of known vulnerabilities is crucial for protecting networks from exploitation.
– Cybersecurity professionals are urged to prioritize the remediation actions outlined by CISA to prevent potential breaches.
This information is vital for security and compliance professionals as it emphasizes the importance of adhering to established guidelines and the proactive management of vulnerabilities within an organization’s security framework. The ongoing updates from CISA also showcase the dynamic nature of cybersecurity threats that require vigilant attention.