Alerts: CISA Adds Three Known Exploited Vulnerabilities to Catalog

Source URL: https://www.cisa.gov/news-events/alerts/2025/03/19/cisa-adds-three-known-exploited-vulnerabilities-catalog

Feedly Summary: CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

AI Summary and Description: Yes

Summary: The text discusses recent additions to CISA’s Known Exploited Vulnerabilities Catalog, highlighting specific vulnerabilities that have been actively exploited. It emphasizes the importance of timely remediation to mitigate risks associated with cyber threats, particularly for federal agencies but also advising all organizations to prioritize these vulnerabilities.

Detailed Description: The text outlines significant updates from CISA regarding vulnerabilities that have been actively exploited and have been documented in their Known Exploited Vulnerabilities Catalog. This catalog is crucial for identifying and mitigating risks associated with potential cyber threats.

Key points include:

– **New Vulnerabilities Listed**: CISA has added three specific CVEs to the catalog:
  – **CVE-2025-1316**: OS command injection vulnerability in the Edimax IC-7100 IP camera.
  – **CVE-2024-48248**: Absolute path traversal vulnerability in NAKIVO Backup and Replication.
  – **CVE-2017-12637**: Directory traversal vulnerability in SAP NetWeaver.

– **Attack Vectors**: The text stresses that these vulnerability classes are frequent attack vectors for malicious cyber actors and pose significant risk to the federal enterprise.

– **Binding Operational Directive (BOD) 22-01**:
  – This directive requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the stated due date.
  – It established the Known Exploited Vulnerabilities Catalog as a living list of CVEs that carry significant risk to federal networks.

– **Broader Recommendations**: While BOD 22-01 is specifically aimed at FCEB agencies, CISA advocates for all organizations to prioritize the remediation of these vulnerabilities in their security practices to protect against active threats.

This information is vital for security professionals in both the federal and private sectors, alerting them to specific risks and reinforcing the need for effective vulnerability management strategies to safeguard against exploitation. As vulnerabilities are continuously added to the catalog, organizations should stay informed and responsive to ensure their defenses remain robust.