Alerts: CISA Adds Two Known Exploited Vulnerabilities to Catalog

Source URL: https://www.cisa.gov/news-events/alerts/2025/03/26/cisa-adds-two-known-exploited-vulnerabilities-catalog

Feedly Summary: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.


Summary: The text covers CISA's addition of two Sitecore CMS and Experience Platform (XP) deserialization vulnerabilities to the Known Exploited Vulnerabilities Catalog, the risk they pose, and the directive that requires federal agencies to remediate them. This information is particularly relevant to security and compliance professionals responsible for vulnerability management in federal and other organizations.

Detailed Description:

– CISA has added two vulnerabilities in the Sitecore CMS and Experience Platform (XP) to the catalog, based on evidence of active exploitation:
  – **CVE-2019-9874**: A deserialization vulnerability.
  – **CVE-2019-9875**: A second, separately tracked deserialization vulnerability in the same products.

– Deserialization flaws of this kind are frequent attack vectors for malicious cyber actors and, per CISA, pose significant risk to the federal enterprise.

– The vulnerabilities have been included in the **Known Exploited Vulnerabilities (KEV) Catalog**, which is governed by **Binding Operational Directive (BOD) 22-01**, aimed at reducing risks from known vulnerabilities.

– **BOD 22-01** specifically:
  – Establishes the KEV Catalog as a living list of Common Vulnerabilities and Exposures (CVEs) that carry significant risk.
  – Requires Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities by the stated due date to safeguard their networks.

– Although BOD 22-01 directly applies only to FCEB agencies, CISA urges all organizations to:
  – Prioritize timely remediation of catalog vulnerabilities to reduce exposure to cyberattacks.
  – Treat vulnerability management as a core component of their cybersecurity practice.

– CISA will continue to add vulnerabilities to the catalog as they meet the specified criteria, so the list should be monitored on an ongoing basis.

This update highlights the critical need for ongoing vigilance and adherence to established directives in cybersecurity practices, making it essential for professionals in the security and compliance fields to actively monitor and address vulnerabilities in their systems.