CISA has identified and added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog due to evidence of active exploitation. These vulnerabilities include issues such as Adobe ColdFusion deserialization (CVE-2023-38203 and CVE-2023-29300), Apache Superset insecure initialization (CVE-2023-27524), Apple products code execution (CVE-2023-41990), D-Link DSL-2750B devices command injection (CVE-2016-20017), and Joomla! improper access control (CVE-2023-23752).
Such vulnerabilities are frequently targeted by malicious cyber actors and present substantial risks to federal enterprises. CISA emphasizes the significance of timely remediation and encourages all organizations, not just Federal Civilian Executive Branch agencies, to prioritize addressing these vulnerabilities to reduce exposure to cyber threats.
The identification of these vulnerabilities aligns with Binding Operational Directive (BOD) 22-01, which aims to reduce significant risks posed by known exploited vulnerabilities. BOD 22-01 establishes the Known Exploited Vulnerabilities Catalog as a dynamic list of Common Vulnerabilities and Exposures (CVEs) with active threats, requiring Federal Civilian Executive Branch agencies to remediate these vulnerabilities promptly. CISA stresses the importance of this directive in protecting federal networks against active threats. While BOD 22-01 specifically targets Federal Civilian Executive Branch agencies, CISA strongly urges all organizations to adopt a proactive approach to vulnerability management and promptly address vulnerabilities listed in the Catalog.
As part of its commitment to enhancing cybersecurity, CISA will continue to add vulnerabilities meeting specified criteria to the Known Exploited Vulnerabilities Catalog. This ongoing effort emphasizes the dynamic nature of the cybersecurity landscape and the necessity for organizations to stay vigilant and responsive to evolving threats.
