The Cybersecurity and Infrastructure Security Agency (CISA) has identified and added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. The first vulnerability, CVE-2023-7024, is associated with Google Chromium WebRTC and involves a Heap Buffer Overflow. The second vulnerability, CVE-2023-7101, relates to Spreadsheet::ParseExcel and poses a risk of Remote Code Execution. Such vulnerabilities are commonly targeted by malicious cyber actors, presenting a significant threat to federal enterprises. CISA’s Binding Operational Directive (BOD) 22-01 mandates Federal Civilian Executive Branch agencies to promptly remediate identified vulnerabilities to safeguard networks against ongoing cyber threats.
BOD 22-01, titled “Reducing the Significant Risk of Known Exploited Vulnerabilities,” established the Known Exploited Vulnerabilities Catalog as a dynamic list of Common Vulnerabilities and Exposures (CVEs) with substantial risk to the federal enterprise. The directive necessitates Federal Civilian Executive Branch agencies to address these vulnerabilities within specified timelines. Although BOD 22-01 specifically applies to these agencies, CISA strongly advises all organizations to prioritize the timely remediation of vulnerabilities listed in the catalog as part of their broader vulnerability management practices. CISA emphasizes its commitment to updating the catalog with vulnerabilities meeting the specified criteria to ensure comprehensive cybersecurity readiness.
