The Cybersecurity & Infrastructure Security Agency (CISA) has issued a new directive that requires federal agencies to patch known exploited vulnerabilities. To aid the effort, CISA is also publishing a catalog of these vulnerabilities. The catalog is available to the private sector and can be found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
The directive itself can be found at https://www.cisa.gov/known-exploited-vulnerabilities.
This list will be updated on a regular basis and is intended to serve as a list of ‘top risks’ that should be addressed immediately. A good vulnerability scanner or managed vulnerability solution can automate vulnerability detection, but if you do not have this type of solution in place, CISA’s list will give you the high-risk issues to look for manually. Today’s list contains 290 vulnerabilities (going back to 2017) that are currently being used in active attacks detected and reported by Internet monitoring and security operations centers.
A quick review of the list shows a wide variety of software and hardware vulnerabilities that may or may not apply to you. Adobe Flash is an example of software that has reached end of life and is still being actively exploited to gain a foothold on devices. Apple iOS for phones is another example that appears on the list several times.
If you find something that needs further investigation, click the CVE link on the left of the entry. The CVE record lists the affected versions and provides vendor links for further information and remediation.
If you are not using an active vulnerability scanning solution or a managed vulnerability partner like Mainstream, please take a moment to review the list against the vendors and products you use. Apply the recommended updates and patches, or remove the software altogether if it is no longer in use. Being proactive will drastically reduce your risk of being attacked successfully.
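The manual review described above can be partly automated. The following Python script is an added example (not code from the original post or from CISA): it cross-references a KEV-style feed against a simple software inventory and puts entries that are past CISA's due date at the top. The sample feed, inventory and CVE IDs are constructed, and the field names assume the layout of CISA's JSON feed.

```python
import json

# Constructed sample feed, not live CISA data. Field names follow CISA's KEV JSON
# feed as I understand it (assumption); the CVE IDs are placeholders.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Adobe", "product": "Flash Player",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Remove the product from networks."},
    {"cveID": "CVE-0000-0002", "vendorProject": "Apple", "product": "iOS",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCorp", "product": "Widget Server",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed software inventory: what you run and where it runs.
INVENTORY = [
    {"host": "ws-12", "vendor": "adobe", "product": "flash  player"},
    {"host": "phone-07", "vendor": "Apple", "product": "iOS"},
    {"host": "srv-02", "vendor": "OtherVendor", "product": "Mail Gateway"},
]

def normalize(name):
    """Case- and whitespace-insensitive comparison key for vendor/product names."""
    return " ".join(name.lower().split())

def load_kev(feed_text):
    return json.loads(feed_text)["vulnerabilities"]

def match_inventory(entries, inventory, today_iso):
    """One finding per (host, KEV entry) whose vendor and product match.
    Overdue findings (due date earlier than today_iso, ISO dates compare as strings)
    are ordered first, then by due date."""
    findings = []
    for asset in inventory:
        for entry in entries:
            if (normalize(entry["vendorProject"]) == normalize(asset["vendor"])
                    and normalize(entry["product"]) == normalize(asset["product"])):
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "due": entry["dueDate"],
                                 "overdue": entry["dueDate"] < today_iso,
                                 "action": entry["requiredAction"]})
    findings.sort(key=lambda f: (not f["overdue"], f["due"]))
    return findings

if __name__ == "__main__":
    for f in match_inventory(load_kev(KEV_FEED), INVENTORY, "2021-12-01"):
        status = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']}: {f['cve']} [{status}] -> {f['action']}")
```

Exact vendor/product string matching is deliberately strict; a real inventory usually needs a small alias table to map your naming to CISA's.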
Daniel Weatherly, CISSP
Mainstream Technologies Inc.