CISA Adds Four Security Vulnerabilities to Known Exploited List
February 16, 2023
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-day to its list of bugs known to be abused in the wild. Two of them impact Microsoft products (CVE-2023-21823 and CVE-2023-23376) and allow attackers to gain remote execution and escalate privileges on unpatched Windows systems. A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files. The fourth, a WebKit type confusion issue (CVE-2023-23529) that could lead to arbitrary code execution, was addressed by Apple on Monday and was tagged as actively exploited in the wild.
CISA has issued a binding operational directive (BOD 22-01) requiring all Federal Civilian Executive Branch Agencies (FCEB) to secure their systems against security bugs added to CISA's catalog of Known Exploited Vulnerabilities. CISA has given U.S. federal agencies three weeks, until March 7th, to patch the four Apple and Microsoft security vulnerabilities and thwart attacks that could target their networks. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.
Today, CISA added another flaw, a critical pre-auth command injection bug (CVE-2022-46169) in the Cacti network operations framework that threat actors abused to deliver malware. CISA urges all organizations to fix the security bugs to block any attack attempts to compromise their Windows or iOS devices.
- Apple Patches Zero-Day Vulnerability Used in iPhone, iPad, and Mac Attacks
- Microsoft Fixes Three Actively Exploited Zero-Day Vulnerabilities
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.