DHS CISA KEVs Weekly Edition 3: Patch Before you Hit the Deadline
Posted on Apr 29, 2022 | By Pavithra Shankar
The US Cybersecurity and Infrastructure Security Agency has again raised the alarm about known exploited vulnerabilities by adding new CVEs to the growing list of KEV catalog. This blog brings you all the DHS CISA KEVs that need to be prioritized for patching this week (April 25 to April 30, 2022).
A total of 7 known exploited vulnerabilities from the DHS CISA catalog should be fixed by federal agencies this week before April 25 to April 30, 2022. We further analyzed these 7 KEVs and found that -
Our ML and AI model predicts that four out of seven CVEs are potentially 38 times more likely to be exploited. So patch them now before they become problems.
How Far Back Do They Go?
Of the 7 KEVs, 4 CVEs are old vulnerabilities dating from 2017 to 2021 with a patch deadline of April 25 and April 30, 2022.
CVE-2017-0148 is a remote code execution vulnerability that exists in Microsoft Server Message Block 1.0 (SMBv1) service, is tied to multiple threat groups. An attacker who successfully exploited the vulnerabilities would be able to execute code on the target server. This CVE carries a CVSS v3 score of 8.1 (High) and is classified under CWE-20 (Improper Input Validation).
Most notably, CVE-2017-0148 is associated with seven notorious ransomware groups (WannaCry, Petya, Conti, Muhstik, Ryuk, Sata, UIWIX) and three APT threat groups that include Wizard Spider, The Shadow Brokers, and Threat Group-3390.
We strongly recommend that all security professionals and administrators review the Known Exploited Vulnerabilities Catalog and patch any vulnerabilities in their environment.
Which Vendors Are Affected?
These 7 CVEs that have a patch deadline of April 25 and April 30, 2022, affect major vendors such as Microsoft, D-link, Vmware, Apple, and Sudo.
Looking further, we found that the well-known Spring4Shell vulnerability (CVE-2022-22965) has a deadline of March 25, 2022. Click here to know our detailed analysis on Spring4Shell.
Four out of the seven KEVs with a patch due date of April 25 or April 30, 2022 fall under the Top 40 Most Dangerous Software Weaknesses, and three of these KEVs fall under OWASP Top 10:2021.
With the seven new CVEs added this week, CISA's catalog of actively exploited bugs for federal agencies to address has a total of 654 CVE entries. Therefore, the priority should be applying security updates as soon as they are available for public and private organizations alike.
We strongly encourage all organizations to resolve all the security issues in its KEV catalog in order to reduce their exposure to cyberattacks.
Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!