
DHS CISA KEVs Weekly Edition 5: Patch Before you Hit the Deadline

Posted on May 20, 2022 | By Pavithra Shankar

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its list of actively exploited bugs this week, a code injection vulnerability in Spring Cloud Gateway and a command injection vulnerability in Zyxel firmware for business firewalls and VPN devices. This blog lists all of the DHS CISA KEVs that need to be patched this week (May 16 to May 22, 2022).

Federal agencies are expected to patch 7 known exploited vulnerabilities in the DHS CISA catalog this week, in time for the May 16 to May 22, 2022 deadline. Based on our analysis of these KEVs, we found the following:

Our ML and AI model predicts that all seven of these CVEs are potentially 38 times more likely to be exploited. Patch them now, before they become problems.

How Far Back Do They Go?

Of the 7 KEVs, 3 CVEs are old vulnerabilities dating from 2019 to 2021, with a patch deadline of May 16 to May 22, 2022.

Which Vendors Are Affected?

These 7 CVEs with a patch deadline of May 16 to May 22, 2022, affect 4 vendors: Microsoft, Linux, WSO2, and Jenkins.
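The weekly list above, the count of older CVEs, and the vendor breakdown all follow from one operation: filtering CISA's catalog on the KEV due date and tallying the result. The following is an added example, not code from the original post or from CISA, showing that derivation against a catalog in the same JSON shape as CISA's published KEV feed (field names cveID, vendorProject, product, dateAdded, dueDate). The records, dates and CVE identifiers in it are constructed placeholders, not real KEV entries.

```python
"""Derive a "patch this week" list from a CISA KEV-style catalog.

Added example, not code from the original post. The field names follow CISA's
published KEV JSON feed (served at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the records below are constructed and the CVE IDs are placeholders.
"""
import json
from collections import Counter
from datetime import date

# Constructed sample catalog (NOT real KEV entries; CVE IDs are placeholders).
# Seven entries fall due in the May 16-22, 2022 window; two sit outside it.
SAMPLE_CATALOG_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2019-SAMPLE1", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16"},
        {"cveID": "CVE-2020-SAMPLE2", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16"},
        {"cveID": "CVE-2021-SAMPLE3", "vendorProject": "Jenkins", "product": "Jenkins",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16"},
        {"cveID": "CVE-2022-SAMPLE4", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-05-04", "dueDate": "2022-05-18"},
        {"cveID": "CVE-2022-SAMPLE5", "vendorProject": "WSO2", "product": "Multiple Products",
         "dateAdded": "2022-05-02", "dueDate": "2022-05-20"},
        {"cveID": "CVE-2022-SAMPLE6", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2022-05-02", "dueDate": "2022-05-20"},
        {"cveID": "CVE-2022-SAMPLE7", "vendorProject": "Jenkins", "product": "Jenkins",
         "dateAdded": "2022-05-04", "dueDate": "2022-05-22"},
        # Added this week, due after the window: not part of this week's list.
        {"cveID": "CVE-2022-SAMPLE8", "vendorProject": "Zyxel", "product": "Firmware",
         "dateAdded": "2022-05-16", "dueDate": "2022-06-06"},
        # Due date already passed: belongs to an earlier week's list.
        {"cveID": "CVE-2018-SAMPLE9", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-04-19", "dueDate": "2022-05-10"},
    ]
})


def load_catalog(text):
    """Parse catalog JSON text into the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def due_in_window(entries, start, end):
    """Entries whose CISA due date falls within [start, end], sorted by due date then CVE ID."""
    selected = [e for e in entries if start <= date.fromisoformat(e["dueDate"]) <= end]
    return sorted(selected, key=lambda e: (e["dueDate"], e["cveID"]))


def cve_year(cve_id):
    """Year component of a CVE identifier, e.g. CVE-2019-... -> 2019."""
    return int(cve_id.split("-")[1])


def summarize(entries, current_year):
    """The figures used in a weekly write-up: total, per-vendor counts, and age."""
    years = [cve_year(e["cveID"]) for e in entries]
    return {
        "total": len(entries),
        "by_vendor": dict(Counter(e["vendorProject"] for e in entries)),
        "vendors": len({e["vendorProject"] for e in entries}),
        "older": sum(1 for y in years if y < current_year),
        "oldest_year": min(years) if years else None,
    }


def this_week(catalog_text=SAMPLE_CATALOG_JSON,
              start=date(2022, 5, 16), end=date(2022, 5, 22)):
    """Return (entries due this week, summary) for the given catalog and window."""
    entries = due_in_window(load_catalog(catalog_text), start, end)
    return entries, summarize(entries, start.year)


if __name__ == "__main__":
    entries, summary = this_week()
    for e in entries:
        print(f'{e["dueDate"]}  {e["cveID"]:<18} {e["vendorProject"]}  {e["product"]}')
    print(summary)
```

Pointing `this_week` at the downloaded feed instead of the constructed sample (read the file and pass its text as `catalog_text`, with the window of the week in question) produces the same kind of list the post summarises; sorting by due date first puts the entries with the least remaining time at the top.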

Severity Scores

Software Weaknesses

5 out of the 7 KEVs with a patch due date between May 1 and May 7, 2022, fall under the Top 40 Most Dangerous Software Weaknesses, and 4 of these KEVs fall under the OWASP Top 10:2021.

Table: DHS CISA KEVs

Patch management is a continuous and difficult process for most organizations. That's why we go the extra mile to analyze the data and provide security teams with easy-to-use, prioritized lists of vulnerabilities from the catalog.

Subscribe to our blogs and let us decode the CISA KEV for you.
