CISA has added 95 actively exploited security flaws to its Known Exploited Vulnerabilities Catalog. This is one of the largest batches of CVEs added to the catalog since the binding operational directive was issued in November last year.
The actively exploited flaws
According to CISA, federal agencies are given around three weeks to patch the newly added 95 security flaws. Around eight of these flaws have critical severity scores of 9.8.
Most of these vulnerabilities, some of which are two decades old, have a due date of March 24. Around 27 vulnerabilities have a deadline of March 17, mainly because they are recent.
The other products impacted include Microsoft (Office/Windows), Adobe, Mozilla, Siemens, Oracle, Linux, Treck TCP/IP stack, and ChakraCore.
The old security vulnerabilities
The list further includes bugs in old products that have already reached end of life, such as Adobe Flash Player. According to the report, most organizations are still using such old software products, which poses a risk of exploitation.
Some of the Flash Player flaws mentioned in the catalog have a critical-severity score of 9.8 out of 10 and are more than five years old, such as CVE-2016-1019 and CVE-2016-4117.
The oldest vulnerability, from 2002, is a privilege escalation flaw tracked as CVE-2002-0367 that impacts the smss[.]exe debugging subsystem in Windows NT and Windows 2000.
The cybersecurity agency recommends all entities fix the security issues added to its known vulnerabilities catalog. Moreover, applying security updates should be a priority for firms in both the public and private sectors. Doing so limits the exposure to cyberattacks and stops attackers from accessing a network.