The US Cybersecurity and Infrastructure Security Agency has established today a public catalog of vulnerabilities known to be exploited in the wild and has issued a binding operational directive ordering US federal agencies to patch affected systems within specific timeframes and deadlines.
The catalog, which CISA has published online, currently lists 306 vulnerabilities, some as old as 2010, that are still being exploited in the wild.
This includes vulnerabilities for products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM, and many other companies, small and large alike.
For the vulnerabilities disclosed this year (with a CVE code of CVE-2021-*****), CISA has ordered US federal civilian agencies to apply patches by November 17, 2021.
For older vulnerabilities, agencies have to patch systems by May 3, 2022.
“These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents,” CISA said in a binding operational directive today.
In a tweet today announcing the agency’s new effort, CISA Director Jen Easterly said that while the binding operational directive can only compel US federal agencies to act, all organizations should patch the listed vulnerabilities, since the same exploits are also used against private entities.
The BOD applies to federal civilian agencies; however, ALL organizations should adopt this Directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations: https://t.co/Urafj9lYmh
— Jen Easterly (@CISAJen) November 3, 2021
In a press release, CISA also said they plan to add new entries to the database as new vulnerabilities come under active exploitation.
An RSS feed was provided for this purpose, so that IT and security teams can keep an eye on new entries to the database.
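The deadline rule above and the feed-monitoring idea, combined in one script as an added example that is not from the article or from CISA: it parses a constructed catalog extract, applies the two BOD 22-01 deadlines by CVE year, and lists entries that are past due for products in a local inventory. The JSON field names are an assumption modelled on the shape of CISA's catalog feed; the CVE IDs, vendors and products are made up.

```python
import json
import re
from datetime import date

# Remediation deadlines set by BOD 22-01, as reported in the article.
DEADLINE_2021 = date(2021, 11, 17)   # entries with a CVE-2021-* identifier
DEADLINE_OLDER = date(2022, 5, 3)    # entries disclosed before 2021

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample catalog extract. The field names are an assumption
# modelled on CISA's JSON feed; the CVE IDs and products are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-00001", "vendorProject": "ExampleCo",
     "product": "ExampleVPN", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2010-00002", "vendorProject": "ExampleCo",
     "product": "ExampleCMS", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2019-00003", "vendorProject": "OtherCo",
     "product": "OtherMail", "dateAdded": "2021-11-03"},
]})


def bod_due_date(cve_id: str):
    """Deadline that BOD 22-01 assigns to a CVE ID, or None if the article
    gives no fixed date for that year (CISA sets later entries per item)."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    year = int(m.group(1))
    if year == 2021:
        return DEADLINE_2021
    if year < 2021:
        return DEADLINE_OLDER
    return None


def load_catalog(feed_text: str) -> list:
    """Parse the catalog JSON into its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def overdue_entries(entries, inventory, today_iso: str) -> list:
    """CVE IDs whose (vendor, product) is in `inventory` and whose
    BOD 22-01 deadline has passed as of `today_iso` (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    hits = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue
        due = bod_due_date(e["cveID"])
        if due is not None and today > due:
            hits.append(e["cveID"])
    return sorted(hits)
```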