CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2019-1130

Ransomware

Microsoft Windows AppX Deployment Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A privilege escalation vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-59

CVE-2018-5002

Adobe Flash Player Stack-based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Adobe Flash Player has a stack-based buffer overflow vulnerability that could lead to remote code execution.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-787

CVE-2018-8589

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A privilege escalation vulnerability exists when Windows improperly handles calls to Win32k.sys. An attacker who successfully exploited this vulnerability could run remote code in the security context of the local system.

Required Action:

Apply updates per vendor instructions.

CVE-2022-30525

Zyxel Multiple Firewalls OS Command Injection Vulnerability

Vendor: Zyxel

Product: Multiple Firewalls

Added: 2022-05-16

Due Date: 2022-06-06

Description:

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2022-22947

VMware Spring Cloud Gateway Code Injection Vulnerability

Vendor: VMware

Product: Spring Cloud Gateway

Added: 2022-05-16

Due Date: 2022-06-06

Description:

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2022-1388

Ransomware

F5 BIG-IP Missing Authentication Vulnerability

Vendor: F5

Product: BIG-IP

Added: 2022-05-10

Due Date: 2022-05-31

Description:

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-306

CVE-2021-1789

Apple Multiple Products Type Confusion Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2022-05-04

Due Date: 2022-05-25

Description:

A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2019-8506

Apple Multiple Products Type Confusion Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2022-05-04

Due Date: 2022-05-25

Description:

A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2014-4113

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-05-04

Due Date: 2022-05-25

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-264

CVE-2014-0322

Microsoft Internet Explorer Use-After-Free Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-05-04

Due Date: 2022-05-25

Description:

Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2014-0160

OpenSSL Information Disclosure Vulnerability

Vendor: OpenSSL

Product: OpenSSL

Added: 2022-05-04

Due Date: 2022-05-25

Description:

The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-125

CVE-2022-29464

Ransomware

WSO2 Multiple Products Unrestrictive Upload of File Vulnerability

Vendor: WSO2

Product: Multiple Products

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2022-26904

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-362

CVE-2022-21919

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-1386

CVE-2022-0847

Linux Kernel Privilege Escalation Vulnerability

Vendor: Linux

Product: Kernel

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has the moniker of "Dirty Pipe."

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-665