CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2019-11708

Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability

Vendor: Mozilla

Product: Firefox and Thunderbird

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2019-8720

WebKitGTK Memory Corruption Vulnerability

Vendor: WebKitGTK

Product: WebKitGTK

Added: 2022-05-23

Due Date: 2022-06-13

Description:

WebKitGTK contains a memory corruption vulnerability which can allow an attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2019-18426

WhatsApp Cross-Site Scripting Vulnerability

Vendor: Meta Platforms

Product: WhatsApp

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79

CVE-2019-1385

Ransomware

Microsoft Windows AppX Deployment Extensions Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A privilege escalation vulnerability exists when the Windows AppX Deployment Extensions improperly performs privilege management, resulting in access to system files.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-59

CVE-2019-1130

Ransomware

Microsoft Windows AppX Deployment Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A privilege escalation vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-59

CVE-2018-5002

Adobe Flash Player Stack-based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-05-23

Due Date: 2022-06-13

Description:

Adobe Flash Player have a stack-based buffer overflow vulnerability that could lead to remote code execution.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-787

CVE-2018-8589

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-05-23

Due Date: 2022-06-13

Description:

A privilege escalation vulnerability exists when Windows improperly handles calls to Win32k.sys. An attacker who successfully exploited this vulnerability could run remote code in the security context of the local system.

Required Action:

Apply updates per vendor instructions.

CVE-2022-30525

Zyxel Multiple Firewalls OS Command Injection Vulnerability

Vendor: Zyxel

Product: Multiple Firewalls

Added: 2022-05-16

Due Date: 2022-06-06

Description:

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2022-22947

VMware Spring Cloud Gateway Code Injection Vulnerability

Vendor: VMware

Product: Spring Cloud Gateway

Added: 2022-05-16

Due Date: 2022-06-06

Description:

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2022-1388

Ransomware

F5 BIG-IP Missing Authentication Vulnerability

Vendor: F5

Product: BIG-IP

Added: 2022-05-10

Due Date: 2022-05-31

Description:

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-306

CVE-2021-1789

Apple Multiple Products Type Confusion Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2022-05-04

Due Date: 2022-05-25

Description:

A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2019-8506

Apple Multiple Products Type Confusion Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2022-05-04

Due Date: 2022-05-25

Description:

A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2014-4113

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-05-04

Due Date: 2022-05-25

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-264

CVE-2014-0322

Microsoft Internet Explorer Use-After-Free Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-05-04

Due Date: 2022-05-25

Description:

Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2014-0160

OpenSSL Information Disclosure Vulnerability

Vendor: OpenSSL

Product: OpenSSL

Added: 2022-05-04

Due Date: 2022-05-25

Description:

The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-125