CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2016-4523

Trihedral VTScada (formerly VTS) Denial-of-Service Vulnerability

Vendor: Trihedral

Product: VTScada (formerly VTS)

Added: 2022-04-15

Due Date: 2022-05-06

Description:

The WAP interface in Trihedral VTScada (formerly VTS) allows remote attackers to cause a denial-of-service (DoS).

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2014-0780

InduSoft Web Studio NTWebServer Directory Traversal Vulnerability

Vendor: InduSoft

Product: Web Studio

Added: 2022-04-15

Due Date: 2022-05-06

Description:

InduSoft Web Studio NTWebServer contains a directory traversal vulnerability that allows remote attackers to read administrative passwords in APP files, allowing for remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2010-5330

Ubiquiti AirOS Command Injection Vulnerability

Vendor: Ubiquiti

Product: AirOS

Added: 2022-04-15

Due Date: 2022-05-06

Description:

Certain Ubiquiti devices contain a command injection vulnerability via a GET request to stainfo.cgi.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-77

CVE-2007-3010

Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability

Vendor: Alcatel

Product: OmniPCX Enterprise

Added: 2022-04-15

Due Date: 2022-05-06

Description:

masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server allows remote attackers to execute arbitrary commands.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2022-22954

Ransomware

VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability

Vendor: VMware

Product: Workspace ONE Access and Identity Manager

Added: 2022-04-14

Due Date: 2022-05-05

Description:

VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2022-24521

Ransomware

Microsoft Windows CLFS Driver Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-787 CWE-1285

CVE-2018-7602

Ransomware

Drupal Core Remote Code Execution Vulnerability

Vendor: Drupal

Product: Core

Added: 2022-04-13

Due Date: 2022-05-04

Description:

A remote code execution vulnerability exists within multiple subsystems of Drupal that can allow attackers to exploit multiple attack vectors on a Drupal site.

Required Action:

Apply updates per vendor instructions.

CVE-2018-20753

Ransomware

Kaseya VSA Remote Code Execution Vulnerability

Vendor: Kaseya

Product: Virtual System/Server Administrator (VSA)

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Kaseya VSA RMM allows unprivileged remote attackers to execute PowerShell payloads on all managed devices.

Required Action:

Apply updates per vendor instructions.

CVE-2015-5123

Adobe Flash Player Use-After-Free Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player allows remote attackers to execute code or cause a denial-of-service (DoS).

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-416

CVE-2015-5122

Adobe Flash Player Use-After-Free Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player allows remote attackers to execute code or cause a denial-of-service (DoS).

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-416

CVE-2015-3113

Adobe Flash Player Heap-Based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Heap-based buffer overflow vulnerability in Adobe Flash Player allows remote attackers to execute code.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-119

CVE-2015-2502

Microsoft Internet Explorer Memory Corruption Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Microsoft Internet Explorer contains a memory corruption vulnerability that allows an attacker to execute code or cause a denial-of-service (DoS).

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2015-0313

Adobe Flash Player Use-After-Free Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Use-after-free vulnerability in Adobe Flash Player allows remote attackers to execute code.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-416

CVE-2015-0311

Adobe Flash Player Remote Code Execution Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Unspecified vulnerability in Adobe Flash Player allows remote attackers to execute code.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CVE-2014-9163

Adobe Flash Player Stack-Based Buffer Overflow Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-04-13

Due Date: 2022-05-04

Description:

Stack-based buffer overflow in Adobe Flash Player allows attackers to execute code remotely.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.