CISA Known Exploited Vulnerabilities

This dashboard displays the most recent entries added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity & Infrastructure Security Agency (CISA). For each entry, Added is the date CISA listed the CVE, and Due Date is the deadline by which federal civilian executive branch agencies must remediate it under Binding Operational Directive 22-01; the Ransomware tag marks CVEs CISA associates with known ransomware campaigns. The CWE line is the weakness class CISA assigns and is absent on some entries.
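The entries below are a rendering of CISA's KEV feed; the following script, an added example that is not CISA's code and not part of this dashboard, parses a feed of that shape into a remediation worklist. The sample feed is constructed from entries shown on this page; the field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse, cwes) follow the public KEV JSON schema as this example assumes it, and the 21-day window, inventory list and "today" date are assumptions for the demonstration.

```python
"""Parse a CISA KEV-style feed into a prioritised remediation worklist.

Added example, not CISA's own code. SAMPLE_FEED is constructed from entries
on this page; the JSON field names follow the public KEV feed schema as
assumed here (check the live feed before relying on them).
"""
import json
from datetime import date, timedelta

# Constructed sample in KEV JSON shape; values copied from the dashboard entries.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-30525", "vendorProject": "Zyxel", "product": "Multiple Firewalls",
         "vulnerabilityName": "Zyxel Multiple Firewalls OS Command Injection Vulnerability",
         "dateAdded": "2022-05-16", "dueDate": "2022-06-06",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-78"]},
        {"cveID": "CVE-2022-22947", "vendorProject": "VMware", "product": "Spring Cloud Gateway",
         "vulnerabilityName": "VMware Spring Cloud Gateway Code Injection Vulnerability",
         "dateAdded": "2022-05-16", "dueDate": "2022-06-06",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-94"]},
        {"cveID": "CVE-2022-1388", "vendorProject": "F5", "product": "BIG-IP",
         "vulnerabilityName": "F5 BIG-IP Missing Authentication Vulnerability",
         "dateAdded": "2022-05-10", "dueDate": "2022-05-31",
         "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-306"]},
        {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
         "vulnerabilityName": "OpenSSL Information Disclosure Vulnerability",
         "dateAdded": "2022-05-04", "dueDate": "2022-05-25",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-125"]},
        {"cveID": "CVE-2022-0847", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Privilege Escalation Vulnerability",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16",
         "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-665"]},
        {"cveID": "CVE-2021-40450", "vendorProject": "Microsoft", "product": "Win32k",
         "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16",
         "knownRansomwareCampaignUse": "Unknown"},  # no CWE recorded, as on the dashboard
    ],
})

# Assumed BOD 22-01 window for catalog additions; every entry on this page fits it.
REMEDIATION_WINDOW = timedelta(days=21)


def parse_kev(feed_json):
    """Return the feed's vulnerabilities with ISO date strings turned into date objects."""
    entries = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "name": v["vulnerabilityName"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "cwes": tuple(v.get("cwes", [])),  # empty tuple when the catalog lists none
        })
    return entries


def window_violations(entries):
    """CVE IDs whose due date is not dateAdded + 21 days (a sanity check on the feed)."""
    return [e["cve"] for e in entries if e["due"] - e["added"] != REMEDIATION_WINDOW]


def worklist(entries, inventory, today_iso):
    """Match KEV entries against an inventory of (vendor, product) pairs.

    Returns (cve, days_left, ransomware) tuples, most urgent first; a negative
    days_left means the due date has already passed.  Matching is on the
    catalog's own vendor/product strings, so map asset names to those first.
    """
    today = date.fromisoformat(today_iso)
    owned = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for e in entries:
        if (e["vendor"].lower(), e["product"].lower()) in owned:
            hits.append((e["cve"], (e["due"] - today).days, e["ransomware"]))
    # Ransomware-linked CVEs first, then by least time remaining.
    hits.sort(key=lambda h: (not h[2], h[1]))
    return hits


def by_cwe(entries):
    """Group CVE IDs by weakness class; 'unclassified' collects entries with no CWE."""
    groups = {}
    for e in entries:
        for cwe in e["cwes"] or ("unclassified",):
            groups.setdefault(cwe, []).append(e["cve"])
    return groups


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_FEED)
    # Assumed inventory and report date for the demonstration.
    inventory = [("F5", "BIG-IP"), ("OpenSSL", "OpenSSL"), ("Linux", "Kernel")]
    for cve, days, ransom in worklist(kev, inventory, "2022-05-20"):
        print(f"{cve}: {days:+d} days{'  [ransomware]' if ransom else ''}")
    print("window violations:", window_violations(kev))
    print("by CWE:", by_cwe(kev))
```

The sort puts ransomware-linked CVEs ahead of everything else and then orders by time remaining, so an entry whose due date has already passed (CVE-2022-0847 on the assumed report date) surfaces above one that is still in its window. Entries without a CWE are kept rather than dropped, since the catalog does not assign one to every CVE.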

CVE-2022-30525

Zyxel Multiple Firewalls OS Command Injection Vulnerability

Vendor: Zyxel

Product: Multiple Firewalls

Added: 2022-05-16

Due Date: 2022-06-06

Description:

A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2022-22947

VMware Spring Cloud Gateway Code Injection Vulnerability

Vendor: VMware

Product: Spring Cloud Gateway

Added: 2022-05-16

Due Date: 2022-06-06

Description:

Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2022-1388

Ransomware

F5 BIG-IP Missing Authentication Vulnerability

Vendor: F5

Product: BIG-IP

Added: 2022-05-10

Due Date: 2022-05-31

Description:

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-306

CVE-2021-1789

Apple Multiple Products Type Confusion Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2022-05-04

Due Date: 2022-05-25

Description:

A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2019-8506

Apple Multiple Products Type Confusion Vulnerability

Vendor: Apple

Product: Multiple Products

Added: 2022-05-04

Due Date: 2022-05-25

Description:

A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2014-4113

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-05-04

Due Date: 2022-05-25

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-264

CVE-2014-0322

Microsoft Internet Explorer Use-After-Free Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-05-04

Due Date: 2022-05-25

Description:

Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2014-0160

OpenSSL Information Disclosure Vulnerability

Vendor: OpenSSL

Product: OpenSSL

Added: 2022-05-04

Due Date: 2022-05-25

Description:

The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-125

CVE-2022-29464

Ransomware

WSO2 Multiple Products Unrestrictive Upload of File Vulnerability

Vendor: WSO2

Product: Multiple Products

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-22

CVE-2022-26904

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-362

CVE-2022-21919

Microsoft Windows User Profile Service Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-1386

CVE-2022-0847

Linux Kernel Privilege Escalation Vulnerability

Vendor: Linux

Product: Kernel

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has the moniker of "Dirty Pipe."

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-665

CVE-2021-41357

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2021-40450

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2019-1003029

Jenkins Script Security Plugin Sandbox Bypass Vulnerability

Vendor: Jenkins

Product: Script Security Plugin

Added: 2022-04-25

Due Date: 2022-05-16

Description:

Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox.

Required Action:

Apply updates per vendor instructions.