CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2021-20038

Ransomware

SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability

Vendor: SonicWall

Product: SMA 100 Appliances

Added: 2022-01-28

Due Date: 2022-02-11

Description:

SonicWall SMA 100 devies are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-121

CVE-2020-5722

Grandstream Networks UCM6200 Series SQL Injection Vulnerability

Vendor: Grandstream

Product: UCM6200

Added: 2022-01-28

Due Date: 2022-07-28

Description:

Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-89

CVE-2020-0787

Ransomware

Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-01-28

Due Date: 2022-07-28

Description:

Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-269 CWE-59

CVE-2017-5689

Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability

Vendor: Intel

Product: Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability

Added: 2022-01-28

Due Date: 2022-07-28

Description:

Intel products contain a vulnerability which can allow attackers to perform privilege escalation.

Required Action:

Apply updates per vendor instructions.

CVE-2014-1776

Microsoft Internet Explorer Memory Corruption Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-01-28

Due Date: 2022-07-28

Description:

Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code in the context of the current user.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2014-6271

GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability

Vendor: GNU

Product: Bourne-Again Shell (Bash)

Added: 2022-01-28

Due Date: 2022-07-28

Description:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2014-7169

GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability

Vendor: GNU

Product: Bourne-Again Shell (Bash)

Added: 2022-01-28

Due Date: 2022-07-28

Description:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vulnerability in CVE-2014-6271.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78

CVE-2006-1547

Apache Struts 1 ActionForm Denial-of-Service Vulnerability

Vendor: Apache

Product: Struts 1

Added: 2022-01-21

Due Date: 2022-07-21

Description:

ActionForm in Apache Struts versions before 1.2.9 with BeanUtils 1.7 contains a vulnerability that allows for denial-of-service (DoS).

Required Action:

Apply updates per vendor instructions.

CVE-2012-0391

Apache Struts 2 Improper Input Validation Vulnerability

Vendor: Apache

Product: Struts 2

Added: 2022-01-21

Due Date: 2022-07-21

Description:

The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2018-8453

Ransomware

Microsoft Win32k Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Win32k

Added: 2022-01-21

Due Date: 2022-07-21

Description:

Microsoft Windows Win32k contains a vulnerability that allows an attacker to escalate privileges.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-404

CVE-2021-35247

SolarWinds Serv-U Improper Input Validation Vulnerability

Vendor: SolarWinds

Product: Serv-U

Added: 2022-01-21

Due Date: 2022-02-04

Description:

SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability that allows attackers to build and send queries without sanitization.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2021-32648

October CMS Improper Authentication

Vendor: October CMS

Product: October CMS

Added: 2022-01-18

Due Date: 2022-02-01

Description:

In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-287

CVE-2021-25296

Nagios XI OS Command Injection

Vendor: Nagios

Product: Nagios XI

Added: 2022-01-18

Due Date: 2022-02-01

Description:

Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78 CWE-138

CVE-2021-25297

Nagios XI OS Command Injection

Vendor: Nagios

Product: Nagios XI

Added: 2022-01-18

Due Date: 2022-02-01

Description:

Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78 CWE-138

CVE-2021-25298

Nagios XI OS Command Injection

Vendor: Nagios

Product: Nagios XI

Added: 2022-01-18

Due Date: 2022-02-01

Description:

Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-78 CWE-138