CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2002-0367

Microsoft Windows Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-03

Due Date: 2022-03-24

Description:

smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges.

Required Action:

Apply updates per vendor instructions.

CVE-2022-24682

Ransomware

Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability

Vendor: Synacor

Product: Zimbra Collaborate Suite (ZCS)

Added: 2022-02-25

Due Date: 2022-03-11

Description:

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability in the Calendar feature that allows an attacker to execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79, CWE-116

CVE-2017-8570

Microsoft Office Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Office

Added: 2022-02-25

Due Date: 2022-08-25

Description:

A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory.

Required Action:

Apply updates per vendor instructions.

CVE-2017-0222

Microsoft Internet Explorer Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-02-25

Due Date: 2022-08-25

Description:

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2014-6352

Microsoft Windows Code Injection Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-02-25

Due Date: 2022-08-25

Description:

Microsoft Windows allows remote attackers to execute arbitrary code via a crafted OLE object.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2022-23131

Zabbix Frontend Authentication Bypass Vulnerability

Vendor: Zabbix

Product: Frontend

Added: 2022-02-22

Due Date: 2022-03-08

Description:

Zabbix Frontend, when configured with SAML, uses unsafe client-side session storage, which can lead to authentication bypass and instance takeover.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-290

CVE-2022-23134

Zabbix Frontend Improper Access Control Vulnerability

Vendor: Zabbix

Product: Frontend

Added: 2022-02-22

Due Date: 2022-03-08

Description:

Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284

CVE-2022-24086

Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability

Vendor: Adobe

Product: Commerce and Magento Open Source

Added: 2022-02-15

Due Date: 2022-03-01

Description:

Adobe Commerce and Magento Open Source contain an improper input validation vulnerability which can allow for arbitrary code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2022-0609

Google Chromium Animation Use-After-Free Vulnerability

Vendor: Google

Product: Chromium Animation

Added: 2022-02-15

Due Date: 2022-03-01

Description:

Google Chromium Animation contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-416

CVE-2019-0752

Ransomware

Microsoft Internet Explorer Type Confusion Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-02-15

Due Date: 2022-08-15

Description:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-843

CVE-2018-8174

Ransomware

Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-02-15

Due Date: 2022-08-15

Description:

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution".

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-787

CVE-2018-20250

Ransomware

WinRAR Absolute Path Traversal Vulnerability

Vendor: RARLAB

Product: WinRAR

Added: 2022-02-15

Due Date: 2022-08-15

Description:

WinRAR contains an absolute path traversal vulnerability that leads to remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-36

CVE-2018-15982

Ransomware

Adobe Flash Player Use-After-Free Vulnerability

Vendor: Adobe

Product: Flash Player

Added: 2022-02-15

Due Date: 2022-08-15

Description:

Adobe Flash Player contains a use-after-free vulnerability in com.adobe.tvsdk.mediacore.metadata.

Required Action:

The impacted product is end-of-life and should be disconnected if still in use.

CWEs:

CWE-416

CVE-2017-9841

PHPUnit Command Injection Vulnerability

Vendor: PHPUnit

Product: PHPUnit

Added: 2022-02-15

Due Date: 2022-08-15

Description:

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2014-1761

Microsoft Word Memory Corruption Vulnerability

Vendor: Microsoft

Product: Word

Added: 2022-02-15

Due Date: 2022-08-15

Description:

Microsoft Word contains a memory corruption vulnerability which, when exploited, could allow for remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119