CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2010-3333

Microsoft Office Stack-based Buffer Overflow Vulnerability

Vendor: Microsoft

Product: Office

Added: 2022-03-03

Due Date: 2022-03-24

Description:

A stack-based buffer overflow vulnerability exists in the parsing of RTF data in Microsoft Office and earlier allows an attacker to perform remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2010-0232

Microsoft Windows Kernel Exception Handler Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-03

Due Date: 2022-03-24

Description:

The kernel in Microsoft Windows, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-264

CVE-2010-0188

Ransomware

Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability

Vendor: Adobe

Product: Reader and Acrobat

Added: 2022-03-03

Due Date: 2022-03-24

Description:

Unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2009-3129

Microsoft Excel Featheader Record Memory Corruption Vulnerability

Vendor: Microsoft

Product: Excel

Added: 2022-03-03

Due Date: 2022-03-24

Description:

Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2009-1123

Microsoft Windows Improper Input Validation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-03

Due Date: 2022-03-24

Description:

The kernel in Microsoft Windows does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-20

CVE-2008-3431

Oracle VirtualBox Insufficient Input Validation Vulnerability

Vendor: Oracle

Product: VirtualBox

Added: 2022-03-03

Due Date: 2022-03-24

Description:

An input validation vulnerability exists in the VBoxDrv.sys driver of Sun xVM VirtualBox which allows attackers to locally execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-264

CVE-2008-2992

Ransomware

Adobe Reader and Acrobat Input Validation Vulnerability

Vendor: Adobe

Product: Acrobat and Reader

Added: 2022-03-03

Due Date: 2022-03-24

Description:

Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2004-0210

Microsoft Windows Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-03

Due Date: 2022-03-24

Description:

A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-120

CVE-2002-0367

Microsoft Windows Privilege Escalation Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-03-03

Due Date: 2022-03-24

Description:

smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges.

Required Action:

Apply updates per vendor instructions.

CVE-2022-24682

Ransomware

Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability

Vendor: Synacor

Product: Zimbra Collaborate Suite (ZCS)

Added: 2022-02-25

Due Date: 2022-03-11

Description:

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability in the Calendar feature that allows an attacker to execute arbitrary code.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-79 CWE-116

CVE-2017-8570

Microsoft Office Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Office

Added: 2022-02-25

Due Date: 2022-08-25

Description:

A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory.

Required Action:

Apply updates per vendor instructions.

CVE-2017-0222

Microsoft Internet Explorer Remote Code Execution Vulnerability

Vendor: Microsoft

Product: Internet Explorer

Added: 2022-02-25

Due Date: 2022-08-25

Description:

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-119

CVE-2014-6352

Microsoft Windows Code Injection Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2022-02-25

Due Date: 2022-08-25

Description:

Microsoft Windows allow remote attackers to execute arbitrary code via a crafted OLE object.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-94

CVE-2022-23131

Zabbix Frontend Authentication Bypass Vulnerability

Vendor: Zabbix

Product: Frontend

Added: 2022-02-22

Due Date: 2022-03-08

Description:

Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-290

CVE-2022-23134

Zabbix Frontend Improper Access Control Vulnerability

Vendor: Zabbix

Product: Frontend

Added: 2022-02-22

Due Date: 2022-03-08

Description:

Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend.

Required Action:

Apply updates per vendor instructions.

CWEs:

CWE-284