CISA instructs agencies to fix VMware and Chrome bugs
April 17, 2022
The Cybersecurity and Infrastructure Security Agency (CISA) has added nine more vulnerabilities to its list of actively exploited bugs, including a VMware privilege escalation vulnerability and a Google Chrome zero-day vulnerability that can be used to execute code remotely.
The VMware security bug (CVE-2022-22960) was fixed on April 6 and allows attackers to escalate privileges to root on vulnerable servers due to incorrect permissions in support scripts.
The Chrome zero-day is also included in CISA's Known Exploited Vulnerabilities (KEV) catalog. The bug, tracked as CVE-2022-1364, allows remote code execution due to a type confusion vulnerability in V8.
All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against these security flaws once they have been added to CISA's KEV list, in accordance with the November binding operational directive (BOD 22-01).
Today, CISA has added seven more vulnerabilities to its catalog, all used in ongoing attacks.
All US organizations are advised to prioritize these security updates.
While BOD 22-01 only applies to US FCEB agencies, CISA also urges all US private and public sector organizations to give higher priority to patching these actively exploited bugs.
Trihedral VTScada (formerly VTS) Denial of Service, 2022-05-06
InduSoft Web Studio NTWebServer Directory Traversal (CVE-2014-0780), 2022-05-06
Ubiquiti AirOS Command Injection Vulnerability (CVE-2010-5330), 2022-05-06
Alcatel OmniPCX Enterprise Remote Code Execution (CVE-2007-3010), 2022-05-06
On Thursday, CISA also added a critical VMware remote code execution bug (CVE-2022-22954) that has been used in attacks to deliver cryptocurrency payloads.
Taking this advice seriously would significantly reduce the attack surface that threat actors can use to breach organizations' networks.
“These types of vulnerabilities are a common attack vector for attackers of all types and pose a significant risk to the federal organization,” the US cybersecurity agency explains.
Since the mandatory BOD 22-01 directive was issued, CISA has added hundreds of flaws to its catalog of actively exploited bugs and has ordered US federal agencies to fix them as soon as possible to prevent security breaches.
John Wilkes is a seasoned journalist and author at Div Bracket. He specializes in covering trending news across a wide range of topics, from politics to entertainment and everything in between.