CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks
CISA Warns of 60 Exploited Vulnerabilities Affecting Cisco, Microsoft Products
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced adding 95 security flaws to its list of known exploited vulnerabilities, including more than 60 affecting Cisco and Microsoft products.
Only five of the vulnerabilities added this week to CISA’s catalog have a 2022 CVE identifier, namely flaws patched last month in Cisco’s Small Business RV160, RV260, RV340, and RV345 series routers.
The Cisco vulnerabilities are all rated “critical severity” and they can be exploited for arbitrary code/command execution and privilege escalation. Some of the flaws can be exploited remotely and without authentication.
When it disclosed the vulnerabilities, Cisco warned that it was aware of the availability of proof-of-concept (PoC) exploits, but did not mention any attacks. The company’s advisory still does not mention active exploitation and there do not appear to be any public reports of malicious attacks.
However, CISA told SecurityWeek in the past that it’s aware of real-world attacks for each of the vulnerabilities added to its catalog.
MDR firm Deepwatch assessed with moderate confidence in mid-February that one of the vulnerabilities, CVE-2022-20699, would be exploited to install cryptocurrency miners or to gain an initial foothold into an organization. SecurityWeek has also found a recent blog post titled “Hackers Exploiting Cisco RV VPN Routers,” which references these vulnerabilities, but it does not describe any actual attacks.
SecurityWeek has reached out to Cisco for information on in-the-wild exploitation and will update this article if the networking giant responds.
As per Binding Operational Directive (BOD) 22-01, which instructs federal civilian agencies to patch vulnerabilities included in CISA’s catalog within defined timeframes, these Cisco router flaws will need to be patched by March 17.
One of the vulnerabilities added this week to CISA’s “Must Patch” list is CVE-2021-41379, a privilege escalation weakness in Windows that has been exploited since November 2021, particularly by malware.
The remaining vulnerabilities added by CISA to its list this week are older: two are from 2020 and the rest have CVE identifiers ranging from 2002 to 2019.
Of the 95 new CVEs, 38 are for Cisco vulnerabilities and 27 for Microsoft vulnerabilities. There are also 16 flaws affecting Adobe products, and seven impacting Oracle products.
While BOD 22-01 only applies to federal agencies, CISA has advised all organizations to use its catalog to prioritize vulnerability patching.