Cybersecurity Alert: CISA Flags Three More Exploited Vulnerabilities – Patch Now!

Fortinet, Ivanti, Nice—sounds like a cybersecurity law firm, but it’s just the latest trio in CISA’s ‘Most Wanted’ Vulnerabilities Catalog. Patch ’em up, folks, or the hackers will RSVP to your network’s ‘open house’ event!

Hot Take:

Looks like CISA’s playing whack-a-mole with cyber vulnerabilities, and the moles are winning. They’ve slapped three more digital gremlins onto the Wanted list, each promising to wreak more havoc than a caffeinated squirrel in a data center. So, if you’re in charge of cybersecurity, it might be time to cancel your weekend plans and start patching up those digital potholes!

Key Points:

  • CISA updates its cyber Most Wanted list, aka the Known Exploited Vulnerabilities Catalog, with three new entries.
  • The rogues’ gallery includes a Fortinet FortiClient vulnerability, an Ivanti Endpoint Manager issue, and an antique 2019 flaw in Nice Linear eMerge E3-Series.
  • BOD 22-01 is not just a catchy government acronym; it’s the directive that says “Patch or Perish” to federal agencies.
  • While BOD 22-01 is like an RSVP for the FCEB party, CISA recommends everyone crash the patching fiesta to keep the cyber boogeymen at bay.
  • CISA will keep adding villains to their catalog, presumably because cyber baddies have more sequels than a superhero franchise.

CVE ID: CVE-2019-7256
CVE state: PUBLISHED
CVE assigner short name: mitre
CVE date updated: 01/05/2023
CVE description: Linear eMerge E3-Series devices allow Command Injections.

CVE ID: CVE-2021-44529
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/18/2023
CVE description: A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

CVE ID: CVE-2023-48788
CVE state: PUBLISHED
CVE assigner short name: fortinet
CVE date updated: 03/12/2024
CVE description: An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.

Need to know more?

There's a Hole in My Bucket List

Just when you thought your digital fortress was impenetrable, CISA comes along and adds more items to your never-ending cybersecurity grocery list. The latest additions to the Known Exploited Vulnerabilities Catalog are like unwelcome guests at a LAN party, and they've brought friends. With names like CVE-2023-48788, CVE-2021-44529, and CVE-2019-7256, they sound like droids from a low-budget Star Wars knockoff, but they're much less friendly.

Time-Traveling Troublemakers

These vulnerabilities aren't just fresh out of the oven; some have been fermenting like a fine wine or a forgotten gym sock. Take CVE-2019-7256, for example. It's been lurking in the shadows since the Before Times, waiting for its moment to shine. If you thought procrastination was a problem, wait until you meet the federal agencies who now have to explain why they haven't fixed a four-year-old issue.

Party Like It's BOD 22-01

Binding Operational Directive 22-01 might not sound like the life of the party, but it's the bouncer at the door of the federal network nightclub, making sure everyone's vulnerabilities are checked before they hit the dance floor. This living list of cyber no-nos ensures that federal agencies keep their systems tighter than their budgets.

Don't Wait for an Invite

While BOD 22-01 has a VIP list limited to Federal Civilian Executive Branch agencies, CISA is the inclusive type and suggests that everyone should join in the vulnerability remediation rave. It's like when your neighbor throws a bash, and you weren't invited but show up anyway because, hey, free food and better safe than sorry, right?

More Sequels Than a Comic Book Movie

Just like your favorite superhero movies, the Known Exploited Vulnerabilities Catalog is bound to have part two, three, and infinity. CISA will keep tossing in more vulnerabilities, because in the cyber world, every day is a premiere, and the villains are always looking for their spotlight. So, keep your popcorn ready and your software updated, or you'll find your network starring in the next blockbuster disaster flick.
