CISA adds eight KEV flaws

- CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities catalog, forcing faster federal patching.
- The addition requires agencies to remediate these flaws by April–May 2026 under the KEV schedule.
- That move increases near-term patch pressure on agencies and vendors as exploit-risk notices propagate. (x.com)

CISA added eight software flaws to its Known Exploited Vulnerabilities list on April 20, putting federal agencies on a new patch clock. (cisa.gov) The Cybersecurity and Infrastructure Security Agency said the additions were based on evidence of active exploitation. The eight CVEs span PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra Collaboration Suite, and three Cisco Catalyst SD-WAN Manager bugs. (cisa.gov)

CISA’s Known Exploited Vulnerabilities catalog is the federal government’s running list of bugs already being used in real attacks. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must fix cataloged flaws by CISA’s deadline. (cisa.gov 1) (cisa.gov 2) A binding operational directive is a mandatory order for civilian agencies, not a recommendation. CISA says the directive applies to software and hardware on agency systems, including systems hosted by third parties on an agency’s behalf. (cisa.gov)

The new entries increase patch pressure because they cover tools that often sit deep inside business networks: print management, build servers, endpoint management, email collaboration, and wide-area network controllers. CISA says organizations outside the federal government should also prioritize KEV-listed bugs in their own vulnerability programs. (cisa.gov 1) (cisa.gov 2)

Two of the newly listed flaws are older, high-profile cases that still show up in intrusions. JetBrains said CVE-2024-27199 could let an unauthenticated attacker gain administrative control of an on-premises TeamCity server, and PaperCut said CVE-2023-27351 could expose user data without a login. (jetbrains.com) (papercut.com)

Cisco’s three newly listed CVEs are part of a broader March advisory on Catalyst SD-WAN Manager. Cisco said the affected product could let an attacker access the system, elevate privileges to root, obtain sensitive information, and overwrite arbitrary files, and said customers should move to fixed software because no workarounds address the bugs. (cisco.com)

The KEV catalog has grown to 1,569 entries, according to CISA’s live catalog page. Each new addition also carries a due date, which is how CISA turns an exploit notice into a federal remediation deadline. (cisa.gov)

For agencies, the immediate task is simple and narrow: check whether any of the eight affected products are in use, apply vendor fixes, and meet the KEV due dates CISA assigned after the April 20 listing. (cisa.gov)
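The inventory check and due-date tracking described in the last paragraph, as an added example (not code from CISA or from this briefing). CISA publishes the catalog as a JSON feed; the URL and field names below are the feed's real ones, but the snapshot, its due dates, and the inventory rows are constructed for the example so it runs offline. The two 2026-04-20 rows reuse the CVE IDs the briefing names with placeholder deadlines, and the Log4Shell row is an older entry included only to exercise the overdue path.

```python
"""Check a CISA KEV feed snapshot against a local software inventory.

CISA publishes the catalog as JSON at KEV_FEED_URL; each entry carries at least
cveID, vendorProject, product, dateAdded, dueDate and requiredAction. The
snapshot below is constructed for this example so it runs offline.
"""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed snapshot mirroring the feed schema. The two 2026-04-20 rows use
# the CVE IDs and vendors named in the briefing, but their dueDate values are
# placeholders (an assumed three-week deadline), not values taken from CISA.
# The Log4Shell row is an older entry used only to show the overdue path.
KEV_SNAPSHOT = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
""")

# Constructed inventory: (vendor, product) pairs as an asset system might export.
INVENTORY = [
    ("JetBrains", "TeamCity"),
    ("Quest", "KACE SMA"),
    ("Apache", "Log4j2"),
]


def _to_date(d):
    """Accept a datetime.date or an ISO 8601 string and return a date."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def fetch_live_feed():
    """Download the current catalog (network call; not used by the offline demo)."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=30) as resp:
        return json.load(resp)


def entries_added_on(feed, day):
    """Return the catalog entries whose dateAdded equals `day`."""
    day_s = _to_date(day).isoformat()
    return [v for v in feed["vulnerabilities"] if v["dateAdded"] == day_s]


def matches_inventory(entry, inventory):
    """True if an inventory row names the entry's vendor and an overlapping product.

    vendorProject/product strings in the feed are free text, so the product
    test is a case-insensitive substring match in either direction.
    """
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    for inv_vendor, inv_product in inventory:
        iv, ip = inv_vendor.lower(), inv_product.lower()
        if iv == vendor and (ip in product or product in ip):
            return True
    return False


def remediation_report(feed, inventory, added_on=None, today=None):
    """List KEV entries that hit the inventory, with days left to the due date.

    `added_on` limits the check to one batch (e.g. the April 20 listing);
    None checks the whole catalog, which also surfaces already-overdue items.
    """
    today = _to_date(today) if today is not None else date.today()
    entries = entries_added_on(feed, added_on) if added_on is not None else feed["vulnerabilities"]
    report = []
    for e in entries:
        if not matches_inventory(e, inventory):
            continue
        remaining = (_to_date(e["dueDate"]) - today).days
        report.append({
            "cveID": e["cveID"],
            "vendorProject": e["vendorProject"],
            "product": e["product"],
            "dueDate": e["dueDate"],
            "days_remaining": remaining,
            "overdue": remaining < 0,
            "requiredAction": e["requiredAction"],
        })
    report.sort(key=lambda r: r["dueDate"])  # soonest (or most overdue) first
    return report


if __name__ == "__main__":
    for row in remediation_report(KEV_SNAPSHOT, INVENTORY, today="2026-04-22"):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_remaining']}d left"
        print(f"{row['cveID']:<16} {row['vendorProject']} {row['product']:<10} due {row['dueDate']} ({flag})")
```

Swap `KEV_SNAPSHOT` for `fetch_live_feed()` and the constructed inventory for a real asset export to run this against the actual catalog; the vendor/product strings in the feed are not normalized, so expect to tune the matching for products an inventory names differently (for example "MF/NG" versus "PaperCut NG").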


Shared from Scout - Be the smartest in the room.