The US Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its list of actively exploited bugs this week, a code injection vulnerability in Spring Cloud Gateway and a command injection vulnerability in Zyxel firmware for business firewalls and VPN devices. This blog lists all of the DHS CISA KEVs that need to be patched this week (May 16 to May 22, 2022).
Federal agencies are expected to patch 7 known exploited vulnerabilities in the DHS CISA catalog this week, in time for the May 16 to May 22, 2022 deadline. Based on our analysis of these KEVs, we found the following:
Our ML and AI model predicts that all seven of these CVEs are potentially 38 times more likely to be exploited, so patch them now before they become problems.
How Far Back Do They Go?
Of the 7 KEVs, 3 CVEs are old vulnerabilities dating from 2019 to 2021, with a patch deadline of May 16 to May 22, 2022.
Which Vendors Are Affected?
These 7 CVEs, which have a patch deadline of May 16 to May 22, 2022, affect 4 vendors: Microsoft, Linux, WSO2, and Jenkins.
5 out of the 7 KEVs with a patch due date between May 1 and May 7, 2022, fall under the Top 40 Most Dangerous Software Weaknesses, and 4 of these KEVs fall under the OWASP Top 10:2021.
Table: DHS CISA KEVs
Patch management is a continuous and difficult process for most organizations. That’s why we go the extra mile to analyze the data and provide security teams with easy lists of prioritized vulnerabilities from the catalog.