Current Activity

The Cybersecurity and Infrastructure Security Agency (CISA), through the Joint Cyber Defense Collaborative (JCDC), enabled proactive coordination and information sharing to bolster cybersecurity ahead of the 2024 Olympic and Paralympic Games in Paris. Recognizing the potential for cyber threats targeting the Games, CISA worked to strengthen U.S. private sector ties and facilitate connections with key French counterparts to promote collective defense measures.

Utilizing its role as a key facilitator between public and private sector partners, JCDC established monitoring channels and launched cyber threat information-sharing forums to prepare for significant incidents. Throughout the Games, JCDC industry partners remained vigilant, promptly alerting CISA to any potential impacts on Olympic and Paralympic activities. This allowed CISA to provide prompt updates and share critical information with the French Agence Nationale de la Sécurité des Systèmes d'Information to aid swift response efforts.

This collaboration underscores JCDC’s essential role in uniting global partners to defend against cyber challenges that threaten national security and international events. The partnership highlights the value of voluntary information sharing to build trust and strengthen the protection of critical infrastructure in an evolving threat landscape. For more information about JCDC’s initiatives, visit the JCDC Success Stories webpage and CISA.gov/JCDC. 

Ivanti released security updates to address vulnerabilities in Ivanti Endpoint Manager (EPM), Ivanti Avalanche, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Security Access Client.

CISA encourages users and administrators to review the following Ivanti security advisories and apply the necessary guidance and updates:

• Ivanti Security Advisory EPM
• Ivanti Security Advisory Avalanche
• Ivanti Security Advisory Connect Secure, Ivanti Policy Secure, and Ivanti Security Access Client

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.

This advisory supplies details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors and their associated Common Weakness Enumeration(s) (CWE) to help organizations better understand the impact of exploitation. International partners contributing to this advisory include:

• Australian Signals Directorate’s Australian Cyber Security Centre
• Canadian Centre for Cyber Security
• New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team
• United Kingdom’s National Cyber Security Centre

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.

Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers’ sensitive data. To learn more about secure by design principles and practices, visit CISA’s Secure by Design.

CISA released five Industrial Control Systems (ICS) advisories on November 12, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-317-01 Subnet Solutions PowerSYSTEM Center
• ICSA-24-317-02 Hitachi Energy TRO600
• ICSA-24-317-03 Rockwell Automation FactoryTalk View ME
• ICSA-23-306-03 Mitsubishi Electric MELSEC Series (Update A)
• ICSA-23-136-01 Snap One OvrC Cloud (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-43093 Android Framework Privilege Escalation Vulnerability
• CVE-2024-51567 CyberPanel Incorrect Default Permissions Vulnerability
• CVE-2019-16278 Nostromo nhttpd Directory Traversal Vulnerability
• CVE-2024-5910 Palo Alto Expedition Missing Authentication Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released three Industrial Control Systems (ICS) advisories on November 7, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-312-01 Beckhoff Automation TwinCAT Package Manager
• ICSA-24-312-02 Delta Electronics DIAScreen
• ICSA-24-312-03 Bosch Rexroth IndraDrive

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
• CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has received multiple reports of a large-scale spearphishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spearphishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network. 

CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign. CISA urges organizations to take proactive measures:

•  Restrict Outbound RDP Connections:
  • Forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
  • Implement a Firewall along with secure policies and access control lists.
• Block RDP Files in Communication Platforms:
  • Prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.
• Prevent Execution of RDP Files: 
  • Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
• Enable Multi-Factor Authentication (MFA):
  • Enable MFA wherever feasible to provide an essential layer of security for remote access.
  • Avoid SMS MFA whenever possible.
• Adopt Phishing-Resistant Authentication Methods:
  • Deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.
• Implement Conditional Access Policies:
  • Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.
• Deploy Endpoint Detection and Response (EDR):
  • Implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.
• Consider Additional Security Solutions:
  • Evaluate, in conjunction with EDR, the deployment of anti-phishing and antivirus solutions to bolster their defenses against emerging threats.
• Conduct User Education:
  • Have a user education program that highlights how to identify and report suspicious emails. Robust user education can help mitigate the threat of social engineering and phishing emails.
  • Recognize and Report Phishing: Avoid phishing with these simple tips.
• Hunt For Activity Using Referenced Indicators and TTPs:
  • Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
  • Search for unexpected and/or unauthorized outbound RDP connections within the last year.

CISA urges users and administrators to remain vigilant against spearphishing attempts, hunt for any malicious activity, report positive findings to CISA, and review the following articles for more information:

• Microsoft: Midnight Blizzard conducts large-scale spearphishing campaign using RDP files
• AWS Security: Amazon identified internet domains abused by APT29
• The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments
• Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or "Rogue RDP"

CISA released four Industrial Control Systems (ICS) advisories on October 31, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-305-01 Rockwell Automation FactoryTalk ThinManager
• ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update A)
• ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update A)
• ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Fortinet has updated their security advisory addressing a critical FortiManager vulnerability (CVE-2024-47575) to include additional workarounds and indicators of compromise (IOCs). A remote, unauthenticated cyber threat actor could exploit this vulnerability to gain access to sensitive files or take control of an affected system. At this time, all patches have been released.

CISA previously added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.

CISA strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, assess potential risk from service providers, report positive findings to CISA, and review the following articles for additional information: 

• Fortinet Advisory FG-IR-24-423, 
• CISA alert on the Fortinet FortiManager Missing Authentication Vulnerability, 
• Google Threat Intelligence article Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575).

CISA, through the Joint Cyber Defense Collaborative (JCDC), enabled swift, coordinated response and information sharing in the wake of a significant IT outage caused by a CrowdStrike software update. This outage, which impacted government, critical infrastructure, and industry across the globe, led to disruptions in essential services, including air travel, healthcare, and financial operations.

Leveraging its unique ability to bring together public and private sector partners, JCDC facilitated virtual engagements with over 1,000 federal agency representatives. In close collaboration with CrowdStrike, a JCDC partner, CISA provided critical updates, mitigation guidance, and analysis on the potential for malicious exploitation of the outage. This rapid coordination enabled key information to be quickly disseminated across federal networks, helping to expedite mitigation and protect U.S. government systems.

This successful response underscores JCDC’s essential role in uniting industry and government partners to address cyber challenges that could impact national security and resilience. For more information about JCDC’s efforts, visit the JCDC Success Stories webpage and CISA.gov/JCDC.

Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  

CISA encourages users and administrators to review the following advisories and apply necessary updates: 

• iOS 18.1 and iPadOS 18.1
• iOS 17.7.1 and iPadOS 17.7.1
• macOS Sequoia 15.1
• macOS Sonoma 14.7.1
• macOS Ventura 13.7.1
• Safari 18.1
• watchOS 11.1
• tvOS 18.1
• visionOS 2.1

CISA released three Industrial Control Systems (ICS) advisories on October 29, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-303-01 Siemens InterMesh Subscriber Devices
• ICSA-24-303-02 Solar-Log Base 15
• ICSA-24-303-03 Delta Electronics InfraSuite Device Master

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Today, CISA—along with U.S. and international partners—released joint guidance, Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers. This guide aids software manufacturers in establishing secure software deployment processes to help ensure software is reliable and safe for customers. Additionally, it offers guidance on how to deploy in an efficient manner as part of the software development lifecycle (SDLC).

A well-designed software deployment process can help guarantee customers receive new features, security, and reliability while minimizing unplanned outages. 

CISA encourages software and service manufacturers review this guide, evaluate their software deployment processes, and address them through a continuous improvement program.

To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability
• CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Cisco released its October 2024 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication to address vulnerabilities in Cisco ASA, FMC, and FTD. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.   

CISA encourages users and administrators to review the following advisory and apply the necessary updates:  

• Cisco Event Response: October 2024 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication

CISA released four Industrial Control Systems (ICS) advisories on October 24, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-298-01 VIMESA VHF/FM Transmitter Blue Plus
• ICSA-24-298-02 iniNet Solutions SpiderControl SCADA PC HMI Editor
• ICSA-24-298-03 Deep Sea Electronics DSE855
• ICSA-24-268-06 OMNTEC Proteus Tank Monitoring (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.

• CVE-2024-47575 Fortinet FortiManager Missing Authentication Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA encourages users and administrators to see Fortinet Advisory FG-IR-24-423 and apply necessary patches and mitigations. Additionally, see Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) from Google Threat Intelligence for more information. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released one Industrial Control Systems (ICS) advisory on October 22, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-296-01 ICONICS and Mitsubishi Electric Products

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.