Current Activity

Today, CISA and FBI released a Secure by Design Alert, Eliminating Cross-Site Scripting Vulnerabilities, as a part of our ongoing effort to reduce the prevalence of vulnerability classes at scale. Vulnerabilities like cross-site scripting (XSS) continue to appear in software, enabling threat actors to exploit them. However, cross-site scripting vulnerabilities are preventable and should not be present in software products.

CISA and FBI urge CEOs and other business leaders at technology manufacturers to direct their technical leaders/teams to review past instances of these defects and create a strategic plan to prevent them in the future.

Visit our website to learn more about the principles of Secure by Design, take the Secure by Design Pledge, and stay informed on the latest Secure by Design Alerts.

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. Developed in collaboration with FCEB agencies, this plan provides standard, essential components of enterprise operational cybersecurity and aligns the collective operational defense capabilities across the federal enterprise.

Currently, federal agencies maintain their own networks and system architectures—and they independently manage their cyber risk. CISA’s FOCAL plan aligns the federal enterprise, empowering agencies to better address the dynamic cyber threat environment collectively. The plan recommends actions that substantively advance operational cybersecurity improvements and alignment goals. 

For additional guidance, visit CISA’s Securing Networks web page. 

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
• CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Ivanti has released a security update addressing an OS command injection vulnerability (CVE-2024-8190) affecting Ivanti Cloud Services Appliance (CSA) 4.6 (all versions before patch 519). A cyber threat actor could exploit this vulnerability to take control of an affected system.  

At this time, Ivanti has confirmed limited exploitation and urges its customers using the affected versions to upgrade to CSA version 5.0. Ivanti no longer supports CSA 4.6 (end-of-life). 

CISA recommends users and administrators review CISA and FBI's joint guidance on eliminating OS command injections and the Ivanti security advisory and apply the recommended updates. 

Note: CISA has added CVE-2024-8190 to its Known Exploited Vulnerabilities Catalog, which, per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-8190 Ivanti Cloud Services Appliance OS Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has released an analysis and infographic detailing the findings from the 143 Risk and Vulnerability Assessments (RVAs) conducted across multiple critical infrastructure sectors in fiscal year 2023 (FY23).

The analysis details a sample attack path including tactics and steps a cyber threat actor could follow to compromise an organization with weaknesses representative of those CISA observed in FY23 RVAs. The infographic highlights the most successful techniques for each tactic that RVAs documented. Both the analysis and infographic map threat actor behavior to the MITRE ATT&CK® framework.

CISA encourages network defenders to review the analysis and infographic and apply the recommended mitigations to protect against the observed tactics and techniques.

Adobe released security updates to address multiple vulnerabilities in Adobe software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.   

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:  

• Security update available for Adobe Media Encoder | APSB24-53
• Security update available for Adobe Audition | APSB24-54
• Security update available for Adobe After Effects | APSB24-55
• Security update available for Adobe Premiere Pro | APSB24-58
• Security update available for Adobe Illustrator | APSB24-66
• Security update available for Adobe Acrobat Reader | APSB24-70
• Security update available for Adobe ColdFusion | APSB24-71
• Security update available for Adobe Photoshop | APSB24-72

CISA released twenty-five Industrial Control Systems (ICS) advisories on September 12, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-256-01 Siemens SINEMA Remote Connect Server
• ICSA-24-256-02 Siemens SINUMERIK ONE, SINUMERIK 840D and SINUMERIK 828D
• ICSA-24-256-03 Siemens User Management Component (UMC)
• ICSA-24-256-04 Siemens SINUMERIK Systems
• ICSA-24-256-05 Siemens Mendix Runtime
• ICSA-24-256-06 Siemens Automation License Manager
• ICSA-24-256-07 Siemens SIMATIC RFID Readers
• ICSA-24-256-08 Siemens Industrial Products
• ICSA-24-256-09 Siemens SIMATIC, SIPLUS, and TIM
• ICSA-24-256-10 Siemens SINEMA
• ICSA-24-256-11 Siemens Industrial Edge Management
• ICSA-24-256-12 Siemens Tecnomatix Plant Simulation
• ICSA-24-256-13 Siemens SCALANCE W700
• ICSA-24-256-14 Siemens SIMATIC SCADA and PCS 7 Systems
• ICSA-24-256-15 Siemens Industrial Products
• ICSA-24-256-16 Siemens Third Party Component in SICAM and SITIPE Products
• ICSA-24-256-17 AutomationDirect DirectLogic H2-DM1E
• ICSA-24-256-18 Rockwell Automation ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix 5380
• ICSA-24-256-19 Rockwell Automation OptixPanel
• ICSA-24-256-20 Rockwell Automation AADvance Trusted SIS Workstation
• ICSA-24-256-21 Rockwell Automation 5015-U8IHFT
• ICSA-24-256-22 Rockwell Automation FactoryTalk Batch View
• ICSA-24-256-23 Rockwell Automation FactoryTalk View Site
• ICSA-24-256-24 Rockwell Automation Pavilion8
• ICSA-24-256-25 Rockwell Automation ThinManager

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Cisco released security updates to address vulnerabilities in Cisco ISO XR software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following advisories and apply the necessary updates: 

• September 2024 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication

Cisco released security updates to address two vulnerabilities (CVE-2024-20439 and CVE-2024-20440) in Cisco Smart Licensing Utility. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following advisory and apply the necessary updates: 

• Cisco Smart Licensing Utility Vulnerabilities

Ivanti released security updates to address multiple vulnerabilities in Ivanti Endpoint Manager, Cloud Service Application 4.6, and Workspace Control. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following Ivanti advisories and apply the necessary guidance and updates: 

• Ivanti Endpoint Manager
• Ivanti Cloud Service Application 4.6
• Ivanti Workspace Control

(Updated September 25, 2024)
CISA has removed one vulnerability from its Known Exploited Vulnerabilities Catalog, based on information found in the FAQ section of Microsoft's Security Update Guide for CVE-2024-43491. 

• CVE-2024-43491 Microsoft Windows Update Remote Code Execution Vulnerability

(End of Update)

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-38226 Microsoft Publisher Security Feature Bypass Vulnerability
• CVE-2024-38014 Microsoft Windows Installer Privilege Escalation Vulnerability
• CVE-2024-38217 Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following and apply necessary updates:

• Microsoft Security Update Guide for September

CISA released four Industrial Control Systems (ICS) advisory on September 10, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-254-01 Viessmann Climate Solutions SE Vitogate 300
• ICSA-24-254-02 iniNet Solutions SpiderControl SCADA Web Server
• ICSA-24-254-03 Rockwell Automation SequenceManager
• ICSMA-24-254-01 BPL Medical Technologies PWS-01-BT and BPL Be Well Android Application

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Citrix released security updates to address multiple vulnerabilities in the Citrix Workspace App for Windows. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following and apply necessary updates: 

• Citrix Workspace app for Windows Security Bulletin for CVE-2024-7889 and CVE-2024-7890

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2016-3714 ImageMagick Improper Input Validation Vulnerability
• CVE-2017-1000253 Linux Kernel PIE Stack Buffer Corruption Vulnerability
• CVE-2024-40766 SonicWall SonicOS Improper Access Control Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released four Industrial Control Systems (ICS) advisory on September 5, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-249-01 Hughes Network Systems WL3000 Fusion Software
• ICSMA-24-249-01 Baxter Connex Health Portal
• ICSA-20-303-01 Mitsubishi Electric MELSEC iQ-R, Q, and L Series (Update E)
• ICSA-22-356-03 Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update E)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Today, the Federal Bureau of Investigation (FBI)—in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners—released a joint Cybersecurity Advisory Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) associated with Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) cyber actors, both during and succeeding their deployment of the WhisperGate malware against Ukraine.

These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. The authoring agencies encourage organizations to review this advisory for recommended mitigations against such malicious activity.

For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press release for June 26, 2024, and Sept. 5, 2024, FBI’s Cyber Crime webpage, and CISA’s Russia Cyber Threat Overview and Advisories webpage.

CISA released one Industrial Control Systems (ICS) advisory on September 3, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-247-01 LOYTEC Electronics LINX Series

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2021-20123 Draytek VigorConnect Path Traversal Vulnerability
• CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability
• CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.