Homeland Security Secretary Alejandro Mayorkas participates in the swearing in of new Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly at CISA Headquarters in Arlington, VA. (DHS)

Based on evidence of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added 95 new bugs to its Known Exploited Vulnerabilities Catalog.

CISA said these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to federal agencies. The agency has been prioritizing software updates that address known exploited vulnerabilities as part of its recent Shields Up program.

Although these additions to the Known Exploited Vulnerabilities Catalog only apply to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly urges all organizations to reduce their exposure via timely patches of the vulnerabilities.

It’s unusual for CISA to add more than a handful of vulnerabilities to their catalog at a time, so the addition of nearly 100 at once is noteworthy, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said while most of them are recent, the oldest in this batch (CVE-2002-0367) dates to 2002, and many of the others are over five years old.

“CISA has their own criteria for adding specific vulnerabilities to their catalog, and usually only adds a few at a time,” Parkin said. “However, with the current state of conflict in Ukraine, these additions are likely an effort to prevent cyberwarfare activities spilling into U.S. organizations covered by CISA directives.”

Bud Broomhead, CEO at Viakoo, added that these new vulnerabilities have a very short timeframe for being remediated – all within the month of March. Broomhead said to meet this remediation mandate, federal agencies will need to use automated approaches for remediation at scale. 

“Because of the range of systems and devices impacted, a third-party remediation solution will provide advantages for meeting these deadlines,” Broomhead said. “About 14% of these newly-added vulnerabilities are in open-source components. The risk this presents is that there may be multiple vendors providing multiple patches. This will take much longer and more effort to remediate than in closed-source environments.”