The US Government has published a list of security vulnerabilities that must be patched on all government systems within the next 2 weeks. Developed by the Cybersecurity and Infrastructure Security Agency (CISA), the binding operational directive provides a list of vulnerabilities that are being exploited to attack government systems. Under the terms of the directive, all vulnerabilities identified this year must be patched within the next 6 months, while all older vulnerabilities have to be mitigated within 2 weeks.
Although the directive only mandates action by Federal agencies (because those are the only ones CISA has power to control), it strongly advises businesses to pay attention to the list and make sure all their systems have the listed vulnerabilities patched, because these are the vulnerabilities most used by threat actors.
CISA will keep the list of known exploited vulnerabilities updated, and Security Managers may want to add the catalogue to their regular reading list as it provides an insight into the tools and techniques currently being used by threat actors and APT groups.