These patches were released months ago, so how can threat actors continue to exploit the same vulnerabilities today?
Many organizations outside the Federal realm do not operate within frameworks that ensure they patch and test vulnerabilities in a timely fashion. IT teams can be reluctant to apply patches for fear that they will cause bugs and disrupt business. Applying patches can be time consuming and tedious, and worst of all, it is a cycle that never ends.
Yet it’s essential to make it a priority. Leaving CVEs unpatched allows easy entry for threat actors to infiltrate your network and install malware, spyware, ransomware and other dangers to systems.
CISA publishes a catalog of Known Exploited Vulnerabilities. The list contains significant CVEs going back months and years that threat actors still actively exploit today. The Federal government obligates its organizations to patch the CVEs listed in the catalog by a certain date to protect their networks from active threats, but in the private sector this is not mandated. Both the list and the remediation date can be used as a goal by all organizations. Unfortunately, attackers also have access to the list and will zero in on organizations that lag behind on fixing these publicized threats.
CISA added 5 new threats to the list this week:
| CVE Number | CVE Title | Remediation Due Date |
|---|---|---|
| CVE-2020-11261 | Qualcomm Multiple Chipsets Improper Input Validation Vulnerability | 06/01/2022 |
| CVE-2018-14847 | MikroTik Router OS Directory Traversal Vulnerability | 06/01/2022 |
| CVE-2021-37415 | Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability | 12/15/2021 |
| CVE-2021-40438 | Apache HTTP Server-Side Request Forgery (SSRF) | 12/15/2021 |
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution | 12/15/2021 |
It turns out that patching vulnerable software, hardware, and applications, if implemented consistently, would stop most hackers in their tracks and significantly reduce risk. Ensuring you have patched all existing CVEs, as well as staying up to date with new vulnerability fixes, strengthens the health and security of your systems, your data, and ultimately your customers.
Here are our top 6 recommendations to implement a good patch management process:
- Take inventory of assets, systems and networks: you need to know exactly what you are protecting.
- Gather information about new patches and vulnerabilities. The CISA Known Exploited Vulnerabilities catalog and the NIST National Vulnerability Database (NVD) are both great resources for this. [https://www.cisa.gov/known-exploited-vulnerabilities-catalog] [https://nvd.nist.gov/]
- Determine which updates apply to which assets.
- Implement the patching process, monitor its progress, and mitigate where a patch cannot be applied immediately.
- Test patches to ensure they are functional.
- Keep a record of patching and ensure you are up to date with the latest versions.
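The inventory and catalog steps above can be joined in a few lines. This is an added example, not code from the original post or from Centraleyes: it matches scanner-reported CVEs per host against a constructed sample of the KEV feed (the same five CVEs as the table above, using the field names of CISA's published JSON feed) and reports how far each host is past the CISA remediation date. The hostnames, the inventory and the placeholder CVE id are all constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed; only the
# fields this script reads are included.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-11261", "vulnerabilityName": "Qualcomm Multiple Chipsets Improper Input Validation Vulnerability", "dueDate": "2022-06-01"},
    {"cveID": "CVE-2018-14847", "vulnerabilityName": "MikroTik Router OS Directory Traversal Vulnerability", "dueDate": "2022-06-01"},
    {"cveID": "CVE-2021-37415", "vulnerabilityName": "Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability", "dueDate": "2021-12-15"},
    {"cveID": "CVE-2021-40438", "vulnerabilityName": "Apache HTTP Server-Side Request Forgery (SSRF)", "dueDate": "2021-12-15"},
    {"cveID": "CVE-2021-44077", "vulnerabilityName": "Zoho ManageEngine ServiceDesk Plus Remote Code Execution", "dueDate": "2021-12-15"},
]})

# Constructed asset inventory: hostname -> CVEs the scanner reports as open.
# "CVE-0000-0000" is a placeholder for a finding that is not in the KEV catalog.
INVENTORY = {
    "edge-router-01": ["CVE-2018-14847"],
    "helpdesk-01": ["CVE-2021-44077", "CVE-2021-37415"],
    "web-proxy-02": ["CVE-2021-40438", "CVE-0000-0000"],
    "laptop-17": [],
}

def load_kev(feed_json):
    """Index the KEV feed by CVE id, parsing dueDate (ISO format) into a date."""
    return {v["cveID"]: {"name": v["vulnerabilityName"], "due": date.fromisoformat(v["dueDate"])}
            for v in json.loads(feed_json)["vulnerabilities"]}

def kev_exposure(inventory, kev, today):
    """Return {host: [(cve, name, days_overdue), ...]} for open CVEs that are in KEV,
    most overdue first. days_overdue is negative while the due date is still ahead.
    Hosts with no KEV findings are omitted; non-KEV findings are ignored."""
    report = {}
    for host, cves in inventory.items():
        hits = [(c, kev[c]["name"], (today - kev[c]["due"]).days) for c in cves if c in kev]
        if hits:
            report[host] = sorted(hits, key=lambda h: -h[2])
    return report

if __name__ == "__main__":
    rep = kev_exposure(INVENTORY, load_kev(KEV_SAMPLE), date(2022, 1, 10))
    for host, hits in rep.items():
        for cve, name, overdue in hits:
            state = f"{overdue} days past due" if overdue > 0 else f"due in {-overdue} days"
            print(f"{host}: {cve} ({name}) {state}")
```

Pointing `load_kev` at the live feed instead of `KEV_SAMPLE` turns this into a daily check of which hosts are past CISA's date.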
The Centraleyes risk management platform automatically ingests real-time vulnerability data from both your vulnerability scanners and public vulnerability databases, connecting the data to your risk and compliance assessments. Setting up the Centraleyes platform only takes minutes and allows you to start conducting your cyber security risk assessment with immediate insights and reports.
Take a free 30 day test drive and see for yourself how the platform can save you hundreds of hours of work. You need to see it to believe it!