On May 4, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added five “new” vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog. Three of the entries were originally disclosed in 2014, including the infamous Heartbleed vulnerability (CVE-2014-0160).
CISA adds the Heartbleed vulnerability
Before Log4Shell, there was Heartbleed, a third-party library vulnerability that still poses a challenge to organizations: five years after its discovery, it was still the third most exploited issue. Now, with its inclusion in the Known Exploited Vulnerabilities Catalog, security teams will have to triage their systems once again. Determining which IoT, ICS, or other devices may be vulnerable, however, may prove difficult.
Organizations have only three weeks to remediate
The two most recent vulnerabilities CISA has added are CVE-2021-1789 and CVE-2019-8506.
First exploited as a zero-day, CVE-2021-1789 captured headlines in 2021, and then again at the start of this year after reportedly being used against pro-democracy Hong Kong residents.
Although there is little publicly disclosed evidence of active exploitation for these two issues, CISA has still given Federal Civilian Executive Branch (FCEB) agencies only three weeks to remediate all of the issues added on May 4th. Organizations should therefore assume that threat actors still keep these exploits in their repertoire and proceed accordingly.
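As an added example (not part of the original post and not Flashpoint or CISA tooling), the script below shows how a security team can work the KEV feed against the two points above: pull the entries added on a given day, confirm the remediation window, and flag old CVEs such as the 2014 entries that will need an inventory search rather than a routine patch cycle. The embedded catalog is a constructed sample that mirrors the public feed's field names; the CVE IDs are those named in the post, while the names and dates are sample values.

```python
import json
from datetime import date

# Constructed sample, not a live download: it mirrors the field names of the
# public CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate).
# CVE IDs are those named in the post; names and dates are sample values.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
     "vulnerabilityName": "Heartbleed (sample)", "dateAdded": "2022-05-04", "dueDate": "2022-05-25"},
    {"cveID": "CVE-2021-1789", "vendorProject": "Apple", "product": "Multiple Products",
     "vulnerabilityName": "WebKit issue (sample)", "dateAdded": "2022-05-04", "dueDate": "2022-05-25"},
    {"cveID": "CVE-2019-8506", "vendorProject": "Apple", "product": "Multiple Products",
     "vulnerabilityName": "WebKit issue (sample)", "dateAdded": "2022-05-04", "dueDate": "2022-05-25"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j",
     "vulnerabilityName": "Log4Shell (sample)", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
]})

def parse_kev(text):
    """Parse the feed and convert the ISO date strings into date objects."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        e = dict(v)
        e["dateAdded"] = date.fromisoformat(v["dateAdded"])
        e["dueDate"] = date.fromisoformat(v["dueDate"])
        entries.append(e)
    return entries

def added_on(entries, day):
    """Entries CISA added to the catalog on a specific day."""
    return [e for e in entries if e["dateAdded"] == day]

def remediation_window_days(entry):
    """Days between catalog addition and the FCEB due date (21 = three weeks)."""
    return (entry["dueDate"] - entry["dateAdded"]).days

def cve_year(entry):
    return int(entry["cveID"].split("-")[1])

def triage(entries, today, legacy_gap_years=5):
    """Return (cveID, days_left, is_legacy) sorted by urgency.

    days_left < 0 means the due date has passed. is_legacy marks CVEs disclosed
    well before they were catalogued, which usually need an asset inventory
    search (IoT, ICS, embedded) rather than a routine patch run."""
    rows = [(e["cveID"], (e["dueDate"] - today).days,
             e["dateAdded"].year - cve_year(e) >= legacy_gap_years) for e in entries]
    return sorted(rows, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    for row in triage(parse_kev(SAMPLE_KEV_JSON), date(2022, 5, 10)):
        print(row)
```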
Remediate effectively with Flashpoint
In order to remediate risk effectively, organizations need the full vulnerability intelligence picture. And when it comes to classic issues like Heartbleed, security teams can easily become overwhelmed with the information out there. Sign up for a free VulnDB trial to get all known details for Heartbleed, as well as every other issue identified in the KEV Catalog.