CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.
The Common Vulnerabilities and Exposures (CVE®) Program announced today it is granting authority to the Cybersecurity and Infrastructure Security Agency (CISA) for managing the assignment of CVE Identifiers (IDs) for the CVE Program.
An open redirect – which can be used to give off-site malicious content the appearance of legitimacy – may not be on par with a fire, yet serious vulnerabilities in internet systems cause real-world, negative impacts every day. In many instances, a trained eye can spot critical deficiencies and yet have no one to report them to. It shouldn’t be hard to tell the government of potential cybersecurity issues — but it will be unless we’re intentional about making it easier.
On June 30, 2020, F5 Networks, Inc. (F5) disclosed a remote code execution (RCE) vulnerability in the BIG-IP Traffic Management User Interface (TMUI) that allows for file system manipulation and arbitrary code execution. The Cybersecurity and Infrastructure Security Agency (CISA) advises all BIG-IP users to update their devices to the F5 fixed software version as soon as possible.
CISA’s Vulnerability Disclosure Policy (VDP) Platform will support agencies with the option to use a centrally managed system to intake vulnerability information from and collaborate with the public to improve the security of the agency’s internet-accessible systems.
While agencies are responsible for managing risk to their networks, CISA is responsible for safeguarding and securing the Federal enterprise. We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary – indeed, this is only the second time CISA has ever issued an emergency directive.
CISA’s CVD program coordinates the remediation and public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendor(s). This includes new vulnerabilities in industrial control systems (ICS), Internet of Things (IoT), and medical devices, as well as traditional information technology (IT) vulnerabilities.
At CISA, we work to do good things. Some are easy, like eating pineapple on pizza. Some are hard, like managing risks in 5G. Yet we know that if it’s hard to do good things, most people won’t do them – and reporting a vulnerability on a government system shouldn’t be so hard.