Microsoft released patches for 84 vulnerabilities on Patch Tuesday, July 12, 2022. One of the CVEs was a critical zero-day vulnerability affecting Windows CSRSS. CISA added this vulnerability to the KEV list last week, bringing the total number of KEVs to 788. This week, CISA has recommended applying patches for 15 vulnerabilities by July 21, 2022. Let us see what they are:
How Far Back Do They Go?
Of the 15 KEVs, the oldest vulnerability, an Apache Struts 1 ActionForm denial-of-service vulnerability, dates back to 2006.
Which Vendors Are Affected?
Several prominent vendor products are affected by the vulnerabilities that need to be patched by July 21, 2022.
Severity Scores
Patching these vulnerabilities is a high priority, as most of them rank high on the CVSS scale.
Software Weaknesses
The following CWEs underlie the 15 vulnerabilities that need to be patched this week.
Table: DHS CISA KEVs
Most of these vulnerabilities are weaponized, meaning they have been actively used in attacks. CVE-2018-8453 is associated with more than five critical ransomware families. Hence, all federal agencies and private organizations should immediately patch this CVE and all the above-listed CVEs, as systems left unpatched are highly susceptible to attacks.