Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

CISA Adds Recent iOS, SonicWall Vulnerabilities to ‘Must Patch’ List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the addition of eight more vulnerabilities to the list of security flaws known to be exploited in malicious attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the addition of eight more vulnerabilities to the list of security flaws known to be exploited in malicious attacks.

Released in November 2021, CISA’s Known Exploited Vulnerabilities Catalog has more than 350 entries, and the agency is periodically adding new bugs.

On Monday, CISA expanded the list with both new and old security issues, including vulnerabilities recently patched in Apple iOS and SonicWall SMA 100 appliances.

Tracked as CVE-2022-22587, the iOS flaw is a memory corruption security defect impacting the oft-targeted iOS kernel extension IOMobileFrameBuffer that could be exploited to execute arbitrary code with kernel privileges.

Apple patched the vulnerability last week, with the release of iOS 15.3 and iPadOS 15.3. Right from the start, the Cupertino, Calif.-based tech giant warned that it received a report of this bug being exploited in malicious attacks.

[READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes]

The SonicWall Secure Mobile Access (SMA) 100 appliances vulnerability, which is tracked as CVE-2021-20038, was patched in December 2021. It is described as a critical-severity (CVSS score of 9.8) stack-based buffer overflow leading to complete device takeover.

At least one proof-of-concept (PoC) exploit was publicly available when the patch was released, and in-the-wild exploitation attempts were confirmed last week.

Federal agencies have until February 11 to apply the available fixes. As per BOD 22-01, which was published along CISA’s “Must Patch” list, federal agencies have to patch the issues in the catalog within a specific timeframe and to report on the status of the patches.

The remaining six vulnerabilities that CISA added to the list this week are older flaws affecting GNU Bash (CVE-2014-7169 and CVE-2014-6271), Microsoft Windows (CVE-2020-0787), Internet Explorer (CVE-2014-1776), Grandstream UCM6200 series (CVE-2020-5722), and Intel AMT, SBT, and Standard Manageability (CVE-2017-5689).

CISA gave federal organizations until July 11 to address these vulnerabilities within their environments. However, the agency told SecurityWeek that those organizations that fail to meet the established deadlines will not be penalized.

Furthermore, the agency clarified that the catalog was created to help organizations both patch high-risk flaws within their networks and to create and improve their vulnerability management processes.

Related: CISA Releases Final IPv6 Security Guidance for Federal Agencies

Related: CISA Expands ‘Must-Patch’ List With Log4j, FortiOS, Other Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.