CISA Says ‘HiveNightmare’ Windows Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 16 new CVE identifiers to its list of known exploited vulnerabilities, including a Windows flaw that federal agencies are required to patch within two weeks.

A majority of the 15 flaws added by CISA to its “Known Exploited Vulnerabilities Catalog” on Thursday are old — they were disclosed in 2014, 2015, 2016, 2017, 2018 and 2020. They impact Windows, Jenkins, Apache Struts and ActiveMQ, Oracle’s WebLogic, Microsoft Office, D-Link routers, and Apple’s OS X operating system.

The 16th vulnerability, a WebKit zero-day patched by Apple this week in iOS and macOS, was added to the list on Friday.

The most recent vulnerability of the ones added on Thursday is CVE-2021-36934, a Windows local privilege escalation vulnerability that Microsoft patched in August 2021. The tech giant initially released workarounds and mitigations in July 2021, when the issue was disclosed.

The flaw, named HiveNightmare and SeriousSam, can allow a local user with low privileges to achieve SYSTEM privileges. Cybersecurity experts warned at the time of disclosure that the vulnerability could pose a serious risk due to the fact that it’s easy to exploit.

Technical details and proof-of-concept (PoC) exploits for the vulnerability were made public even before Microsoft released patches.

There do not appear to be any recent public reports about active exploitation of CVE-2021-36934. However, CISA recently confirmed for SecurityWeek that it’s aware of real world attacks for each flaw included in the catalog, even if in some cases there do not appear to be any public reports of malicious exploitation. The agency said it does not publicly provide details about exploitation.


Microsoft confirms that details of the vulnerability are public and assigns it an “exploitation more likely” exploitability rating, but the company’s advisory (last updated in August 2021) currently says it’s not aware of attacks. Microsoft told SecurityWeek on Friday that it has nothing to share beyond its advisory and additional guidance.
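Neither the article nor the CISA catalog entry describes the underlying weakness, so a practitioner who wants to confirm whether a host is still exposed has to go to Microsoft's workaround guidance. The following PowerShell check is an added example, not code from SecurityWeek, Microsoft or CISA. It assumes, from Microsoft's published July 2021 workaround for CVE-2021-36934 as recalled here (verify against the current advisory), that the issue is overly permissive inherited ACLs on the registry hive files under %windir%\System32\config (SAM, SECURITY, SYSTEM) and that Volume Shadow Copies created while those ACLs were loose continue to expose readable copies of the hives even after the ACLs are corrected. The script reports whether BUILTIN\Users or Everyone has read access to those files and whether shadow copies exist; the remediation commands are left commented out.

```powershell
# Added example (not from the article, Microsoft or CISA): checks a host for the
# CVE-2021-36934 exposure as described in Microsoft's July 2021 workaround guidance.
# Assumed from that guidance: (1) the hive files under %windir%\System32\config
# should not grant read access to non-administrators, and (2) shadow copies made
# while the ACLs were permissive still expose readable hives and must be removed.
# Run in an elevated PowerShell session on the host being checked.

$configDir = Join-Path $env:windir 'System32\config'
$hives     = @('SAM', 'SECURITY', 'SYSTEM') | ForEach-Object { Join-Path $configDir $_ }

# 1. Does BUILTIN\Users or Everyone hold an Allow ACE with read access on any hive file?
#    Get-Acl only needs READ_CONTROL, so it works even though the kernel holds the files open.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed = foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -in @('BUILTIN\Users', 'Everyone') -and
            ($ace.FileSystemRights -band $readData)) {
            [pscustomobject]@{
                Hive     = $hive
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# 2. Are there shadow copies that may still contain readable copies of the hives?
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName

if ($exposed) {
    Write-Warning 'Hive files readable by non-administrators (CVE-2021-36934 ACL condition present):'
    $exposed | Format-Table -AutoSize
} else {
    Write-Host 'Hive file ACLs look correct: no BUILTIN\Users or Everyone read access.'
}

if ($shadows) {
    Write-Warning "$(@($shadows).Count) shadow copies present; copies created before the ACL fix may still expose the hives:"
    $shadows | Format-Table -AutoSize
} else {
    Write-Host 'No shadow copies present.'
}

# Remediation from the workaround guidance (assumed as above; uncomment to apply).
# Restoring inherited ACLs alone is not enough if old shadow copies remain.
# icacls "$configDir\*.*" /inheritance:e
# vssadmin delete shadows /for=$env:SystemDrive /quiet
```

Treat a non-empty shadow copy list as a finding even when the ACLs already look correct: the hive copies inside a pre-fix snapshot keep the permissions they had when the snapshot was taken. On patched systems (August 2021 update or later) the ACL check should come back clean, but the shadow copy check is still worth running on hosts that were mitigated by the workaround before the patch was applied.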

It’s possible that CISA added CVE-2021-36934 to the list of known exploited vulnerabilities based on information from a blog post published by SentinelOne in early August 2021. The endpoint security firm noted at the time that it had seen several malware samples uploaded to the VirusTotal scanning service that had incorporated the available HiveNightmare exploits. SentinelOne said the vulnerability could help attackers simplify the process of exfiltrating credentials.

SecurityWeek has reached out to SentinelOne to find out if CISA’s warning might be related to its older blog post and if it has actually seen those malware samples being used in the wild. However, the company was not able to share any information on Friday.

When CISA launched the list of known exploited vulnerabilities, it also announced Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to identify and address known exploited vulnerabilities within defined timeframes — newer flaws need to be patched within two weeks while older issues must be fixed within six months.

As instructed by the BOD, HiveNightmare will need to be patched by February 24, while the other flaws will need to be fixed by August 10.

As for CVE-2022-22620, the WebKit vulnerability that CISA added to its list on Friday, Apple says it has been exploited, but it has not shared any information about the attacks. CISA has given federal agencies until February 25 to patch the flaw.

While the BOD only applies to federal civilian agencies, CISA “strongly urges” all organizations to prioritize the vulnerabilities in its “must patch” list to reduce exposure to attacks.

Related: CISA Adds Recent iOS, SonicWall Vulnerabilities to ‘Must Patch’ List

Related: CISA Adds 15 Recent and Older Vulnerabilities to ‘Must-Patch’ List

Related: CISA Urges Organizations to Patch Exploited Windows Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.