Security Experts:

Connect with us

Hi, what are you looking for?



CISA Says ‘HiveNightmare’ Windows Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 16 new CVE identifiers to its list of known exploited vulnerabilities, including a Windows flaw that federal agencies are required to patch within two weeks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 16 new CVE identifiers to its list of known exploited vulnerabilities, including a Windows flaw that federal agencies are required to patch within two weeks.

A majority of the 15 flaws added by CISA to its “Known Exploited Vulnerabilities Catalog” on Thursday are old — they were disclosed in 2014, 2015, 2016, 2017, 2018 and 2020. They impact Windows, Jenkins, Apache Struts and ActiveMQ, Oracle’s WebLogic, Microsoft Office, D-Link routers, and Apple’s OS X operating system.

CISA adds new vulnerabilities to list of actively exploited security flawsThe 16th vulnerability, a WebKit zero-day patched by Apple this week in iOS and macOS, was added to the list on Friday.

The most recent vulnerability of the ones added on Thursday is CVE-2021-36934, a Windows local privilege escalation vulnerability that Microsoft patched in August 2021. The tech giant initially released workarounds and mitigations in July 2021, when the issue was disclosed.

The flaw, named HiveNightmare and SeriousSam, can allow a local user with low privileges to achieve SYSTEM privileges. Cybersecurity experts warned at the time of disclosure that the vulnerability could pose a serious risk due to the fact that it’s easy to exploit.

Technical details and proof-of-concept (PoC) exploits for the vulnerability were made public even before Microsoft released patches.

There do not appear to be any recent public reports about active exploitation of CVE-2021–36934. However, CISA recently confirmed for SecurityWeek that it’s aware of real world attacks for each flaw included in the catalog, even if in some cases there do not appear to be any public reports of malicious exploitation. The agency said it does not publicly provide details about exploitation.

[ READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes ]

Microsoft confirms that details of the vulnerability are public and assigns it an “exploitation more likely” exploitability rating, but the company’s advisory (last updated in August 2021) currently says it’s not aware of attacks. Microsoft told SecurityWeek on Friday that it has nothing to share beyond its advisory and additional guidance.

It’s possible that CISA added CVE-2021–36934 to the list of known exploited vulnerabilities based on information from a blog post published by SentinelOne in early August 2021. The endpoint security firm noted at the time that it had seen several malware samples uploaded to the VirusTotal scanning service that had incorporated the available HiveNightmware exploits. SentinelOne said the vulnerability could help attackers simplify the process of exfiltrating credentials.

SecurityWeek has reached out to SentinelOne to find out if CISA’s warning might be related to its older blog post and if it has actually seen those malware samples being used in the wild. However, the company was not able to share any information on Friday.

When CISA launched the list of known exploited vulnerabilities, it also announced Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to identify and address known exploited vulnerabilities within defined timeframes — newer flaws need to be patched within two weeks while older issues must be fixed within six months.

As instructed by the BOD, HiveNightmware will need to be patched until February 24, while the other flaws will need to be fixed by August 10.

As for CVE-2022-22620, the WebKit vulnerability that CISA added to its list on Friday, Apple says it has been exploited, but it has not shared any information about the attacks. CISA has given federal agencies until February 25 to patch the flaw.

While the BOD only applies to federal civilian agencies, CISA “strongly urges” all organizations to prioritize the vulnerabilities in its “must patch” list to reduce exposure to attacks.

Related: CISA Adds Recent iOS, SonicWall Vulnerabilities to ‘Must Patch’ List

Related: CISA Adds 15 Recent and Older Vulnerabilities to ‘Must-Patch’ List

Related: CISA Urges Organizations to Patch Exploited Windows Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.