The high-severity vulnerabilities that CISA has added to its patch-now list include SeriousSAM privilege escalation and SMB remote code execution.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 more vulnerabilities to its catalog of flaws that are actively exploited in the wild by hackers. Some are older, dating back to 2014, but two are from the past two years and are in Windows components.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” the agency said in its advisory. The CISA Known Exploited Vulnerabilities Catalog is updated regularly based on observations from real-world attacks, and each flaw receives a deadline by which federal agencies are obliged to patch it on their systems.

SeriousSAM and privilege escalation

One of the flaws just added to the list is CVE-2021-36934, also known in the security community as SeriousSAM because it is located in the Microsoft Windows Security Accounts Manager (SAM). This vulnerability has a CVSS severity score of 8 out of 10, and its impact is described as privilege escalation on Windows 10 systems.

The flaw stems from improper file access permissions on the file that stores the SAM database, allowing attackers with low-privilege access to extract password hashes for other accounts, including the SYSTEM one, and execute code with elevated privileges. The flaw was reported publicly in July 2021, forcing Microsoft to issue an out-of-band patch at the time. Researchers also showed that it is possible to exploit CVE-2021-36934 to extract hashes that could then allow the remote execution of code with SYSTEM privileges on other systems, making the flaw a serious risk for lateral movement inside environments.

CISA assigned it a patch deadline of February 24, even though it is the newest vulnerability on the list and the other ones received a patch deadline of August 10.
This suggests that the agency sees it as an immediate high risk even though it is a privilege escalation flaw. Privilege escalation vulnerabilities have lower severity scores than remote code execution ones because they require the attacker to have already obtained some level of access to a system. However, this is a low bar considering the multitude of ways in which attackers can get their code to execute on a system: email phishing, drive-by downloads, exploitation of vulnerabilities in low-privileged apps and services, social engineering, etc. Privilege escalation flaws are an essential part of modern exploit chains and should be treated just as seriously as remote code execution ones.

SMB remote code execution

The second most recent flaw added to the list by CISA is CVE-2020-0796, which is rated critical. It was patched by Microsoft in March 2020 and stems from the way the SMBv3 protocol handles certain requests with compression. It can result in remote code execution, both from clients to a server and from a server to clients, and impacts Windows 10 and Windows Server core installations.

SMB remote code execution flaws are dangerous because SMB is the main protocol at the core of all Windows networks, enabling file sharing, printer sharing, network browsing and service-to-service communication. In the past, SMB exploits like EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) enabled global ransomware worms like WannaCry that caused billions in damages. In fact, EternalBlue and EternalRomance are also among the 15 flaws that were added to the catalog.

The other flaws

The vulnerabilities added to the catalog impact a variety of common enterprise software, from operating systems like Windows and Apple’s OS X, to automation servers like Jenkins, development frameworks like Apache Struts, web application servers like Oracle WebLogic, the Apache ActiveMQ open-source message broker, and even router firmware.
The full list is:

CVE-2021-36934 – Microsoft Windows SAM Local Privilege Escalation Vulnerability
CVE-2020-0796 – Microsoft SMBv3 Remote Code Execution Vulnerability
CVE-2018-1000861 – Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
CVE-2017-9791 – Apache Struts 1 Improper Input Validation Vulnerability
CVE-2017-8464 – Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability
CVE-2017-10271 – Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
CVE-2017-0263 – Microsoft Win32k Privilege Escalation Vulnerability
CVE-2017-0262 – Microsoft Office Remote Code Execution Vulnerability
CVE-2017-0145 – Microsoft SMBv1 Remote Code Execution Vulnerability
CVE-2017-0144 – Microsoft SMBv1 Remote Code Execution Vulnerability
CVE-2016-3088 – Apache ActiveMQ Improper Input Validation Vulnerability
CVE-2015-2051 – D-Link DIR-645 Router Remote Code Execution Vulnerability
CVE-2015-1635 – Microsoft HTTP.sys Remote Code Execution Vulnerability
CVE-2015-1130 – Apple OS X Authentication Bypass Vulnerability
CVE-2014-4404 – Apple OS X Heap-Based Buffer Overflow Vulnerability
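To show how catalog deadlines like the February 24 and August 10 dates above turn into patching work, here is an added Python example (not part of the article, and not CISA tooling) that indexes a constructed sample written in the shape of CISA's KEV JSON feed and ranks a scanner's unpatched findings by how far they are from, or past, their due date. The field names follow the public feed's schema; the entries, hosts, dates and the report date are constructed for illustration.

```python
import json
from datetime import date, datetime
# Constructed sample in the shape of CISA's KEV JSON feed: the field names follow
# the public feed, but these entries and dates are illustrative, not copied from it.
SAMPLE_KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2021-36934", "vendorProject": "Microsoft", "product": "Windows",
  "vulnerabilityName": "Microsoft Windows SAM Local Privilege Escalation Vulnerability",
  "dateAdded": "2022-02-10", "dueDate": "2022-02-24"},
 {"cveID": "CVE-2020-0796", "vendorProject": "Microsoft", "product": "SMBv3",
  "vulnerabilityName": "Microsoft SMBv3 Remote Code Execution Vulnerability",
  "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
 {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
  "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability",
  "dateAdded": "2022-02-10", "dueDate": "2022-08-10"}
]}"""
# Constructed scanner output: CVE ids still reported as unpatched, per host.
SAMPLE_UNPATCHED = {
    "dc01": ["CVE-2021-36934", "CVE-2017-0144"],
    "web02": ["CVE-2020-0796", "CVE-2099-0001"],  # last id is not in the KEV feed
}
REPORT_DATE = date(2022, 3, 1)  # constructed "today" for the report

def load_kev(feed_text):
    """Index KEV entries by CVE id, with dueDate parsed into a date."""
    feed = json.loads(feed_text)
    return {v["cveID"]: {**v, "dueDate": datetime.strptime(v["dueDate"], "%Y-%m-%d").date()}
            for v in feed["vulnerabilities"]}

def triage(kev, unpatched, today):
    """Return (host, cve, days_until_due, vulnerabilityName) for each unpatched finding
    that is in the catalog, most urgent first; negative days means the deadline has
    passed. Findings outside the catalog are skipped (still need patching, no KEV date)."""
    rows = []
    for host, cves in unpatched.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is not None:
                rows.append((host, cve, (entry["dueDate"] - today).days, entry["vulnerabilityName"]))
    return sorted(rows, key=lambda r: r[2])

def overdue(kev, unpatched, today):
    """Triage rows whose KEV due date has already passed."""
    return [r for r in triage(kev, unpatched, today) if r[2] < 0]

if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for host, cve, days, name in triage(kev, SAMPLE_UNPATCHED, REPORT_DATE):
        state = f"OVERDUE by {-days}d" if days < 0 else f"due in {days}d"
        print(f"{host:6} {cve:15} {state:16} {name}")
```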