CISA Adds Five Known Exploited Vulnerabilities to Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with five additional flaws affecting Hikvision, Rockwell, and Apple products based on evidence of active exploitation. Organizations, particularly federal agencies under BOD 22-01, are urged to prioritize remediation to reduce their exposure to cyberattacks.
Authors: CISA
Source:
CISA
Key Takeaways
- CISA added five new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation.
- Affected vendors include Hikvision, Rockwell, and Apple.
- Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities under BOD 22-01.
- All organizations are strongly urged to prioritize patching these vulnerabilities to reduce cyberattack exposure.
Affected Systems
- Hikvision Multiple Products
- Rockwell Multiple Products
- Apple iOS
- Apple iPadOS
- Apple Multiple Products
Vulnerabilities (CVEs)
- CVE-2017-7921
- CVE-2021-22681
- CVE-2021-30952
- CVE-2023-41974
- CVE-2023-43000
Attack Chain
Malicious cyber actors are actively exploiting specific vulnerabilities in Hikvision, Rockwell, and Apple products to compromise targeted systems. The exact attack chains vary per vulnerability, ranging from improper authentication and insufficient protected credentials to integer overflows and use-after-free memory corruption.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the alert; the focus is on vulnerability management and patching.
Detection Engineering Assessment
EDR Visibility: Low — The alert focuses on vulnerability announcements rather than specific post-exploitation telemetry or malware execution that EDR would capture. Network Visibility: Low — No specific network indicators of compromise (IOCs) or C2 infrastructure are provided. Detection Difficulty: Moderate — Detection relies on accurate asset inventory and vulnerability scanning rather than behavioral threat hunting.
Required Log Sources
- Vulnerability Management Scanners
- Asset Inventory Logs
- Mobile Device Management (MDM) Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Identify unpatched Hikvision, Rockwell, or Apple devices communicating with unexpected external IP addresses, potentially indicating post-exploitation C2 activity. | Network Flow Logs | Command and Control | Medium |
Control Gaps
- Lack of timely patch management
- Incomplete asset inventory for IoT/OT devices (Hikvision, Rockwell) and mobile endpoints (Apple)
Key Behavioral Indicators
- Vulnerable software or firmware versions present in asset inventory scans
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Patch or update affected Hikvision, Rockwell, and Apple products immediately.
- Review the CISA KEV catalog for specific remediation deadlines if operating as an FCEB agency.
Infrastructure Hardening
- Ensure IoT devices like Hikvision cameras and OT devices like Rockwell products are not directly exposed to the public internet.
- Implement strict network segmentation for vulnerable or legacy devices.
User Protection
- Update Apple iOS and iPadOS devices to the latest available versions via Mobile Device Management (MDM) or user prompts.
Security Awareness
- Incorporate CISA KEV catalog updates into standard vulnerability management and patching workflows.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1068 - Exploitation for Privilege Escalation