The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to patch two critical Firefox security vulnerabilities exploited in attacks within the next two weeks.
According to a Mozilla advisory published over the weekend, the two bugs (tracked as CVE-2022-26485 and CVE-2022-26486) are Use After Free flaws that allow attackers to trigger crashes and execute maliciously crafted code on targeted devices.
They’re rated as critical severity because they could let attackers execute almost any command on systems running vulnerable versions of Firefox, including downloading malware that would give them further access to the device.
Mozilla said it received “reports of attacks in the wild” abusing the two vulnerabilities, likely used for remote code execution (CVE-2022-26485) and escaping the browser sandbox (CVE-2022-26486).
According to a binding operational directive (BOD 22-01) issued in November, Federal Civilian Executive Branch (FCEB) agencies are now required to secure their systems against these vulnerabilities, with CISA giving them until March 21st to apply patches.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” the US cybersecurity agency explained.
CISA added nine other vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence that threat actors are also actively exploiting them in the wild.
One of them, tracked as CVE-2021-21973, impacts VMware vCenter servers, leads to information disclosure, and also has to be patched within two weeks.
CVE ID | Vulnerability Name | Due Date
--- | --- | ---
CVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22
CVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22
CVE-2021-21973 | VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF) | 03/21/22
CVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 09/07/22
CVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 09/07/22
CVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 09/07/22
CVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 09/07/22
CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 09/07/22
CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 09/07/22
CVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 09/07/22
CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 09/07/22
Even though BOD 22-01 only applies to FCEB agencies, CISA strongly urged all other private and public sector orgs to reduce their exposure to ongoing cyberattacks by prioritizing mitigation of these security flaws.
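For teams that want to act on the catalog rather than read it, the following added example (not code from the article, CISA or Mozilla) shows the check a defender would run: match Known Exploited Vulnerabilities entries against a software inventory and rank them by remediation due date. The record keys (cveID, vendorProject, product, vulnerabilityName, dueDate) follow the layout of CISA's public KEV JSON feed as far as I know it; the entries are constructed from the table above with dates converted to ISO form, and the inventory hosts and versions are made up. Note that the catalog carries no affected-version data, so a product match only tells you which assets to look at; whether an installed version is actually patched has to come from the vendor advisory.

```python
"""Rank CISA KEV entries against an asset inventory by due date (added example)."""
import json
from datetime import date, datetime

# Constructed sample of KEV records, shaped like the public feed's
# "vulnerabilities" array; rows are taken from the article's table.
KEV_SAMPLE = [
    {"cveID": "CVE-2022-26486", "vendorProject": "Mozilla", "product": "Firefox",
     "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
     "dueDate": "2022-03-21"},
    {"cveID": "CVE-2022-26485", "vendorProject": "Mozilla", "product": "Firefox",
     "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
     "dueDate": "2022-03-21"},
    {"cveID": "CVE-2021-21973", "vendorProject": "VMware", "product": "vCenter Server",
     "vulnerabilityName": "VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF)",
     "dueDate": "2022-03-21"},
    {"cveID": "CVE-2020-8218", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
     "vulnerabilityName": "Pulse Connect Secure Code Injection Vulnerability",
     "dueDate": "2022-09-07"},
    {"cveID": "CVE-2019-11581", "vendorProject": "Atlassian", "product": "Jira Server and Data Center",
     "vulnerabilityName": "Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability",
     "dueDate": "2022-09-07"},
]

# Made-up inventory. The version field is kept because a real inventory has it,
# but KEV records carry no version ranges, so it is not used for matching here.
INVENTORY = [
    {"host": "ws-0142", "vendor": "Mozilla", "product": "Firefox", "version": "x.y.z"},
    {"host": "ws-0177", "vendor": "mozilla", "product": "firefox", "version": "x.y.z"},
    {"host": "vc-prod-01", "vendor": "VMware", "product": "vCenter Server", "version": "x.y.z"},
    {"host": "jira-01", "vendor": "Atlassian", "product": "Jira Server and Data Center", "version": "x.y.z"},
]


def load_kev(path):
    """Read a downloaded copy of the KEV feed; the list sits under 'vulnerabilities'."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


def parse_due(entry):
    """KEV due dates are ISO 'YYYY-MM-DD' strings."""
    return datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()


def _key(vendor, product):
    # Normalise case and whitespace so inventory spelling differences still match.
    return (vendor.strip().lower(), product.strip().lower())


def triage(kev_entries, inventory, today):
    """One row per KEV entry that matches an inventoried product, soonest due first.

    days_left is negative once the due date has passed; overdue is True strictly
    after the due date (the due date itself still counts as on time).
    """
    by_product = {}
    for asset in inventory:
        by_product.setdefault(_key(asset["vendor"], asset["product"]), []).append(asset["host"])
    rows = []
    for entry in kev_entries:
        hosts = by_product.get(_key(entry["vendorProject"], entry["product"]))
        if not hosts:
            continue  # nothing in the fleet runs this product
        due = parse_due(entry)
        rows.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": due,
            "days_left": (due - today).days,
            "overdue": today > due,
            "hosts": sorted(set(hosts)),
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


def overdue_cves(kev_entries, inventory, today):
    """CVE IDs whose due date has already passed for at least one inventoried asset."""
    return [r["cveID"] for r in triage(kev_entries, inventory, today) if r["overdue"]]


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, INVENTORY, date.today()):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]:>4}d left'
        print(f'{row["cveID"]:<16} {row["dueDate"]}  {flag}  {row["product"]}: {", ".join(row["hosts"])}')
```

Swap `KEV_SAMPLE` for `load_kev("known_exploited_vulnerabilities.json")` and `INVENTORY` for an export from your asset database to run it against the live catalog; the sort order puts the shortest-deadline items, such as the two Firefox bugs here, at the top.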
CISA has added hundreds of vulnerabilities to its catalog of actively exploited bugs this year, ordering federal agencies to patch them as soon as possible to avoid security breaches.
Just last week, on Friday, the agency added 95 bugs to the list, eight of them rated critical with severity scores of at least 9.8 and impacting Cisco, Apache, and Exim products.