The BOD is for all federal civilian agencies, “however, all organizations should adopt this directive and prioritize mitigating vulnerabilities listed on our public catalog,” Easterly said in a tweet. The listed vulnerabilities can be found in federal networks as well as private ones.
CISA will continue to add vulnerabilities to its catalog as long as they meet the agency’s thresholds. The vulnerabilities have to: 
The catalog removes focus from vulnerabilities that only “carry a specific CVSS score,” the agency said. The BOD changes CISA’s existing vulnerability management strategy by targeting the bugs known to be under active exploitation.
The catalog stands as a reference guide for public and private organizations to “establish a more aggressive turnaround time to protect their networks against urgent, active threats,” CISA said. Companies can sign up for notifications to know when new CVEs have been added. 
September research from SpiderLabs found that more than half of servers have weak security postures, despite available patches. High-profile vulnerabilities in internet-facing services, including Microsoft Exchange Server, Apache Tomcat, QNAP NAS and VMware vCenter, showed minimal security improvement weeks after vendors published the remediation.
When CVEs in the catalog date back to 2017, it indicates companies have difficulty locating the affected instances. And in some cases, security teams may not have the authority to apply updates to business-critical tools, because doing so could cause a disruption or take the tools offline for a period.
Bad actors rely on common CVEs because doing so can help obscure attribution; in 2021 the most common CVEs were found in Microsoft Exchange, Pulse Secure, Accellion, VMware and Fortinet.
CISA is giving federal agencies until Nov. 17 to issue vendor updates for Accellion CVEs, which are mentioned in the catalog four times. Microsoft Exchange-related vulnerabilities are listed nine times, with update due dates ranging from Nov. 17 to May 3, 2022. 
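Acting on the catalog, whether from the notification signup mentioned above or from the per-vendor due dates here, usually means pulling CISA's JSON feed on a schedule, diffing it against the last pull and sorting the result by deadline. The script below is an added example written for this article, not CISA's own tooling. It assumes the documented field names of the KEV feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and runs offline on a constructed four-entry sample: the CVE IDs are real entries for the vendors named in the article, but the dates in the sample are placeholders for the example, not the catalog's actual values.

```python
"""Triage a CISA Known Exploited Vulnerabilities (KEV) feed by vendor and due date.

Added example for this article; not CISA's code. Assumes the documented field
names of the KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
"""
import json
import sys
from datetime import date, timedelta

# Constructed sample in the feed's shape. The CVE IDs are real entries for the
# vendors the article names; the dates are placeholders for this example only.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2021-11-03T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2021-27101", "vendorProject": "Accellion", "product": "FTA",
         "vulnerabilityName": "Accellion FTA SQL Injection Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17", "notes": ""},
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17", "notes": ""},
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-03", "notes": ""},
        {"cveID": "CVE-2021-22893", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
         "vulnerabilityName": "Pulse Connect Secure Authentication Bypass Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17", "notes": ""},
    ],
})

# Fields a remediation tracker actually depends on.
REQUIRED = ("cveID", "vendorProject", "product", "dateAdded", "requiredAction", "dueDate")


def load_catalog(text):
    """Parse a KEV feed, check the required fields and convert the ISO dates.

    Raises ValueError instead of dropping bad entries: a malformed feed should
    stop the pipeline, not quietly shrink the list of things to patch.
    """
    doc = json.loads(text)
    entries = doc.get("vulnerabilities")
    if not isinstance(entries, list):
        raise ValueError("feed has no 'vulnerabilities' list")
    if "count" in doc and doc["count"] != len(entries):
        raise ValueError(f"count field {doc['count']} does not match {len(entries)} entries")
    for entry in entries:
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            raise ValueError(f"{entry.get('cveID', '<no id>')} is missing {missing}")
        entry["_added"] = date.fromisoformat(entry["dateAdded"])
        entry["_due"] = date.fromisoformat(entry["dueDate"])
    return entries


def added_since(entries, since):
    """Entries added on or after `since`: the delta to alert on after each feed pull."""
    return sorted((e for e in entries if e["_added"] >= since), key=lambda e: e["cveID"])


def due_within(entries, today, days):
    """Entries whose deadline falls between today and `days` days out, soonest first."""
    horizon = today + timedelta(days=days)
    hits = [e for e in entries if today <= e["_due"] <= horizon]
    return sorted(hits, key=lambda e: (e["_due"], e["cveID"]))


def overdue(entries, today):
    """Entries whose due date has already passed, oldest deadline first."""
    return sorted((e for e in entries if e["_due"] < today), key=lambda e: (e["_due"], e["cveID"]))


def by_vendor(entries):
    """Map vendorProject -> sorted CVE IDs, for routing work to the right platform team."""
    groups = {}
    for e in entries:
        groups.setdefault(e["vendorProject"], []).append(e["cveID"])
    return {vendor: sorted(ids) for vendor, ids in groups.items()}


def main(argv):
    # Usage: python kev_triage.py [path-to-feed.json]; with no path, runs on the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_FEED
    entries = load_catalog(text)
    today = date.today()
    for label, rows in (("OVERDUE", overdue(entries, today)),
                        ("DUE IN 14 DAYS", due_within(entries, today, 14))):
        print(f"== {label} ({len(rows)}) ==")
        for e in rows:
            print(f"{e['dueDate']}  {e['cveID']:<16} {e['vendorProject']} {e['product']}")
    for vendor, ids in sorted(by_vendor(entries).items()):
        print(f"{vendor}: {', '.join(ids)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a freshly downloaded copy of the feed to get the overdue and upcoming lists for your own environment; persist the previous pull's `cveID` set and feed `added_since` the last pull date to reproduce the notification behaviour locally. Validation is deliberately strict: a feed with a wrong `count` or an entry without a `dueDate` is rejected outright, since a tracker that silently skips entries defeats the purpose of the catalog.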