CISA added two new vulnerabilities to its list of exploited-in-the-wild security bugs today, including a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs.
The elevation of privilege bug in the Windows Common Log File System driver is tracked as CVE-2022-37969, allowing local attackers to gain SYSTEM privileges after a successful exploit.
Microsoft fixed the vulnerability, which was discovered and reported by researchers from DBAPPSecurity, Mandiant, CrowdStrike and Zscaler, during the September 2022 Patch Tuesday.
“We found this 0Day bug during a proactive exploit hunting mission by the Offensive Task Force. A Privilege Escalation (EOP) exploit was found in the wild, exploiting this vulnerability in the Common Log File System (CLFS),” Dhanesh Kizhakkinan, Principal Vulnerability Engineer at Mandiant, told BleepingComputer.
“The exploit appears to be self-contained and not part of a chain (like browser + EOP).”
Apple also fixed an arbitrary code execution vulnerability (CVE-2022-32917) on Monday and confirmed it was being exploited in attacks as a zero-day bug in the iOS and macOS kernel.
This was the eighth zero-day used in the wild that Apple has tackled since the start of the year, all most likely used only in highly targeted attacks.
Federal agencies ordered to patch within three weeks
A Binding Operational Directive (BOD 22-01) published in November 2021 states that all Federal Civilian Executive Branch (FCEB) agencies must secure their networks against bugs added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
CISA has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until October 10, to fix these two security flaws and block attacks that could target their systems.
Even though the directive only applies to US federal agencies, the cybersecurity agency strongly encouraged all organizations to patch the Windows elevation of privilege and Apple kernel code execution flaws to thwart exploit attempts.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” CISA warned today.
Since the release of BOD 22-01, CISA has added more than 800 security vulnerabilities to the catalog of bugs exploited in the wild, forcing federal agencies to address them on a tighter schedule to block attacks and potential security vulnerabilities.