The US Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in zero-day attacks to its list of bugs known to be abused in the wild.

Two of them impact Microsoft products and allow attackers to achieve remote code execution (CVE-2023-21823) and elevate privileges (CVE-2023-23376) on unpatched Windows systems by exploiting vulnerabilities in the Common Log File System driver and graphics components.

A third (CVE-2023-21715) can be exploited to circumvent Microsoft Office macro policies to deliver malicious payloads via untrusted files.

Microsoft patched all three earlier this week as part of the February 2022 Patch Tuesday and classified them as zero days that were abused in attacks before a fix was available.

The fourth, a WebKit type confusion issue (CVE-2023-23529) that could lead to the execution of arbitrary code, was addressed by Apple on Monday and has been labeled as actively exploited in the wild.

The list of devices impacted by this WebKit zero-day is quite extensive, affecting older and newer models, including iPhone 8 and later, Macs running macOS Ventura, all iPad Pro models, and more.

Federal agencies have three weeks to patch

According to a November 2021 Binding Operational Directive (BOD 22-01), all federal civilian executive branch (FCEB) agencies are required to secure their systems against security bugs added to CISA's Known Exploited Vulnerabilities catalog.

CISA has now given US federal agencies three weeks, until March 7, to patch the four Apple and Microsoft security vulnerabilities and thwart attacks that could target their networks.

Even though the directive only applies to US federal agencies, the cybersecurity agency urges all organizations to fix security bugs to block any attack attempt to compromise their Windows or iOS devices.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

Since the release of BOD 22-01, CISA has added hundreds of new security vulnerabilities known to be exploited in the wild to its bug list, ordering federal agencies to patch their systems to prevent breaches.

Today, CISA added another flaw, a critical pre-authentication command injection bug (CVE-2022-46169) in the Cacti network monitoring tool that was abused by malicious actors to deliver malware.