The Cybersecurity and Infrastructure Security Agency (CISA) added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days.
CISA's Known Exploited Vulnerabilities (KEV) catalog now includes two Microsoft Exchange vulnerabilities (CVE-2022-41040 and CVE-2022-41082) that, according to Microsoft, are being exploited in limited, targeted attacks.
Although Microsoft has yet to release security updates for this pair of actively exploited bugs, it has shared mitigation measures that require customers to add an IIS URL Rewrite blocking rule intended to block known attack patterns.
“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated schedule to release a fix,” Microsoft said earlier today.
The third security vulnerability that CISA added to its KEV catalog today (tracked as CVE-2022-36804) is a critical-severity command injection vulnerability in Atlassian's Bitbucket Server and Data Center, for which proof-of-concept exploit code is publicly available.
Attackers can achieve remote code execution by sending malicious HTTP requests; however, they must have access to a public repository or read permission on a private repository.
This RCE vulnerability affects all versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, up to 8.3.0.
We at @SolveCyberRisk @binaryedgeio observed active analysis and exploitation of the just announced CVE-2022-36804 – This CVE affects Atlassian Bitbucket, go patch: https://t.co/YYG1qY9uUg pic.twitter.com/Jy12W9ZB3E
—Tiago Henriques (@Balgan) September 23, 2022
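The version range above, and the BOD 22-01 due date discussed further down, are the two inputs a defender actually has to act on. The following script is an added example (not code from the article, CISA, Atlassian or Microsoft): it parses a JSON excerpt in the shape of CISA's KEV feed, matches entries against a small asset inventory, applies a per-CVE version check for Bitbucket, and reports how many days remain until each due date. The feed excerpt, the inventory (hostnames, versions) and the list of fixed Bitbucket releases are constructed for the demo; the fixed-release list in particular is an assumption taken from Atlassian's advisory and is not stated in the article, so verify it before relying on the check.

```python
"""Triage CISA KEV entries against a software inventory.

Added example (not from the article, CISA, Atlassian or Microsoft): it
parses a KEV-style JSON feed, matches entries to an inventory, applies a
per-CVE version check, and reports time left until the BOD 22-01 due date.
"""
import json
from datetime import date

# Constructed excerpt that mirrors the field names of CISA's KEV JSON feed.
# Entries are built from the three CVEs named in the article, not downloaded.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server zero-day (paired with CVE-2022-41082)",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
     "requiredAction": "Apply vendor mitigations until a patch is available."},
    {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server zero-day (paired with CVE-2022-41040)",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
     "requiredAction": "Apply vendor mitigations until a patch is available."},
    {"cveID": "CVE-2022-36804", "vendorProject": "Atlassian",
     "product": "Bitbucket Server and Data Center",
     "vulnerabilityName": "Atlassian Bitbucket Server and Data Center Command Injection Vulnerability",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    {"host": "ex01", "vendor": "Microsoft", "product": "Exchange Server", "version": "15.2.1118.7"},
    {"host": "bb01", "vendor": "Atlassian", "product": "Bitbucket Server", "version": "7.21.3"},
    {"host": "bb02", "vendor": "Atlassian", "product": "Bitbucket Server", "version": "8.3.1"},
    {"host": "bb03", "vendor": "Atlassian", "product": "Bitbucket Data Center", "version": "7.6.17"},
    {"host": "bb04", "vendor": "Atlassian", "product": "Bitbucket Server", "version": "6.10.17"},
]

# Fixed releases as listed in Atlassian's advisory for CVE-2022-36804. This
# list is an assumption of the example (not stated in the article); verify it
# against the advisory before relying on the check.
FIXED_BITBUCKET = ("7.6.17", "7.17.10", "7.21.4", "8.0.3", "8.1.3", "8.2.2", "8.3.1")


def parse_version(version):
    """Turn '7.21.3' into (7, 21, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def bitbucket_affected(version, fixed=FIXED_BITBUCKET):
    """True if a Bitbucket Server/Data Center version is in the affected range.

    The article's range is 'after 6.10.17, including 7.0.0, up to 8.3.0'; a
    build at or above the fixed release on the same major.minor branch is
    treated as patched.
    """
    v = parse_version(version)
    if not parse_version("6.10.17") < v <= parse_version("8.3.0"):
        return False
    for fixed_version in fixed:
        f = parse_version(fixed_version)
        if f[:2] == v[:2] and v >= f:
            return False
    return True


def _product_matches(entry, asset):
    """Loose match: vendor substring, and every word of the asset's product name in the KEV product."""
    vendor_ok = asset["vendor"].lower() in entry["vendorProject"].lower()
    asset_words = set(asset["product"].lower().split())
    return vendor_ok and asset_words <= set(entry["product"].lower().split())


def triage(feed_json, inventory, today, version_checks=None):
    """Return one finding per affected asset/CVE pair, soonest due date first.

    version_checks maps a cveID to a predicate over the asset's version; with no
    predicate every matching asset is reported, which is the conservative choice.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    version_checks = version_checks or {}
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        check = version_checks.get(entry["cveID"])
        for asset in inventory:
            if not _product_matches(entry, asset):
                continue
            if check is not None and not check(asset["version"]):
                continue
            days_left = (due - today).days
            findings.append({
                "cveID": entry["cveID"], "host": asset["host"], "version": asset["version"],
                "dueDate": entry["dueDate"], "days_left": days_left, "overdue": days_left < 0,
                "requiredAction": entry["requiredAction"],
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["cveID"], f["host"]))


if __name__ == "__main__":
    for f in triage(KEV_FEED_JSON, SAMPLE_INVENTORY, "2022-09-30",
                    {"CVE-2022-36804": bitbucket_affected}):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['cveID']} {f['host']} ({f['version']}) due {f['dueDate']} [{flag}]: {f['requiredAction']}")
```

Run as-is it reports bb01 for CVE-2022-36804 and ex01 for both Exchange CVEs, each with 21 days left as of 30 September; bb02 (8.3.1) is outside the range, bb03 (7.6.17) is on a fixed build and bb04 (6.10.17) is the last unaffected 6.x release. Against the real catalog you would replace `KEV_FEED_JSON` with the contents of CISA's published KEV JSON feed and the inventory with your own asset data; the product matching is deliberately loose, so treat a match as a prompt to check, not as proof of exposure.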
Federal agencies urged to mitigate
All Federal Civilian Executive Branch (FCEB) agencies must apply patches or mitigations for these three actively exploited bugs now that they have been added to the CISA KEV catalog, as required by Binding Operational Directive BOD 22-01, issued in November 2021.
Federal agencies were given three weeks, until October 21, to apply the fixes or mitigations and ensure that exploitation attempts are blocked.
CISA also urged all organizations worldwide, in both the private and public sectors, to prioritize patching these vulnerabilities, although BOD 22-01 only applies to US FCEB agencies.
Applying patches as soon as possible reduces the attack surface available to attackers attempting to breach their networks.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” CISA explained on Thursday.
Since issuing BOD 22-01 last year, CISA has added more than 800 security vulnerabilities to its catalog of bugs exploited in attacks and has required federal agencies to fix them on a tighter schedule.