Tag

Cisa

All articles tagged with #cisa

CISA sidelined as White House coordinates AI-era cyber response
technology, 8 hours ago

CISA is shrinking and largely sidelined as the White House forges a multi-agency AI cyber response, raising concerns about protection of critical infrastructure amid fears that AI-enabled attackers could exploit gaps. The agency has faced staffing and budget cuts, leaving leadership and bench strength diminished, even as plans surface for a staffing surge and a coordinated vulnerability-management role in the broader effort.

Congress Demands Answers as CISA Struggles to Contain Contractor-Linked Data Leak
technology, 2 days ago

Lawmakers from both parties pressed CISA for answers after KrebsOnSecurity reported a contractor publicly posted plaintext credentials and AWS GovCloud keys to a GitHub account, triggering ongoing credential rotation and breach containment. Experts warn that exposed keys could enable access to code, CI/CD pipelines, and sensitive systems. CISA says it is rotating leaked credentials and coordinating with vendors, while lawmakers demand answers about internal policies amid leadership turnover and broader concerns about the agency’s security culture.

Microsoft patches Defender zero-days actively exploited in the wild
technology, 4 days ago

Microsoft released patches for two Defender zero-days—CVE-2026-41091 (privilege escalation in Malware Protection Engine) and CVE-2026-45498 (DoS in Antimalware Platform)—to stop active exploits. The updates install automatically by default, but admins should verify the Malware Protection Engine and Antimalware Platform versions are current. CISA added these flaws to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 3 under BOD 22-01. The piece also notes mitigations for a Windows BitLocker flaw nicknamed YellowKey.

Senate seeks classified briefing over CISA credential exposure
technology, 6 days ago

Sen. Maggie Hassan has asked for an urgent classified briefing from acting CISA director Nick Andersen after reports that an exposed private contractor GitHub repository contained internal CISA and DHS credentials, logs and keys. Hassan seeks details on how the exposure happened, what was exposed, which contractor was responsible, and what steps are being taken to mitigate, with the briefing requested before June 5. CISA says there’s no indication sensitive data was compromised and is implementing additional safeguards.

Public GitHub repo exposed CISA secrets, enabling high-privilege access
security, 6 days ago

Security researchers revealed that a public GitHub repository named Private-CISA had exposed plaintext passwords, SSH private keys, tokens, and other sensitive CISA assets since at least November 2025, potentially enabling high-privilege access to AWS GovCloud. The repository is now offline and was reportedly managed by Nightwing, a CISA contractor that has not publicly commented. The incident follows earlier CISA missteps, including a director uploading sensitive documents to ChatGPT.
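The three items above describe one failure mode: live credentials (AWS GovCloud keys, SSH private keys, tokens, passwords) committed to a repository that later turned out to be public. As an added example, not code from any of those articles, from CISA or from the contractor, here is a small pre-commit style secret scanner in Python. The detector rules, the allowlist, and the sample repository are constructed for this example; the AWS key pair in it is the placeholder pair used in AWS documentation, not a real credential. GovCloud access keys share the AKIA/ASIA prefix of commercial-region keys, so the same rule covers both.

```python
import re
from dataclasses import dataclass

# Detector rules. The AWS access-key and GitHub-token prefixes are documented
# formats; the secret-key and password rules are heuristics that need tuning
# for a real codebase (assumed patterns for this example).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |ENCRYPTED )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

# Values that are obviously placeholders and should not block a commit.
ALLOWLIST = {"changeme", "replace_me", "your_password_here"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # redacted so the scan report itself does not leak the secret


def redact(value: str) -> str:
    """Keep a short prefix for identification, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if rx.groups else m.group(0)
                if value.lower() in ALLOWLIST:
                    continue
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps path -> content, e.g. the staged blobs in a pre-commit hook."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def should_block_commit(findings: list[Finding]) -> bool:
    # Any hit blocks. Once a secret has reached a public remote, rewriting
    # history is not enough: the credential has to be rotated.
    return bool(findings)


# Constructed sample repository. The AWS key pair is the placeholder pair
# used in AWS documentation, not a live credential.
SAMPLE_REPO = {
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_DEFAULT_REGION=us-gov-west-1\n"
    ),
    "ops/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMw\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "ci/settings.py": (
        "DB_PASSWORD = 'Tr0ub4dor&3x'\n"
        "GITHUB_TOKEN = 'ghp_" + "A" * 36 + "'\n"
    ),
    "README.md": "Set DB_PASSWORD=changeme before the first run.\n",
}

if __name__ == "__main__":
    hits = scan_repo(SAMPLE_REPO)
    for h in hits:
        print(f"{h.path}:{h.line_no}: {h.kind}: {h.excerpt}")
    raise SystemExit(1 if should_block_commit(hits) else 0)
```

Wired into a pre-commit hook, a non-zero exit stops the commit before the blob ever leaves the developer's machine, which is the cheap point to catch this; after a push to a public remote the only safe response is the credential rotation the articles describe.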

CISA urges critical infrastructure to prep for cyber outages with isolation and recovery plans
technology, 20 days ago

CISA unveiled the CI Fortify guidance urging water utilities, transportation and other critical infrastructure sectors to plan for geopolitical cyber outages by building isolation measures to protect OT and preparing recovery procedures, including system backups and manual operation, with targeted assessments and a renewed hiring push.

CISA Maps ICS Stakeholder Roles to Strengthen Isolation and Recovery Readiness
technology, 20 days ago

CISA's CI Fortify guidance explains how Industrial Automation Control System vendors, service providers, security vendors, and volunteers should proactively identify blockers to isolation and recovery, prepare for telecom outage failure states, support backups and recovery documentation, and establish crisis communication paths with CISA (including contact details) to improve resilience during crises.

Linux Copy Fail flaw exploited to gain root across major distros, CISA warns
security, 22 days ago

CISA warns that the Copy Fail vulnerability (CVE-2026-31431) in the Linux kernel’s algif_aead interface is being exploited to obtain root privileges on unpatched systems; a PoC has been shown against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Patches are rolling out across major distributions. CISA added the flaw to the Known Exploited Vulnerabilities catalog and urges prompt patching per vendor guidance under BOD 22-01; the flaw follows earlier Linux privilege-escalation fixes such as Pack2TheRoot.

CISA orders patch for Windows zero-click flaw tied to NTLM hash leaks
technology, 27 days ago

CISA has added CVE-2026-32202 to the Known Exploited Vulnerabilities list and ordered U.S. federal agencies to patch Windows endpoints and servers by May 12 under Binding Operational Directive (BOD) 22-01. The flaw is described as a zero-click NTLM hash-leak vulnerability that can be exploited in pass-the-hash attacks and may stem from an incomplete fix for CVE-2026-21510, which APT28-linked actors used in attacks against Ukraine and EU targets. Microsoft also flagged the vulnerability as exploited in the wild, and security teams are urged to apply vendor mitigations or discontinue the product if mitigations aren’t available. The alert comes as three other Windows flaws (BlueHammer, RedSun, UnDefend) are also being actively exploited to gain SYSTEM or higher privileges.

Firestarter Backdoor Survives Cisco Patch Cycles on Firepower Gear
security, 1 month ago

U.S. CISA and U.K. NCSC warn that Firestarter malware survives patching on Cisco Firepower/ASA/FTD devices: it hooks into the LINA process and relaunches itself after reboots or firmware updates. Attackers used Line Viper to gain initial access before deploying Firestarter. Cisco provides mitigations and recommends reimaging, with a cold restart as a last resort (it risks disk damage); CISA has released YARA rules to aid detection.

CISA Mandates Patch for BlueHammer Windows Flaw in Two Weeks
security, 1 month ago

CISA has ordered U.S. federal agencies to patch CVE-2026-33825, a Microsoft Defender privilege-escalation flaw nicknamed BlueHammer that was exploited as a zero-day before Microsoft released a fix on April 14. Agencies have two weeks (until May 7) to secure Windows systems, with CISA warning of ongoing exploitation and advising mitigations or product discontinuation if fixes aren’t available. The report also notes related flaws (RedSun, UnDefend) disclosed by Chaotic Eclipse and evidence of active intrusion including hands-on-keyboard activity and suspicious FortiGate VPN activity tied to Russia. CISA added the flaw to the Known Exploited Vulnerabilities catalog and highlighted broader risks from similar Windows zero-days.

Anthropic Mythos expands to agencies, but CISA remains excluded
technology, 1 month ago

Anthropic's Mythos Preview is being piloted by several U.S. federal agencies for finding and patching security vulnerabilities, with the Commerce Department and NSA reportedly testing it and discussions for broader access by the administration; however CISA reportedly did not gain access, highlighting questions about prioritizing the central cybersecurity agency amid budget and staffing constraints.

CISA Flags Exploited Windows Task Host Flaw Elevating Privileges
security, 1 month ago

CISA has flagged CVE-2025-60710, a Windows Task Host privilege-escalation flaw, as actively exploited, giving federal agencies two weeks to patch under Binding Operational Directive 22-01 and urging all organizations to do the same. The link-following vulnerability affects Windows 11 and Windows Server 2025 and lets a user with basic permissions gain SYSTEM-level control. Microsoft patched the issue in November 2025, but its advisory has not yet confirmed active exploitation, so defenders should apply vendor mitigations or discontinue the affected component per CISA guidance.

CISA Adds Six Actively Exploited Vulnerabilities to KEV Across Fortinet, Microsoft, and Adobe
security, 1 month ago

CISA added six vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation: CVE-2026-21643 (Fortinet FortiClient EMS SQL injection), CVE-2020-9715 (Adobe Acrobat Reader use-after-free), CVE-2023-36424 (Windows CLFS out-of-bounds read), CVE-2023-21529 (Exchange Server deserialization leading to remote code execution), CVE-2025-60710 (Windows Task Scheduler local privilege escalation), and CVE-2012-1854 (VBA insecure library loading enabling remote code execution). Defused Cyber reported exploitation of CVE-2026-21643 since March 24, 2026; Storm-1175 has weaponized CVE-2023-21529 to deliver Medusa ransomware; CVE-2012-1854 had targeted-attack activity in 2012. No public reports of exploitation yet for the other three. FCEB agencies must patch by April 27, 2026, with FortiClient EMS fixes due by April 16, 2026.
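KEV additions, BOD 22-01 due dates and the "apply mitigations or discontinue the product" required action recur through most of the items on this page. As an added example, not code from any of the articles or from CISA, the following Python joins a vulnerability scanner's findings against a KEV feed excerpt and orders them by remaining time under BOD 22-01, with ransomware-linked CVEs first among equals. The excerpt uses the field names of CISA's public KEV JSON feed (known_exploited_vulnerabilities.json); its six entries are built from the CVE IDs, products and due dates in the item above, while the dateAdded values, vulnerability names, hostnames and the "today" date are assumed for the demo. CVE-0000-0000 is a placeholder ID standing in for any finding that is not in KEV.

```python
import json
from datetime import date

REQUIRED_ACTION = ("Apply mitigations per vendor instructions or discontinue "
                   "use of the product if mitigations are unavailable.")


def _entry(cve, vendor, product, name, added, due, ransomware="Unknown"):
    # Field names follow CISA's KEV JSON feed; values are a constructed sample.
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": added, "dueDate": due,
            "requiredAction": REQUIRED_ACTION,
            "knownRansomwareCampaignUse": ransomware}


# Constructed catalog excerpt. CVE IDs, products and due dates match the
# item above; dateAdded values and names are assumed.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 6,
    "vulnerabilities": [
        _entry("CVE-2026-21643", "Fortinet", "FortiClient EMS",
               "FortiClient EMS SQL Injection", "2026-04-02", "2026-04-16"),
        _entry("CVE-2020-9715", "Adobe", "Acrobat Reader",
               "Acrobat Reader Use-After-Free", "2026-04-06", "2026-04-27"),
        _entry("CVE-2023-36424", "Microsoft", "Windows",
               "Windows CLFS Out-of-Bounds Read", "2026-04-06", "2026-04-27"),
        _entry("CVE-2023-21529", "Microsoft", "Exchange Server",
               "Exchange Server Deserialization RCE", "2026-04-06", "2026-04-27",
               ransomware="Known"),
        _entry("CVE-2025-60710", "Microsoft", "Windows",
               "Windows Task Scheduler Privilege Escalation", "2026-04-06", "2026-04-27"),
        _entry("CVE-2012-1854", "Microsoft", "VBA",
               "VBA Insecure Library Loading", "2026-04-06", "2026-04-27"),
    ],
})

# Constructed scanner output: which CVEs were found on which hosts.
# CVE-0000-0000 is a placeholder ID, present only to show the non-KEV path.
SCAN_FINDINGS = [
    {"host": "ems01", "cve": "CVE-2026-21643"},
    {"host": "exch01", "cve": "CVE-2023-21529"},
    {"host": "ws-017", "cve": "CVE-2025-60710"},
    {"host": "ws-017", "cve": "CVE-0000-0000"},
    {"host": "fs02", "cve": "CVE-2023-36424"},
]

DEMO_TODAY = date(2026, 4, 20)  # assumed "today" for the demo


def load_kev(json_text: str) -> dict:
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(json_text)["vulnerabilities"]}


def triage(kev: dict, findings: list, today: date) -> list:
    """Join findings against KEV and order them most urgent first: overdue
    items, then nearest due date, ransomware-linked CVEs ahead of others
    sharing a date."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # still a vulnerability, but not on the BOD 22-01 clock
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["days_left"], not r["ransomware"], r["cve"]))
    return rows


def not_in_kev(kev: dict, findings: list) -> list:
    """CVEs the scanner found that carry no KEV deadline (normal SLA still applies)."""
    return sorted({f["cve"] for f in findings} - set(kev))


def demo_rows() -> list:
    return triage(load_kev(KEV_SAMPLE), SCAN_FINDINGS, DEMO_TODAY)


if __name__ == "__main__":
    for r in demo_rows():
        state = f"OVERDUE by {-r['days_left']}d" if r["overdue"] else f"{r['days_left']}d left"
        flag = " [ransomware]" if r["ransomware"] else ""
        print(f"{r['host']:8} {r['cve']:15} due {r['due']} {state}{flag}")
    print("not in KEV:", not_in_kev(load_kev(KEV_SAMPLE), SCAN_FINDINGS))
```

The due date is the only deadline BOD 22-01 imposes, so it is the primary sort key; ransomware use is a tie-breaker rather than an override, and findings absent from KEV are reported separately so they are not silently dropped from the patch queue.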