CISA gives US federal agencies three days to fix a VPN bug under attack by a ransomware gang
The Cybersecurity and Infrastructure Security Agency (CISA) issued a directive on November 1, 2023, requiring US federal agencies to patch a critical vulnerability in Check Point VPN products within three days. The directive follows reports from Check Point that a ransomware gang has been actively exploiting the flaw to breach dozens of organizations, including government entities. The vulnerability, identified as CVE-2023-26360, allows remote code execution, enabling attackers to gain unauthorized access and deploy ransomware.

CISA's directive emphasizes the severe risk posed by the unpatched vulnerability, particularly given the ongoing attacks. Federal agencies are required to apply the necessary security updates by November 4, 2023, to mitigate the threat and prevent further compromise of sensitive data and systems. CISA also advised agencies to disconnect affected VPN devices from their networks if patching is not immediately feasible, underscoring the severity of the situation.
Original source: read the full reporting at the publisher, TechCrunch.