Broadcom Threat Bulletin Update

According to the latest Broadcom Threat Bulletin, old vulnerabilities don’t disappear—they just get added to the patching list.

The Cybersecurity and Infrastructure Security Agency (CISA) recently added a vulnerability that is more than three years old to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, every federal civilian executive branch (FCEB) agency must apply the vendor patch or the listed mitigation for each new KEV entry by the due date CISA publishes alongside it.

CISA routinely adds both old and new vulnerabilities to this catalog when there is evidence they are being actively exploited. New vulnerabilities are the common case, but older ones make the list too. For instance, in May 2024 CISA added a 2020 vulnerability in Apache Flink, a stream-processing and batch-processing framework. This directory traversal flaw (CVE-2020-17519) in Flink 1.11.0 through 1.11.2 lets a remote attacker read any file on the JobManager's local filesystem that the JobManager process can read, via its REST interface. Fixes shipped in Flink 1.11.3 and 1.12.0 in December 2020, so its appearance in the KEV catalog more than three years later means unpatched deployments are still being found and exploited.
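The bug class behind the Flink entry is directory traversal in a file-serving endpoint: a handler takes a filename from the request and joins it onto a base directory without making sure the result stays inside that directory. The Python below is an added illustration written for this page; it is not Flink's code and does not reproduce the specific request used against CVE-2020-17519. It builds a throwaway directory tree (the file names and contents are constructed) and compares a common wrong pattern, a blacklist on the raw request string followed by URL-decoding, with a containment check on the canonical path. The `..%2f` encoding in the demo slips past the blacklist because the check runs before the decode.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_read(log_dir: str, requested: str) -> bytes:
    """Wrong pattern: reject '../' in the raw request, decode afterwards, never check
    where the joined path ends up. The blacklist looks at a string that has not yet
    been decoded, so an encoded slash ("..%2f") walks straight through."""
    if "../" in requested or "..\\" in requested:
        raise PermissionError("traversal sequence rejected")
    name = unquote(requested)                      # "..%2fsecret.txt" -> "../secret.txt"
    with open(os.path.join(log_dir, name), "rb") as f:
        return f.read()


def hardened_read(log_dir: str, requested: str) -> bytes:
    """Containment check on the canonical path. Decoding depth no longer matters: if
    a name still contains '%2f' after one decode it is just a literal filename that
    does not exist (404), and anything that resolves outside the root is refused.
    resolve() also follows symlinks, so a link inside log_dir pointing elsewhere is
    caught too."""
    root = Path(log_dir).resolve()
    candidate = (root / unquote(requested)).resolve()   # an absolute name replaces root and is caught below
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{requested!r} resolves outside {root}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


def demo() -> dict:
    """Build a constructed tree: logs/jobmanager.log is meant to be served,
    secret.txt one level up is not. Returns each handler's outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        logs = root / "logs"
        logs.mkdir()
        (logs / "jobmanager.log").write_bytes(b"INFO started\n")
        (root / "secret.txt").write_bytes(b"db_password=hunter2\n")   # constructed content

        results = {}
        results["legit_vuln"] = vulnerable_read(str(logs), "jobmanager.log")
        results["legit_hard"] = hardened_read(str(logs), "jobmanager.log")

        # The literal form is blocked by the blacklist, which is why it looks safe...
        try:
            vulnerable_read(str(logs), "../secret.txt")
            results["plain_vuln"] = "allowed"
        except PermissionError:
            results["plain_vuln"] = "blocked"

        # ...but the encoded form is decoded after the check and reads the secret.
        results["encoded_vuln"] = vulnerable_read(str(logs), "..%2fsecret.txt")

        # The hardened handler refuses both forms, and an absolute path.
        for label, req in (("plain_hard", "../secret.txt"),
                           ("encoded_hard", "..%2fsecret.txt"),
                           ("absolute_hard", str(root / "secret.txt"))):
            try:
                hardened_read(str(logs), req)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value!r}")
```

The point to take from the comparison is that input filtering is the wrong layer for this control. Whatever the decoding, the filesystem only ever sees one canonical path, so checking that path against the allowed root is the check that cannot be bypassed by a different spelling of the same name.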

Additionally, an even older flaw from 2014 was added to the KEV catalog in mid-May 2024: the D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-100005). The affected hardware has reached end of life, so the practical remediation is to retire and replace the device rather than wait for a firmware fix.

Experience shows that attackers keep exploiting old vulnerabilities because some systems remain unpatched. The joint advisory on the top routinely exploited vulnerabilities of 2022 underscores this: many of the 12 vulnerabilities it lists were over a year old at the time, and one, CVE-2018-13379 in Fortinet FortiOS SSL VPN, dates back to 2018.
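The operational consequence of the paragraphs above is that a KEV addition can land on a CVE you scanned for, and deprioritised, years ago. The script below, an added example and not anything from Broadcom or CISA, cross-references scanner findings against the KEV feed and reports each match with its due date, the days remaining, and the age of the CVE, so old entries are not lost among new ones. The JSON sample uses the field names of CISA's KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), but the entries, dates, host names and scanner findings are constructed for the demo; `CVE-2099-00001` is a deliberately fictitious placeholder for a finding that is not in the catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# real feed; the two entries and their dates are illustrative, not a copy of the catalog.
KEV_SAMPLE_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2020-17519", "vendorProject": "Apache", "product": "Flink",
     "vulnerabilityName": "Apache Flink Improper Access Control Vulnerability",
     "dateAdded": "2024-05-23", "dueDate": "2024-06-13",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2014-100005", "vendorProject": "D-Link", "product": "DIR-600 Router",
     "vulnerabilityName": "D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability",
     "dateAdded": "2024-05-16", "dueDate": "2024-06-06",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner output: host -> CVE IDs reported. CVE-2099-00001 is a
# fictitious placeholder standing in for a finding that is not in KEV.
INVENTORY = {
    "flink-jobmanager-01": ["CVE-2020-17519", "CVE-2099-00001"],
    "branch-office-router": ["CVE-2014-100005"],
    "build-agent-07": ["CVE-2099-00001"],
}


def load_kev(raw_json: str) -> dict:
    """Index the feed by CVE ID so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def cve_year(cve_id: str) -> int:
    return int(cve_id.split("-")[1])


def kev_exposure(inventory: dict, kev: dict, today_iso: str) -> list:
    """Cross-reference scanner findings against KEV.

    Returns one record per (host, CVE) pair present in the catalog, with the due
    date, days remaining (negative when overdue) and the CVE's age in years.
    Sorted so overdue and soonest-due items come first.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # still a finding, just not a mandated one
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            hits.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "cve_age_years": today.year - cve_year(cve),
            })
    hits.sort(key=lambda h: (h["days_left"], h["host"]))
    return hits


def recent_additions(kev: dict, since_iso: str) -> list:
    """CVE IDs added to the catalog on or after `since_iso`, oldest CVE first,
    so a decade-old entry is not buried under this week's new ones."""
    since = date.fromisoformat(since_iso)
    return sorted(
        (cve for cve, v in kev.items() if date.fromisoformat(v["dateAdded"]) >= since),
        key=cve_year,
    )


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE_JSON)
    today = "2024-06-10"  # fixed so the demo is reproducible
    for hit in kev_exposure(INVENTORY, kev, today):
        flag = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]}d left'
        print(f'{hit["host"]:22} {hit["cve"]:16} {hit["product"]:22} '
              f'due {hit["due"]} ({flag}); CVE is {hit["cve_age_years"]} years old')
    print("added since 2024-05-01:", recent_additions(kev, "2024-05-01"))
```

In production the catalog would be fetched from CISA's published JSON feed rather than embedded, and the inventory would come from the scanner's export; the matching and due-date logic stays the same. Sorting by days remaining rather than by CVSS or by CVE year is deliberate: the KEV due date is the deadline that actually applies to FCEB agencies, and it is a sensible proxy for urgency everywhere else.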

Staying vigilant and patching promptly is crucial to mitigating these persistent threats, and that means tracking KEV additions as they appear, including the old CVEs that may already be sitting unremediated in your estate.