The Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring all federal civilian agencies to patch a critical vulnerability in a widely used asset management platform within 48 hours. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated remote code execution.
CISA's directive indicates that active exploitation has been observed in the wild, with at least two federal agencies confirming indicators of compromise. The vulnerability affects versions 8.0 through 8.4 of the software, and the vendor released a patch on April 12.
Agencies that cannot apply the patch within the mandated timeframe must disconnect affected systems from federal networks and implement compensating controls. CISA is providing technical assistance teams to agencies requiring support with remediation efforts.
