National Cyber Warfare Foundation (NCWF)

U.S. CISA adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog


2026-03-27 10:43:48
milo
Blue Team (CND)


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Aquasecurity Trivy flaw, tracked as CVE-2026-33634 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

On March 19, 2026, attackers used compromised credentials to publish a malicious version of Trivy (v0.69.4) and to tamper with related GitHub Actions, turning them into tools for stealing sensitive data. The incident is part of an ongoing supply chain attack that began in late February. Credentials were rotated after the initial breach, but not all at the same time, which likely let the attackers keep their access and capture the newly generated secrets.

Several components were affected, including Trivy binaries, container images, and GitHub Actions. Safe versions have since been identified, but any system that ran the compromised versions should be treated as exposed.

Organizations are advised to remove affected artifacts, rotate all secrets, and review logs for suspicious activity, especially around March 19–20. To reduce risk, GitHub Actions should always be pinned to immutable commit hashes rather than version tags.
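As an added example (not code from the article or from the Trivy project), a small checker for the pinning advice above: it scans a GitHub Actions workflow for `uses:` references that are not pinned to a full commit SHA and for any mention of the Trivy version the article identifies as malicious. The sample workflow, its placeholder SHA and the image tag are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# A full 40-character lowercase hex commit SHA is the only immutable action ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/path]@ref"; local "./" and "docker://" refs have no
# "@ref" form and are deliberately skipped by this pattern.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
# Trivy release the article identifies as malicious.
MALICIOUS_TRIVY_VERSION = "0.69.4"


def audit_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) for each risky line in a workflow file."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            if not SHA_RE.match(ref):
                findings.append((n, f"{action} pinned to mutable ref '{ref}', not a commit SHA"))
        # Flag the malicious version wherever it appears next to "trivy"
        # (binary download, image tag, or an action input).
        if MALICIOUS_TRIVY_VERSION in line and "trivy" in line.lower():
            findings.append((n, f"references compromised Trivy version {MALICIOUS_TRIVY_VERSION}"))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run scanner
        uses: aquasecurity/trivy-action@master
      - run: docker run aquasec/trivy:0.69.4 image myapp:latest
"""

if __name__ == "__main__":
    for line_no, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {msg}")
```

Run it over each file under `.github/workflows/`; a clean file returns an empty list.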

Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 9, 2026.

Pierluigi Paganini





(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/190044/security/u-s-cisa-adds-an-aquasecurity-trivy-flaw-to-its-known-exploited-vulnerabilities-catalog.html