Ivanti Patches Exploited Administrator Command Execution Bug

The US Cybersecurity and Infrastructure Security Agency (CISA) has just added the latest Ivanti weakness to its KEV (Known Exploited Vulnerability) directory, a situation that is sure to annoy some – given that it's yet another bug on the way.

After a series of high-profile bugs that hit IT vendors this year, the US National Cyber Agency felt the need to appeal to the infosec community to root out this class of vulnerability.

CISA complained earlier this year that these bugs have been around since the nineties, noting that since then methods to ensure they don't appear in software have become well established and should be universally implemented by now.

That May warning followed an announcement in February of a maximum severity vulnerability in ConnectWise's ScreenConnect (CVE-2024-1708). Some researchers described it as "embarrassingly easy to exploit." Just weeks later, Cisco disclosed CVE-2024-20345, affecting its AppDynamics Controller. Both flaws were used to compromise users of the vendors' software, including on critical infrastructure platforms used in the healthcare and public sector, hence the CISA alert.
