CISA issues emergency order requiring agencies to patch critical Windows bug

The order gives federal civilian agencies roughly 24 hours to act.
CISA, DHS, Department of Homeland Security, RSA 2019
The DHS and CISA booth at the 2019 RSA conference in San Francisco. (Scoop News Group photo)

The Department of Homeland Security’s cybersecurity division on Thursday ordered federal civilian agencies to apply a security fix for a newly revealed Microsoft Windows vulnerability, citing the “unacceptable significant risk” posed by the flaw to agencies’ security.

The emergency order — only the third ever issued by DHS’s Cybersecurity and Infrastructure Security Agency — gave agencies roughly 24 hours to either patch Windows servers used for domain name system purposes or apply another mitigation. Organizations with affected servers that aren’t for DNS have until July 24 to patch.

The urgency of the directive is “based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise,” CISA said in its directive. The agency said it wasn’t aware of any active exploitation of the vulnerability — yet.

“[I]t is only a matter of time for an exploit to be created for this vulnerability,” CISA Director Chris Krebs said.


Microsoft on Tuesday issued a patch for the vulnerability, which is “wormable,” meaning malware abusing the vulnerability could move from infected system to infected system on its own. Security researchers immediately sounded the alarm about the potential impact of the bug because it could allow hackers who exploit it to intercept and tamper with network traffic and steal users’ credentials.

Some of the more dangerous software vulnerabilities in recent memory have been wormable, including the Windows flaw exploited by the 2017 WannaCry malware, which infected over 200,000 machines in 150 countries, costing Britain’s National Health Service alone more than $100 million.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts