The vendors disclosed and patched the defects last summer, but not before advanced attackers exploited the vulnerabilities to likely gain prolonged access for espionage, according to Amazon.

The tech giant addressed a record-high number of defects for the year in its latest update.

The agency, which issued an emergency directive to federal agencies Thursday, said it took months to determine the root cause and mitigate the activity.

Cisco said it was investigating state-sponsored espionage attacks in May. CISA did not explain why it waited four months to issue an emergency directive.

The actively exploited defect, triggered by an attacker’s use of a publicly available sample machine key, underscores the vendor and customers’ poor configuration practices.

The vendor, which has been widely targeted, said the memory-overflow vulnerability can result in remote-code execution or denial of service.

The defect, which affects the company’s most popular devices, has been exploited in an “extremely sophisticated attack against specific targeted individuals,” Apple said.

The China-affiliated espionage group, which CrowdStrike tracks as Murky Panda, has been linked to more than a dozen incident response cases since late spring.

Despite serious alarm raised by officials, organizations have not applied the patch for Microsoft Exchange servers en masse.

The initiative seeks to patch vulnerabilities in open-source code before they are exploited by would-be attackers. Now comes the hard part — putting the systems to the…