CMS Hybrid Cloud Launches the 2025 Q3 CMS Enterprise Security Campaign

Summary

Starting August 7th, 2025, the CMS Hybrid Cloud Team will begin the Q3 2025 CMS Enterprise Security Campaign.

Any findings will be tracked via Jira tickets and assigned to the respective teams to remediate risks. The Q3 CMS Enterprise Security Campaign is targeting a list of 21 Common Vulnerabilities and Exposures (CVEs) sourced from Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.

On August 20th, 2025, new AWS Security Hub GuardRails will be added to all accounts to prevent the reintroduction of certain findings back into the CMS environment.

Benefits

Resolving findings in customers' Jira tickets ensures CMS systems remain secure. Participating in proactive, routine security activities, such as this CMS Enterprise Security Campaign, reduces the risk of unauthorized and/or malicious activity.

The CMS Enterprise Security Campaign will target and identify the following CVEs from CISA's KEV catalog:

Targeted Known Exploited Vulnerabilities (KEVs)

CVEs on KEV List | Plugin ID | Description | Severity
---------------- | --------- | ----------- | --------
CVE-2025-33053 | 238092 | KB5061010: Windows 10 Version 1607 / Windows Server 2016 Security Update (June 2025) | High
CVE-2025-27363 | 233903 | RHEL 7: freetype (RHSA-2025:3395) | High
CVE-2025-27363 | 233678 | RHEL 8: freetype (RHSA-2025:3421) | High
CVE-2025-27363 | 233901 | RHEL 9: freetype (RHSA-2025:3407) | High
CVE-2025-27363 | 233690 | Amazon Linux 2: freetype (ALAS-2025-2806) | Medium
CVE-2025-24813 | 234293 | RHEL 8: tomcat (RHSA-2025:3683) | Critical
CVE-2025-24813 | 234618 | Oracle Database Server (April 2025 CPU) | Low
CVE-2025-6554 | 241151 | Microsoft Edge (Chromium) < 138.0.3351.65 Multiple Vulnerabilities | High
CVE-2025-6554 | 240977 | Google Chrome < 138.0.7204.96 Vulnerability | High
CVE-2024-53150 | 234676 | RHEL 8: kernel (RHSA-2025:3893) | High
CVE-2024-44308, CVE-2024-44309 | 234624 | Oracle Java SE Multiple Vulnerabilities (April 2025 CPU) | Critical
CVE-2024-38226 | 206892 | Security Updates for Microsoft Publisher Products (September 2024) | High
CVE-2024-20399 | 201218 | Cisco NX-OS Software CLI Command Injection (cisco-sa-nxos-cmd-injection-xD9OhyOP) | Medium
CVE-2024-20399 | 193896 | Cisco Adaptive Security Appliance Software Privilege Escalation (cisco-sa-asaftd-persist-rce-FLsNXF4h) | Medium
CVE-2021-1789, CVE-2021-1870, CVE-2021-1871, CVE-2021-30661, CVE-2021-30663, CVE-2021-30665, CVE-2021-30666, CVE-2021-30761, CVE-2021-30762, CVE-2022-22620, CVE-2022-32893, CVE-2022-42856, CVE-2023-23529, CVE-2023-28204, CVE-2023-28205, CVE-2023-32373, CVE-2023-32435, CVE-2023-32439, CVE-2023-37450, CVE-2023-41993, CVE-2023-42916, CVE-2023-42917, CVE-2024-23222, CVE-2024-44308, CVE-2024-44309, CVE-2025-24201 | 241427 | RHEL 7: webkitgtk4 (RHSA-2025:10364) | Critical
CVE-2020-11023 | 136929 | jQuery 1.2 < 3.5.0 Multiple XSS | Medium
CVE-2020-11023 | 216435 | RHEL 7: gcc (RHSA-2025:1601) | Medium
CVE-2020-11023 | 216109 | RHEL 8: gcc (RHSA-2025:1301) | Medium
CVE-2020-11023 | 216204 | RHEL 9: gcc (RHSA-2025:1346) | Medium
CVE-2020-11023 | 184247 | F5 Networks BIG-IP: jQuery vulnerability (K66544153) | Medium
CVE-2013-3900 | 166555 | WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck) | Medium

Note: Operating System (OS)-level findings are remediated by the CMS Hybrid Cloud Team for customers who receive regular CMS Gold Image patching services. CMS customers remain responsible for patching any software installed on top of the provided CMS Gold Image.

  • For all accounts, CMS Hybrid Cloud will deploy auto-remediation (GuardRails) for the following Security Hub control:
    • CloudFront.12 - CloudFront distributions should not point to non-existent S3 origins
  • CMS customer teams with existing findings for this Security Hub control will receive a Jira ticket.
    • Teams will either need to resolve the finding or obtain an exemption.

Expected Actions

  • CMS customer teams with findings will receive a Jira ticket.
    • If you would like to obtain an exemption, you will need to complete an attestation.
  • CMS customers should resolve all received Jira tickets as soon as possible.
    • For help, please refer to the "Questions or Concerns" section below for instructions on how to submit a Hybrid Cloud Support Ticket.
  • Failure to resolve findings can lead to compromised systems that result in greater risks for unauthorized and/or malicious activity.
  • Unresolved system flaws will result in Plan of Action and Milestones (POA&Ms) being issued against the Federal Information Security Modernization Act (FISMA) boundary.

Timeline

  • May 5th, 2025: CMS customers with findings will receive Jira tickets for the findings noted in the "Benefits" section above.
  • May 21st, 2025: CMS Hybrid Cloud will add new AWS Security Hub GuardRails to all accounts to protect CMS systems from reintroducing findings back into the environment.

Additional Information

Questions or Concerns

We look forward to helping you and your team. Reach out to your IUSG Hosting Coordinator with any questions. For further help, please fill out a Hybrid Cloud Support ticket specifying Service as "Security Hub" and Request as "Security Hub Findings".

Sent using GovDelivery Communications Cloud · 7500 Security Boulevard · Baltimore MD 21244