CISA Urges Patching as Hackers Exploit ‘Looney Tunables’ Bug


U.S. federal agencies have until Dec. 12 to patch vulnerable Linux devices on their networks after researchers discovered an actively exploited security flaw.

The Cybersecurity and Infrastructure Security Agency added the “Looney Tunables” vulnerability, tracked as CVE-2023-4911, to its catalog of known exploited vulnerabilities Tuesday and mandated that federal civilian branch agencies download patches to protect government networks against active threats.

The Looney Tunables flaw was first disclosed in October, and Kinsing threat actors – otherwise known as Money Libra – subsequently used it to target cloud environments with malware attacks. Researchers have spotted Kinsing, a Linux Executable and Linkable Format malware program, deployed against containerized environments for cryptocurrency mining.