CyberSecurity SEE

CISA 2024 KEV Catalog Update Explores Vulnerabilities and Trends

In 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) continued its efforts to enhance cybersecurity by updating its Known Exploited Vulnerabilities (KEV) catalog. This catalog, considered a critical tool for IT security teams worldwide, saw the addition of 185 new vulnerabilities this year, bringing the total count to 1,238 vulnerabilities that are at high risk of exploitation by cybercriminals. These vulnerabilities pose significant dangers to critical infrastructure, data security, and operations across various sectors.

The expansion of the KEV catalog, initiated in November 2021, underscores the persistent threat of cyberattacks. The trends observed in the catalog for 2024 reveal important insights into the common vulnerabilities and the vendors grappling with software flaws.

The KEV catalog has grown steadily since its inception. While 185 vulnerabilities were added in 2024, slightly fewer than the 187 added the previous year, the rate of new entries has stabilized compared to the rapid growth of the catalog's early stages. Notably, the catalog grew not only through newly disclosed vulnerabilities but also through the inclusion of older vulnerabilities that continue to be actively exploited. Some, such as CVE-2002-0367 dating back to 2002, remain a risk and are used in ransomware attacks. The oldest vulnerability added to the catalog in 2024 was CVE-2012-4792, a use-after-free vulnerability in Microsoft Internet Explorer versions 6 through 8.

Among the 2024 additions, certain classes of software weakness, identified by Common Weakness Enumeration (CWE) IDs, were prevalent. Weaknesses such as CWE-78 (OS Command Injection) and CWE-502 (Deserialization of Untrusted Data) represent critical flaw classes that cybercriminals leverage for unauthorized access and system disruption.

Leading vendors accounted for varying numbers of entries in the KEV catalog. Microsoft, with 36 vulnerabilities added in 2024, remained at the top of the list. Ivanti followed as the second most affected vendor, with 11 vulnerabilities, including critical flaws exploited in a breach of CISA. Other major vendors, including Google Chromium, Adobe, and Apple, also had multiple vulnerabilities added to the catalog. Noteworthy is CVE-2024-39717, a significant vulnerability in Versa Director that was exploited in supply chain attacks targeting ISPs and MSPs, showing that a vulnerability's real-world exposure does not always align with its severity or CVSS score.
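The trend figures discussed above (additions per year, vendor counts, prevalent CWEs, ransomware use, oldest entry) can be reproduced by a defender from the catalog's JSON feed. The following is an added example, not code from the article or from CISA; it assumes the feed's field names (cveID, vendorProject, dateAdded, knownRansomwareCampaignUse, cwes) and runs on a small constructed sample rather than the live feed.

```python
import json
from collections import Counter

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed (an assumption; the article does not show the format). Dates added,
# CWE tags and the PLACEHOLDER CVE IDs are invented for illustration only.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-39717", "vendorProject": "Versa", "product": "Director",
     "dateAdded": "2024-08-23", "knownRansomwareCampaignUse": "Unknown", "cwes": []},
    {"cveID": "CVE-2012-4792", "vendorProject": "Microsoft", "product": "Internet Explorer",
     "dateAdded": "2024-01-08", "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-416"]},
    {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2022-03-03", "knownRansomwareCampaignUse": "Known", "cwes": []},
    {"cveID": "CVE-2024-PLACEHOLDER-1", "vendorProject": "Ivanti", "product": "Connect Secure",
     "dateAdded": "2024-01-10", "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-78"]},
    {"cveID": "CVE-2023-PLACEHOLDER-2", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-02-01", "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-502"]},
]})

def load_kev(text):
    """Parse the feed text and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]

def cve_year(entry):
    """Year embedded in the CVE ID (CVE-YYYY-NNNN): when the ID was assigned, not when it was added."""
    return int(entry["cveID"].split("-")[1])

def added_in_year(entries, year):
    """Entries whose dateAdded falls in the given calendar year."""
    return [e for e in entries if e["dateAdded"].startswith(f"{year}-")]

def vendor_counts(entries):
    return Counter(e["vendorProject"] for e in entries)

def cwe_counts(entries):
    """Count CWE tags; an entry may carry several or none."""
    return Counter(cwe for e in entries for cwe in e.get("cwes", []))

def oldest_by_cve_year(entries):
    return min(entries, key=cve_year)["cveID"]

def ransomware_known(entries):
    return sorted(e["cveID"] for e in entries if e.get("knownRansomwareCampaignUse") == "Known")

def yearly_report(text, year):
    """Summarise one year's additions the way the article does for 2024."""
    entries = load_kev(text)
    added = added_in_year(entries, year)
    return {"total": len(entries), "added": len(added),
            "top_vendors": vendor_counts(added).most_common(3),
            "top_cwes": cwe_counts(added).most_common(3),
            "oldest_added": oldest_by_cve_year(added),
            "ransomware": ransomware_known(entries)}

if __name__ == "__main__":
    print(json.dumps(yearly_report(SAMPLE_KEV, 2024), indent=2))
```

Pointing `load_kev` at the downloaded feed instead of `SAMPLE_KEV` gives the real per-year figures; note that the CVE year and the date added differ for the older entries the article highlights.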

In conclusion, the continual update and expansion of the KEV catalog by CISA reflect the ongoing cybersecurity challenges faced by organizations globally. By identifying and addressing known vulnerabilities, stakeholders can strengthen their defenses against cyber threats and safeguard their critical assets effectively.
