At the BSides Las Vegas conference on August 7th, an analysis presented there highlighted that organizations relying on the Known Exploited Vulnerabilities (KEV) catalog to prioritize patching may be overlooking crucial changes that could indicate a shift in the severity of certain issues. The KEV catalog currently includes more than 1,140 vulnerabilities known to have been exploited in the wild. Each entry is tracked by its Common Vulnerabilities and Exposures (CVE) identifier, together with the date on which exploitation was confirmed and an indicator of whether ransomware groups are known to use it.
The analysis pointed out that specific modifications to the data, such as unusually short remediation windows and changes to the ransomware status field, can provide valuable signals for security teams. However, Glenn Thorpe, senior director of security research and detection engineering at GreyNoise Intelligence, noted that the Cybersecurity and Infrastructure Security Agency (CISA), which manages the list, does not always call attention to these changes and outliers, so organizations that use the catalog for prioritization may miss them.
Introduced in November 2021 with 290 exploited vulnerabilities, the KEV catalog serves as a resource for organizations to focus on patching flaws currently under attack. Despite its usefulness, the catalog does not rank vulnerabilities by severity, and there is often a delay in adding vulnerabilities even after evidence of exploitation emerges.
Over the years, the KEV catalog has gone through several phases. In one period during the Russia-Ukraine conflict, there was a surge in exploited vulnerabilities, totaling 396 issues with an average age of 1,898 days. Despite the perception that the conflict’s duration may have reduced the number of vulnerabilities, Thorpe warned that once the conflict ends, both sides are likely to resume seeking vulnerabilities for exploitation.
Five major organizations — Microsoft, Apple, Cisco, Adobe, and Google — account for approximately half of all vulnerabilities on the KEV list, showcasing cyber attackers’ preference for targeting prominent software platforms.
In recent years, changes in CISA’s handling of the KEV catalog have been observed. For instance, CISA started setting shorter remediation deadlines for specific critical vulnerabilities. This shift is evident in the case of severe vulnerabilities affecting network-connected appliances, such as Ivanti and Juniper routers, Cisco devices, and Atlassian’s Confluence server.
Moreover, CISA has been updating the known ransomware usage field without explicit notification, which indicates increased use of those vulnerabilities by ransomware groups. To help organizations prioritize, Thorpe advised paying attention to three signals: entries added on Fridays, entries whose due date is less than 21 days after they were added, and changes to the known ransomware usage field.
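The three signals above can be pulled out mechanically by diffing two snapshots of the catalog. The following is an added example written for this article, not code from the talk or from GreyNoise; it assumes the field names of the public KEV JSON feed (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), and the entries themselves are constructed placeholders.

```python
import json
from datetime import date

# Constructed snapshots shaped like the public KEV JSON feed (assumed field
# names; CVE IDs and dates are made up). OLD is yesterday's copy, NEW today's.
OLD_KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-07-30", "dueDate": "2024-08-20",
     "knownRansomwareCampaignUse": "Unknown"},
]}
NEW_KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-07-30", "dueDate": "2024-08-20",
     "knownRansomwareCampaignUse": "Known"},   # field flipped since OLD
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-08-02", "dueDate": "2024-08-09",
     "knownRansomwareCampaignUse": "Unknown"}, # Friday add, 7-day deadline
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-08-05", "dueDate": "2024-08-26",
     "knownRansomwareCampaignUse": "Unknown"}, # ordinary 21-day entry
]}


def kev_signals(old, new, short_window_days=21):
    """Return {cveID: [signal, ...]} for entries that deserve a closer look."""
    old_by_id = {v["cveID"]: v for v in old["vulnerabilities"]}
    flagged = {}
    for v in new["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        signals = []
        window = (due - added).days
        if window < short_window_days:          # shorter than the usual deadline
            signals.append(f"short remediation window ({window} days)")
        if added.weekday() == 4:                # Monday is 0, so Friday is 4
            signals.append("added on a Friday")
        prev = old_by_id.get(v["cveID"])
        if prev and prev["knownRansomwareCampaignUse"] != v["knownRansomwareCampaignUse"]:
            signals.append("ransomware field changed "
                           f"{prev['knownRansomwareCampaignUse']} -> "
                           f"{v['knownRansomwareCampaignUse']}")
        if signals:
            flagged[v["cveID"]] = signals
    return flagged


if __name__ == "__main__":
    # With real data, load both snapshots with json.load() from saved copies
    # of the feed and run the same comparison on a daily schedule.
    print(json.dumps(kev_signals(OLD_KEV, NEW_KEV), indent=2))
```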
By analyzing the patterns and signals provided by CISA’s updates to the KEV catalog, organizations can better understand the agency’s prioritization of critical vulnerabilities. Being aware of these changes can help security teams stay proactive in addressing potential threats and enhancing their overall cybersecurity posture.