The Heightened Risk of Exploitation: Insights from Fortra’s Tyler Reguly
Recent discussion of the Common Vulnerabilities and Exposures (CVE) system and its relationship to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog has drawn significant attention in the security community. One of the focal points of that conversation comes from Tyler Reguly, Associate Director of Security Research and Development at Fortra. Reguly’s comments address the current state of vulnerability management, particularly as it relates to Oracle’s WebLogic platform.
Reguly points out that a CVE’s inclusion in the CISA KEV catalog means CISA has evidence of active exploitation in the wild. Oracle had already addressed the vulnerability in its July 2024 Critical Patch Update (CPU), so it is reasonable to assume that most system administrators had applied the fix by the time the entry was added. The vulnerability affects Oracle WebLogic Server, and before this entry the KEV catalog already listed numerous other WebLogic vulnerabilities. That history raises questions about the patching practices of organizations running the platform.
The KEV catalog is a prioritization tool: it lists vulnerabilities that adversaries are actively exploiting, so defenders can patch those first. Reguly highlights a concerning trend in its contents: a notable share of the listed vulnerabilities are not recent. In a preliminary analysis, he found that only about 41% of the CVEs in the catalog were added in the same calendar year as their CVE identifier. The cumulative share rises to around 58% when vulnerabilities added the following year are included. In other words, more than 40% of the CVEs in the CISA KEV catalog were added two or more years after their initial disclosure.
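The year-lag statistic described above can be reproduced directly from the KEV JSON feed, which CISA publishes as an object with a `vulnerabilities` array whose entries carry `cveID` and `dateAdded` fields. The following Python is an added example written for this article, not Fortra’s or CISA’s code. It embeds a constructed ten-entry sample in that layout (the CVE identifiers, vendor names and dates are placeholders, not real catalog entries) so it runs offline; pointing `load_kev` at the downloaded feed instead gives the real distribution. One caveat the code states in a comment: the year in a CVE identifier is the year the ID was reserved, which usually but not always matches the year of public disclosure, so a stricter analysis would join against NVD publication dates.

```python
"""Year-lag analysis of CISA KEV entries.

Added example, not Fortra's or CISA's code. Compares the year in each
CVE identifier with the year the entry was added to the catalog and
reports the same-year / within-one-year / two-or-more-years shares.
"""
import json
import re
from collections import Counter
from datetime import date

# A CVE ID is CVE-<4-digit year>-<4 or more digits>.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample in the KEV feed's JSON layout. The cveIDs, vendors
# and dates are placeholders for this example, not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-99901", "vendorProject": "ExampleVendor", "product": "ExampleApp", "dateAdded": "2024-02-15"},
        {"cveID": "CVE-2024-99902", "vendorProject": "ExampleVendor", "product": "ExampleApp", "dateAdded": "2024-06-03"},
        {"cveID": "CVE-2023-99903", "vendorProject": "ExampleVendor", "product": "ExampleServer", "dateAdded": "2024-01-10"},
        {"cveID": "CVE-2023-99904", "vendorProject": "OtherVendor", "product": "Router", "dateAdded": "2023-11-20"},
        {"cveID": "CVE-2021-99905", "vendorProject": "ExampleVendor", "product": "ExampleServer", "dateAdded": "2024-05-05"},
        {"cveID": "CVE-2019-99906", "vendorProject": "ExampleVendor", "product": "ExampleServer", "dateAdded": "2024-07-22"},
        {"cveID": "CVE-2022-99907", "vendorProject": "OtherVendor", "product": "Firewall", "dateAdded": "2023-03-14"},
        {"cveID": "CVE-2017-99908", "vendorProject": "ExampleVendor", "product": "ExampleApp", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2020-99909", "vendorProject": "OtherVendor", "product": "Router", "dateAdded": "2022-08-29"},
        {"cveID": "CVE-2022-99910", "vendorProject": "OtherVendor", "product": "Firewall", "dateAdded": "2022-12-01"},
    ]
})


def load_kev(text: str) -> list[dict]:
    """Parse the KEV feed (the real file or the sample above) into a list of entries."""
    return json.loads(text)["vulnerabilities"]


def cve_year(cve_id: str) -> int:
    """Year component of a CVE identifier. This is the year the ID was
    reserved, which usually, but not always, equals the disclosure year."""
    m = CVE_ID_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"malformed CVE identifier: {cve_id!r}")
    return int(m.group(1))


def year_lag(entry: dict) -> int:
    """Calendar years between the CVE's year and the year CISA added it to KEV."""
    added = date.fromisoformat(entry["dateAdded"])
    return added.year - cve_year(entry["cveID"])


def lag_distribution(entries: list[dict]) -> Counter:
    """How many entries were added 0, 1, 2, ... years after their CVE year."""
    return Counter(year_lag(e) for e in entries)


def lag_summary(entries: list[dict]) -> dict:
    """Fractions matching the article's framing: same year, cumulative within
    one year, and two or more years later. Lags below zero (an ID reserved in
    a later year than the add date) are counted as same-year."""
    lags = [year_lag(e) for e in entries]
    total = len(lags)
    same = sum(1 for lag in lags if lag <= 0)
    within_one = sum(1 for lag in lags if lag <= 1)
    return {
        "total": total,
        "same_year": same / total if total else 0.0,
        "within_one_year": within_one / total if total else 0.0,
        "two_or_more_years": (total - within_one) / total if total else 0.0,
    }


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for lag, n in sorted(lag_distribution(kev).items()):
        print(f"lag {lag} year(s): {n} entries")
    s = lag_summary(kev)
    print(f"same year: {s['same_year']:.0%}, within one year: {s['within_one_year']:.0%}, "
          f"two or more years later: {s['two_or_more_years']:.0%}")
```

On the constructed sample the shares come out at 40%, 60% and 40%; the real feed will differ, and because new entries are added continuously the numbers drift over time, so record the feed’s `dateReleased` alongside any figure you quote.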
Reguly argues that this trend reflects an underlying reality: organizations that fail to keep their systems patched are the ones that get attacked. An organization that has gone several years without applying patches is a more attractive target for attackers than one that maintains its systems regularly, and an old vulnerability only lands in the KEV catalog because someone is still successfully exploiting it. Consistent patching, by contrast, signals an organization that prioritizes security and is likely to have a more robust defensive posture overall.
The implications matter for organizations of every size. Reguly’s comments draw attention to the danger of neglecting older vulnerabilities: an unpatched system can invite attack years after the flaw was disclosed and a fix was published. That forces organizations not only to address newly disclosed vulnerabilities but also to revisit older ones that may still be present in their environments.
Reguly’s observations also argue for a more proactive approach to vulnerability management. Rather than reacting only to the latest headlines, or patching only what is explicitly flagged as under active exploitation, IT managers and security teams need a comprehensive patch management strategy: timely updates and continuous monitoring across all software in the environment, regardless of how urgent any single flaw appears at the time.
Organizations that take this holistic approach are better placed to mitigate a diverse set of threats, including those that linger from years past. In practice that means applying vendor patches and updates as they are released, maintaining an accurate inventory of what is deployed, and actively monitoring the KEV catalog for new entries that affect that inventory.
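The monitoring step above is mechanical once an inventory exists: fetch the KEV feed, keep the entries added since the last review, intersect them with the vendor/product pairs the organization actually runs, and work from CISA’s `dueDate` field. The Python below is an added example written for this article, not Fortra’s, Oracle’s or CISA’s code. It embeds a constructed four-entry feed in the real catalog’s JSON layout (placeholder CVE identifiers and generic vendor names, not real entries) and a hypothetical inventory; the real feed’s entries use the `vendorProject` and `product` fields, so a WebLogic deployment would be matched on the vendor `Oracle` and a product containing `WebLogic`. Matching is case-insensitive and uses substring containment on the product name because catalog product strings are not always identical to internal asset names.

```python
"""Match a software inventory against the CISA KEV feed.

Added example, not Fortra's, Oracle's or CISA's code. Filters KEV entries
by the date they were added, matches them against an inventory of
vendor/product pairs, and reports days remaining until CISA's due date.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's JSON layout. CVE identifiers,
# vendors, products and dates are placeholders for this example.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-99911", "vendorProject": "ExampleVendor", "product": "ExampleServer",
         "dateAdded": "2024-08-01", "dueDate": "2024-08-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-99912", "vendorProject": "ExampleVendor", "product": "ExampleDesktop",
         "dateAdded": "2024-08-05", "dueDate": "2024-08-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-99913", "vendorProject": "OtherVendor", "product": "Router",
         "dateAdded": "2024-07-10", "dueDate": "2024-07-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-99914", "vendorProject": "ExampleVendor", "product": "ExampleServer",
         "dateAdded": "2023-02-01", "dueDate": "2023-02-22", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Hypothetical inventory: what the organization actually runs. Case and
# whitespace differences are tolerated by normalize() below.
INVENTORY = [
    {"vendor": "examplevendor", "product": "ExampleServer"},
    {"vendor": "OtherVendor", "product": " router "},
]


def load_kev(text: str) -> list[dict]:
    """Parse the KEV feed (the real file or the sample above) into a list of entries."""
    return json.loads(text)["vulnerabilities"]


def normalize(s: str) -> str:
    return " ".join(s.lower().split())


def added_since(entries: list[dict], since: date) -> list[dict]:
    """Entries CISA added on or after `since` (the date of the last review)."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def match_inventory(entries: list[dict], inventory: list[dict], today: date) -> list[dict]:
    """KEV entries affecting something in the inventory, earliest due date first.

    Vendor must match exactly after normalization; the inventory product
    name must appear within the catalog product string (or vice versa), so
    "ExampleServer" matches "ExampleServer 12" and similar variants."""
    wanted = [(normalize(i["vendor"]), normalize(i["product"])) for i in inventory]
    matches = []
    for e in entries:
        vendor, product = normalize(e["vendorProject"]), normalize(e["product"])
        if any(vendor == v and (p in product or product in p) for v, p in wanted):
            due = date.fromisoformat(e["dueDate"])
            matches.append({
                "cveID": e["cveID"],
                "vendor": e["vendorProject"],
                "product": e["product"],
                "dateAdded": e["dateAdded"],
                "dueDate": e["dueDate"],
                "days_to_due": (due - today).days,
                "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
            })
    return sorted(matches, key=lambda m: m["dueDate"])


def overdue(matches: list[dict]) -> list[dict]:
    """Matches whose CISA due date has already passed."""
    return [m for m in matches if m["days_to_due"] < 0]


if __name__ == "__main__":
    today = date(2024, 8, 10)  # fixed for reproducibility; use date.today() in practice
    recent = added_since(load_kev(SAMPLE_KEV_JSON), since=date(2024, 7, 1))
    for m in match_inventory(recent, INVENTORY, today):
        flag = "OVERDUE" if m["days_to_due"] < 0 else f"{m['days_to_due']} days left"
        print(f"{m['cveID']} {m['vendor']} {m['product']} due {m['dueDate']} ({flag}), ransomware use: {m['ransomware']}")
```

Running the full catalog through `match_inventory` without the `added_since` filter is the complement to this check: it surfaces the older entries the article is concerned with, which a review keyed only to new additions would never show.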
In conclusion, Reguly’s insights are a timely reminder for organizations to reassess their patching policies and practices. The KEV data shows that vigilance cannot stop at newly disclosed flaws: vulnerabilities disclosed and patched years ago are still being exploited, and still earning a place in the catalog. Organizations that recognize this reality, and treat old, unpatched vulnerabilities with the same urgency as new ones, will be better positioned to stay ahead of attackers.
