Exploring CISA KEV: A Tool for Effective Vulnerability Management
Understand how to take advantage of CISA KEV to strategically enhance your vulnerability management program
Anyone working in vulnerability management has experienced the pain of dealing with the ever-growing number of vulnerabilities discovered each year, all vying for attention and remediation. Teams constantly struggle to prioritise, often without a clear understanding of which vulnerabilities are being exploited in the wild, pose the most immediate threat, and should therefore be addressed first.
This is where the CISA KEV becomes invaluable. In this article, we will look at what CISA KEV is and how it can help you strategically improve your vulnerability management practices. We will discuss how, by providing a prioritised list of vulnerabilities known to be exploited, CISA KEV helps vulnerability management teams focus their efforts and address the most critical threats first. So let's get started!
What is CISA KEV?
CISA KEV, or Known Exploited Vulnerability Catalogue, launched in November 2021, is a comprehensive list of vulnerabilities known to be exploited in the wild, and is maintained by the Cybersecurity and Infrastructure Security Agency (CISA).
The catalogue serves as an essential resource for cybersecurity professionals and network defenders, enabling them to prioritise remediation on a specific subset of vulnerabilities that pose an immediate threat, based on real-world threat activity. The aim is to help organisations improve their vulnerability management programs and enhance their security posture against known threats.
The KEV catalogue is a key component of the U.S. government’s Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, issued by CISA. The BOD mandates that all federal civilian executive branch (FCEB) agencies remediate listed vulnerabilities within set timeframes. While the directive directly applies only to FCEB agencies, CISA strongly recommends that all organisations, including state, local, tribal and territorial governments and the private sector, use KEV as part of their vulnerability management strategy to bolster defences against known exploits.
Significance of CISA KEV
With a surge in Common Vulnerabilities and Exposures (CVEs) that has persisted since 2016, and over 28,000 new CVE entries in 2023 alone as shown in the diagram below, cybersecurity teams face the constant challenge of prioritising vulnerabilities for remediation, with an ever-increasing number of vulnerabilities left unresolved at any one time.
The situation gets even worse when ~57% of the vulnerabilities in the National Vulnerability Database (NVD) are marked High or Critical severity without further context or organisational awareness, as per the diagram below, posing further challenges to vulnerability prioritisation and remediation efforts.
Source: https://nvd.nist.gov/general/nvd-dashboard
A number of studies in this space have shown that generally less than 5% of all CVEs ever get exploited. An analysis conducted by Qualys in their 2023 Vulnerability Threat Landscape study highlighted that less than 1% of all known vulnerabilities were exploited in that year, implying that over 99% may never have been exploited, or have only a very slight chance of ever being exploited by threat actors. The exploited vulnerabilities are the ones for which a weaponised exploit exists and is being used by ransomware groups, malware, or threat actors in exploitation activity.
As per the diagram below, from over 26,000 published vulnerabilities at the time of this study, only 7033 (26.5%) had a PoC, whereas only 206 (0.77%) had been weaponised for exploitation in that year.
Source: Qualys 2023 Threat Landscape study
CISA KEV adds value by highlighting the vulnerabilities that have been weaponised for real-world exploitation. CISA KEV serves as an authoritative source, providing a curated list of vulnerabilities that have been known to be exploited (or are being exploited) in the wild. The principle behind CISA KEV is that while not all vulnerabilities are exploited, those that pose an immediate threat should be given remediation priority.
At the time of this writing, the CISA KEV catalogue has recorded 1098 vulnerabilities. The catalogue surpassed 1000 vulnerabilities in September 2023, when CISA published an article on the progress made since inception and the lessons learned.
By prioritising remediation for vulnerabilities that are known to be exploited, organisations can allocate their limited resources more effectively to address the most pressing threats over others to strategically improve their cybersecurity risk posture.
CISA KEV Criteria
The CISA KEV sends a clear message to all organisations to prioritise remediation on a subset of vulnerabilities that are causing immediate harm based on adversary activity.
CISA uses rigorous criteria to decide which vulnerabilities to include in the KEV catalogue, as described below:
**Assigned CVE ID** — a vulnerability must have a Common Vulnerabilities and Exposures (CVE) ID assigned, so that organisations can easily identify vulnerabilities that have been added to the KEV catalogue.
**Active Exploitation** — there needs to be credible evidence that the vulnerability has been exploited or is under active exploitation. For the purposes of the KEV catalogue, active exploitation covers both attempted exploitation and successful exploitation. The evidence of exploitation activity must come from reliable sources such as industry partners, security researchers, or government entities. Activities such as scanning, the availability of a PoC, or security research on an exploit do not qualify a vulnerability for inclusion in the catalogue.
**Clear Remediation Guidance** — there must be an effective mitigation available for the issue, such as a patch or official mitigation guidance. This ensures that the catalogue only includes vulnerabilities for which organisations can take actionable steps towards remediation.
CISA KEV and CWE Top 10 Mapping
Analysing the KEV catalogue through the lens of Common Weakness Enumeration (CWE) provides further insights into the types of weaknesses that adversaries are most likely to exploit.
In 2023, alongside the CWE Top 25, an analysis of entries in the KEV catalogue was conducted and the 2023 CWE Top 10 KEV Weaknesses list was published. By examining the CWE root cause mappings of KEV-listed vulnerabilities, it is possible to identify common patterns in the weaknesses that lead to exploitation.
The pie chart below shows the Top 10 KEV weaknesses and their percentages based on exploitation activity in the wild.
Source: cwe.mitre.org — Percent of 2023 CWE Top 10 KEV Weaknesses by CWE Category.
The treemap chart below shows the individual CWE categories in the Top 10 list. It is worth noting that the top three entries are related to memory safety, followed by missing data validation checks.
Source: cwe.mitre.org — 2023 CWE Top 10 KEV Weaknesses List Insights
These insights can help organisations with strategic decision making on where to focus their security improvement efforts and how to develop systems that are secure-by-design.
How Organisations can Leverage CISA KEV
CISA’s KEV catalogue can significantly enhance an organisation’s vulnerability management practices by focusing its efforts on vulnerabilities that pose an immediate, real-world threat.
Here’s how organisations can leverage the KEV catalogue to strategically improve their vulnerability management practices:
Prioritisation of Remediation Efforts: The KEV catalogue lists vulnerabilities that have been actively exploited in the wild, which helps organisations prioritise these for remediation over others that may not yet pose an immediate threat. This is especially useful in environments where resources are limited, and not all vulnerabilities can be addressed at once.
Informed Decision-Making: By analysing the root causes of the vulnerabilities listed in the KEV catalogue through frameworks like CWE as shown above, organisations can gain insights into common patterns and weaknesses. This knowledge can guide strategic decisions about where to focus security improvement efforts and how to develop more secure systems.
Compliance with Directives and Enhancing Security Posture: For U.S. federal agencies and even for private sector organisations, aligning with the KEV catalogue can also be part of compliance with cybersecurity directives. By remediating KEV-listed vulnerabilities, organisations not only improve their security posture but also align with best practices and recommendations from a leading cybersecurity authority.
Integration into Vulnerability Management Programs: Organisations can integrate the KEV catalogue into their existing vulnerability management frameworks. The catalogue can serve as a critical input, enabling organisations to prioritise vulnerabilities based on actual exploitation trends. This integration ensures that the vulnerability management process is dynamic and aligned with evolving threat landscapes.
Leveraging Community and Vendor Support: The KEV catalogue is recognised and supported by various security communities and vendors, meaning that there are often readily available patches, mitigation advice, and community support for addressing these vulnerabilities. Many commercial vendors have incorporated KEV into their products to highlight vulnerabilities for prioritisation.
Enhancing Risk Management: By focusing on vulnerabilities that are known to have been exploited, organisations can better manage their cybersecurity risks. The KEV catalogue helps in identifying and addressing the vulnerabilities that are most likely to be used by adversaries, thus directly contributing to reducing the organisation’s overall risk exposure.
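To make the "critical input" idea from the integration point above concrete, here is an added example (not code from the article, from CISA, or from any vendor product) that ranks scanner findings with KEV membership as the dominant factor, then known ransomware use and asset exposure, then CVSS. The field names cveID, dateAdded and knownRansomwareCampaignUse are assumed from CISA's public KEV JSON feed; the feed rows, hosts and CVE IDs are placeholders constructed inline so the script runs offline.

```python
"""Rank scanner findings using a KEV-style feed as the first prioritisation input.
Added example (not from the article or CISA). Field names mirror CISA's public KEV
JSON feed (assumed: cveID, dateAdded, knownRansomwareCampaignUse); all rows are
constructed placeholders."""
import json
from datetime import date

# Constructed KEV-style feed with placeholder CVE IDs (not real catalogue entries).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-1111", "dateAdded": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-2222", "dateAdded": "2022-01-10", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner export: one finding per (host, CVE) with CVSS and exposure.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-1111", "cvss": 7.5, "internet_facing": True},
    {"host": "db-01", "cve": "CVE-0000-3333", "cvss": 9.8, "internet_facing": False},
    {"host": "app-02", "cve": "CVE-0000-2222", "cvss": 6.1, "internet_facing": False},
]

def load_kev(raw):
    """Index the feed by CVE ID so each finding is a constant-time lookup."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def rank_key(finding, kev):
    """KEV membership dominates; ransomware use and exposure break ties,
    CVSS decides last. Tuples sort field by field, so the order matters."""
    entry = kev.get(finding["cve"])
    in_kev = entry is not None
    ransomware = in_kev and entry["knownRansomwareCampaignUse"] == "Known"
    return (in_kev, ransomware, finding["internet_facing"], finding["cvss"])

def prioritise(findings, raw_kev, today):
    """Return findings highest priority first, annotated with KEV context.
    kev_age_days is surfaced because KEV never retires entries, so old
    listings deserve a review rather than automatic top priority."""
    kev = load_kev(raw_kev)
    today = date.fromisoformat(today)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        age = (today - date.fromisoformat(entry["dateAdded"])).days if entry else None
        ranked.append({**f, "in_kev": entry is not None, "kev_age_days": age})
    return sorted(ranked, key=lambda r: rank_key(r, kev), reverse=True)

if __name__ == "__main__":
    for row in prioritise(FINDINGS, KEV_JSON, "2024-06-01"):
        print(row["host"], row["cve"], "KEV" if row["in_kev"] else "-", row["kev_age_days"])
```

Note that the CVSS 9.8 finding on db-01 lands last because it is not in KEV, while the CVSS 6.1 finding on app-02 is ranked above it purely on KEV membership; the age column is what lets a team apply the context-driven judgement CISA recommends for older entries.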
CISA KEV Limitations
While CISA KEV can prove to be a valuable resource for organisations that incorporate it within their vulnerability management practices, it also has certain limitations that organisations need to be aware of.
Some of these limitations include:
Lack of Transparency — CISA has stated that it uses sources such as industry partners, security researchers, and government entities to identify exploitation activity; however, the process and the resources used to obtain threat intelligence on exploitation activity have not been very transparent.
Discrepancy in Coverage — The catalogue has missed certain vulnerabilities that other studies have shown to be exploited. For example, the Qualys study above shows that CISA KEV had missed 97 vulnerabilities, whereas another study conducted by the Cyentia Institute highlights that the KEV catalogue covers far fewer vulnerabilities than have been identified as exploited in the wild. Again, this may come down to the process followed by CISA, or to the U.S. government-centric focus of the KEV catalogue.
Recency Bias — The study conducted by the Cyentia Institute also highlights a recency bias in the vulnerabilities included in the KEV catalogue. Even though the earliest vulnerability in the catalogue is CVE-2002-0367, the KEV is skewed towards recent vulnerabilities, whereas, as per this study, the vulnerabilities currently being exploited by threat actors are much more uniformly distributed across the years.
Static Resource — The KEV catalogue functions as a static resource, meaning once a vulnerability is listed, it remains there indefinitely, even if the exploitation activity has stopped after a while. This could lead to a catalogue filled with outdated entries where no recent exploitation activity has been observed, rendering some listings potentially irrelevant over time. This highlights the need for periodic review to ensure the relevance of vulnerabilities in the catalogue.
Prevalence or Frequency of Exploitation — The KEV catalogue does not indicate the prevalence or frequency of exploitation for a given vulnerability; it does not specify whether a vulnerability was exploited just once or if it was targeted hundreds of thousands of times. This lack of detailed information can impact an organisation’s ability to assess the actual risk and urgency associated with each listed vulnerability.
Prioritisation within KEV — As the KEV catalogue exceeds 1,000 vulnerabilities, organisations want to understand how to prioritise vulnerabilities within the catalogue itself. As per CISA, the answer is nuanced and highly dependent on how a vulnerable product is used within an organisation’s specific environment. This context-driven approach is crucial for effectively addressing the most critical vulnerabilities according to the organisation’s unique operational needs.
Final Thoughts
There is no doubt that the CISA KEV can be a valuable resource for any vulnerability management program, empowering organisations to focus on and proactively address the most severe threats. Organisations should seriously consider incorporating KEV into their existing vulnerability management practices to derive immediate benefits and to strategically reduce cybersecurity risk.
Simultaneously, it is crucial for organisations to balance their approach to implementing KEV by recognising its limitations and understanding how to best utilise it within their comprehensive vulnerability management strategy. This will optimise its value while avoiding excessive reliance on the KEV catalogue alone.