Millions still exposed despite available fixes
Although KEV catalog vulnerabilities are frequent targets of APT groups, a large and exploitable attack surface remains because software vendors and users have not acted on the available fixes, according to Rezilion.
The Known Exploited Vulnerabilities (KEV) catalog, maintained by the Cybersecurity and Infrastructure Security Agency (CISA), provides an authoritative source of information on vulnerabilities that have been exploited in the past or are currently under active exploitation by attackers.
In a recent study, the Rezilion research team analyzed all vulnerabilities currently included in the KEV catalog and identified over 15 million vulnerable instances, with the majority being vulnerable Microsoft Windows instances.
The CISA KEV catalog currently contains 896 vulnerabilities, adding new entries almost weekly. Most KEVs are rated as CRITICAL or HIGH (250 marked as CRITICAL and 535 marked as HIGH). Still, researchers found the vulnerabilities in the CISA KEV catalog are only a fraction (less than 1%) of the vulnerabilities discovered each year by organizations.
Yet these vulnerabilities are often the most actively exploited by APT groups and financially motivated threat actors, and they should be highly prioritized. The groups exploiting them are often affiliated with or sponsored by nation-states such as Russia, Iran, China, and North Korea.
Rezilion’s research reveals that millions of systems remain exposed to Known Exploited Vulnerabilities, even though patches already exist to address them.
“Despite the availability of patches for these vulnerabilities, millions of systems remain exposed to attacks. This leaves organizations vulnerable to exploitation from threat actors and Advanced Persistent Threat (APT) groups who often target publicly known vulnerabilities,” said Yotam Perkal, Director of Vulnerability Research with Rezilion.
The study also revealed that while security teams prioritize new vulnerabilities and ones that make headlines, threat actors tend to target publicly known vulnerabilities that have been around for years.
In this context, prioritization based on the likelihood of exploitability can help security teams focus their triage and patching efforts effectively.
The Rezilion research team recommends prioritizing the vulnerability backlog with a two-step process:
- First, identify which vulnerabilities are even exploitable through runtime validation. Since most vulnerable code is never loaded into memory or executed, this step eliminates 85% of the initial backlog.
- Second, use the CISA KEV catalog or other threat intelligence sources as part of an ongoing vulnerability management strategy to identify the vulnerabilities that require immediate patching because attackers are actively exploiting them.
In other words: use runtime validation to understand what matters to your unique environment and then use KEV to identify what’s imminent since attackers are leveraging it in the wild.
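The two-step triage described above, as an added example that is not part of the Rezilion study: a scanner backlog is first filtered by runtime-loaded status, then ranked so that CISA KEV entries (overdue ones first, by CISA's dueDate) sit at the top. The KEV fragment uses the real feed's field names but constructed, placeholder records and CVE ids, and the backlog is also constructed.

```python
import json
from datetime import date

# Constructed fragment in the shape of the CISA KEV JSON feed (same keys as the
# feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# the ids and dates here are placeholders, not real catalog records.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Widget",
     "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Gadget",
     "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0005", "vendorProject": "ExampleCo", "product": "Gizmo",
     "dateAdded": "2023-05-30", "dueDate": "2023-07-01",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed backlog: scanner findings joined with runtime telemetry, where
# "loaded" records whether the affected component was ever observed in memory.
BACKLOG = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "loaded": True},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "loaded": False},
    {"cve": "CVE-0000-0003", "cvss": 9.1, "loaded": True},
    {"cve": "CVE-0000-0004", "cvss": 5.3, "loaded": True},
    {"cve": "CVE-0000-0005", "cvss": 6.0, "loaded": True},
]

def load_kev(raw_json):
    """Index a KEV feed document by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def prioritize(backlog, kev, today_iso):
    """Step 1: drop findings never loaded at runtime. Step 2: rank the rest so
    KEV entries come first, overdue KEV entries before those still within
    CISA's due date, and CVSS breaks ties within each group."""
    today = date.fromisoformat(today_iso)
    reachable = [f for f in backlog if f["loaded"]]
    def rank(f):
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
        return (not in_kev, not overdue, -f["cvss"])
    return sorted(reachable, key=rank)

if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for f in prioritize(BACKLOG, kev, "2023-06-01"):
        print("KEV" if f["cve"] in kev else "   ", f["cve"], f["cvss"])
```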
“It is crucial that organizations prioritize patching vulnerabilities that have already been exploited in the wild. The KEV catalog provides an excellent starting point for this. Combined with runtime validation it narrows down huge backlogs to a handful of patches that must be applied as quickly as possible,” Perkal added.