What are Known Exploited Vulnerabilities?

What are Known Exploited Vulnerabilities?

Known Exploited Vulnerabilities (KEVs) are weaknesses in software, hardware, applications, or systems that are being actively exploited by attackers. KEVs represent a clear and present danger because they offer attackers a proven path to gain access to systems.

Characteristics of Known Exploited Vulnerabilities

The Cybersecurity Infrastructure Security Agency (CISA) maintains a public catalog of KEVs to help organizations prioritize which vulnerabilities to address first. This catalog, in conjunction with the National Vulnerability Database (NVD), offers security professionals a comprehensive perspective about these potentially critical cyber risks. CISA classifies KEVs based on three criteria:

1. Tracked and Reported – Each KEV has a unique Common Vulnerabilities and Exposures (CVE) ID for standardized tracking and reporting within the cybersecurity community.
2. Actively Exploited – There is verifiable evidence that attackers have successfully exploited (or attempted to exploit) the vulnerability. This evidence typically involves attackers executing malicious code on targeted systems without authorization. The CISA KEV catalog considers both successful and attempted exploits. 
3. Patchable or Mitigatable – A solution exists to address the vulnerability, like a security patch provided by the software vendor. This solution can either completely fix the vulnerability or mitigate its impact.

Identifying Known Exploited Vulnerabilities

Security stakeholders can identify Known Exploited Vulnerabilities (KEVs) by using:

• CISA KEV Catalog – The CISA catalog is the primary source for confirmed and actively exploited vulnerabilities. Security teams can regularly review this catalog to identify KEVs relevant to their systems and prioritize remediation efforts.
• Vulnerability Scanners – Security stakeholders can use automated vulnerability scanners to analyze their systems for known weaknesses. These scanners compare system configurations against vulnerability databases, including the NVD and the CISA KEV catalog. If the scanner identifies a CVE ID that matches a KEV, it flags the vulnerability for high-priority attention.
• Security Feeds and Alerts – Many security vendors and organizations offer threat intelligence feeds and vulnerability alerts, which provide notifications about newly discovered or actively exploited vulnerabilities, including KEVs.
• Vendor Security Advisories – Software and hardware vendors play a crucial role in identifying and patching vulnerabilities. Security stakeholders should actively monitor vendor security advisories for information about vulnerabilities that impact their products. These advisories often highlight whether a vulnerability is actively exploited, aiding in KEV identification.

Managing and Mitigating Known Exploited Vulnerabilities

Organizations can better manage and mitigate Known Exploited Vulnerabilities (KEVs) with a multi-pronged approach:

• Prioritization: Security teams leverage the CISA KEV catalog to identify and prioritize critical vulnerabilities. In addition to the catalog ranking of KEVs based on risk level, organizations can further refine prioritization using third-party risk management platforms.
• Patch Management:  DevOps and DevSecOps need to apply updates and patches promptly, especially for widely used software. Vendors frequently release patches to address vulnerabilities, so staying updated is crucial.
• Remediation Actions: IT teams should implement recommended actions listed in the KEV catalog. These actions can include patching, updating software based on vendor instructions, or even discontinuing unsupported software with no available patches. 
• Software Lifecycle Management: IT stakeholders need to remove unused or software that has reached end-of-life. Since these programs lack security updates, they are easy targets for attackers.
• Software Bill of Materials (SBOM): Security and DevOps teams can leverage SBOMs to understand the software components in a given system and each component’s origin.
• Third-party Risk Management: Organizations should implement strong third-party risk management practices. This includes solutions that provide alerts, clear prioritization of risks, and concrete remediation plans for vulnerabilities identified across third-party networks.

KEVs and CTEM

Known Exploited Vulnerabilities (KEVs) and Continuous Threat Exposure Management (CTEM) are closely linked. KEVs represent the most immediate threats as they are actively exploited by attackers. CTEM focuses on identifying and prioritizing these high-risk vulnerabilities. Here’s how they work together:

• CTEM Leverages KEV Catalog: CTEM utilizes the CISA KEV catalog as a primary source to pinpoint actively exploited vulnerabilities within an organization’s systems.
• Prioritization for Remediation: As opposed to traditional vulnerability management that often prioritizes based on theoretical risk, CTEM prioritizes KEVs based on their severity, helping security teams focus on the most critical issues first. 
• Faster Patching: By focusing on KEVs, CTEM enables organizations to patch vulnerabilities exploited in the wild much faster, significantly reducing the attack window for cybercriminals.
• Reduced Risk: This targeted approach to vulnerability management offered by CTEM, fueled by KEV data, helps organizations significantly reduce their overall cyber risk.

CTEM utilizes real-world exploit data (KEVs) to prioritize and address the most critical threats, leading to a more effective and efficient cybersecurity strategy.

How Mature is Your Exposure Management  Program? Discover Where You Stand 

To effectively implement a robust Known Exploited Vulnerabilities (KEV) program, organizations should leverage an exposure management framework. By integrating KEV management with Continuous Threat Exposure Management (CTEM), organizations can systematically identify, prioritize, and mitigate high-risk vulnerabilities. We recommend using our comprehensive maturity model, which transitions from Vulnerability Management (VM) to Exposure Management (EM). This approach helps elevate an organization’s security posture, ensuring they stay ahead of actively exploited threats and maintain a resilient defense against cyberattacks.