Exploited Vulnerabilities Can Take Months to Make KEV List

Exploited Vulnerabilities Can Take Months to Make KEV List

November 20, 2023 at 06:40PM

The Cybersecurity and Infrastructure Security Agency (CISA) has been criticized for delays in updating its Known Exploited Vulnerabilities (KEV) catalog. The catalog, which lists vulnerabilities that attackers are actively exploiting, often lags behind public disclosure of vulnerabilities and the release of proof-of-concept (PoC) code. CISA’s requirement for clear remediation guidance before adding a vulnerability to the catalog has also been cited as a reason for delays. Organizations are advised not to rely solely on the KEV catalog for vulnerability management and to consider other sources of information.

Key takeaways from the meeting notes:

1. The Cybersecurity and Infrastructure Security Agency (CISA) recently updated the Known Exploited Vulnerabilities (KEV) catalog with five software flaws, including a use-after-free vulnerability in Adobe’s Acrobat and Reader PDF-viewing applications.
2. The vulnerabilities in Adobe’s PDF-viewing products and Juniper’s EX and SRX series network appliances were disclosed and exploited before being added to the KEV list.
3. The KEV catalog should not be the sole source of information for vulnerability management programs. It should be used as one component in a risk-based vulnerability prioritization strategy.
4. Determining if a vulnerability is being used by attackers “in the wild” is challenging. Proof-of-concept (PoC) code and scanning for vulnerabilities do not automatically trigger the “in the wild” criteria.
5. CISA may delay adding a vulnerability to the KEV if there is no clear guidance for remediation. The agency requires a “clear remediation action” to be available for a vulnerability before adding it to the catalog.
6. Companies are advised to not solely rely on the KEV catalog and to consider other databases and sources for prioritizing patching, such as FIRST’s Exploit Prediction Scoring System, ransomware prediction models, and Flashpoint’s VulnDB exploit classification. However, even these sources have their challenges in terms of verification and accuracy.

Full Article