CISA’s Known Exploited Vulnerabilities (KEV) catalog is the authoritative source of information on past or currently exploited vulnerabilities. In a new report, the Rezilion research team analyzed vulnerabilities in the current KEV catalog. The results revealed a whopping 15 million vulnerable instances. And the majority of the occurrences were Microsoft Windows instances.

Rezilion notes that KEV catalog vulnerabilities are frequent targets of advanced persistent threat (APT) Groups. And this wide-open attack surface remains unaddressed largely due to a lack of awareness and action.

Massive security gap

The CISA KEV catalog currently has 896 vulnerabilities, with new entries added regularly. Most of these vulnerabilities are considered highly dangerous, with 250 marked as critical and 535 marked as high risk. Rezilion’s research also discovered that the vulnerabilities listed in the catalog are just a fraction (less than 1%) of the total vulnerabilities discovered each year.

KEVs are frequently exploited by APT groups and other financially motivated attackers. Typical attackers targeting KEVs are linked to nation-states, such as China, Russia, Iran and North Korea. The report’s findings show that millions of systems remain vulnerable to these exploits, even though patches exist to fix them.

KEV research methodology

The Rezilion study analyzed common vulnerabilities and exposures (CVEs) contained in the CISA KEV catalog. They used resources such as GreyNoise and Shodan to identify past and present attack surfaces. These include:

• CISA KEV: Maintained by CISA, the catalog is an authoritative source regarding vulnerabilities in various software and hardware products. The vulnerabilities have either been exploited in the past or are still under active exploitation.
• Shodan.io: A search engine for internet-connected devices. Shodan gathers information about internet devices and collects data from banners (metadata about software running on a device).
• GreyNoise.io: GreyNoise collects packets from internet protocols (IPs) scanning the internet every day. GreyNoise analyzes and enriches this data to identify behavior, methods and intent. This provides insight into exploitation attempts.

Important CVEs to stay aware of

It’s important to consider two factors regarding CVEs. First, CVE severity is measured by a common vulnerability scoring system (CVSS) score. CVSS provides a standardized way to address the severity of vulnerabilities, using a numerical score from zero to 10. The score is based on metrics that assess the exploitability and impact of the vulnerability, as well as the availability of mitigations.

However, the CVSS score is based on the potential impact of the vulnerability, not on whether the vulnerability is being actively exploited or not. For this reason, Rezilion also reports on GreyNoise results and exploitation attempts.

For example, in the following chart, you can see that CVE-2022-26134 is a highly dangerous CVE. It had a high GreyNoise score and the most exploitation attempts. CVE-2022-26134 also ranked as Critical (9.8) using CVSS scoring.

Source: Rezilion (Top 10 Vulnerabilities)

The Rezilion report also provided a list of the top vulnerable products ranked by the number of vulnerabilities per product.

Source: Rezilion (Top Vulnerable Products)

Beware of these KEVs

Some KEVs are particularly notorious for their level of severity and frequency of real-world exploitation. Some of the more notable KEVs, as per Rezilion, include:

ProxyShell — CVE-2021-34523, CVE-2021-34473, CVE-2021-31207

• Iranian hackers are known to be hacking these CVEs. They affect Microsoft Exchange Servers that can be linked together and enable a remote attacker to execute code. The vulnerability is found in the Microsoft Client Access Service using the 443 port. This port is commonly exposed to the internet as it enables users to access email via mobile devices and browsers.

ProxyLogon — CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065

• These vulnerabilities are being exploited by Russian state-sponsored APT actors and Chinese APT actors. This CVE group affects Microsoft Exchange Servers that can be chained together and cause an unauthenticated attacker to achieve remote code execution. Intruders can gain full control over the Exchange Servers, access sensitive information and fake a trusted identity over the network.

Log4Shell — CVE-2021-44228

• The vulnerability affects the Log4J2 package versions 2.0-beta9 up to and excluding 2.17.0. Attackers that have control over log messages or log message parameters can then trigger the creation of a crafted log that will execute code on a server. To check for vulnerable machines, you need to check the server itself. Iranian APT and Chinese APT Actors are responsible for these hacks.

Start patching now

Many KEVs are severe, and they are being actively exploited — but the vast majority also have an existing patch. So how many unpatched systems are out there? To find out, Rezilion used Shodan to identify publicly facing assets still vulnerable to CVEs in the CISA KEV catalog.

Unfortunately, the analysis identified publicly facing vulnerable instances for over 200 CVEs from the catalog. This equals over 15 million vulnerable instances. The majority of these instances were vulnerable Microsoft Windows instances. Furthermore, these Windows vulnerabilities represent the highest risk in terms of applicable attack surface, with over 7 million vulnerable publicly facing instances.

Apart from Microsoft Windows vulnerabilities, 40% of the top 10 CVEs are more than five years old. This means that over 800,000 machines are still exposed to these CVEs. Rezilion identified over 4.5 million internet-facing devices as vulnerable to KEVs discovered between 2010 and 2020. What’s worse is that these relevant published updates have not been patched for years, even though patches have been released.

Take action to secure KEVs

Rezilion advises organizations to focus on remediating environment components that both contain KEVs and are loaded to memory. They recommend the following two-step process:

1. Identify which vulnerabilities are exploitable through runtime validation. Since most vulnerabilities in code are never loaded to memory or executed, this step eliminates 85% of the initial backlog.
2. Use the CISA KEV catalog or other threat intelligence sources as part of an ongoing vulnerability management strategy. Identify vulnerabilities that require immediate patching as attackers are actively exploiting them.

An actionable software bill of materials (SBOM) and a vulnerability management strategy are essential tools to gain visibility into your attack surface. Priority should be based on CVSS score, proven exploitation activity and mission-critical instances.