June 14, 2023 By Jonathan Reed 4 min read

CISA’s Known Exploited Vulnerabilities (KEV) catalog is the authoritative source of information on past or currently exploited vulnerabilities. In a new report, the Rezilion research team analyzed vulnerabilities in the current KEV catalog. The results revealed a whopping 15 million vulnerable instances. And the majority of the occurrences were Microsoft Windows instances.

Rezilion notes that KEV catalog vulnerabilities are frequent targets of advanced persistent threat (APT) Groups. And this wide-open attack surface remains unaddressed largely due to a lack of awareness and action.

Massive security gap

The CISA KEV catalog currently has 896 vulnerabilities, with new entries added regularly. Most of these vulnerabilities are considered highly dangerous, with 250 marked as critical and 535 marked as high risk. Rezilion’s research also discovered that the vulnerabilities listed in the catalog are just a fraction (less than 1%) of the total vulnerabilities discovered each year.

KEVs are frequently exploited both by APT groups and by financially motivated attackers. The APT groups targeting KEVs are typically linked to nation-states such as China, Russia, Iran and North Korea. The report’s findings show that millions of systems remain vulnerable to these exploits, even though patches exist to fix them.

KEV research methodology

The Rezilion study analyzed common vulnerabilities and exposures (CVEs) contained in the CISA KEV catalog. They used resources such as GreyNoise and Shodan to identify past and present attack surfaces. These include:

  • CISA KEV: Maintained by CISA, the catalog is an authoritative source regarding vulnerabilities in various software and hardware products. The vulnerabilities have either been exploited in the past or are still under active exploitation.
  • Shodan.io: A search engine for internet-connected devices. Shodan gathers information about internet devices and collects data from banners (metadata about software running on a device).
  • GreyNoise.io: GreyNoise collects packets from the IP addresses that scan the internet every day. GreyNoise analyzes and enriches this data to identify behavior, methods and intent. This provides insight into exploitation attempts.

Important CVEs to stay aware of

It’s important to consider two factors regarding CVEs. First, CVE severity is measured by a Common Vulnerability Scoring System (CVSS) score. CVSS provides a standardized way to assess the severity of vulnerabilities, using a numerical score from zero to 10. The score is based on metrics that assess the exploitability and impact of the vulnerability, as well as the availability of mitigations.

However, the CVSS score is based on the potential impact of the vulnerability, not on whether the vulnerability is being actively exploited or not. For this reason, Rezilion also reports on GreyNoise results and exploitation attempts.

For example, in the following chart, you can see that CVE-2022-26134 is a highly dangerous CVE. It had a high GreyNoise score and the most exploitation attempts. CVE-2022-26134 also ranked as Critical (9.8) using CVSS scoring.

Source: Rezilion (Top 10 Vulnerabilities)

The Rezilion report also provided a list of the top vulnerable products ranked by the number of vulnerabilities per product.

Source: Rezilion (Top Vulnerable Products)

Beware of these KEVs

Some KEVs are particularly notorious for their level of severity and frequency of real-world exploitation. Some of the more notable KEVs, as per Rezilion, include:

ProxyShell — CVE-2021-34523, CVE-2021-34473, CVE-2021-31207

  • Iranian hackers are known to be exploiting these CVEs. They affect Microsoft Exchange Servers and can be chained together to let a remote attacker execute code. The vulnerability is found in the Microsoft Exchange Client Access Service, which listens on port 443. This port is commonly exposed to the internet because it lets users access email from mobile devices and browsers.

ProxyLogon — CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065

  • These vulnerabilities are being exploited by Russian state-sponsored APT actors and Chinese APT actors. This CVE group affects Microsoft Exchange Servers; the vulnerabilities can be chained together to let an unauthenticated attacker achieve remote code execution. Intruders can gain full control over the Exchange Servers, access sensitive information and impersonate a trusted identity on the network.

Log4Shell — CVE-2021-44228

  • The vulnerability affects the Log4J2 package versions 2.0-beta9 up to and excluding 2.17.0. Attackers who control log messages or log message parameters can trigger the creation of a crafted log entry that executes code on the server. Because the vulnerable component is the logging library itself, checking for vulnerable machines means inspecting the server directly rather than relying on exposed banners. Iranian and Chinese APT actors have exploited this vulnerability.

Start patching now

Many KEVs are severe, and they are being actively exploited — but the vast majority also have an existing patch. So how many unpatched systems are out there? To find out, Rezilion used Shodan to identify publicly facing assets still vulnerable to CVEs in the CISA KEV catalog.

Unfortunately, the analysis identified publicly facing vulnerable instances for over 200 CVEs from the catalog. This equals over 15 million vulnerable instances. The majority of these instances were vulnerable Microsoft Windows instances. Furthermore, these Windows vulnerabilities represent the highest risk in terms of applicable attack surface, with over 7 million vulnerable publicly facing instances.

Apart from Microsoft Windows vulnerabilities, 40% of the top 10 CVEs are more than five years old. This means that over 800,000 machines are still exposed to these CVEs. Rezilion identified over 4.5 million internet-facing devices as vulnerable to KEVs discovered between 2010 and 2020. What’s worse is that these vulnerabilities have remained unpatched for years, even though fixes have been available the whole time.

Take action to secure KEVs

Rezilion advises organizations to focus on remediating environment components that both contain KEVs and are loaded to memory. They recommend the following two-step process:

  1. Identify which vulnerabilities are exploitable through runtime validation. Since most vulnerabilities in code are never loaded to memory or executed, this step eliminates 85% of the initial backlog.
  2. Use the CISA KEV catalog or other threat intelligence sources as part of an ongoing vulnerability management strategy. Identify vulnerabilities that require immediate patching as attackers are actively exploiting them.

An actionable software bill of materials (SBOM) and a vulnerability management strategy are essential tools to gain visibility into your attack surface. Priority should be based on CVSS score, proven exploitation activity and mission-critical instances.
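The CVSS-versus-exploitation point made earlier and the two-step process above both come down to the same triage rule: a finding that is in the KEV catalog and actually loaded at runtime outranks a higher-CVSS finding that is neither. The script below is an added example written for this article; it is not Rezilion’s tooling or CISA’s code. It parses a constructed excerpt in the shape of CISA’s public KEV JSON feed (the field names cveID, vendorProject, product, dueDate and requiredAction follow that feed as I know it; treat them as an assumption), takes a constructed list of scanner or SBOM findings with a hypothetical `loaded` flag from runtime validation, and orders them into tiers. The CVE IDs for Log4Shell, ProxyShell and Confluence are the ones named on the page; the dates and the CVE-2099-* entries are placeholders.

```python
"""Prioritise CVE findings against the CISA KEV catalog.

Added example, not Rezilion's or CISA's code. KEV record fields follow the
public feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
as I know it (assumption). All records and findings below are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed. Dates are placeholders.
KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA KEV (constructed sample, not the live catalog)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-26134", "vendorProject": "Atlassian",
         "product": "Confluence Server and Data Center",
         "vulnerabilityName": "Atlassian Confluence Remote Code Execution Vulnerability",
         "dateAdded": "2022-06-02", "dueDate": "2022-06-06",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner/SBOM output. "loaded" is a hypothetical flag that a
# runtime-validation step would set when the component is loaded in memory.
SCAN_FINDINGS = [
    {"cve": "CVE-2021-44228", "component": "log4j-core 2.14.1", "cvss": 10.0, "loaded": True},
    {"cve": "CVE-2021-34473", "component": "Exchange Server 2019", "cvss": 9.8, "loaded": True},
    {"cve": "CVE-2022-26134", "component": "confluence 7.13.0", "cvss": 9.8, "loaded": False},
    {"cve": "CVE-2099-0001", "component": "example-lib 1.0", "cvss": 9.1, "loaded": True},
    {"cve": "CVE-2099-0002", "component": "other-lib 3.2", "cvss": 5.3, "loaded": False},
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed document by CVE ID."""
    doc = json.loads(feed_json)
    return {rec["cveID"]: rec for rec in doc["vulnerabilities"]}


def tier(finding: dict, kev: dict) -> int:
    """Tier 1: in KEV and loaded at runtime; 2: in KEV but not loaded;
    3: not in KEV but CVSS critical (>= 9.0); 4: everything else."""
    in_kev = finding["cve"] in kev
    if in_kev and finding["loaded"]:
        return 1
    if in_kev:
        return 2
    if finding["cvss"] >= 9.0:
        return 3
    return 4


def prioritise(findings: list, kev: dict, today: date) -> list:
    """Return findings ordered by tier, then by how far past the CISA due
    date they are, then by CVSS. KEV membership and runtime exposure beat
    raw CVSS, which is the point the article makes."""
    rows = []
    for f in findings:
        rec = kev.get(f["cve"])
        due = date.fromisoformat(rec["dueDate"]) if rec else None
        overdue = (today - due).days if due and today > due else 0
        rows.append({
            "cve": f["cve"],
            "component": f["component"],
            "cvss": f["cvss"],
            "tier": tier(f, kev),
            "in_kev": rec is not None,
            "overdue_days": overdue,
            "required_action": rec["requiredAction"] if rec else "",
        })
    rows.sort(key=lambda r: (r["tier"], -r["overdue_days"], -r["cvss"]))
    return rows


def runtime_backlog_reduction(findings: list) -> float:
    """Fraction of findings that step 1 (runtime validation) removes
    from the immediate backlog because the component is never loaded."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if not f["loaded"]) / len(findings)


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_SAMPLE)
    for r in prioritise(SCAN_FINDINGS, kev, date(2023, 6, 14)):
        print(f"P{r['tier']} {r['cve']:<15} {r['component']:<22} "
              f"CVSS {r['cvss']:<4} KEV={r['in_kev']!s:<5} overdue={r['overdue_days']}d")
    print(f"runtime validation trims {runtime_backlog_reduction(SCAN_FINDINGS):.0%} of the backlog")
```

Against the live feed you would replace `KEV_FEED_SAMPLE` with the downloaded JSON and `SCAN_FINDINGS` with your scanner export; the ordering rule stays the same. Note that the placeholder CVE with CVSS 9.1 lands below every KEV entry, including the one that is not loaded, which is exactly the reordering that CVSS alone would not give you.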
