Reducing the Significant Risk of Known Exploited Vulnerabilities (2023)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.

All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. Although not bound by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT) governments and private industry can significantly strengthen their security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well. CISA strongly recommends all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan. Doing so will build collective resilience across the cybersecurity community.

How should organizations use the KEV catalog?

The KEV catalog sends a clear message to all organizations to prioritize remediation efforts on the subset of vulnerabilities that are causing immediate harm based on adversary activity. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework. Vulnerability management frameworks—such as the Stakeholder-Specific Vulnerability Categorization (SSVC) model—consider a vulnerability's exploitation status and the KEV catalog serves as the authoritative repository of that information. Organizations should also consider using automated vulnerability and patch management tools that automatically incorporate and flag or prioritize KEV vulnerabilities. Examples of such tools include CISA's cyber hygiene services, Palo Alto Networks Cortex, Tenable Nessus, Runecast, Qualys VMDR, Wiz, Rapid7 InsightVM, and Rapid7 Nexpose. Organizations with additional tools that are incorporating the KEV vulnerabilities can be added to this list by emailing CISA.JCDC@CISA.DHS.GOV.

The following sections detail the criteria behind each of the three thresholds for KEV catalog updates, which are:
• The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
• There is reliable evidence that the vulnerability has been actively exploited in the wild.
• There is a clear remediation action for the vulnerability, such as a vendor-provided update.

Criteria #1 – Assigned CVE ID

The first criterion for adding a vulnerability to the KEV catalog is the assignment of a CVE ID. A CVE ID—also known as CVE identifier, CVE record, CVE name, CVE number, and CVE—is a unique, common identifier for a publicly known cybersecurity vulnerability. (See https://www.cve.org/ResourcesSupport/FAQs.)

The CVE Program is sponsored by CISA and run by a non-profit, federally funded, research and development center (FFRDC), which is operated by The MITRE Corporation. The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. (See https://www.cve.org/About/Overview.)

The process of obtaining a CVE ID begins with the discovery of a potential cybersecurity vulnerability. The information is then assigned a CVE ID by a CVE Numbering Authority (CNA). (See https://www.cve.org/About/Process#CVERecordLifecycle.) A CNA is an organization authorized to assign and populate CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope. Becoming a CNA is voluntary. A CNA can be a software vendor, open-source project, coordination center, bug bounty service provider, or research group. (See https://www.cve.org/ProgramOrganization/CNAs.)

After the CNA creates the CVE record, including a description and references, MITRE posts it on the CVE website. (See https://www.cve.org/About/Process#CVERecordLifecycle.)

The MITRE CVE® List website (https://cve.mitre.org/cve) and the National Vulnerability Database (NVD) website (https://nvd.nist.gov/), maintained by the National Institute of Standards and Technology (NIST), provide a running list of all assigned CVEs. The NVD is synchronized with CVE such that any updates to CVE appear immediately on the NVD. It augments the information provided by the CVE List with a database of security checklist references, security-related software flaws, misconfigurations, product names, impact metrics, and a search engine. (See https://nvd.nist.gov/general/FAQ-Sections/General-FAQs.)

According to https://www.cve.org/About/Process#CVERecordLifecycle, a CVE entry can be in one of three states:

  1. Reserved: The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA. If the CVE record shows as reserved, visitors/users can submit a CVE Request to MITRE via https://cveform.mitre.org/ to request the CVE record be published. In the form, select “Request Type” as “Other” and “Type of comment” as “Issue.”
  2. Published: When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
  3. Rejected: If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid.


Criteria #2 – Active Exploitation

The term “exploitable” refers to how easily an attacker can take advantage of a vulnerability. It evaluates various aspects such as: availability of a public proof-of-concept (PoC), network accessibility, unprivileged access, wormability, and skill-level needed to carry out the exploit. Wormability refers to a cyberattack that can spread from one machine to another without user interaction. An analysis of a vulnerability's exploitability can assist in determining the severity of the vulnerability.

However, a vulnerability's exploitability is not a criterion for inclusion in the KEV catalog. Rather, the main criterion for KEV catalog inclusion is whether the vulnerability has been exploited or is under active exploitation. These two terms refer to the use of malicious code by an individual to take advantage of a vulnerability. In reference to the KEV catalog, active exploitation and exploited are synonymous.

A vulnerability under active exploitation is one for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner.

Active exploitation, in reference to the KEV catalog, also includes attempted exploitation and successful exploitation.

  • Attempted exploitation occurs when an attacker executes code on a target system, but the code does not execute due to the system not being vulnerable, the system being a honeypot, etc. A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Successful malicious code execution on a honeypot is considered attempted exploitation because the attacker does not obtain actual target information.
  • Successful exploitation occurs when an attacker successfully exploits vulnerable code on a target system, allowing them to perform additional, unauthorized actions on that system or network.

The two key takeaways for active exploitation are: the intent of the actor is to succeed in exploitation and the attack(s) occurred in real time, or “in the wild.”

Events that do not constitute active exploitation, in relation to the KEV catalog, include:

  • Scanning
  • Security research of an exploit
  • Proof of Concept (PoC)

PoC is the code for a vulnerability that, when executed, would allow for exploitation. Exchange of PoC between security researchers and vendors occurs regularly to demonstrate how the vulnerability can be exploited and to assist vendors in developing a patch for the vulnerability. Making PoC publicly available can increase the likelihood of an attacker exploiting the vulnerability in the wild. However, the public availability of a PoC does not automatically indicate the vulnerability has been or will be exploited. Having a publicly available PoC is not a requirement for a vulnerability to be included in the KEV catalog.

Criteria #3 – Clear Remediation Guidance

CISA adds known exploited vulnerabilities to the catalog when there is a clear action for the affected organization to take. The remediation action referenced in BOD 22-01 requires federal civilian executive branch (FCEB) agencies to take the following actions for all vulnerabilities in the KEV, and CISA strongly encourages all organizations to do the same:

  • Apply updates per vendor instructions. There is an update available from the security vendor, and users should apply it.
  • Remove from agency networks if the impacted product is end-of-life or cannot be updated otherwise.

Mitigations are temporary solutions users can implement to prevent a vulnerability's exploitation. For example, see Mitigating Attacks Against Uninterruptible Power Supply Devices, which provides best-practice guidance to prevent exploitation of uninterruptible power supply (UPS) devices.

A workaround involves implementing manual changes to an affected product to protect a vulnerable system from exploitation until the vendor releases a formal security patch. It is a best practice for users to transition from a workaround to an official patch when one becomes available. However, implementing a workaround is recommended over leaving a product vulnerable.
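As an added example (not CISA's code or tooling), the following Python script shows how the KEV catalog can feed a prioritization step the way the guidance above describes: findings that match a KEV entry are ranked ahead of everything else regardless of CVSS, sorted by KEV due date, and tagged with the BOD 22-01 outcome (apply updates or remove the product). The catalog records, CVE IDs, asset inventory and reference date are all constructed; the field names only mimic those of CISA's public KEV JSON feed.

```python
"""Rank scanner findings against a KEV-style catalog (added example, not CISA code).

The catalog below is constructed and only mimics the field names used by
CISA's public KEV JSON feed (cveID, vendorProject, product, requiredAction,
dateAdded, dueDate); the inventory and every CVE ID are placeholders.
"""
import json
import re
from datetime import date

# Criterion #1: every KEV entry carries an assigned CVE ID. This matches the
# CVE ID syntax, CVE-<year>-<sequence>, with four or more sequence digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

AS_OF = date(2023, 1, 20)  # demo reference date so results are reproducible (assumption)

# Constructed catalog; the third record has a malformed ID on purpose.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "requiredAction": "Apply updates per vendor instructions.",
     "dateAdded": "2023-01-10", "dueDate": "2023-01-31"},
    {"cveID": "CVE-2022-00002", "vendorProject": "ExampleVendor", "product": "LegacyVPN",
     "requiredAction": "The impacted product is end-of-life and should be "
                       "disconnected if still in use.",
     "dateAdded": "2022-12-01", "dueDate": "2022-12-22"},
    {"cveID": "not-a-cve", "vendorProject": "Bogus", "product": "X",
     "requiredAction": "Apply updates per vendor instructions.",
     "dateAdded": "2023-01-10", "dueDate": "2023-01-31"},
]})

# Constructed scanner output: (asset, CVE ID, CVSS base score).
INVENTORY = [
    ("web-01", "CVE-2023-00001", 7.5),
    ("vpn-legacy", "CVE-2022-00002", 6.1),
    ("db-02", "CVE-2023-09999", 9.8),   # critical CVSS, but not in KEV
    ("web-02", "cve-2023-00001", 7.5),  # lowercase ID must still match
]


def load_kev(raw_json):
    """Parse a KEV-style feed into {CVE ID: entry}, skipping malformed IDs."""
    catalog = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        cve = entry.get("cveID", "").upper()
        if CVE_ID_RE.match(cve):
            catalog[cve] = entry
    return catalog


def classify_action(required_action):
    """Map requiredAction text onto the two BOD 22-01 outcomes: update or remove."""
    text = required_action.lower()
    if "end-of-life" in text or "disconnect" in text or "remove" in text:
        return "remove"
    return "update"


def prioritize(inventory, catalog, today):
    """Order findings KEV-first, then by KEV due date, then by CVSS descending."""
    # CVSS alone never lifts a non-KEV finding above a KEV hit; the KEV due date
    # and an overdue flag relative to `today` drive the order within KEV hits.
    results = []
    for asset, cve, cvss in inventory:
        cve = cve.upper()
        entry = catalog.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        results.append({
            "asset": asset, "cve": cve, "cvss": cvss, "kev": entry is not None,
            "due": due, "overdue": bool(due and due < today),
            "action": classify_action(entry["requiredAction"]) if entry else "update",
        })
    results.sort(key=lambda r: (not r["kev"], r["due"] or date.max, -r["cvss"]))
    return results


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), AS_OF):
        print(f"{r['asset']:<11} {r['cve']:<15} kev={r['kev']!s:<5} "
              f"due={r['due']} overdue={r['overdue']} action={r['action']}")
```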

Note: CISA relies on stakeholder feedback to improve its services to the cybersecurity community. To provide feedback on the KEV catalog criteria and process, email CISA.JCDC@CISA.DHS.GOV.

FAQs

What will happen if a vulnerability is exploited and who exploits vulnerabilities?

A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerability, an attacker can run malicious code, install malware, and even steal sensitive data.

How can a vulnerability be exploited?

Some vulnerabilities can only be exploited by an attacker working locally, either with direct access to the device itself or over a local network. In these cases, the attacker may be an authorized user trying to gain unauthorized privileges or access, or an on-the-spot intruder.

What is CISA known exploited vulnerabilities?

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.

What is the first step in a vulnerability exploitation?

Security teams and hackers find new vulnerabilities regularly, such as Log4Shell, so it's important to scan often. The first step of the vulnerability remediation process, therefore, is to scan for and find security vulnerabilities.

Which vulnerability is exploited the most?

The top 5 most routinely exploited vulnerabilities of 2021
  1. Log4Shell. CVE-2021-44228, commonly referred to as Log4Shell or Logjam. ...
  2. CVE-2021-40539. ...
  3. ProxyShell. ...
  4. ProxyLogon. ...
  5. CVE-2021-26084.

What is exploit with example?

transitive verb. : to make productive use of : utilize. exploiting your talents. exploit your opponent's weakness. : to make use of meanly or unfairly for one's own advantage.

How can we prevent vulnerability?

5 Ways to Feel Less Vulnerable
  1. Stop Giving Away Your Power. ...
  2. Examine Why It's "Good" to Be a Victim. ...
  3. Develop Your Core Self. ...
  4. Align Yourself with the Flow of Evolution, or Personal Growth. ...
  5. Trust in a Power that Transcends Everyday Reality.

What are the 4 main types of vulnerability examples?

According to the different types of losses, the vulnerability can be defined as physical vulnerability, economic vulnerability, social vulnerability and environmental vulnerability.

What are some vulnerability examples?

11 examples of vulnerability
  • Telling someone when they've upset you, respectfully but honestly.
  • Sharing something personal about yourself that you normally wouldn't.
  • Admitting to mistakes you have made in the past.
  • Being willing to feel difficult emotions like shame, grief, or fear.

What are the 4 main types of security vulnerability?

Security Vulnerability Types
  • Network Vulnerabilities. These are issues with a network's hardware or software that expose it to possible intrusion by an outside party. ...
  • Operating System Vulnerabilities. ...
  • Human Vulnerabilities. ...
  • Process Vulnerabilities.

What are the 3 vulnerabilities?

Here are three system vulnerabilities you should be on the lookout for on your systems.
...
3 Vulnerabilities to be on the Lookout for to protect your data
  • Security Misconfigurations. What is a security misconfiguration? ...
  • Sensitive Data Exposure. ...
  • Cross-Site Request Forgery (CSRF)

What type of vulnerabilities can cyber crime exploit?

Out-of-date or Unpatched Software

These unpatched vulnerabilities can be exploited by attackers to steal sensitive information. To minimize these kinds of risks, it is essential to establish a patch management schedule so that all the latest system patches are implemented as soon as they are released.

What are the three (3) types of network service vulnerabilities?

At the broadest level, network vulnerabilities fall into three categories: hardware-based, software-based, and human-based.

What is a vulnerability strategy?

A robust vulnerability management strategy allows a business to identify potential security gaps in their cybersecurity systems, including access points hackers can use to gain entry into their networks.

How do I complete a vulnerability assessment?

Steps to conducting a proper vulnerability assessment
  1. Identify where you store your most sensitive data.
  2. Uncover hidden sources of data.
  3. Identify which servers run mission-critical applications.
  4. Identify which systems and networks to access.
  5. Review all ports and processes and check for misconfigurations.

What is vulnerability exploit threat?

A threat refers to the hypothetical event wherein an attacker uses the vulnerability. The threat itself will normally have an exploit involved, as it's a common way hackers will make their move. A hacker may use multiple exploits at the same time after assessing what will bring the most reward.

What is a vulnerability, an exploit and a risk?

A threat exploits a vulnerability and can damage or destroy an asset. Vulnerability refers to a weakness in your hardware, software, or procedures. (In other words, it's a way hackers could easily find their way into your system.) And risk refers to the potential for lost, damaged, or destroyed assets.

What does exploit mean?

As a verb, exploit commonly means to selfishly take advantage of someone in order to profit from them or otherwise benefit oneself. As a noun, exploit means a notable or heroic accomplishment.

What is the meaning of exploit in security?

An exploit is a code that takes advantage of a software vulnerability or security flaw. It is written either by security researchers as a proof-of-concept threat or by malicious actors for use in their operations.

Why is reducing vulnerability important?

Vulnerability reduction aims to decrease community susceptibility and increase community resilience, and can focus on emergencies thus preventing many disasters. Vulnerability reduction protects human development, and prepared communities can maintain and improve their level of development.

How will you reduce the effects of risk factors underlying disasters?

Prevent new and reduce existing disaster risk through the implementation of integrated and inclusive economic, structural, legal, social, health, cultural, educational, environmental, technological, political and institutional measures that prevent and reduce hazard exposure and vulnerability to disaster, increase ...

How can I improve my vulnerability at work?

4 ways to practise vulnerability at work
  1. Model emotional vulnerability. ...
  2. Start small and learn to read the room. ...
  3. Get comfortable with being uncomfortable. ...
  4. Focus on building relationships more than building the business.

What is vulnerability and why is it important?

“Vulnerability allows us to open up about how we feel and in turn helps us feel less alone or isolated. Sometimes we just need to be heard and other times we need advice or support/accountability.”

What are the causes of vulnerability?

  • Underlying causes. Poverty.
  • Dynamic pressures. Lack of.
  • Unsafe conditions. Fragile physical environment.
  • Trigger event. Earthquake.

What is the most common vulnerability?

What Are the OWASP Top 10 Vulnerabilities for 2022?
  1. Broken access control. ...
  2. Cryptographic failures. ...
  3. Injections. ...
  4. Insecure design. ...
  5. Security misconfigurations. ...
  6. Vulnerable and outdated components. ...
  7. Identification and authentication failures. ...
  8. Software and data integrity failures.

What are the four steps to vulnerability management?

The vulnerability management process can be broken down into the following four steps:
  1. Identifying Vulnerabilities.
  2. Evaluating Vulnerabilities.
  3. Treating Vulnerabilities.
  4. Reporting Vulnerabilities.

What is vulnerability in a sentence?

Vulnerability sentence example. I see weakness and vulnerability as I do everyone. I will not be a vulnerability the Others can exploit, she said. This is more common in women, given the increased vulnerability of a shorter urethra.

What is your vulnerability?

Being vulnerable means living your most authentic life, no matter how difficult or terrifying it might be. You must show up as your true self with all of your hopes, desires, fear, and flaws. Only then can you experience the acceptance that we all need to feel a genuine sense of belonging.

How does vulnerability affect a person's life?

Vulnerability is characterised by a range of emotional and practical consequences, including heightened stress levels, time pressures, a lack of perspective, poor decision-making, an inability to plan ahead and foresee problems, and changing attitudes towards risk-taking.

What is the most common cause of vulnerability in a system?

One of the most common process vulnerabilities is an authentication weakness, where users, and even IT administrators, use weak passwords. Human vulnerabilities are created by user errors that can expose networks, hardware, and sensitive data to malicious actors.

What are the 5 types of vulnerability?

One classification scheme for identifying vulnerability in subjects identifies five different types-cognitive or communicative, institutional or deferential, medical, economic, and social. Each of these types of vulnerability requires somewhat different protective measures.

What are the 6 types of vulnerability?

In a list that is intended to be exhaustively applicable to research subjects, six discrete types of vulnerability will be distinguished—cognitive, juridic, deferential, medical, allocational, and infrastructural.

Can you give me an example of common security vulnerabilities?

The most common software security vulnerabilities include: Missing data encryption. OS command injection. SQL injection.

What is vulnerability and its types?

Types of vulnerability include social, cognitive, environmental, emotional or military. In relation to hazards and disasters, vulnerability is a concept that links the relationship that people have with their environment to social forces and institutions and the cultural values that sustain and contest them.

What is threat and vulnerability with example?

A threat and a vulnerability are not one and the same. A threat is a person or event that has the potential for impacting a valuable resource in a negative manner. A vulnerability is that quality of a resource or its environment that allows the threat to be realized. An armed bank robber is an example of a threat.

Where can you find common vulnerabilities and exploits?

The latest version of the CVE list can always be found on cve.mitre.org. While the CVE list is free, it can be hard to know which vulnerabilities affect your organization without additional tools. This is why many organizations now use tools that monitor for changes in the CVE list that affect them.

What is the example of exploit in cyber security?

Types of computer exploits

Some of the most common web-based security vulnerabilities include SQL injection attacks, cross-site scripting and cross-site request forgery, as well as abuse of broken authentication code or security misconfigurations.

What is the relationship between a vulnerability and an exploit?

As we've written before, a vulnerability is a weakness in a software system. And an exploit is an attack that leverages that vulnerability. So while vulnerable means there is theoretically a way to exploit something (i.e., a vulnerability exists), exploitable means that there is a definite path to doing so in the wild.

What is the possibility when a threat exploits vulnerability?

Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.

Is a possible danger that might exploit a vulnerability?

In computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.

What is an example of an exploit?

Exploit is defined as to use someone or something to achieve one's own purposes. An example of exploit is to pretend to befriend an intelligent student in class for the sole purpose of copying his homework.

What is an example of exploit in a sentence?

Example Sentences

Top athletes are able to exploit their opponents' weaknesses. She said the tragedy had been exploited by the media.

What is vulnerability? Short answer

What does Vulnerability mean? Vulnerability is the inability to resist a hazard or to respond when a disaster has occurred. For instance, people who live on plains are more vulnerable to floods than people who live higher up.

What is an example of a vulnerability?

Below are some examples of vulnerability: A weakness in a firewall that can lead to malicious hackers getting into a computer network. Lack of security cameras. Unlocked doors at businesses.

What is risk, threat and vulnerability with examples?

  • Vulnerability: a password is vulnerable to dictionary or exhaustive key attacks.
  • Threat: an intruder can exploit the password weakness to break into the system.
  • Risk: the resources within the system are prone to illegal access, modification or damage by the intruder.
Who is the enemy?

What is more important to focus on, threats or vulnerabilities?

It is a truth that it is always better to try and eliminate vulnerabilities in any security system rather than merely focus on perceived threats.

What are the benefits of facing your vulnerabilities?

Being vulnerable can help us to work through our emotions easier (rather than pushing them away). Vulnerability fosters good emotional and mental health. Vulnerability also is a sign of courage. We become more resilient and brave when we embrace who we truly are and what we are feeling.

Who all can exploit cyber vulnerabilities?

A person who is knowledgeable in process equipment, networks, operating systems and software applications can use these and other electronic means to gain access to the CS. Wireless access points that allow unauthorized connection to system components and networks present vulnerabilities.

Article information

Author: Kareem Mueller DO

Last Updated: 01/28/2023
