In 2022, the number of Known Exploited Vulnerabilities more than doubled by the end of the year, from 311 CVEs to 868. Although operating systems and IoT devices were targeted the most, IoMT (Internet of Medical Things) and ICS/OT (Industrial Control Systems and Operating Technology) were also frequent targets, highlighting the increasingly blurred lines between physical and digital security. These exploitations occur through denial of service attacks, unauthenticated data leaks, compromised credentials, remote compromise and more.

Increasing numbers of Known Exploited Vulnerabilities (KEVs) are being discovered across all industries. Because they are both easy to exploit and rank among the top third-party risks, it’s vital to address them to minimize potential threats along the digital supply chain.

With the number of these critical and high vulnerabilities steadily increasing, how can organizations prioritize and remediate risk?

What are Known Exploited Vulnerabilities (KEVs)?

A Known Exploited Vulnerability (KEV) is a vulnerability in software, hardware, an application, or a system that is actively being exploited by threat actors. Because the weakness is already known and being used, KEVs are easily exploited by cyber attackers, making it crucial for security teams to address these vulnerabilities to prevent a wide variety of cyber incidents.

To infiltrate as many devices as possible, threat actors often take advantage of widely used products such as Apple iOS, Windows or Google Chrome. Products the vendor has declared end-of-life, such as Adobe Flash Player, also carry significant risks.

Examples of Known Exploited Vulnerabilities include:

  • CVE-2023-2033. This Google Chrome vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page, which can cause systems to crash.
  • CVE-2022-4262. This Google Chrome V8 type confusion vulnerability directs users to a specific HTML site to achieve code execution or carry out a denial of service attack on a system.
  • CVE-2022-26134. This vulnerability allows unauthenticated attackers to execute arbitrary code on organizations using Confluence Server and Data Center.
  • CVE-2021-44228. Also known as Log4Shell, this critical zero-day vulnerability affects Log4j 2 packages and is exploited by Iranian and Chinese APT actors. It allows attackers to execute code on a server.
  • CVE-2023-32434. A zero-day Apple vulnerability targeting Apple iOS, iPadOS, macOS and watchOS that allows attackers to perform remote code execution.
  • CVE-2023-27997. This Fortinet Heap-Based Buffer Overflow Vulnerability was added to the CISA KEV catalog in June of this year. It is noteworthy as it was identified as being actively exploited and has the potential to cause significant damage to federal agencies.

How Actors Potentially Exploit Heap Corruption

One of the more dangerous classes of KEV results from heap corruption, or more specifically a Use After Free vulnerability. CVE-2020-9783 in Safari’s WebKit is an example of this type.

Heap corruption occurs when the heap, or dynamically allocated memory, is damaged or exploited. Typical causes are a program freeing memory it is still using, freeing the same block a second time after it has already been freed (a double free), or mishandling chains of linked memory blocks.

A Use After Free (UAF) vulnerability lets attackers run arbitrary code through a dangling pointer: a pointer that still refers to a block of memory after that block has been freed, so the program keeps treating the stale address as a valid allocation. Damage from exploited UAF vulnerabilities includes program crashes, arbitrary code execution, data leaks, authentication bypass, data corruption and takeover of your organization’s systems. Attackers exploit UAFs to escalate privileges or execute malicious code.

Organizations can help defend against UAF exploitation by ensuring pointers are set to null every time memory is freed, or by using smart pointers in C++ so that ownership and lifetime are tracked automatically.

The Cybersecurity and Infrastructure Security Agency (CISA) and KEVs

The Cybersecurity and Infrastructure Security Agency (CISA) is the U.S. cyber defense agency and is also responsible for critical infrastructure security and resilience. To support organizations’ vulnerability management efforts and give them a more objective understanding of cyber risk, CISA launched its Known Exploited Vulnerabilities (KEV) catalog in late 2021 and made it available to the private sector. CISA recommends that organizations incorporate the KEV catalog into their vulnerability management prioritization framework, treating KEVs as critical findings and prioritizing their remediation. It also regularly requires federal agencies to patch newly catalogued KEVs.

CISA maintains a catalog of KEVs to assist organizations in understanding and addressing the critical risks posed by these vulnerabilities. When used alongside the National Vulnerability Database (NVD), the CISA KEV catalog arms teams with a detailed picture of rising risks.

CISA adds vulnerabilities to the KEV catalog based on three criteria

  1. The vulnerability is assigned a Common Vulnerabilities and Exposures (CVE) ID. This ensures standardized tracking and reporting of each vulnerability.
  2. The vulnerability has been actively exploited. In this case, there is reliable evidence that an attacker executed malicious code without the permission of the system owner. The KEV catalog includes cases of both attempted exploitation and successful exploitation.
  3. There is a clear remediation or mitigation action for the vulnerability, such as a vendor-provided update.

In 2021, CISA issued a Binding Operational Directive that required Federal Civilian Executive Branch (FCEB) agencies to remediate high-risk KEVs from before 2023 within six months, and all others within two weeks. In addition, it strongly urges all other organizations to take similar precautions to reduce their exposure to cyberattacks.

How Can Organizations Remediate Vulnerabilities?

According to CISA, 50% of KEVs are exploited within two days of being identified and 75% are exploited in less than a month. With exploitation windows that short, vulnerability management is critical.

Here are a few recommendations: 

  • Prioritize remediation. According to data compiled since 2019, less than 5.5% of known vulnerabilities have been exploited in the wild. CISA recommends using the KEV catalog to prioritize remediation efforts for organizations across all industries. The catalog helps organizations do this by listing KEVs according to their risk level. However, it’s best for any organization to also manage KEVs through a third-party risk management platform.
  • Apply updates or patches as needed. Many KEVs are actively exploited on old versions of software, devices, or products such as Google Chrome, iOS and Windows Explorer. In response, vendors are constantly announcing new patches for vulnerabilities online.
  • Implement the remediation action recommended on the KEV list. This could involve patch management, applying updates per vendor instructions, or discontinuing the use of the product if no updates or patches are available.
  • Remove software that is no longer in use or at the end of life. Since these software programs no longer receive updates or patches, they can be easily exploited by malicious threat actors. They may also cause crashes or bugs when used with other services and applications that no longer support them.
  • Use an SBOM. SBOMs list software components and their origins to help organizations remediate any risk before entering into a new business relationship with a customer, supplier, partner or third party. Although they are most commonly used for software companies that have business relationships with the U.S. federal government, they are becoming more widely accepted across other industries as well.
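The prioritization recommended above and CISA’s catalog criteria can be turned into a small triage step: cross-reference the CVEs a scanner reports against a KEV catalog export, flag entries whose due date has already passed, and rank them. This is an added example, not Panorays’ or CISA’s code; it uses the field names of CISA’s public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse) but embeds a constructed sample catalog with illustrative dates rather than the live feed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's public KEV JSON feed (same field
# names); the entries and dates are illustrative, not a copy of the live feed.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-26134", "vendorProject": "Atlassian",
     "product": "Confluence Server and Data Center",
     "dateAdded": "2022-06-02", "dueDate": "2022-06-06",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2023-06-13", "dueDate": "2023-07-04",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
]})

def load_kev_index(feed_json):
    """Map cveID -> catalog entry so each scan finding is one dict lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(scan_cves, kev_index, today_iso):
    """Return the scan's KEVs, most urgent first: past-due entries, then
    known ransomware use, then earliest dueDate. CVEs absent from the
    catalog are dropped here; they still get normal CVSS/NVD triage."""
    today = date.fromisoformat(today_iso)  # rejects malformed dates early
    hits = []
    for cve in sorted(set(scan_cves)):     # de-duplicate scanner output
        entry = kev_index.get(cve)
        if entry is None:
            continue
        hits.append({
            "cveID": cve,
            "product": f"{entry['vendorProject']} {entry['product']}",
            "dueDate": entry["dueDate"],
            "overdue": today > date.fromisoformat(entry["dueDate"]),
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["dueDate"]))
    return hits

if __name__ == "__main__":
    # Constructed scan output; CVE-0000-0000 is a placeholder for a non-KEV finding.
    scan = ["CVE-2023-27997", "CVE-2021-44228", "CVE-0000-0000"]
    for h in prioritize(scan, load_kev_index(SAMPLE_KEV_FEED), "2023-06-20"):
        print(h["cveID"], "OVERDUE" if h["overdue"] else "due " + h["dueDate"], h["action"])
```

Against the real feed, replace SAMPLE_KEV_FEED with the downloaded JSON text and feed in your scanner’s CVE list; anything the function returns is a critical finding, and anything it drops goes back to ordinary CVSS-based triage.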

With proper third-party risk management, security teams can work to reduce these risks by implementing solutions that enable alerts, remediation plans, and clear risk prioritization across their third-party management workflow. With a KEV risk-based approach, teams can ensure they stay ahead of potential KEV exploitation so that they can tackle these issues as soon as they are detected and reduce cyber incidents.

How Panorays Incorporates KEVs For Third-Party Risk Detection

With an ever-expanding and complex attack surface, CISOs are under constant pressure to manage cyber risk. Panorays’ latest research shows that most organizations manage over 500 third parties, significantly increasing their exposure to potential threats. Many risk management platforms use outdated methods of prioritizing risks, letting KEVs slip under the radar and endangering an organization’s security posture.

Panorays helps organizations manage their third-party risks by continuously monitoring and detecting technologies used by third parties to present companies with a detailed view of potential risks based on CVE findings. Any KEV found automatically gets prioritized as critical, allowing it to be handled immediately in collaboration with the third party to whom it belongs. 

Panorays also incorporates alerts on any new KEVs that arise across a company’s third- and fourth-party attack surface. Through its Risk Insights and Response Portal, organizations can view a complete breakdown of a KEV’s impact on their security posture as well as which of their third and fourth parties are exposed to the vulnerability. With real-time alerts, risk managers can rest assured that they will be notified of KEVs and have the tools in Panorays to prioritize, remediate and report these risks with ease.

Want to learn more about how to prioritize your remediation efforts? Get started with a Free Account today.

FAQs

What are Known Exploited Vulnerabilities (KEVs)?

Known exploited vulnerabilities are vulnerabilities in software or hardware that have been exploited by malicious threat actors in the past or are still being exploited. Each one is assigned its own identifier, a Common Vulnerabilities and Exposures (CVE) ID, for tracking and reporting purposes. The majority of KEVs are rated as critical or high, but even those with lower risk can be easily exploited by threat actors, particularly when they are found in widely used products such as Chrome browsers, iOS phones or Windows operating systems, and should be remediated whenever possible.

What is an example of an exploited vulnerability?

An example of an exploited vulnerability is CVE-2021-26855, or the ProxyLogon KEV, which is particularly severe as it allows unauthenticated attackers to infiltrate an organization using remote code execution. Once these attackers gain control over the Microsoft Exchange Servers, they can gain access to sensitive information, enter using a fake identity or take over the Exchange Servers. Once these vulnerabilities are exploited, malicious cyber actors can launch denial of service and malware attacks, take over a system, gain unauthorized access or execute a data breach. These attacks can cause tremendous damage to organizations in terms of reputational loss, fines from auditors, lost business deals and the need to allocate IT workers to deal with cybersecurity incidents rather than perform their usual day-to-day activities.

What is the CISA Known Exploited Vulnerabilities catalog?

The CISA Known Exploited Vulnerabilities catalog is a list of vulnerabilities that are either actively exploited or have been exploited in the past. In the catalog, you can see the vulnerabilities listed by date added, CVE identifier, a short description of the vulnerability, name of the vendor and product, the due date and the action needed to remediate and significantly strengthen your organization’s cyber posture. It does not, however, list the threat actor responsible for exploiting the vulnerability. The CISA KEVs catalog is one of the steps for organizations looking to prioritize remediation for vulnerabilities and implement a vulnerability management program.

Which vulnerabilities are exploited the most?

A few of the most exploited vulnerabilities in 2023 are:

  • ChatGPT (CVE-2023-28858). This vulnerability targeted OpenAI payment accounts and leaked user data. Although it had a fairly low CVE score of 3.7, it had the potential for a large amount of damage as many organizations were relying on the OpenAI service.
  • ProxyShell. A Microsoft Exchange vulnerability comprising three separate vulnerabilities, ProxyShell, ProxyLogon and ProxyNotShell, that allow unauthenticated users to perform remote code execution on its servers.
  • PaperCut (CVE-2023-27350). This vulnerability allowed attackers to bypass authentication in print management software and caused widespread damage as it was exploited by different APTs and ransomware groups.
  • MOVEit (CVE-2023-34362). MOVEit is a Windows Server-based managed file transfer (MFT) service, and the vulnerability allows attackers unauthorized access to its database.
  • Fortinet (CVE-2022-41328). With this vulnerability, attackers use malware to exploit remote servers and steal data. CISA specifically issued warnings about this vulnerability to federal agencies.

Many of these vulnerabilities, such as Fortinet and ProxyShell, were exploited in 2022 and continue to be exploited today.