CISA's catalog of must-patch vulnerabilities crosses the 1,000 bug mark after 2 years
The Cybersecurity and Infrastructure Security Agency (CISA) added the 1,000th bug to its Known Exploited Vulnerability catalog this week after nine new issues were spotlighted.
The list – known colloquially as KEV – has become the go-to repository for vulnerabilities actively being exploited by hackers around the world.
CISA officials explained in a statement this week that the list was created in 2021 primarily because there are too many vulnerabilities for defenders to patch – more than 25,000 new bugs were disclosed in 2022 alone.
“The purpose of the KEV is simple: while focusing on vulnerabilities that have been exploited isn’t sufficient, it’s absolutely necessary – so let’s start there,” they said. “Every organization should be prioritizing mitigation of KEVs as part of a vulnerability management program that enables prioritization based on organizational attributes such as how a vulnerable product is being used and the exploitability of the relevant system.”
To add a vulnerability to the list, CISA needs three things: a CVE identifier, credible reports of exploitation from researchers or agencies, and an effective mitigation available for defenders.
CISA has found that federal civilian agencies have remediated “more than 12 million KEV findings, including over 7 million this calendar year alone.”
Federal agencies have seen a 72% decrease in the percentage of KEVs exposed for 45 or more days – a development heralded by CISA as one of the original goals of the list.
CISA officials noted that state, local, tribal, and territorial (SLTT) governments and critical infrastructure entities enrolled in their vulnerability scanning service demonstrated a 31% decrease in the percentage of KEVs exposed for 45 or more days since the list was created.

As the list has grown, some defenders have asked whether there needs to be an even further pared-down list so that budget-strapped cybersecurity experts know what issues are most important to patch.
CISA officials said the importance of a vulnerability is “highly dependent on how the vulnerable product is being used in a specific instance.”
“As an example: a KEV in an Internet-facing web server providing privileged access to customer accounts would, reasonably, be a much higher priority for mitigation than the exact same KEV in an internal system providing unprivileged access to the organization’s cafeteria menu,” they said.
“Our goal is simple: avoid one-size-fits-all prioritization criteria while providing organizations with information that can drive rigorous prioritization through models like the Stakeholder Specific Vulnerability Categorization (SSVC) decision model.”
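As an added example (not from the article, CISA, or any vendor product), the following Python applies the two ideas above to constructed data: it measures the share of KEV findings exposed for 45 or more days and ranks each finding by its deployment context rather than by the CVE alone. The JSON field names are assumed to follow the public KEV feed; the CVE ids, dates and asset names are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV feed's JSON. Field names are
# assumed from the public catalog; CVE ids and dates are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2023-09-01", "dueDate": "2023-09-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2023-11-10", "dueDate": "2023-12-01",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: where each KEV finding sits in the organisation.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "customer-portal", "internet_facing": True,  "privileged": True},
    {"cve": "CVE-0000-0001", "asset": "cafeteria-menu",  "internet_facing": False, "privileged": False},
    {"cve": "CVE-0000-0002", "asset": "vpn-gateway",     "internet_facing": True,  "privileged": False},
]

TODAY = date(2023, 12, 1)  # constructed reporting date

def load_kev(text):
    """Index catalog entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def days_exposed(entry, today):
    """Days since CISA added the CVE to the catalog."""
    return (today - date.fromisoformat(entry["dateAdded"])).days

def overdue_share(kev, findings, today, threshold=45):
    """Fraction of findings exposed for `threshold` days or more (CISA's 45-day metric)."""
    flags = [days_exposed(kev[f["cve"]], today) >= threshold for f in findings]
    return sum(flags) / len(flags) if flags else 0.0

def priority(entry, finding, today):
    """Context-dependent score in the spirit of SSVC: the same CVE scores
    higher on an Internet-facing, privileged asset than on an internal one."""
    score = 4 if finding["internet_facing"] else 0
    score += 2 if finding["privileged"] else 0
    score += 2 if entry.get("knownRansomwareCampaignUse") == "Known" else 0
    score += 1 if days_exposed(entry, today) >= 45 else 0
    return score

def ranked(kev, findings, today):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority(kev[f["cve"]], f, today), reverse=True)

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print(f"share exposed >= 45 days: {overdue_share(kev, FINDINGS, TODAY):.2f}")
    for f in ranked(kev, FINDINGS, TODAY):
        print(f["asset"], f["cve"], priority(kev[f["cve"]], f, TODAY))
```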
Going forward, CISA is hoping to make a range of improvements to the list – including optimizations that make it easier to use.
Federal agencies are currently able to see the KEV bugs that have not been resolved in their Continuous Diagnostics and Mitigation (CDM) Dashboard and several leading cybersecurity companies – like Palo Alto Networks, Tenable, Wiz, and Rapid7 – now incorporate the KEV list into their products. But CISA is hoping for more companies to include the KEV list in their products.
CISA also wants to address one key complaint of cybersecurity experts – that the KEV list includes no information about how a bug is being exploited. CISA officials said they plan to expand the “notes” field of the list to include information like whether a bug is being used by ransomware groups or whether it is being targeted at certain industries.
CISA wants to reach a point where additions to the catalog “transition from a normal event to a surprising anomaly” – a process they said would be helped by their renewed focus on a “Secure by Design” campaign aimed at technology manufacturers.
“The KEV is a clear example of the security burden falling on the customer – but we can do better,” they said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.