Organizations patch CISA KEV list bugs 3.5 times faster than others, researchers find
Researchers have found that a catalog of exploited vulnerabilities maintained by the federal government is having a tangibly positive effect on organizations both within and outside of the federal government.
The Cybersecurity and Infrastructure Security Agency (CISA) has run its Known Exploited Vulnerabilities (KEV) catalog for nearly three years and it has quickly become the go-to repository for software and hardware bugs actively being exploited by hackers around the world.
Experts at cybersecurity scanning company Bitsight posed the question, “do organizations remediate KEVs faster than vulnerabilities not in the KEV catalog?”
“The answer is a clear ‘yes,’” they said. Their data shows that the median time to remediate a vulnerability listed in the catalog is 3.5 times shorter than for bugs that are not in it.
Put another way, the median time to remediate a KEV-listed bug is 174 days, versus 621 days for vulnerabilities not on the list.
Those numbers come from Bitsight scanning for vulnerabilities within more than 1 million entities — companies, schools, local governments and more.
The researchers also tracked a newer field in the KEV catalog in which CISA indicates whether a vulnerability is known to be used in ransomware campaigns.
“If we average out the relative drops, ransomware KEVs are fixed 2.5x faster (on average) than KEVs not known to be used in ransomware,” Bitsight said.
Bitsight researchers also confirmed that the KEV list was having a tangible effect by helping companies and local governments sort through the deluge of vulnerabilities to address the bugs that truly matter.
Thirty-five percent of all organizations observed by Bitsight dealt with a KEV in 2023, with the vast majority having more than one.
Time to patch
Every vulnerability added to the KEV list comes with a deadline that varies based on the severity of the bug and the urgency of the targeting. The deadline officially applies to federal agencies, but for organizations outside of the U.S. government, it can serve as a guideline for the severity of a bug.
Bitsight found that federal civilian agencies accountable to CISA’s binding directive are 63% more likely to remediate KEVs by the deadline than other organizations. About 40% of those other organizations — the ones outside the federal government that are not bound by CISA’s directive — resolve KEVs by CISA’s deadline.
The report notes that over the life of the KEV list, the deadlines given to patch have changed drastically. When the catalog was first created, CISA typically gave federal civilian agencies either one week, two weeks or six months to patch a bug. By the spring of 2022, it had shifted to three-week deadlines.
Only in the last few months have one-week deadlines been reintroduced.
“Why the shift? Those early vulnerabilities tended to be older when they were added to the KEV catalog. Given that they may have been around for a while, it seems logical to give organizations time to address issues,” the researchers said.
“Deadlines seem to be influenced by whether a vulnerability is used in ransomware: 1 week deadline vulnerabilities are nearly twice as likely to have been used in ransomware. This likely is because these vulnerabilities are particularly urgent and likely to cause significant damage if exploited on an agency system.”
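The two catalog fields discussed above, the remediation due date and the ransomware flag, are what an organization outside the federal government would use to turn the KEV list into a priority order for its own findings. The script below is an added example, not code from the article or from Bitsight; it embeds a constructed catalog subset that follows the field names of CISA’s published KEV JSON feed (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) and a constructed set of scanner findings, and it ranks the findings by deadline status and ransomware use. The CVE IDs, dates, products and host names are made up for the illustration.

```python
"""Triage scanner findings against a CISA KEV-style catalog.

Added example, not part of the original article or Bitsight's report. The
catalog below is a constructed sample in the layout of CISA's KEV JSON feed;
the entries, dates and scanner findings are invented for illustration.
"""
import json
from datetime import date, datetime

# Constructed sample using the KEV feed's field names; values are illustrative.
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2024-04-23", "dueDate": "2024-04-30",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-0002", "vendorProject": "ExampleVendor", "product": "Agent",
     "dateAdded": "2024-04-16", "dueDate": "2024-05-07",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-0003", "vendorProject": "OtherVendor", "product": "Server",
     "dateAdded": "2023-11-01", "dueDate": "2023-11-22",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: CVE ID -> hosts on which it was observed.
SAMPLE_FINDINGS = {
    "CVE-2024-0001": ["web-02", "web-01"],
    "CVE-2024-0002": ["build-07"],
    "CVE-2023-0003": ["legacy-db"],
    "CVE-2024-9999": ["dev-box"],   # not in the catalog: stays in the backlog
}


def load_kev(raw_json):
    """Index a KEV-format feed by CVE ID."""
    feed = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def _parse(day):
    return datetime.strptime(day, "%Y-%m-%d").date()


def triage(findings, kev_index, today):
    """Return the findings that are in the catalog, highest priority first.

    Ordering: entries already past the CISA due date first, then within each
    group entries flagged as used in ransomware, then by earliest due date.
    `today` may be a date or a YYYY-MM-DD string.
    """
    today = _parse(today) if isinstance(today, str) else today
    rows = []
    for cve, hosts in findings.items():
        entry = kev_index.get(cve)
        if entry is None:
            continue
        days_left = (_parse(entry["dueDate"]) - today).days
        rows.append({
            "cve": cve,
            "hosts": sorted(hosts),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "due": entry["dueDate"],
            "days_left": days_left,      # negative means the deadline has passed
            "overdue": days_left < 0,
        })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["days_left"]))
    return rows


def not_in_catalog(findings, kev_index):
    """CVEs the scanner reported that the catalog does not list."""
    return sorted(cve for cve in findings if cve not in kev_index)


if __name__ == "__main__":
    index = load_kev(SAMPLE_KEV_JSON)
    for row in triage(SAMPLE_FINDINGS, index, date(2024, 5, 1)):
        flag = "RANSOMWARE " if row["ransomware"] else ""
        state = (f"{-row['days_left']}d overdue" if row["overdue"]
                 else f"{row['days_left']}d left")
        print(f"{row['cve']}: {flag}due {row['due']} ({state}) on {', '.join(row['hosts'])}")
    print("Not in catalog:", not_in_catalog(SAMPLE_FINDINGS, index))
```

To run this against the real catalog, replace `SAMPLE_KEV_JSON` with the contents of CISA’s feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and `SAMPLE_FINDINGS` with your scanner’s export. The deadline is binding only on federal civilian agencies, so for anyone else the `overdue` flag is the guideline the article describes, not a compliance state.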
Technology firms were the fastest to remediate vulnerabilities — in part because they topped Bitsight’s list of sectors that had the most exposure. Educational organizations and local governments were the worst off among the sectors tracked by Bitsight, with both having a high exposure to KEV list bugs and a slow remediation time.
Insurance companies, credit unions and engineering firms had relatively low exposure to KEV list vulnerabilities and typically fixed issues quickly.
New on the list
CISA added two vulnerabilities to the KEV list this week. On Tuesday, the agency added CVE-2024-29988 to the list.
The vulnerability was unveiled by Microsoft as part of the Patch Tuesday releases in April and affects Microsoft SmartScreen — a cloud-based anti-phishing and anti-malware component included in several Microsoft products.
Ben McCarthy, lead cyber security engineer at Immersive Labs, said SmartScreen is a large pop-up that warns the user about running an unknown file and is often the endpoint of phishing attacks, as it scares the user enough not to continue opening it.
He added that the bug is popular among attackers that use a file download as part of their attack techniques for gaining initial access because they “want to find ways to bypass the security features such as SmartScreen.”
CISA noted that the vulnerability can be chained with CVE-2024-21412 during attacks. Tenable’s Satnam Narang explained that the same Zero Day Initiative researcher who discovered CVE-2024-21412 also found CVE-2024-29988.
“Social engineering through direct means (email and direct messages) that requires some type of user interaction is a typical route for exploitation for this type of flaw,” he said.
“CVE-2024-21412 was used as part of a DarkGate campaign that leveraged fake software installers impersonating Apple’s iTunes, Notion, NVIDIA and more. Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites. However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware.”
Bleeping Computer reported last month that the bug was used by a financially motivated hacking group to target forex trading forums and stock trading Telegram channels.
CISA also added CVE-2023-7028 to the KEV list on Wednesday. It affects GitLab — a popular open source code repository and collaborative software development platform.
The bug, found in GitLab Community and Enterprise Editions, allows an attacker to “trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.”
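The advisory language above describes a general bug class: a password-reset flow that mails the reset link to an address taken from the request instead of to the address already verified for the account. The snippet below is an added illustration of that class and is not GitLab’s code, nor a reproduction of the exact mechanics of CVE-2023-7028. Both handlers, the account table and the attacker’s address are hypothetical and constructed for the example; the vulnerable handler is shown beside a hardened one that sends only to the stored verified address.

```python
"""Password-reset targeting: the bug class of reset mail going to an
unverified address, illustrated with a vulnerable and a hardened handler.

Added example, not GitLab's code and not the actual GitLab flaw's mechanics.
The handlers, account directory and attacker address are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    primary_email: str   # verified when the account was created


# Constructed account directory.
USERS = {"alice": User("alice", "alice@example.com")}

# token -> username. A real system also stores expiry and single-use state.
RESET_TOKENS = {}


def vulnerable_request_reset(emails, outbox):
    """Hypothetical vulnerable handler.

    It tolerates a list of addresses (many web frameworks turn `email[]`
    into one), matches the account if any of them is the account's address,
    then mails the reset link to every address that was submitted. An
    attacker who knows the victim's address can append their own and
    receive a token bound to the victim's account.
    """
    addrs = [emails] if isinstance(emails, str) else list(emails)
    user = next((u for u in USERS.values() if u.primary_email in addrs), None)
    if user is None:
        return False
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = user.username
    for addr in addrs:
        outbox.append((addr, token))
    return True


def hardened_request_reset(email, outbox):
    """Hardened handler.

    Accepts exactly one string, looks the account up by its stored verified
    address, and sends the link only to that stored address, never to the
    request-supplied value. It returns None in every case so the response
    does not reveal whether the address belongs to an account.
    """
    if not isinstance(email, str):
        return None
    normalized = email.strip().lower()
    user = next((u for u in USERS.values() if u.primary_email == normalized), None)
    if user is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = user.username
        outbox.append((user.primary_email, token))
    return None


def attacker_receives_token(handler):
    """Simulate the takeover attempt: the attacker submits the victim's known
    address plus a constructed attacker address and we check whether the
    attacker's inbox receives a token bound to the victim's account."""
    outbox = []
    handler(["alice@example.com", "attacker@evil.example"], outbox)
    return any(addr == "attacker@evil.example" and RESET_TOKENS.get(tok) == "alice"
               for addr, tok in outbox)


if __name__ == "__main__":
    print("vulnerable handler leaks token:", attacker_receives_token(vulnerable_request_reset))
    print("hardened handler leaks token:", attacker_receives_token(hardened_request_reset))
```

The hardened version also closes the enumeration side channel by returning the same value whether or not the address matches an account; the vulnerable version's `True`/`False` return tells a caller which addresses are registered.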
Debrup Ghosh, senior staff product manager at Synopsys Software Integrity Group, warned that the ability to compromise platforms like GitLab that are inherently trusted would allow attackers to “launch attacks that are difficult to detect and can have rippling effects downstream.”
“Additionally, it appears that although the patch was issued in January, more than 40% of GitLab instances are not patched almost four months later,” Ghosh said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.