CISA catalog passes 1,000 known-to-be-exploited vulnerabilities. Celebration time, or is it?

On September 18, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) announced that its Known Exploited Vulnerabilities (KEV) catalog has reached the milestone of covering more than 1,000 vulnerabilities since its launch in November 2021.

This may seem like a lot, but with over 25,000 new vulnerabilities released in 2022 alone, it helps organizations to focus on the vulnerabilities that matter the most.

Many organizations are running a plethora of software and internet-facing devices, and vulnerabilities that can be used to exploit them are found every day. Everybody knows they need to patch, but deciding what to patch when, and then finding the time and resources to do it, are significant challenges.

CISA says that one of the reasons to launch the KEV catalog was to help organizations prioritize which vulnerabilities to address first.

“As a starting point, we know that the majority of vulnerabilities are never exploited by malicious actors.”

CISA issued Binding Operational Directive 22-01 in November 2021 which established the catalog and bound everyone operating federal information systems to abide by it.

Federal Civilian Executive Branch (FCEB) agencies are handed specific—and very tight—deadlines for when vulnerabilities must be dealt with. Specifically, the Directive requires those agencies to remediate internet-facing listed vulnerabilities within 15 days and all others within 25 days. 

For everyone else it’s an opportunity to filter out the vulnerabilities by something even more relevant than CVSS scores where the exploitability of a vulnerability is only a sub score.

Because it’s based on what criminals are actually exploiting, your organization might still want to feed the catalog into its patch management strategy.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. To be considered for the catalog, the first criterium a vulnerability has to meet is to have a unique CVE ID so organizations can know precisely which vulnerability it concerns. This is not as straightforward as it may seem. CISA works with vendors, open-source projects, and the CVE program to ensure that every vulnerability that is exploited in the wild is properly identified with a CVE ID.

The second criterium is proof of the active exploitation. This evidence needs to be from a credible source – a known industry partner, a trusted security researcher, or a government partner. Even then, sorting through vast amounts of data to distinguish genuine, malicious exploitation can prove to be a daunting task.

“We can find ourselves chasing whispers of exploitation in the wild that circulate online. Adding to the challenge is that some adversaries are elusive and sophisticated, leaving barely a trace of their digital footprints.”

And last but not least, an effective mitigation needs to be available. After all, it’s no use listing a vulnerability with a due date when there is no cure at hand.

It’s hard to find metrics to show what the effect of the KEV catalog is on malware infections and ransomware attacks, but what is clear is that the mean-time-to-remediate listed vulnerabilities was an average of nine days faster than for non-listed – and 36 days faster for internet-facing vulnerabilities.

CISA says it’s exploring options to add more informative fields, such as noting whether a specific vulnerability is being used by ransomware actors, which may be of particular use to sectors such as healthcare and education. It may help you further prioritize based on your threat model.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.