CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List

The US Cybersecurity and Infrastructure Security Agency (CISA) has provided clarifications on the criteria for adding vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The KEV catalog was launched in November 2021 with roughly 300 entries. There are now more than 730 entries and the database continues to grow as CISA becomes aware of other new or old vulnerabilities that have been exploited in the wild.

The catalog is accompanied by Binding Operational Directive 22-01, which instructs federal agencies to patch the vulnerabilities before a specified deadline. Other types of government organizations, as well as private companies, are advised to leverage the catalog to prioritize vulnerability patching and strengthen their security. This is why the catalog is referred to by many as CISA’s “Must Patch” list.

Some of the vulnerabilities added by CISA to its Must Patch list were discovered more than a decade ago and for some flaws there do not appear to be any public reports describing malicious exploitation.

Earlier this year, CISA confirmed for SecurityWeek that all vulnerabilities added to the catalog have been exploited in real world attacks, and the agency has now updated its documentation to provide further clarifications regarding the criteria for adding new flaws, as well as its process.

CISA has three main criteria for adding vulnerabilities to the KEV catalog: it needs to have a CVE identifier, there has to be reliable evidence of exploitation in the wild, and there needs to be clear remediation action for the vulnerability (a patch, workaround, or mitigation).

The agency says it updates the list within 24 hours of exploitation evidence. That evidence can come from security vendors, researchers, and partners, but CISA itself also conducts research to find evidence of exploitation.

“CISA analysts perform daily open-source searches for vulnerabilities. Active exploitation information obtained from vendor security advisories is a trusted source and considered accurate. When cybersecurity news outlets, academic papers, cybersecurity company press releases (not from the affected vendor), etc., report active exploitation, CISA reviews wording and original source citations for the exploitation for accuracy and reliability. If the information is reliable, CISA adds the vulnerability to the KEV catalog; if CISA does not consider the information 100% accurate, CISA does not add the vulnerability to the KEV catalog (however, CISA internally notes the vulnerability and will add it to the catalog should further exploitation evidence come to light that justifies its inclusion).


CISA also has purchased subscription services for threat intelligence platforms that contain information on vulnerabilities, including honeypot detection, malware observations in the wild, threat intelligence reports, etc. Similar to the open-source research procedures, CISA reviews the information from the platforms and adds the vulnerability to the KEV catalog, if the information is reliable.”

Attempted exploitation, which can fail due to the system being a honeypot or the system not being vulnerable, is also considered active exploitation and the vulnerability gets added to the Must Patch list. However, scanning, proof-of-concept (PoC) exploits, and exploit research do not count as active exploitation.

The agency clarified that old CVEs are also added to the list even if there is no evidence of active exploitation. Old CVEs and vulnerabilities affecting products that have reached end of life (EOL) are added because the agency does not assume that all EOL products have been decommissioned.

“The absence of evidence of exploitation currently occurring does not preclude a vulnerability from being exploited in the future. If an actor is targeting your network and you have a vulnerable legacy product, they may use that vulnerability to their advantage,” CISA said.

CISA noted that the KEV data can be fed into automated vulnerability and patch management tools from several major vendors, including Palo Alto Networks, Runecast, Tenable, Qualys, and Wiz.
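As an added illustration of the criteria above and of feeding the catalog into a patch-management workflow (this is example code written for this article, not CISA's or any vendor's), the script below checks catalog records for a CVE identifier and a remediation action, then matches an asset inventory against them and orders the hits by BOD 22-01 due date. The JSON field names are assumed from the public KEV feed's schema, and both catalog entries are constructed placeholders.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's public KEV JSON feed. The field
# names are an assumption based on the feed's schema, not taken from the
# article, and both entries are placeholders rather than real catalog records.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "2023.01.01",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleApp", "dateAdded": "2023-01-01",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-15"},
        {"cveID": "CVE-2099-0002", "vendorProject": "LegacyCo",
         "product": "OldServer", "dateAdded": "2023-01-02",
         "requiredAction": "", "dueDate": "2023-01-23"},
    ],
})

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def load_kev(raw: str) -> dict:
    """Index the catalog by CVE ID, keeping only well-formed entries.

    Two of CISA's three criteria are checkable from the record itself: a CVE
    identifier and a clear remediation action. The third, evidence of
    exploitation, is implied by the entry being in the catalog at all.
    """
    entries = {}
    for v in json.loads(raw)["vulnerabilities"]:
        if CVE_RE.match(v.get("cveID", "")) and v.get("requiredAction", "").strip():
            entries[v["cveID"]] = v
    return entries


def prioritize(inventory: dict, kev: dict, today: str) -> list:
    """Return (cveID, dueDate, overdue) for inventory CVEs that appear in KEV.

    inventory maps CVE IDs to affected assets; today is an ISO date. Output is
    sorted so the nearest BOD 22-01 due date comes first.
    """
    now = date.fromisoformat(today)
    hits = []
    for cve in inventory:
        entry = kev.get(cve)
        if entry:
            hits.append((cve, entry["dueDate"], date.fromisoformat(entry["dueDate"]) < now))
    return sorted(hits, key=lambda h: h[1])
```

Entries lacking a remediation action are dropped rather than silently scheduled, which is the case a real pipeline should surface for review instead of ignoring.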

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
