Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List

The US Cybersecurity and Infrastructure Security Agency (CISA) has provided clarifications on the criteria for adding vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The US Cybersecurity and Infrastructure Security Agency (CISA) has provided clarifications on the criteria for adding vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The KEV catalog was launched in November 2021 with roughly 300 entries. There are now more than 730 entries and the database continues to grow as CISA becomes aware of other new or old vulnerabilities that have been exploited in the wild.

The catalog is accompanied by Binding Operational Directive 22-01, which instructs federal agencies to patch the vulnerabilities before a specified deadline. Other types of government organizations, as well as private companies, are advised to leverage the catalog to prioritize vulnerability patching and strengthen their security. This is why the catalog is referred to by many as CISA’s “Must Patch” list.CISA Known Exploited Vulnerabilities Catalog

Some of the vulnerabilities added by CISA to its Must Patch list were discovered more than a decade ago and for some flaws there do not appear to be any public reports describing malicious exploitation.

Earlier this year, CISA confirmed for SecurityWeek that all vulnerabilities added to the catalog have been exploited in real world attacks, and the agency has now updated its documentation to provide further clarifications regarding the criteria for adding new flaws, as well as its process.

CISA has three main criteria for adding vulnerabilities to the KEV catalog: it needs to have a CVE identifier, there has to be reliable evidence of exploitation in the wild, and there needs to be clear remediation action for the vulnerability (a patch, workaround, or mitigation).

The agency says it updates the list within 24 hours of exploitation evidence. That evidence can come from security vendors, researchers, and partners, but CISA itself also conducts research to find evidence of exploitation.

“CISA analysts perform daily open-source searches for vulnerabilities. Active exploitation information obtained from vendor security advisories are trusted sources and considered accurate. When cybersecurity news outlets, academic papers, cybersecurity company press releases (not from the affected vendor), etc., report active exploitation, CISA reviews wording and original source citations for the exploitation for accuracy and reliability. If the information is reliable, CISA adds the vulnerability to the KEV catalog; if CISA does not consider the information 100% accurate, CISA does not add the vulnerability to the KEV catalog (however, CISA internally notes the vulnerability and will add it to the catalog should further exploitation evidence come to light that justifies its inclusion).


CISA also has purchased subscription services for threat intelligence platforms that contain information on vulnerabilities, including honeypot detection, malware observations in the wild, threat intelligence reports, etc. Similar to the open-source research procedures, CISA reviews the information from the platforms and adds the vulnerability to the KEV catalog, if the information is reliable.”

Attempted exploitation, which can fail due to the system being a honeypot or the system not being vulnerable, is also considered active exploitation and the vulnerability gets added to the Must Patch list. However, scanning, proof-of-concept (PoC) exploits, and exploit research do not count as active exploitation.

The agency clarified that old CVEs are also added to the list even if there is no evidence of active exploitation. Old CVEs and vulnerabilities affecting products that have reached end of life (EOL) are added because the organization does not assume that all EOL products have been decommissioned.

“The absence of evidence of exploitation currently occurring does not preclude a vulnerability from being exploited in the future. If an actor is targeting your network and you have a vulnerable legacy product, they may use that vulnerability to their advantage,” CISA said.

CISA noted that the KEV data can be fed into automated vulnerability and patch management tools from several major vendors, including Palo Alto Networks, Runecast, Tenable, Qualys, and Wiz.

Related: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes

Related: CISA Adds 66 Vulnerabilities to ‘Must Patch’ List

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.