The US Cybersecurity and Infrastructure Security Agency (CISA) has provided clarifications on the criteria for adding vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
The KEV catalog was launched in November 2021 with roughly 300 entries. There are now more than 730 entries and the database continues to grow as CISA becomes aware of other new or old vulnerabilities that have been exploited in the wild.
The catalog is accompanied by Binding Operational Directive 22-01, which instructs federal agencies to patch the vulnerabilities before a specified deadline. Other types of government organizations, as well as private companies, are advised to leverage the catalog to prioritize vulnerability patching and strengthen their security. This is why the catalog is referred to by many as CISA’s “Must Patch” list.
Some of the vulnerabilities added by CISA to its Must Patch list were discovered more than a decade ago and for some flaws there do not appear to be any public reports describing malicious exploitation.
Earlier this year, CISA confirmed for SecurityWeek that all vulnerabilities added to the catalog have been exploited in real world attacks, and the agency has now updated its documentation to provide further clarifications regarding the criteria for adding new flaws, as well as its process.
CISA has three main criteria for adding vulnerabilities to the KEV catalog: it needs to have a CVE identifier, there has to be reliable evidence of exploitation in the wild, and there needs to be clear remediation action for the vulnerability (a patch, workaround, or mitigation).
The agency says it updates the list within 24 hours of exploitation evidence. That evidence can come from security vendors, researchers, and partners, but CISA itself also conducts research to find evidence of exploitation.
“CISA analysts perform daily open-source searches for vulnerabilities. Active exploitation information obtained from vendor security advisories are trusted sources and considered accurate. When cybersecurity news outlets, academic papers, cybersecurity company press releases (not from the affected vendor), etc., report active exploitation, CISA reviews wording and original source citations for the exploitation for accuracy and reliability. If the information is reliable, CISA adds the vulnerability to the KEV catalog; if CISA does not consider the information 100% accurate, CISA does not add the vulnerability to the KEV catalog (however, CISA internally notes the vulnerability and will add it to the catalog should further exploitation evidence come to light that justifies its inclusion).
CISA also has purchased subscription services for threat intelligence platforms that contain information on vulnerabilities, including honeypot detection, malware observations in the wild, threat intelligence reports, etc. Similar to the open-source research procedures, CISA reviews the information from the platforms and adds the vulnerability to the KEV catalog, if the information is reliable.”
Attempted exploitation, which can fail due to the system being a honeypot or the system not being vulnerable, is also considered active exploitation and the vulnerability gets added to the Must Patch list. However, scanning, proof-of-concept (PoC) exploits, and exploit research do not count as active exploitation.
The agency clarified that old CVEs are also added to the list even if there is no evidence of active exploitation. Old CVEs and vulnerabilities affecting products that have reached end of life (EOL) are added because the organization does not assume that all EOL products have been decommissioned.
“The absence of evidence of exploitation currently occurring does not preclude a vulnerability from being exploited in the future. If an actor is targeting your network and you have a vulnerable legacy product, they may use that vulnerability to their advantage,” CISA said.
CISA noted that the KEV data can be fed into automated vulnerability and patch management tools from several major vendors, including Palo Alto Networks, Runecast, Tenable, Qualys, and Wiz.
Related: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes