Dozens of Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List

Dozens of security flaws that have likely been exploited in the wild are missing from the Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA), according to vulnerability intelligence company VulnCheck.

VulnCheck recently conducted an analysis of the vulnerabilities added by CISA to its catalog in 2022. While the agency added more than 550 security holes last year, VulnCheck found that 42 vulnerabilities that have likely been exploited in malicious attacks and assigned CVE identifiers in 2022 were not present as of March 3.

CISA’s KEV catalog is often referred to as a ‘must patch’ list because government organizations are required to patch the flaws within specified timeframes and private companies are strongly encouraged to do so.

Of the vulnerabilities that VulnCheck believes have been exploited in attacks but have not been added to CISA’s KEV catalog, 64% are related to botnets, followed by threat actors (12%) and ransomware (10%) — the rest are unattributed. 

One of the missing flaws is CVE-2017-20149, which impacts Mikrotik routers. Information about this issue emerged in 2017, when WikiLeaks published Vault7 documents, which describe hacking tools allegedly developed by the CIA. The vulnerability was only assigned a CVE identifier in 2022, but it was backdated to 2017. 

Another missing CVE was CVE-2022-28810, a ManageEngine ADSelfService Plus vulnerability linked to Chinese APT activity. CISA did add this flaw to its catalog just before the VulnCheck report came out, along with CVE-2022-35914, a GLPI bug, and CVE-2022-33891, an Apache Spark vulnerability whose exploitation was spotted in December 2022 by Microsoft. The GLPI vulnerability was also among the 42 vulnerabilities mentioned in VulnCheck’s report.   

CISA last year clarified the criteria for adding vulnerabilities to the KEV catalog. There are three main conditions that need to be met: the flaw needs to have a CVE identifier, there has to be reliable evidence of exploitation in the wild, and patches, mitigations or workarounds need to be available. 

It’s unclear why dozens of apparently exploited vulnerabilities have yet to be added to the KEV catalog. SecurityWeek has reached out to CISA for clarifications and will update this article if the agency responds. 

VulnCheck’s analysis, which provides links to reliable sources reporting exploitation of the neglected flaws, shows that three-quarters of the bugs can be exploited for initial access. In addition, 31 of the vulnerabilities have public exploits. 

The list of missing vulnerabilities includes CVE-2022-2003, which Cisco Talos believes has been exploited in attacks involving the Truebot malware, and CVE-2022-2003, which industrial cybersecurity firm Dragos has seen being exploited by a programmable logic controller (PLC) password cracking tool.

“​​The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry. Still, as long as it’s missing actively exploited vulnerabilities, it cannot be treated as the authoritative catalog of exploited vulnerabilities,” VulnCheck said. “Practitioners should augment vulnerability management programs by seeking out additional sources or finding a source with a more complete dataset.”

Related: Exploited Control Web Panel Flaw Added to CISA ‘Must-Patch’ List