Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Vulnerabilities in CISA KEV Are Not Equally Critical: Report

New report says organizations should always consider environmental context when assessing the impact of vulnerabilities in CISA KEV catalog.

CISA

Security flaws in CISA’s Known Exploited Vulnerabilities (KEV) catalog should be treated with urgency based on environmental context assessments, according to a new report from Israeli startup Ox Security.

With approximately 1,300 vulnerabilities flagged as exploited in the wild, the KEV catalog is a trusted source for defenders, but the broad areas it covers means that these bugs should not be treated with equal urgency.

A “patch everything” approach, Ox says in its report, is ineffective, as it creates unnecessary workloads and diverts resources from important issues. Instead, organizations should rely on context to determine the criticality of these security defects and their impact on their environments.

Ox Security said it analyzed the impact of the KEV list on cloud containerized environments and found that 10 of the 25 bugs in KEV that impact cloud native applications (out of 10,000 most common CVEs) do not represent an actual threat to them.

Examining more than 200 separate environments, the report concluded that these 10 vulnerabilities are either technically unexploitable or require specific conditions to exploit in cloud containerized environments (although some of these were detected tens of thousands of times in open source containers).

Of the 10 vulnerabilities, six require Android-specific environments, physical access, or terminal access (albeit two impact all platforms using Linux kernel and can be chained with other flaws), three impact Chrome, and one affects Apple’s Safari browser.

Advertisement. Scroll to continue reading.

Four of the six Android defects are not exploitable on cloud environments, while the other two require a fix only if local access or internet access is available. The Chrome flaws can be exploited only if the service is used for image, video, or font processing, while the Safari bug can be ignored on non-browser platforms.

According to Ox Security, the software defects listed in CISA’s KEV catalog should not be ignored, as they represent significant threats, many impacting cloud environments, and their remediation should remain a high priority. Instead, each CVE should be treated based on its relevancy to the organization.

Defenders should never strip a CVE of its original context but carefully assess the need for patching and its urgency based on the impact it has on their organizations’ environment, as some vulnerabilities could prove entirely harmless, Ox says.

Identifying the platforms impacted by a CVE, identifying publicly available exploits, understanding how the bug can be exploited in real-world scenarios, assessing its relationship to sensitive information, and understanding the outcome of successful exploitation are essential in determining the impact of a vulnerability.

“This additional contextual information would enable security teams to implement a more precise and efficient workflow when handling critical vulnerabilities in their environments, reducing alert fatigue and focusing resources where they matter most,” the company said.

The security firm, which breaks down each of these vulnerabilities and explains why they have no or little impact on containerized environments, suggests that platform-specific relevance indicators, CVE origin information, and context on attack paths and attack chains could enhance the KEV catalog.

The report comes one week after CISA and NIST proposed LEV (Likely Exploited Vulnerabilities), a new cybersecurity metric meant to enhance KEV by assessing the likelihood that a security defect has been exploited in attacks.

Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: EU Cybersecurity Agency ENISA Launches European Vulnerability Database

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.