New Research Reveals Millions of Systems Remain Exposed to Known Exploited Vulnerabilities
BE’ER SHEVA, Israel — Rezilion announced today the release of the company’s new research, titled “Do you know KEV? You should (because hackers do)!” The report finds that although KEV catalog vulnerabilities are frequent targets of APT Groups, a large and exploitable attack surface remains due to software vendors’ lack of awareness and action. The research also identified thousands of ongoing exploitation attempts targeting KEV vulnerabilities.
The Known Exploited Vulnerabilities (KEV) catalog, maintained by the Cybersecurity and Infrastructure Security Agency (CISA), provides an authoritative source of information on vulnerabilities that have been exploited in the past or are currently under active exploitation by attackers. In a recent study, the Rezilion research team analyzed all vulnerabilities currently included in the KEV catalog and identified over 15 million vulnerable instances, with the majority being vulnerable Microsoft Windows instances.
The CISA KEV catalog currently contains 896 vulnerabilities, and new entries are added almost weekly. Most KEVs are rated as CRITICAL or HIGH (250 marked as CRITICAL and 535 marked as HIGH), but Rezilion’s research finds that the vulnerabilities in the CISA KEV catalog are only a fraction (less than 1%) of the total vulnerabilities discovered each year by organizations. Yet these vulnerabilities are often the most actively exploited by APT groups and financially motivated threat actors, and they should be highly prioritized. The groups exploiting them are often identified with or sponsored by various nation-states, such as Russia, Iran, China, and North Korea. Rezilion’s research reveals that millions of systems remain exposed to Known Exploited Vulnerabilities, even though patches already exist to address them.
“Despite the availability of patches for these vulnerabilities, millions of systems remain exposed to attacks. This leaves organizations vulnerable to exploitation from threat actors and Advanced Persistent Threat (APT) groups who often target publicly known vulnerabilities,” said Yotam Perkal, Director of Vulnerability Research with Rezilion.
The study also revealed that while security teams prioritize new vulnerabilities, and ones that make headlines, threat actors tend to target publicly known vulnerabilities that have been around for years. In this context, prioritization based on the likelihood of exploitability can help security teams focus their triage and patching efforts effectively.
The Rezilion research team recommends prioritizing the vulnerability backlog with a two-step process:
- First, identify which vulnerabilities are even exploitable through runtime validation. Since most vulnerable code is never loaded into memory or executed, this step eliminates 85% of the initial backlog.
- Second, use the CISA KEV catalog or other threat intelligence sources as part of an ongoing vulnerability management strategy to identify the vulnerabilities that require immediate patching because attackers are actively exploiting them.
In other words: use runtime validation to understand what matters to your unique environment and then use KEV to identify what’s imminent since attackers are leveraging it in the wild.
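As an added illustration of that two-step process (example code, not part of the report or Rezilion's platform), the snippet below applies a scanner backlog against an excerpt shaped like CISA's public KEV JSON feed: findings that runtime validation never saw loaded are dropped first, and the survivors that appear in KEV are pulled out for immediate patching, ordered by CISA's remediation due date. The feed excerpt, the backlog, the `runtime_loaded` field and all CVE ids are constructed placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (the real feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids, dates and products below are placeholders, not real catalog entries.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.01.01", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "vulnerabilityName": "ExampleApp Remote Code Execution", "dateAdded": "2023-01-01",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-22"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleDaemon",
         "vulnerabilityName": "ExampleDaemon Privilege Escalation", "dateAdded": "2023-01-10",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-31"},
    ],
})

# Constructed scanner backlog. "runtime_loaded" is a hypothetical field recording whether
# runtime validation saw the vulnerable component actually loaded into memory or executed.
BACKLOG = [
    {"cve": "CVE-0000-0001", "component": "libexample", "severity": "HIGH", "runtime_loaded": True},
    {"cve": "CVE-0000-0002", "component": "exampled", "severity": "CRITICAL", "runtime_loaded": False},
    {"cve": "CVE-0000-0003", "component": "libother", "severity": "CRITICAL", "runtime_loaded": True},
    {"cve": "CVE-0000-0004", "component": "unused-tool", "severity": "HIGH", "runtime_loaded": False},
]

def load_kev(feed_json):
    """Index the KEV feed by cveID so backlog findings can be matched directly."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(backlog, kev, today_iso):
    """Step 1: keep only findings that runtime validation proved loaded/executed.
    Step 2: split those into KEV hits (patch immediately, ordered by CISA due
    date and flagged if already overdue) and the rest of the reduced backlog."""
    today = date.fromisoformat(today_iso)
    exploitable = [f for f in backlog if f["runtime_loaded"]]
    immediate, remaining = [], []
    for f in exploitable:
        entry = kev.get(f["cve"])
        if entry is None:
            remaining.append(f)
            continue
        due = date.fromisoformat(entry["dueDate"])
        immediate.append({**f, "kev_due_date": entry["dueDate"], "overdue": due < today,
                          "required_action": entry["requiredAction"]})
    immediate.sort(key=lambda f: f["kev_due_date"])
    return immediate, remaining
```

Note that CVE-0000-0002 is in KEV but never surfaces: runtime validation already removed it, which is the point of running that step first.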
“It is crucial that organizations prioritize patching vulnerabilities that have already been exploited in the wild. The KEV catalog provides an excellent starting point for this. Combined with runtime validation it narrows down huge backlogs to a handful of patches that must be applied as quickly as possible,” Perkal added.
To download the full report, please visit https://info.rezilion.com/rezilion-2023-kev-research.
Rezilion’s software supply chain security platform automatically assures that the software you use and deliver is free of risk. Rezilion detects third-party software components on any layer of the software stack and understands the actual risk they carry, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable risk across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.
Learn more about Rezilion’s platform at www.rezilion.com and get a 30-day free trial.