Rezilion Uncovers High-Risk Vulnerabilities Missing from CISA KEV Catalog, Challenging Current Patching Prioritization Standards
NEW YORK, July 26, 2023 – Rezilion, an automated software supply chain security platform, today announced a new report, “CVSS, EPSS, KEV: The New Acronyms – And The Intelligence – You Need For Effective Vulnerability Management,” detailing the critical importance of the Exploitability Probability Prediction Score (EPSS) for enhancing patch prioritization and effective vulnerability management.
Earlier this year, Rezilion identified the glaring issue of millions of systems being exposed to Known Exploited Vulnerabilities (KEVs) despite available patches in a report on the CISA KEV catalog. The new research report furthers Rezilion’s 2023 KEV Research, demonstrating that knowing the KEV catalog is insufficient information for holistic vulnerability management because newly discovered vulnerabilities are not quickly added to the database.
In the new research, Rezilion’s vulnerability researchers identified more than 30 actively exploited vulnerabilities with a high EPSS score that were not listed in the CISA KEV catalog, highlighting a coverage gap in the catalog. The report establishes that the likelihood of exploitation is empirically higher for vulnerabilities with a high EPSS score than for those with a low EPSS score. It further underscores that relying solely on the Common Vulnerability Scoring System (CVSS) for patching prioritization is suboptimal.
“These findings accentuate the need for considering more than just one metric for effective vulnerability management,” said Yotam Perkal, Director of Vulnerability Research with Rezilion. “Our research shows that the interplay of CVSS, CISA’s KEV, and EPSS offers the most comprehensive approach to managing vulnerabilities. Ignoring any of these components can lead to gaps in an organization’s security posture. The right blend of these tools allows for accurate prioritization, ensuring the most dangerous vulnerabilities are addressed promptly.”
Key takeaways from the report include:
- The conventional method of prioritizing vulnerabilities often falls short. A holistic approach, including CVSS, CISA’s KEV, and EPSS, paired with runtime validation to determine the exploitability of detected vulnerabilities in the contexts in which they appear, offers the best defense.
- The KEV catalog alone is insufficient due to the delay in adding newly discovered vulnerabilities.
- Vulnerabilities with a high EPSS score are more likely to be exploited, emphasizing the importance of this information in prioritization.
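To make the takeaways concrete, the following is an added example (not code from the Rezilion report or platform) that orders findings by KEV membership, then EPSS, then CVSS, and flags the coverage gap the report describes: findings with a high EPSS score that KEV does not list. The `HIGH_EPSS` threshold, the `Finding` fields and the sample records are assumptions constructed for illustration; the report states no threshold.

```python
"""Combined KEV/EPSS/CVSS prioritization versus CVSS-only ordering."""
from dataclasses import dataclass

# Assumed threshold for a "high" EPSS probability; the report does not state one.
HIGH_EPSS = 0.5


@dataclass(frozen=True)
class Finding:
    cve: str      # identifier (values below are constructed placeholders, not real CVEs)
    cvss: float   # CVSS base score, 0.0 to 10.0
    epss: float   # EPSS probability of exploitation, 0.0 to 1.0
    in_kev: bool  # listed in the CISA KEV catalog


def priority_key(f: Finding) -> tuple:
    """Sort key: known exploitation first, then likelihood, then severity."""
    return (f.in_kev, f.epss, f.cvss)


def prioritize(findings):
    """Return findings ordered from most to least urgent using all three signals."""
    return sorted(findings, key=priority_key, reverse=True)


def cvss_only(findings):
    """The conventional ordering the report argues is suboptimal."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def kev_coverage_gap(findings, threshold=HIGH_EPSS):
    """Findings likely to be exploited that the KEV catalog does not (yet) list."""
    return [f for f in findings if not f.in_kev and f.epss >= threshold]


# Constructed sample data for illustration only.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", cvss=9.8, epss=0.02, in_kev=False),
    Finding("CVE-EXAMPLE-0002", cvss=7.5, epss=0.91, in_kev=False),
    Finding("CVE-EXAMPLE-0003", cvss=6.5, epss=0.40, in_kev=True),
    Finding("CVE-EXAMPLE-0004", cvss=8.1, epss=0.05, in_kev=False),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.cve for f in cvss_only(SAMPLE)])
    print("Combined order: ", [f.cve for f in prioritize(SAMPLE)])
    print("KEV gap:        ", [f.cve for f in kev_coverage_gap(SAMPLE)])
```

With the sample data, CVSS alone puts the 9.8 finding first, while the combined ordering surfaces the KEV-listed entry and the high-EPSS entry ahead of it.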
This research underpins the launch of Rezilion’s new Enrichment Feeds feature, which provides organizations with EPSS data as a prioritization signal so they can gauge the exploitability of their vulnerabilities. Rezilion urges organizations to take a comprehensive approach to vulnerability management using layers of context such as CVSS, CISA’s KEV, and EPSS.
To download the full report, please visit https://info.rezilion.com/high-risk-vulnerabilities-missing-from-cisa-kev-catalog.
For further insights on hidden vulnerabilities and vulnerability management, learn more at Rezilion’s session at the upcoming Black Hat, BSides, and DEFCON 2023 events.
Rezilion’s software supply chain security platform automatically assures that the software you use and deliver is free of risk. Rezilion detects third-party software components on any layer of the software stack and understands the actual risk they carry, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable risk across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.