The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of Known Exploited Vulnerabilities (KEV), and according to a report from vulnerability intelligence company VulnCheck, there were 557 CVEs added to the catalog in 2022. An average of 10 exploited flaws were added to the KEV list every week, with 93 CVEs having a 2022 identifier. Of the bugs added to the KEV last year, 22 were named vulnerabilities, including EternalBlue, Shellshock, and Heartbleed. Operating systems and IoT accounted for the highest percentages of the vulnerabilities added to the list in 2022.
VulnCheck also found that 241 of the 2022 additions have been exploited by threat actors (APTs), 122 by ransomware groups, and 69 by botnets. The company’s analysis also showed that it would be a mistake for organizations to treat CISA’s KEV list as an early warning system, as 10 of the flaws were added on the same day or even before a public exploit or exploitation details came to light.
Overall, the data shows a significant increase in the number of vulnerabilities CISA added to its catalog in 2022, as well as a wide range of products impacted by the security holes. Organizations should take note of this trend and ensure they are taking steps to properly patch and protect their systems.
Key Points:
- The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of Known Exploited Vulnerabilities (KEV)
- 557 CVEs were added to the KEV list in 2022
- 22 of the bugs added to the list last year were named vulnerabilities, including EternalBlue, Shellshock, and Heartbleed
- Operating systems and IoT accounted for the highest percentages of the vulnerabilities added to the list in 2022
- Organizations should take note of this trend and ensure they are taking steps to properly patch and protect their systems