
Dozens of Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List

Dozens of security flaws that have likely been exploited by malicious actors in the wild have been left off the Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). According to vulnerability intelligence company VulnCheck, CISA has not yet added 42 vulnerabilities to its catalog that have been assigned CVE identifiers in 2022, despite the fact that they have likely been exploited in malicious attacks.

CISA’s KEV catalog is often referred to as a ‘must patch’ list because government organizations are required to patch the flaws within specified timeframes and private companies are strongly encouraged to do so. Of the vulnerabilities that VulnCheck believes have been exploited and have not been added to CISA’s KEV catalog, 64% are related to botnets, followed by threat actors (12%) and ransomware (10%).

One of the missing CVEs was CVE-2017-20149, which impacts Mikrotik routers and was linked to CIA hacking tools in 2017. Another missing CVE was CVE-2022-28810, a ManageEngine ADSelfService Plus vulnerability linked to Chinese APT activity. CISA also did not add CVE-2022-35914, a GLPI bug, and CVE-2022-33891, an Apache Spark vulnerability, to its catalog until after the VulnCheck report came out.

CISA last year clarified the criteria for adding vulnerabilities to the KEV catalog, yet dozens of apparently exploited vulnerabilities have yet to be added to the list. It is unclear why these flaws have been left off, but VulnCheck’s analysis provides links to reliable sources reporting exploitation of the neglected flaws.

Overall, the list of missing vulnerabilities includes CVEs linked to Truebot malware, PLC password cracking tools, and other malicious activity. Consequently, practitioners should augment vulnerability management programs by seeking out additional sources or finding a source with a more complete dataset.
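The recommendation above, to not rely on KEV alone, can be put into a simple triage step. The following is an added example, not VulnCheck's or CISA's code: it annotates each CVE found in an environment with where its exploitation evidence comes from (KEV, a second source, or neither) and lists the ones a KEV-only process would miss. The KEV sample keeps the top-level shape of CISA's published JSON feed (a "vulnerabilities" array with "cveID" and "dueDate"), but the entries, dates, secondary-source records and inventory are all constructed; the activity labels echo the categories the article names.

```python
import json

# Constructed sample of CISA's KEV JSON feed. The top-level shape (a
# "vulnerabilities" array of objects with "cveID" and "dueDate") follows the
# feed CISA publishes; the entries and dates here are illustrative only.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-35914", "vendorProject": "GLPI", "dueDate": "2023-01-01"},
    {"cveID": "CVE-2022-33891", "vendorProject": "Apache", "dueDate": "2023-01-01"},
]})

# Constructed records from a hypothetical second exploitation-intelligence
# source; the CVEs and activity types mirror the ones the article mentions.
SECONDARY_FEED = [
    {"cve": "CVE-2017-20149", "activity": "botnet"},
    {"cve": "CVE-2022-28810", "activity": "threat-actor"},
    {"cve": "CVE-2022-35914", "activity": "botnet"},
]

# Constructed scanner findings for one environment ("CVE-0000-0000" is a
# placeholder for a finding with no exploitation evidence anywhere).
INVENTORY = {"CVE-2017-20149", "CVE-2022-28810", "CVE-2022-35914", "CVE-0000-0000"}


def triage(kev_json, secondary, inventory):
    """Annotate every CVE in the inventory with where its exploitation
    evidence comes from: the KEV catalog, a secondary source, both or neither."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    activity = {}
    for rec in secondary:
        activity.setdefault(rec["cve"], set()).add(rec["activity"])
    rows = []
    for cve in sorted(inventory):
        rows.append({
            "cve": cve,
            "in_kev": cve in kev,
            "due": kev[cve]["dueDate"] if cve in kev else None,
            "activity": sorted(activity.get(cve, ())),
        })
    return rows


def kev_gaps(rows):
    """CVEs with exploitation evidence that a KEV-only process would miss."""
    return [r["cve"] for r in rows if r["activity"] and not r["in_kev"]]


if __name__ == "__main__":
    rows = triage(KEV_FEED, SECONDARY_FEED, INVENTORY)
    for r in rows:
        print(r)
    print("exploited but not in KEV:", kev_gaps(rows))
```

In practice the two feeds would be fetched rather than embedded, and the "due" field gives the KEV deadline while entries flagged by kev_gaps need a locally assigned one.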

Key Points:
• Dozens of security flaws that have likely been exploited in the wild have been missing from the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA.
• CISA’s KEV catalog is often referred to as a ‘must patch’ list because government organizations are required to patch the flaws within specified timeframes and private companies are strongly encouraged to do so.
• CISA clarified the criteria for adding vulnerabilities to the KEV catalog, but several flaws have yet to be added to the list.
• VulnCheck’s analysis provides links to reliable sources reporting exploitation of the neglected flaws.
• Practitioners should augment vulnerability management programs by seeking out additional sources or finding a source with a more complete dataset.
