Skip to Content

CISA Known Exploited Vulnerabilities

Recently there’s been quite a few updates to CISA’s Known Exploited Vulnerabilities list, and lots of news surrounding some of the more recent exploits.  I want to take a closer look at some of the more recent additions, as well as dive a little deeper into the purpose of this list, and why it is something we all need to keep an update.

August 2022 Updates to CISA Known Exploited Vulnerabilities

It has been a busy month out there for vulnerabilities.

The one everyone is talking about right now is Palo Alto Networks’ CVE-2022-0028.  In this particular CVE, attackers can perform a denial of service attack against devices running PAN-OS.

While this is making the rounds right now, this month alone there were also 11 more vulnerabilities added for software by vendors such as Microsoft, SAP, Apple, Google, Zimbra, and RARLAB.

Not all of these vulnerabilities are against products found in the data center, some target everyday consumer products like iOS and Google Chrome, not to mention Microsoft Windows is almost always on the list (sorry not sorry, Microsoft).

In August 2022 there has already been 12 vulnerabilities added to this list, so let’s take a look at why that matters.

What is the Known Exploited Vulnerabilities list?

This list maintained by CISA highlights the vulnerabilities that have known exploits.  That means that the vulnerability is more than just theoretically, there are examples in the wild of how the vulnerability can be used, making it more dangerous and critical.

Once a CVE number is given to a vulnerability, it is considered for the list once either attempted or successful exploration has occurred.  After all, if you don’t succeed, try try again, right?  With many exploits that can have a large impact, it can be just a matter of time before they are exploited.  After exploitation, a CVE is added to the list once the remediation is available – whether it is a workaround or a true fix for the exploit.

This means there can be a lag between the time the vulnerability is released and it is added to the list.  Let’s take a recent example from this month’s additions.

Microsoft CVE-2022-26923 was first available on May 10, 2022, but was added to the Known Exploited Vulnerabilities list on August 18, 2022.  It is also interesting to know that patches were available on the day the vulnerability was released.  This particular CVE is related to privilege escalation Active Directory, which we know is used just about everywhere.

The timing of this is interesting.  While many organizations may have mitigated this CVE via their normal patching activities, enough have not that it is now listed on the KEV list.  Even if organizations are not keeping up to date on CVEs, malicious actors are so that they know their potential attack vectors.

With a list of this impact, it is important that remediation guidance is given.  Sure, it is easy to spin up response activities over a vulnerability, but the knowledge on how to reduce the risk in the environment is essential to the response process.

CISA Known Exploited Vulnerabilities or KEV Catalog

The CISA Known Exploited Vulnerabilities List or KEV Catalog is something that can be important to monitor.  One of the simplest ways to do this is to subscribe to alerts and be notified when the catalog is updated.

It is also important that organizations keep up to date on CVEs for the software running in their environment, and feed this information into their vulnerability management practices in order to reduce risk where possible.