VulnCheck: CISA's KEV missing 42 vulnerabilities from 2022
VulnCheck said CISA's Known Exploited Vulnerabilities catalog 'cannot be treated as the authoritative catalog of exploited vulnerabilities' in its current state.
CISA's Known Exploited Vulnerabilities catalog added 557 CVEs in 2022, but according to a new report from threat intelligence vendor VulnCheck, the list is missing 42 flaws that have been exploited in the wild.
The CISA KEV catalog was launched in 2021 as a means for the U.S. government's cyber agency to provide a list of flaws known to be actively exploited. According to CISA's website, the KEV catalog is "the authoritative source of vulnerabilities that have been exploited in the wild," and organizations should "review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors."
However, VulnCheck claimed in its report Thursday that it identified 42 vulnerabilities "that were assigned CVEs in 2022 and reported to have been, or likely to have been, exploited in the wild that were not added to the CISA KEV Catalog." The list of missing 2022 flaws included a number of major vendors such as Citrix, Veeam and Zyxel. The sources for reported exploitation in the wild included Cisco Talos, ESET Research, Avast and others.
"The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry," the report read. "Still, as long as it's missing actively exploited vulnerabilities, it cannot be treated as the authoritative catalog of exploited vulnerabilities. Practitioners should augment vulnerability management programs by seeking out additional sources or finding a source with a more complete dataset."
The majority of the 42 flaws were used for botnets (64%), while 10% were exploited in ransomware attacks, and 12% were attributed to being part of a threat actor's arsenal. In addition, 76.2% of the flaws could be used for initial access to a victim environment.
One example of a vulnerability that was used for both initial access and ransomware is CVE-2022-31199, a remote code execution flaw in Netwrix Auditor that was first disclosed in July. Cisco Talos published a report in December that observed exploitation of the flaw in TrueBot infections that later included data theft and the deployment of Clop ransomware.
"The fact that an attacker chose to weaponize this vulnerability and it was exploited in the wild shows how valuable initial access vulnerabilities are to attackers," VulnCheck wrote in its report, noting that Netwrix is a small data security vendor with fewer than a dozen internet-facing instances.
VulnCheck additionally referenced other missing flaws -- the critical MVPower CCTV DVR flaw CVE-2016-20016 was mentioned specifically -- that have been exploited for years and continue to have significant numbers of potentially vulnerable targets.
VulnCheck security researcher Jacob Baines told TechTarget Editorial that it's difficult to say why the flaws haven't been added, in part because "CISA never cites its source for exploited-in-the-wild data."
"It's unclear where CISA gets its information or what type of public data would persuade them to add to the catalog," he said. "The vulnerabilities in this report are all sourced from well-known security companies. I suspect it's a matter of getting the right information and right person in front of CISA. However, it further proves how the influx of vulnerabilities impacts the ability of teams to keep up and prioritize protection."
Baines said VulnCheck has not contacted CISA regarding the Thursday report, though he added that the company had discussed "a couple of vulnerabilities" with the agency privately in the past, but "the conversations have yet to lead to meaningful changes to the KEV catalog."
In a blog post last week, VulnCheck noted how the size of the KEV catalog nearly tripled last year, with CISA adding 557 CVEs to the list for a total of 868 exploited vulnerabilities. The blog post also credited CISA with doing a "respectable" job of adding vulnerabilities to the KEV catalog in a timely manner -- typically within a week of exploitation reports -- though it noted that some exploited CVEs were absent.
And VulnCheck's Thursday report is not the first time a vendor has noted potential weaknesses in the KEV catalog. A February report published by Cyber Security Works, Cyware, Ivanti and Securin identified 131 exploited vulnerabilities that were yet to be included, with 111 first discovered in 2019 or prior.
At the time, Ivanti chief product officer Srinivas Mukkamala told TechTarget Editorial that one possible reason for the exclusion was that many of the 131 didn't have remediations -- a requirement to join the catalog.
The other two requirements for a flaw to be included in CISA's KEV catalog are that it had been exploited in the wild and that it had been granted a CVE. VulnCheck's report referenced the latter requirement in regard to one of the 42 vulnerabilities, CVE-2017-20149, which affects MikroTik routers. Despite being discovered in 2017 and eventually being exploited, it only received a proper CVE last year.
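As an added illustration (not code from the article or from VulnCheck) of the augmentation the report recommends and of the three KEV inclusion criteria described above: a script that compares a feed in the layout of CISA's KEV JSON against exploitation reports gathered from other sources, lists what is absent from KEV, and notes which criterion (CVE assigned, remediation available) each absent entry visibly fails. The feed's field names are the ones CISA publishes; the catalog entry, the report list and the `fix_available` flags are constructed for the example.

```python
import json

# Constructed sample in the layout of CISA's KEV JSON feed. The field names
# match the published feed; the single entry is made up for this example.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 1,
    "vulnerabilities": [
        {"cveID": "CVE-2022-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "vulnerabilityName": "Example RCE",
         "dateAdded": "2022-12-01", "shortDescription": "constructed entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-12-22", "notes": ""},
    ],
})

# Constructed third-party exploitation reports. Every entry here is, by
# construction, "exploited in the wild", so that criterion is taken as met;
# the source attributions and fix_available flags are assumptions.
THIRD_PARTY_REPORTS = [
    {"cve": "CVE-2022-31199", "source": "Cisco Talos", "vendor": "Netwrix", "fix_available": True},
    {"cve": "CVE-2016-20016", "source": "VulnCheck", "vendor": "MVPower", "fix_available": False},
    {"cve": "CVE-2022-00001", "source": "ESET Research", "vendor": "ExampleVendor", "fix_available": True},
    {"cve": None, "source": "Vendor advisory", "vendor": "ExampleRouterCo", "fix_available": True},
]


def load_kev_ids(feed_text):
    """Return the set of CVE ids currently listed in a KEV-format feed."""
    return {v["cveID"] for v in json.loads(feed_text)["vulnerabilities"]}


def kev_gaps(feed_text, reports):
    """Map each exploited-elsewhere finding absent from KEV to its reporting
    sources and to the KEV inclusion criteria it fails (empty set = eligible)."""
    listed = load_kev_ids(feed_text)
    gaps = {}
    for r in reports:
        if r["cve"] in listed:
            continue  # already in KEV, nothing to augment
        key = r["cve"] or f"no-CVE:{r['vendor']}"  # group CVE-less reports by vendor
        entry = gaps.setdefault(key, {"sources": [], "unmet": set()})
        entry["sources"].append(r["source"])
        if r["cve"] is None:
            entry["unmet"].add("no CVE assigned")
        if not r["fix_available"]:
            entry["unmet"].add("no remediation available")
    return gaps


if __name__ == "__main__":
    for key, info in kev_gaps(KEV_FEED, THIRD_PARTY_REPORTS).items():
        print(key, "sources:", info["sources"], "unmet:", sorted(info["unmet"]) or "none")
```

Entries whose `unmet` set is empty are the ones a practitioner would track as KEV candidates; the others show which criterion would keep them out even if CISA were aware of them.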
"This vulnerability has been exploited in the wild for approximately five years, and no one saw fit to request a CVE," the report read. "Having a CVE is a requirement to be included in the CISA KEV Catalog, and, sadly, appears to be the only way to remain in the vulnerability historical record."
CISA had not responded to TechTarget Editorial's request for comment as of press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.