Glossary Glossary

CISA KEV Catalog




The Known Exploited Vulnerabilities (KEV) Catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA) is an authoritative source of vulnerabilities that have already been exploited in the wild. It was created for the benefit of the cybersecurity community and network defenders and helps organizations better manage vulnerabilities and keep pace with threat activity.

Organizations are advised to use the CISA KEV Catalog as an input to their vulnerability management prioritization framework, making it critical to effective external attack surface management (EASM).

Table of Contents

Known Exploited Vulnerabilities Catalog: A Deep Dive

What Are the Benefits of Using the CISA KEV Catalog for Security Teams

The CISA KEV catalog is a great tool for risk-based vulnerability management. In combination with the vulnerability’s CVSS score, it allows for a realistic assessment of the risk that a vulnerability poses to the organization.

If a vulnerability is known to be actively exploited in the wild, it means that the likelihood of exploitation in the organization’s network is high, and security teams should prioritize remediation efforts for it higher than for non-exploitable vulnerabilities.

The CVSS score alone is not enough for prioritization, as some critical vulnerabilities do not always have an exploit available in the wild, and some medium-severity vulnerabilities can be widely exploited and pose a much higher risk to the organization.

What Are Some of the Most-Exploited Vulnerabilities Included in the CISA KEV Catalog?

Three zero-days in the KEV Catalog have been dubbed the most exploited in 2023. What dangers can their exploitation lead to?

A Closer Look at CVE-2023-34362

CVE-2023-34362 is a high-risk SQL injection vulnerability in MOVEit Transfer. If successfully exploited, it could allow unauthenticated users to gain unauthorized access to MOVEit Transfer’s database. Attackers may be able to gather information about the structure and contents of a database apart from executing SQL statements that can alter or delete database elements.

To date, CVE-2023-34362 has been abused in several ransomware campaigns, notably by the CL0P Ransomware Gang. In this particular case, the ransomware operators infected Internet-connected MOVEit Transfer web applications with the web shell LEMURLOOT, allowing them to steal data from underlying MOVEit Transfer databases.

It has been added to CISA KEV catalog on 2023-06-02, which means .

A Closer Look at CVE-2022-21587

CVE-2022-21587, a critical unauthenticated file upload vulnerability in Oracle E-Business Suite, allows unauthenticated users with network access via HTTP to compromise Oracle Web Applications Desktop Integrator.

CVE-2022-21587 has been abused by threat actor Prophet Spider or UNC961. After exploitation by placing a Perl-based web shell on the target system, the attacker dumped credentials and attempted to exfiltrate ntds.dit, which serves as the primary database file within Microsoft’s Active Directory Domain Services.  In effect, the attackers obtain all information related to critical data, such as user account details, passwords, group memberships, and other object attributes.

The name suggests that this vulnerability originates from 2022, but it has been added to CISA KEV catalog on 2023-02-02, which means that researchers noticed active exploitation in the wild around this time.

A Closer Look at CVE-2023-2868

CVE-2023-2868 is a critical command injection vulnerability in Barracuda Email Security Gateways. The appliances contain an improper input validation vulnerability in a user-supplied .tar file that could allow remote command injection.

CVE-2023-2868 has been exploited by Chinese APT Group UNC4841 to target governmental organizations and individuals working for government or research institutes in the Americas.

This vulnerability has been added to CISA KEV catalog on 2023-05-26.

What Does It Take for a Vulnerability to Be Added to the Known Exploited Vulnerabilities Catalog?

A vulnerability needs to satisfy three criteria to get listed on the KEV Catalog.

Known Exploited Vulnerabilities Catalog Catalog Inclusion Requirements

Criteria #1: Does It Have an Assigned Common Vulnerabilities and Exposures ID?

Every vulnerability that gets disclosed is given a Common Vulnerabilities and Exposures (CVE) ID by a CVE Numbering Authority (CNA), an organization authorized to assign and populate CVE IDs to vulnerabilities affecting products within their scope. After the CNA creates the CVE record, MITRE posts the vulnerability on the CVE website. Users can consult the MITRE CVE List website and the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST) for a running list of all assigned CVEs.

Criteria #2: Is It Actively Being Exploited?

A vulnerability that is actively being exploited should have reliable evidence that the execution of malicious code was performed by an actor on a system without the system owner’s permission. Note that the exploitation can either be attempted or successful.

Criteria #3: Is Clear Remediation Guidance Available for It?

CISA adds KEVs to the KEV Catalog as soon as clear actions for affected organizations have been defined. Organizations are encouraged to apply updates or patches according to the vendor’s instructions or remove the vulnerability from their networks if the affected product or service has reached its end of life (EoL) or cannot be updated or patched anymore.

What Kind of Organizations Are Mandated to Stay Abreast of Changes to the KEV Catalog?

Organizations considered federal civilian executive branch (FCEB) agencies are expected to plug in weaknesses related to KEVs within the prescribed time frames under the Binding Operational Directive (BOD) 22-01.

Users can view KEV Catalog content by CVE metadata. More specifically, they can choose to view the latest additions to the catalog based on CISA due date, CISA date added, CVE release date, or CISA due date if they select any of these CVE metadata.

Can an EASM Platform Identify Issues Listed on the KEV Catalog?

Yes, an EASM platform like Attaxion can help organizations speed up their scanning for vulnerabilities and other issues to address network weaknesses, including those listed in the KEV Catalog. 

issues listed in the CISA KEV Catalog and discovered by an EASM platform
Figure 1: EASM platform flagging CVE-2023-44487 vulnerability listed in the KEV Catalog

EASM platforms may also provide more detailed information about vulnerabilities listed in the KEV Catalog, including what actions should be taken to address them.

Detailed data about vulnerabilities listed in the CISA KEV Catalog
Figure 2: Detailed data on the vulnerability with corresponding remediation recommendation

Key Takeaways

  • The KEV Catalog maintained by CISA is an authoritative source of vulnerabilities that have already been exploited in the wild.
  • The CISA KEV Catalog was created for the benefit of the cybersecurity community and network defenders and to help organizations better manage vulnerabilities.
  • Organizations should use the CISA KEV Catalog as an input to their vulnerability management prioritization framework, making it critical to EASM.
  • A vulnerability needs to fulfill three criteria—having a CVE ID, being actively exploited, and having remediation guidelines—to be included in the CISA KEV Catalog.

Ready to find out how Attaxion can help you keep up with the latest KEVs? Kickstart your 30-day trial now!

Interested to Learn More?