Defenders – as human beings – tend to focus on the new “shiny” threats and vulnerabilities, making sure their organizations are patched against whatever was disclosed this week. That is a sound instinct: building detection rules and mitigations for new threats matters, because attackers are quick to weaponize zero days, as we see all too often.
At the same time, in larger organizations, internal patching cycles, change control boards, deployment scheduling and “shadow IT” mean it can be weeks or even months before an enterprise has updated everything in its estate. That also assumes it knows the software exists at all, and that it holds an active support contract allowing it to download and apply security updates.
Attackers know this too, which is why we continue to see old vulnerabilities used in new campaigns. Why would a sophisticated threat group burn a zero day when an old CVE still does the job?
The Known Exploited Vulnerabilities (KEV) Catalog is a list of actively exploited CVEs maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). An entry is added only when the vulnerability has a CVE ID, there is reliable evidence of exploitation in the wild, and a clear remediation action exists. Each entry carries a date added, a required action and a due date; under Binding Operational Directive 22-01, US federal civilian executive branch agencies must remediate every entry by that due date.
If it’s important enough for the government to mandate patching, then it should be important enough for any organization to do the same!
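The practical use of the catalog is as a join key: pull the feed, intersect it with your own scanner output, and sort by how far past the CISA due date each finding is. The script below is an added example, not code from the original post. It uses the field names of the real KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse), but the two catalog entries, the CVE IDs and the scan findings are constructed placeholders rather than real catalog data; the live feed URL in the docstring is the real one.

```python
"""Cross-reference scanner findings against the CISA KEV catalog.

Added example, not code from the original post. Field names follow the
real KEV JSON feed; the catalog entries, CVE IDs and scan findings below
are constructed placeholders, not real vulnerability data.
Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date

# Constructed two-entry catalog in the feed's shape. CVE IDs are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2020-99901",
            "vendorProject": "ExampleVendor",
            "product": "Example VPN Appliance",
            "vulnerabilityName": "Example VPN pre-auth RCE (placeholder)",
            "dateAdded": "2023-06-24",
            "shortDescription": "Placeholder entry for the example.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-07-15",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
        {
            "cveID": "CVE-2023-99902",
            "vendorProject": "ExampleVendor",
            "product": "Example Web Server",
            "vulnerabilityName": "Example path traversal (placeholder)",
            "dateAdded": "2023-07-30",
            "shortDescription": "Placeholder entry for the example.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-08-20",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Constructed scanner export: (hostname, CVE). The CVE-2019 entry is
# deliberately absent from the catalog so the join drops it.
SAMPLE_FINDINGS = [
    ("vpn01.corp.example", "CVE-2020-99901"),
    ("web01.corp.example", "CVE-2023-99902"),
    ("web01.corp.example", "CVE-2019-99903"),
    ("vpn02.corp.example", "CVE-2020-99901"),
]


def load_kev(feed_text):
    """Parse the KEV feed and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Keep only findings present in KEV, annotate each with its deadline
    status, and order them most-overdue first (hostname breaks ties)."""
    rows = []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue  # no exploitation evidence from CISA; leave to the normal SLA
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": host,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_overdue": (today - due).days,  # negative = still inside the deadline
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (-r["days_overdue"], r["host"]))
    return rows


def run_sample(today_iso="2023-08-01"):
    """Run the join on the constructed data for a given reference date."""
    return prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in run_sample():
        if row["days_overdue"] > 0:
            status = f'{row["days_overdue"]}d overdue'
        else:
            status = f'due in {-row["days_overdue"]}d'
        flag = " [ransomware]" if row["ransomware"] else ""
        print(f'{row["host"]:22} {row["cve"]:15} {status:14} {row["product"]}{flag}')
```

In real use, replace SAMPLE_KEV_JSON with the downloaded feed and SAMPLE_FINDINGS with a scanner export; the point of the sort is that a finding already past its CISA due date outranks anything else in the queue, regardless of CVSS score, and a KEV entry flagged for ransomware use deserves its own escalation path.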
In August 2023, CISA, together with its Five Eyes partners, released a list of the top 12 CVEs routinely exploited in 2022. The list spans CVEs published from 2018 through 2022, showing that attackers keep exploiting vulnerabilities years after a fix is available, because enough organizations remain slow to apply it.
Note that while there are 12 CVEs, they affect only nine products: in several cases multiple CVEs against the same product are exploited together as a chain, the ProxyShell chain against Microsoft Exchange being the best-known example.