On October 10, the Cybersecurity and Infrastructure Security Agency (CISA) added five known software flaws to its Known Exploited Vulnerabilities (KEV) catalog. One of the most notable was a use-after-free vulnerability in Adobe's Acrobat and Reader PDF-viewing applications, which Adobe had disclosed ten months earlier. Proof-of-concept (PoC) code was published on GitHub within a week of the disclosure, and a working exploit was added to a commercial exploit framework in June, almost 10 months before CISA updated the KEV.
This delay in updating the KEV poses a significant risk to federal agencies and organizations that rely on the catalog for their security measures. Brian Martin, a vulnerability historian at Flashpoint, a threat intelligence firm, expressed his concern, saying, "This is like staring into the lamp of a train as it’s barreling down the tracks toward you. Any sane person would [want to] jump at this point."
The Adobe vulnerability is not an isolated case. On November 13, CISA updated the KEV catalog again, this time with five issues in Juniper's EX and SRX series network appliances. These vulnerabilities had been publicly disclosed in mid-August, and exploitation attempts had been detected by security researchers at Shadowserver as early as August 25.
Another vulnerability with a long lead time is the Veeam Backup & Replication flaw (CVE-2023-27532), which was disclosed in March and likely exploited later that month, but was only added to the KEV list in August. Caitlin Condon, head of vulnerability research at Rapid7, emphasized that while the KEV list is a valuable resource, organizations should not rely solely on it for their vulnerability management programs. She stated, "CISA KEV is often going to be a trailing indicator of exploitation in the wild. It's certainly a high-quality source of information, and it's very useful as one component in a risk-based vulnerability prioritization strategy, but we wouldn't recommend using KEV as your only source, or even your primary source, of data to support vulnerability prioritization."
CISA faces real difficulties in determining whether a vulnerability is being exploited in the wild. The agency has stated that scanning for the vulnerability, active research on an exploit, and proof-of-concept (PoC) code do not meet the "in the wild" criterion; it also requires a certain standard of evidence before an attack is recorded in the KEV catalog.
Even when a vulnerability is being exploited in the wild, CISA may delay adding it to the KEV if there is no clear remediation guidance. The reason is that every federal agency is required to remediate a listed vulnerability within two weeks of its addition, so CISA is reluctant to list a flaw that agencies cannot yet fix.
Given these delays, companies are advised not to rely solely on the KEV catalog for information on whether a vulnerability is being exploited. They should also look at other databases, such as the Exploit Prediction Scoring System, ransomware prediction models, Rapid7's AttackerKB, and Flashpoint's VulnDB exploit classification.
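The prioritization strategy the article describes, treating KEV as one trailing signal among several, can be expressed as a small ranking routine. The code below is an added illustration, not code from the article, CISA, FIRST, Rapid7 or Flashpoint; the CVE ids, KEV entries, EPSS probabilities and asset attributes are constructed sample values, and the tier rules (P1 to P4) and the 0.5 EPSS threshold are assumptions chosen for the example.

```python
"""Rank vulnerability findings using several exploitation signals, not KEV alone.

Added example, not code from the article or from any of the vendors it names.
All CVE ids, KEV entries, EPSS scores and asset data below are constructed.
"""
from dataclasses import dataclass

# Constructed KEV-style entries: cveID -> (dateAdded, dueDate). Only one of the
# four sample CVEs has made it into the catalog so far.
KEV_SAMPLE = {
    "CVE-2023-0001": {"dateAdded": "2023-10-10", "dueDate": "2023-10-31"},
}

# Constructed EPSS scores: estimated probability of exploitation in the next 30 days.
EPSS_SAMPLE = {
    "CVE-2023-0001": 0.91,
    "CVE-2023-0002": 0.72,
    "CVE-2023-0003": 0.03,
    "CVE-2023-0004": 0.45,
}


@dataclass
class Finding:
    cve: str
    cvss: float
    internet_facing: bool
    # True when another feed (e.g. an exploit-classification database) reports a
    # public PoC or exploit module; constructed flag for this example.
    exploit_evidence: bool = False


# Constructed findings from a hypothetical scan.
SAMPLE_FINDINGS = [
    Finding("CVE-2023-0001", cvss=7.8, internet_facing=False),           # in KEV, internal host
    Finding("CVE-2023-0002", cvss=8.8, internet_facing=True),            # not in KEV yet, high EPSS
    Finding("CVE-2023-0003", cvss=9.8, internet_facing=True),            # critical CVSS, no exploitation signal
    Finding("CVE-2023-0004", cvss=6.5, internet_facing=True, exploit_evidence=True),
]


def assess(finding, kev=KEV_SAMPLE, epss=EPSS_SAMPLE, epss_threshold=0.5):
    """Return (tier, reasons) for one finding.

    Any exploitation signal (KEV listing, EPSS above threshold, or exploit
    evidence from another feed) puts the finding in P1 when it is exposed to
    the internet, otherwise P2. Findings with no exploitation signal fall back
    to CVSS severity: P3 for high/critical, P4 for the rest.
    """
    reasons = []
    if finding.cve in kev:
        reasons.append(f"CISA KEV (due {kev[finding.cve]['dueDate']})")
    probability = epss.get(finding.cve, 0.0)
    if probability >= epss_threshold:
        reasons.append(f"EPSS {probability:.2f}")
    if finding.exploit_evidence:
        reasons.append("exploit evidence from another feed")

    if reasons:
        tier = "P1" if finding.internet_facing else "P2"
    else:
        tier = "P3" if finding.cvss >= 7.0 else "P4"
    return tier, reasons


def prioritize(findings, kev=KEV_SAMPLE, epss=EPSS_SAMPLE, epss_threshold=0.5):
    """Return findings as (cve, tier, reasons), most urgent first.

    Within a tier, higher EPSS comes first, then higher CVSS, so two P1 items
    are ordered by how likely exploitation is rather than by severity alone.
    """
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    assessed = [(f, *assess(f, kev, epss, epss_threshold)) for f in findings]
    assessed.sort(key=lambda t: (order[t[1]], -epss.get(t[0].cve, 0.0), -t[0].cvss))
    return [(f.cve, tier, reasons) for f, tier, reasons in assessed]


if __name__ == "__main__":
    for cve, tier, reasons in prioritize(SAMPLE_FINDINGS):
        print(f"{tier} {cve}: {', '.join(reasons) or 'no exploitation signal'}")
```

Run against the constructed data, the ranking places CVE-2023-0002 first even though it is absent from KEV, because its EPSS score and exposure already justify urgency; CVE-2023-0003, the highest CVSS score in the set, lands in P3 because no source reports exploitation. That ordering is the practical consequence of Condon's point: KEV membership raises priority when present, but its absence is never treated as evidence of safety.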
Despite these challenges, the KEV catalog and the other databases still play a crucial role in vulnerability management. None of these sources is infallible, however, and each has its own limitations, which is why they are best used together rather than in isolation.