When it comes to exploits in the Cybersecurity and Infrastructure Security Agency CISA Known Exploited Vulnerability Catalogues KEV, Remote Code Execution is king, as we analyze this article. So, in ASPM, do we need to care about anything else? Remote code execution might be the king of vulnerability, but other typologies could also lead to exploitation or dangerous effects like authentication bypass or denial of service.
What is CISA KEV
The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) catalog is crucial for organizations prioritizing their vulnerability management efforts. CISA KEV focuses on vulnerabilities actively exploited in the wild, offering a targeted view of the most pressing security threats. However, it’s important to note that the CISA KEV catalog has a strong bias towards vulnerabilities that impact infrastructure and operating systems (O/S), providing a partial view of the broader threat landscape. This bias can skew the perception of vulnerability risks, particularly when assessing vulnerabilities related to applications or other software layers.
CISA KEV Technical Impact Analysis
CISA KEV Technical Impact distribution
Analyzing the CISA KEV data using Phoenix AI’s category extraction reveals interesting trends in how vulnerability impacts have shifted over recent years. For instance, Remote Code Execution (RCE) remains one of the most prominent threats, with 133 instances across the years, though there has been a noticeable decline from 52 cases in 2023 to just 8 in 2024. Similarly, Privilege Escalation, which allows attackers to gain elevated permissions, has fluctuated significantly, with a peak of 105 cases in 2023 and a drop to 12 in 2024. Information Leak vulnerabilities expose sensitive data and show a similar downward trend, from 63 in 2023 to just 8 in 2024.
Denial of Service (DoS) vulnerabilities, which disrupt system availability, have remained relatively stable but low, with a slight increase in 2023 followed by a decrease in 2024. Authentication Bypass vulnerabilities, which allow attackers to circumvent security controls, have been consistent but relatively low in number, with a slight increase in 2024. The data also highlights some less frequent but noteworthy combinations of vulnerabilities, such as
Privilege Escalation coupled with Denial of Service or Information Leak, which are rare but critical when they occur.
Leveraging that vulnerability category, you can prioritize the vulnerability attackers use to get ahead of the curve.
CISA KEV Phoenix AI analysis of the typology of vulnerability
Exploring CISA KEV data with Phoenix Threat Intelligence
To explore this data and other check out the vulnerability intelligence explorers from Phoenix Security ASPM
- Technical Impact overview: https://phoenix.security/data-ex-categories/
Other useful references
- Exploit in the wild: https://phoenix.security/what-is-exploitability/
- OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
- CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/
The Role of EPSS: Predicting the Next Big Threat
While the CISA KEV catalog offers a snapshot of current threats, the Exploit Prediction Scoring System (EPSS) provides a forward-looking perspective. EPSS estimates the likelihood of a vulnerability being exploited in the future, helping organizations anticipate which threats might emerge next. The correlation between KEVs and EPSS is crucial: vulnerabilities that are both actively exploited (KEVs) and have high EPSS scores should be prioritized for immediate remediation.
CISA KEV Vulnerability Category Analysis
Over the years, vulnerability data analysis has revealed significant trends in the types of vulnerabilities that have been most prevalent and their evolving impact on security. This data, normalized and categorized by Phoenix AI’s category extraction, highlights how certain vulnerabilities have remained persistent threats while others have fluctuated in prevalence.
Vulnerability Category in CISA KEV
Over the years, one of the top vulnerabilities has been Memory Corruption, which allows attackers to exploit unintended memory alterations, potentially leading to system crashes or arbitrary code execution. Memory Corruption incidents peaked in 2021 with 310 cases but decreased in subsequent years, with 78 in 2022 and 181 in 2023, before dropping further to 14 in 2024.
For those reasons, CISA promotes memory-safe languages and methods to address vulnerabilities at scale with KEV.
Overflow vulnerabilities, closely related to Memory Corruption, have also shown significant activity, with 46 cases in 2021 and a notable reduction to just 1 case by 2024. These critical vulnerabilities often lead to severe impacts like arbitrary code execution or system compromise.
SQL Injection and Remote Code Execution (RCE) have also been prominent. SQL Injection, which enables attackers to manipulate database queries, has decreased from 13 cases in 2021 to just 1 in 2024. Similarly, Remote Code Execution, a highly severe vulnerability, dropped from 60 cases in 2021 to 0 by 2024, indicating improvements in mitigating these types of attacks.
Command Injection and Privilege Escalation remain concerning. Command Injection saw a peak in 2021 at 28 cases, followed by fluctuations in the subsequent years. Privilege Escalation, which allows attackers to gain elevated access rights, showed a significant presence in 2021 with 59 cases and has decreased over time, with 7 cases in 2024.
File Inclusion vulnerabilities, which allow attackers to include unauthorized files in web applications, also had a notable impact, with 39 cases in 2021 and a decline to 0 in 2024. Similarly,
Directory Traversal, which enables attackers to access restricted directories, showed similar trends, peaking at 44 cases in 2021 and declining to 2 in 2024.
The data also highlights less frequent but critical vulnerabilities, such as Improper Access Control and XXE (XML External Entity) attacks. Although these categories have had fewer incidents overall, they remain significant due to the severe impact they can cause.
It’s important to note that the CISA KEV data, while invaluable, shows a strong bias toward vulnerabilities affecting infrastructure and operating systems (O/S), offering a partial view of the broader cybersecurity landscape.
The landscape changes over the years, observing the Analysis of the CISA Kev Categories over the years.
CISA KEV Categories of vulnerabilities over the years
Confirmation of trends for CISA KEV over the years
The details above are confirmed in the CISA’s top routinely exploited vulnerability report for most exploited vulnerabilities. Phoenix analysis of this report is available in this vulnerability analysis navigator, and the original publication is available here. Remote Code Execution, Elevation of privileges, SQL Injections, and cross-site scripting are the top exploited vulnerabilities, confirming the trend observed in the overall KEV catalog and in the NVD.
https://phoenix.security/data-ex-categories/CISA KEV Top routinely exploited Vulnerability in the 2022 analysis
Over the past four years of CISA KEV vulnerabilities, the trend of vulnerabilities matches the above diagram of the top exploited vulnerability, with Remote and Code execution, as well as Privilege escalation, being the top trending method to attack
CISA KEV Phoenix AI analysis of the typology of vulnerability
Analyzing the entirety of CISA KEV as If it were a parliament, the majority would be to Privilege escalation, Remote Code Execution, and Privilege Escalation dominating the scene.
Conclusion:
In conclusion, while Remote Code Execution might grab the headlines, a comprehensive approach to vulnerability management requires looking beyond the obvious. The CISA KEV catalog, combined with EPSS and tools like Phoenix Security, offers a powerful framework for organizations to understand, prioritize, and address the full spectrum of vulnerabilities. By not letting the bias towards infrastructure and operating systems blind you, you can ensure that your security efforts are truly robust, covering all potential entry points that attackers might exploit.
How Phoenix Security Can Help
Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.
Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data with code analysis to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues. Why do people talk about Phoenix
• Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.
• Contextual Deduplication: Utilizing canary token-based traceability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.
• Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities’ exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.
By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.
