Why We should care about CISA KEV – A Deep Dive into CISA KEV: Top Exploited Vulnerabilities and Vendor 2023

Hello, everyone. Frank here with a quick analysis of the CISA Known Exploited Vulnerabilities (KEV) top routinely exploited vulnerabilities 2023 over the years. Recently, an update for 2022 to 2023 revealed some compelling trends that warrant a closer look. Let’s dive into the evolving landscape of application security and vulnerability management.

Full Video Analysis:

CISA KEV, Top Routinely Exploited Vulnerabilities 2023, Vulnerability Managment, Threat intelligence, Phoenix Security

From 2022 to 2023, the number of top routinely exploited vulnerabilities highlighted by CISA KEV expanded significantly. In 2022, the report listed 30 vulnerabilities, 12 of which were the most exploitable. By 2023, the number had grown to 50, with 15 in the top exploitable category. This increase underscores the growing challenge of securing a rapidly diversifying technology landscape.

You can interact with the diagrams above in the first link, and if you want to explore more, you can visit the other intelligence that powers Phoenix Security CTI.

Shifting Vendor Density and Exploitation Methods in CISA Top Routinely Exploited 2022

CISA KEV, Top Routinely Exploited Vulnerabilities 2022, Vulnerability Managment, Threat intelligence, Phoenix Security

While Microsoft previously dominated the focus in 2022—with vulnerabilities in Exchange and Microsoft Services frequently targeted—2023 showed a more distributed attack surface across multiple vendors. Notable contributors included Atlassian, Juniper, and Ivanti, alongside Microsoft. This shift highlights the expanding range of technologies targeted by malicious actors and the necessity for organizations to adopt robust application security posture management (ASPM) solutions.

In 2022, Microsoft vulnerabilities accounted for a significant portion of the top exploited list, particularly involving Remote Code Execution (RCE) and Privilege Escalation. By top routinely exploited vulnerabilities in 2023. However, the data reveals a broader distribution of vulnerabilities across vendors:

  • Microsoft: Despite a reduction in targeted vulnerabilities in 2023, RCE and authentication bypass remained common attack vectors.
  • Atlassian and Apache: Contributed to critical vulnerabilities in Confluence and Log4j, underscoring persistent risks in enterprise collaboration and logging systems.
  • Juniper, Cisco, and Ivanti: These infrastructure-focused vendors emerged prominently in 2023, reflecting increased networking and business-critical systems targeting.

Ivanti, in particular, experienced a tough year, with numerous vulnerabilities identified across its product suite. This highlights the growing complexity of securing IT infrastructure at scale.

Exploitation Patterns

A critical component of the CISA KEV analysis is understanding the diverse methodologies employed by threat actors to exploit vulnerabilities. These attack methods are a window into the tactics, techniques, and procedures (TTPs) adversaries use to compromise systems. Below is a detailed breakdown of the methodologies and their prevalence:

CISA KEV, Top Routinely Exploited Vulnerabilities, Vulnerability Managment, Threat intelligence, Phoenix Security, top routinely exploited vulnerabilities

The exploitation methods haven’t shifted dramatically. Remote Code Execution (RCE), authentication bypass, and privilege escalation remain the top attack vectors. RCE vulnerabilities, in particular, have been repeatedly weaponized for attacks on high-value targets, from ransomware to sophisticated nation-state campaigns.

TypeNumber of vulnerabilities
RCE25
Authentication Bypass6
Privilege Escalation5
Arbitrary code execution4
Elevation of Privilege2
SQL Injection2
Server-Side Request Forgery2
Server Path Traversal2
Heap-based Buffer Overflow2
Code Injection2
Buffer Overflow2
Path Traversal2
External Variable Modification2
Missing Authentication for Critical Function2
Code Execution2
Vulnerability Exploitation Methods, CISA, KEV, top routinely exploited vulnerabilities 2023

The high Exploit Prediction Scoring System (EPSS) scores for these vulnerabilities further emphasize their attractiveness to attackers. What’s striking is how the EPSS scores are spread across the list, showing that the risk is not confined to a few vulnerabilities but distributed broadly. This makes comprehensive vulnerability management more critical than ever.

EPSS Insights: Exploitation Likelihood Across 2022 and 2023 CISA Top Routinely Exploited

EPSS, CISA KEV, top routinely exploited vulnerabilities 2023

The median EPSS scores for the top routinely exploited vulnerabilities 2022 and 2023 reveal an unsettling reality: most vulnerabilities are highly exploitable across the board. For example:

– RCE vulnerabilities in Microsoft’s Exchange Server and Apache’s Log4j remain among the highest risk.

– Authentication bypass flaws in Ivanti’s Endpoint Manager Mobile and Juniper’s Junos OS showcase how attackers continue to exploit access-related weaknesses.

These findings suggest that while organizations have made strides in patching the most critical vulnerabilities, the spread of medium-to-high EPSS scores indicates a broader range of attack vectors requiring attention.

Note that not all the Top routinely exploited vulnerabilities or the one in KEV have an EPSS Value, so using both elements is key in the effort of prioritizing vulnerabilities with Phoenix Security. Both drive different values in the risk formula. The topic has been widely discussed here as well

top routinely exploited vulnerabilities, CISA, EPSS, KEV

Implications for Application Security and Vulnerability Management

CISA’s expanding KEV list serves as a wake-up call for organizations to prioritize proactive security measures. Here’s what this means for your ASPM strategy:

1. Broader Vendor Coverage: With vulnerabilities now spread across more vendors and sectors, organizations must expand their focus beyond Microsoft and Apache to include networking and infrastructure solutions like Juniper and Cisco.

2. Prioritization Through Context: EPSS scores and real-time threat intelligence should guide vulnerability prioritization. Not all vulnerabilities carry equal risk, and focusing on those with high EPSS scores ensures efficient resource allocation.

3. Secure SDLC Practices: Vendors must embrace secure-by-design principles, reducing classes of vulnerabilities at the development stage to mitigate the growing attack surface.

4. Collaboration With Security Providers: Partnering with ASPM platforms that integrate data from CISA KEV and other threat intelligence sources can streamline remediation efforts and enhance overall security posture.

Conclusion

As we’ve seen, the shift in CISA’s KEV data from 2022 to 2023 reflects a changing and increasingly complex threat landscape. The widespread targeting of multiple vendors and technologies underscores the importance of robust application security and vulnerability management strategies.

At Phoenix Security, we’re committed to helping organizations stay ahead of these evolving threats. With our integrated ASPM platform, you can leverage real-time insights from CISA KEV and over 28 other sources to prioritize and mitigate vulnerabilities effectively. Stay safe, and remember to patch those systems regularly!

Get on top of your code and container vulnerabilities with Phoenix Security Actionable ASPM

attack graph phoenix security
ASPM

Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.

Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data with code analysis to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues. Why do people talk about Phoenix

Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.

Contextual Deduplication: Utilizing canary token-based traceability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.

Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities’ exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.

ASPm, CISA KEV, Remote Code Execution, Inforamtion Leak, Category, Impact, MITRE&ATTACK, AI Assessment, Phoenix CISA KEV, Threat intelligence

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Get in control of your Application Security posture and Vulnerability management

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

The journey of securing an organization’s application landscape varies dramatically, depending on where a company stands in its maturity. Early-stage startups with small security teams face challenges not only with vulnerabilities but also with scaling their security processes in line with their growth. On the flip side, established enterprises struggle with managing complex environments, prioritizing remediation, and dealing with vast amounts of vulnerabilities while staying ahead of sophisticated threats. For startups, the focus is clear—establish visibility and ensure core security practices are in place. Application Security Posture Management (ASPM) tools provide a straightforward, automated approach to detecting vulnerabilities and enforcing policies. These solutions help reduce risk quickly without overburdening small security teams. Mature organizations, on the other hand, are tackling a different set of problems. With the sheer number of vulnerabilities and an increasingly complicated threat landscape, enterprises need to fine-tune their approach. The goal shifts toward intelligent remediation, leveraging real-time threat intelligence and advanced risk prioritization. ASPM tools at this stage do more than just detect vulnerabilities—they provide context, enable proactive decision-making, and streamline the entire remediation process. The emergence of AI-assisted code generation has further complicated security in both environments. These tools, while speeding up development, are often responsible for introducing new vulnerabilities into applications at a faster pace than traditional methods. The challenge is clear: AI-generated code can hide flaws that are difficult to catch in the rush of innovation. Both startups and enterprises need to adjust their security posture to account for these new risks. ASPM platforms, like Phoenix Security, provide automated scanning of code before it hits production, ensuring that flaws don’t make it past the first line of defense. Meanwhile, organizations are also grappling with the backlog crisis in the National Vulnerability Database (NVD). A staggering number of CVEs remain unprocessed, leaving many businesses with limited data on which to base their patching decisions. While these delays leave companies vulnerable, Phoenix Security steps in by cross-referencing CVE data with known exploits and live threat intelligence, helping organizations stay ahead despite the lag in official vulnerability reporting. Whether just starting their security program or managing a complex infrastructure, organizations need a toolset that adapts with them. Phoenix Security enables businesses of any size to prioritize vulnerabilities based on actual risk, not just theoretical impact, helping security teams navigate the evolving threat landscape with speed and accuracy.
Francesco Cipollone
The cybersecurity world is reeling as MITRE’s funding for the CVE and NVD systems expires, disrupting the backbone of global vulnerability management. As traditional sources like the National Vulnerability Database collapse under funding cuts and submission backlogs, security teams face delays, incomplete data, and loss of automation in remediation pipelines. This isn’t just a data problem—it’s a structural crisis for application security and vulnerability correlation. In this landscape of uncertainty, Phoenix Security’s ASPM platform steps up with a code-to-cloud correlation engine that doesn’t depend on outdated data workflows. By connecting code-level insights (including tools like Semgrep) to runtime and cloud environments, Phoenix enables faster, context-aware vulnerability remediation—even as NVD and CVE pipelines deteriorate. This article dives into the implications of the CVE shutdown and how Phoenix Security is helping security and development teams transition to a resilient, correlation-first approach to cybersecurity.
Francesco Cipollone
Learn how to predict ransomware risks and vulnerability exploitation using a threat-centric approach. Explore data-driven insights, verified exploit trends, and methods for assessing the likelihood of attacks with key references to CISA KEV, EPSS, and Phoenix Security’s 4D Risk Formula.
Francesco Cipollone
Remote Code Execution flaws continue to undermine Kubernetes ingress integrity. IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) showcases severe threat vectors in NGINX-based proxies, leading to cluster-wide exposure. ASPM, robust remediation tactics, and strong application security solutions—like Phoenix Security—mitigate these vulnerabilities before ransomware groups exploit them.
Francesco Cipollone
Remote Code Execution flaws continue to undermine Kubernetes ingress integrity. IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) showcases severe threat vectors in NGINX-based proxies, leading to cluster-wide exposure. ASPM, robust remediation tactics, and strong application security solutions—like Phoenix Security—mitigate these vulnerabilities before ransomware groups exploit them.
Francesco Cipollone
The recent Google acquisition of Wiz for $32 billion has sent shockwaves through the cybersecurity industry, particularly in the realm of Application Security Posture Management (ASPM). This monumental deal highlights the critical importance of cloud security and the growing demand for robust ASPM solutions. While the acquisition promises potential benefits for Google Cloud users, it also raises concerns about vendor lock-in and the future of cloud-agnostic security. Explore the implications of this acquisition and discover how neutral ASPM solutions like Phoenix Security can bridge the gap in multi-cloud environments, ensuring continuous, collaborative, and comprehensive security from code to cloud.” – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO