CISA KEV and the Top Routinely Exploited Vulnerabilities report give excellent insight into which vulnerabilities are exploited most often, and therefore which ones to address first.
In the vast realm of cybersecurity, “vulnerability” is often thrown around. However, not all vulnerabilities are created equal. The true challenge for organizations is discerning which vulnerabilities pose a genuine threat and which can be relegated to the back burner. This is where the concept of vulnerability exploitability comes into play.
Top routinely exploited vulnerabilities from CISA is a collaborative yearly report on the top exploited vulnerabilities over the past year.
“This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE).”
CISA Top exploited Vulnerabilities
CISA KEV has played a major role in identifying what is most exploitable, and the report itself is a collaboration between multiple agencies.
The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):
- United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
- Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
- Canada: Canadian Centre for Cyber Security (CCCS)
- New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
- United Kingdom: National Cyber Security Centre (NCSC-UK)
What are the key insights and takeaways of the top exploited vulnerabilities report 2022
What are the top vendors mentioned in CISA Top Exploited Vulnerability 2022
- VMware
- Atlassian
- Microsoft
- Fortinet
- F5
- Zoho
- Apache
- SonicWall
- Zimbra
- SAP
- Oracle
What are the top exploits in the CISA Top exploited Vulnerabilities 2022
- 🛡️ CVE-2018-13379: Affects Fortinet SSL VPNs. The issue lies in failing to patch software, making organizations vulnerable.
- 📧 CVE-2021-34473, CVE-2021-31207, CVE-2021-34523 (ProxyShell): Targets Microsoft Exchange email servers. Enables remote actors to execute arbitrary code.
- 🔐 CVE-2021-40539: Impacts Zoho ManageEngine ADSelfService Plus. Enables unauthenticated remote code execution due to outdated third-party dependency.
- 🤝 CVE-2021-26084: Affects Atlassian Confluence Server and Data Center. Allows unauthenticated cyber actors to execute arbitrary code.
- 📚 CVE-2021-44228 (Log4Shell): Affects Apache’s Log4j library. Enables the execution of arbitrary code and system control.
- 💻 CVE-2022-22954, CVE-2022-22960: Affects VMware Workspace ONE Access and other VMware products. Allows remote code execution, privilege escalation, and authentication bypass.
What are the top methods of attack in the CISA Top Exploited Vulnerabilities
- RCE (Remote Code Execution): 16 Mentions
- RCE/Authentication Bypass: 1 Mention
- Arbitrary Code Execution: 4 Mentions
- Security Feature Bypass: 1 Mention
- Elevation of Privilege: 2 Mentions
- Privilege Escalation: 2 Mentions
- Server Path Traversal: 2 Mentions
- SSL VPN Credential Exposure: 1 Mention
The 2022 edition of the CISA Top Routinely Exploited Vulnerabilities report identifies the following:
Vendors Leading the Charge
Certain vendors seem to dominate the vulnerability landscape, with their products featuring prominently in the CISA KEV database:
- Vendors with 4 or More Products in the Top 12 of the CISA Top Routinely Exploited Vulnerabilities:
  - VMware
  - Atlassian
  - Microsoft
  - Fortinet
  - F5
  - Zoho
  - Apache
  - SonicWall
  - Zimbra
  - SAP
  - Oracle
Due to the widespread use of their products or their inherent vulnerabilities, these vendors have found themselves at the forefront of the exploitation arena.
- Vendors with a Strong Presence in the Top Categories:
  - VMware, Atlassian, and Microsoft stand out, each having 2 or more products listed in the top categories of the CISA KEV database.
The Broader Picture: Vendors in the Top 30
Expanding our horizon to the top 30 vulnerabilities in the CISA KEV database, a few vendors continue to dominate:
- Microsoft
- Apache
- SonicWall
- Fortinet
- Zimbra
- F5
- VMware
- Atlassian
- SAP
- Oracle
- WSO2
Due to various factors ranging from their products’ ubiquity to specific vulnerabilities, these vendors have a pronounced presence in the database.
Spotlight on the Top Routinely Exploited Products
While understanding the dominant vendors is crucial, it’s equally vital to identify the specific products that are most exploited. Three products stand out in this regard:
- Windows: Given its widespread use, Microsoft’s flagship operating system is a prime target for attackers.
- FortiOS: Fortinet’s operating system has had its share of vulnerabilities, making it a notable entry in the list.
- BIG-IP: F5’s application delivery controller has also been on the radar of attackers, given some of its inherent vulnerabilities.
Understanding Vulnerability Exploitability
At its core, vulnerability exploitability refers to the likelihood that a particular vulnerability will be exploited. It’s not just about identifying vulnerabilities; it’s about understanding their potential impact and the probability that malicious actors will leverage them.
Which Vulnerability is Exploited the Most in CISA KEV Top Routinely Exploited Vulnerability?
In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.
What is the most common attack methodology in the CISA Top Routinely Exploited Vulnerabilities 2022
While the methods vary, a clear pattern of RCE stands out among the top routinely exploited methods:
| Attack Methodology | Mentions |
| --- | --- |
| RCE | 16 |
| RCE/Authentication Bypass | 1 |
| Arbitrary code execution | 4 |
| Security Feature Bypass | 1 |
| Elevation of Privilege | 2 |
| Privilege Escalation | 2 |
| Server Path Traversal | 2 |
| SSL VPN credential exposure | 1 |
The top exploited RCEs are:
| CVE | Tag | Vendor | Product | Type |
| --- | --- | --- | --- | --- |
| CVE-2021-34473 | | Microsoft | Exchange Server | RCE |
| CVE-2021-40539 | | Zoho ManageEngine | ADSelfService Plus | RCE/Authentication Bypass |
| CVE-2021-44228 | Log4Shell | Apache | Log4j2 | RCE |
| CVE-2022-22954 | | VMware | Workspace ONE Access and Identity Manager | RCE |
| CVE-2022-30190 | | Microsoft | Multiple Products | RCE |
| CVE-2022-26134 | | Atlassian | Confluence Server and Data Center | RCE |
| CVE-2019-0708 | | Microsoft | Remote Desktop Services | RCE |
| CVE-2020-5902 | | F5 Networks | BIG-IP | RCE |
| CVE-2020-14882 | | Oracle | WebLogic Server | RCE |
| CVE-2020-14883 | | Oracle | WebLogic Server | RCE |
| CVE-2021-26855 | ProxyLogon | Microsoft | Exchange Server | RCE |
| CVE-2021-27065 | ProxyLogon | Microsoft | Exchange Server | RCE |
| CVE-2021-26858 | ProxyLogon | Microsoft | Exchange Server | RCE |
| CVE-2021-26857 | ProxyLogon | Microsoft | Exchange Server | RCE |
| CVE-2021-45046 | | Apache | Log4j | RCE |
| CVE-2022-22963 | | VMware Tanzu | Spring Cloud | RCE |
| CVE-2022-29464 | | WSO2 | Multiple Products | RCE |
CISA top exploitable vulnerability insights
- What are the top CVSS scores in the CISA KEV Top Routinely Exploited Vulnerabilities
  - Most of the vulnerabilities lie at the higher end of the CVSS scale, indicating that they are of high to critical severity.
  - Top CVSS score: 10.0
  - Average CVSS score: ≈7.8
  - Lowest CVSS score: 5.0
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. Our goal is to assist network defenders in prioritizing vulnerability remediation efforts better. While other industry standards have been useful for capturing innate vulnerability characteristics and providing severity measures, they are limited in assessing threats. EPSS fills that gap by using current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
What are the top EPSS scores in the CISA KEV Top Routinely Exploited Vulnerabilities
- EPSS scores are densely packed near the 0.975 mark. This suggests that many of these vulnerabilities are highly likely to be exploited.
  - Top EPSS score: ≈0.97486
  - Average EPSS score: ≈0.97283
  - Lowest EPSS score: ≈0.97191
What is CISA KEV
The CISA, or Cybersecurity & Infrastructure Security Agency, is a federal agency of the United States government responsible for ensuring the security of the nation’s critical infrastructure. The Known Exploited Vulnerabilities (KEV) list typically lists known software vulnerabilities that are actively or recently exploited.
These vulnerabilities are typically discovered in popular software or systems, and the details are provided so that IT professionals and systems administrators can take the necessary steps to patch or mitigate them. The objective of this is to inform the public about existing vulnerabilities in order to prevent cyberattacks.
All federal civilian executive branch (FCEB) agencies must remediate vulnerabilities in the KEV catalogue within prescribed timeframes under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.
A vulnerability is added to the KEV catalogue only when it meets all three of the following criteria:
- The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There is reliable evidence that the vulnerability has been actively exploited in the wild.
- There is a clear remediation action for the vulnerability, such as a vendor-provided update.
What are the oldest and newest vulnerabilities in the CISA KEV Routinely Exploited Vulnerabilities
- Vulnerability Registration Date:
  - Oldest vulnerability by registration date: October 3, 2019
  - Newest vulnerability by registration date: August 8, 2023
- Distribution of Vulnerabilities Over Time:
  - A noticeable increase in the number of vulnerabilities registered from mid-2022 to 2023 indicates a surge in identified vulnerabilities during this period.
The Importance of Reputable Sources
Relying on reputable sources like the CISA KEV is crucial. Such databases provide a wealth of information on vulnerabilities observed to be exploited in the wild. They offer a real-world perspective, moving beyond theoretical risks to actual threat data.
But CISA KEV isn’t the only source. Other key databases and platforms, such as Metasploit and public vulnerability databases, offer insights into the latest vulnerabilities and their exploitability. Leveraging multiple sources ensures a comprehensive understanding of the threat landscape.
What are the top CWEs in the CISA Top Routinely Exploitable Vulnerabilities 2022
- The most frequent CWE is “None Listed” with 6 occurrences.
- Following that, we have:
  - “CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)” with 6 occurrences.
  - “CWE-269: Improper Privilege Management” with 2 occurrences.
  - “CWE-287: Improper Authentication” with 2 occurrences.
- It’s worth noting that “CWE-22” appears in two different formats, suggesting some inconsistencies in the data entry.
- Top Vendors with the Most Vulnerabilities:
  - Microsoft leads the list with 14 vulnerabilities.
  - Apache follows with 5 vulnerabilities.
  - Other notable mentions include Fortinet with 3 vulnerabilities and Zimbra and Atlassian with 2 vulnerabilities each.
This data indicates that Microsoft products have the highest number of vulnerabilities among the list of top exploitable vulnerabilities. It’s crucial, however, to understand that a high count doesn’t necessarily indicate negligence; it might also be due to the wide usage and scrutiny of their products.
Location of Assets: A Key Consideration
The position of an organization’s assets can significantly increase the likelihood of exploitation. For instance, a vulnerability in an internet-facing system poses a higher risk than one buried deep within an internal network. Understanding the position and role of assets helps organizations prioritize patching and defence efforts more effectively.
Phoenix: Pioneering a Proactive Approach
Phoenix emphasizes the importance of focusing on vulnerabilities that truly matter. With myriad potential threats, it’s easy for organizations to become overwhelmed. However, organizations can channel their resources more effectively by adopting a risk-based prioritisation approach.
1. Likelihood of Exploitation
Not all vulnerabilities will be exploited. Phoenix helps organizations understand the real likelihood of attackers leveraging a particular vulnerability. This is achieved by analyzing threat intelligence, historical data, and current cyber trends.
2. Actual Chances of Exploitability Using EPSS Scores
The Exploit Prediction Scoring System (EPSS) offers a data-driven approach to predict the likelihood of a vulnerability being exploited. Phoenix integrates EPSS scores to provide organizations with a quantifiable metric on exploitability.
3. Verified Sources of Exploitation
Phoenix emphasizes the importance of verified sources like CISA KEV and verified exploit databases. Organizations can prioritise genuine threats by focusing on vulnerabilities observed to be exploited in the wild.
4. Business Impact and Consequences of Vulnerability
Beyond exploitability, Phoenix helps organizations understand the potential business impact of a vulnerability. This includes potential data breaches, financial implications, and reputational damage.
Moving from Reactive to Proactive with Phoenix
Traditional vulnerability management often takes a reactive approach, responding to threats as they arise. However, this method is no longer sustainable. With the sheer volume of vulnerabilities, a reactive approach is akin to playing an endless game of whack-a-mole.
Phoenix champions a shift towards a risk-based approach. Instead of reacting to every vulnerability, the focus is on the critical 1% that truly matters. Organizations can prioritise their efforts more effectively by understanding vulnerability exploitability, the position of assets, and the potential business impact.
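As an added illustration of the risk-based ordering described above (example code written for this page, not Phoenix's own scoring, which the post does not specify), the Python below ranks a constructed backlog by combining EPSS, KEV membership, asset exposure, CVSS and business impact. The CVE IDs are taken from the report; the CVSS/EPSS/asset values, the KEV likelihood floor and the halving for internal assets are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability instance on one asset (sample values are constructed)."""
    cve: str
    cvss: float            # CVSS base score, 0-10 (severity, not likelihood)
    epss: float            # EPSS probability of exploitation, 0-1
    in_kev: bool           # listed in CISA KEV: exploitation observed in the wild
    internet_facing: bool  # asset reachable from the internet
    business_impact: int   # owner-assigned impact, 1 (low) to 3 (high)


# Assumed weighting rules for this illustration (not a published standard):
KEV_LIKELIHOOD_FLOOR = 0.9   # verified exploitation outranks a model estimate
INTERNAL_ASSET_FACTOR = 0.5  # assets not reachable from the internet halve likelihood


def risk_score(f: Finding) -> float:
    """Ordering key = likelihood of exploitation x impact if exploited."""
    likelihood = max(f.epss, KEV_LIKELIHOOD_FLOOR) if f.in_kev else f.epss
    if not f.internet_facing:
        likelihood *= INTERNAL_ASSET_FACTOR
    impact = (f.cvss / 10.0) * f.business_impact
    return round(likelihood * impact, 4)


def prioritise(findings: list[Finding]) -> list[str]:
    """Return CVE IDs ordered from most to least urgent."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample backlog; CVE-EXAMPLE-0001 is a placeholder, not a real ID.
SAMPLE = [
    Finding("CVE-2021-44228", 10.0, 0.975, True, False, 2),   # Log4Shell on an internal app
    Finding("CVE-2018-13379", 9.8, 0.972, True, True, 3),     # Fortinet SSL VPN at the edge
    Finding("CVE-EXAMPLE-0001", 10.0, 0.02, False, False, 2), # critical CVSS, no exploitation seen
    Finding("CVE-2021-40539", 9.8, 0.973, True, True, 1),     # ADSelfService Plus, low-impact asset
]

if __name__ == "__main__":
    # A CVSS 10.0 finding with no observed exploitation on an internal asset ranks last.
    for cve in prioritise(SAMPLE):
        f = next(x for x in SAMPLE if x.cve == cve)
        print(f"{cve:18} cvss={f.cvss:4} epss={f.epss:.3f} kev={f.in_kev!s:5} "
              f"internet={f.internet_facing!s:5} score={risk_score(f)}")
```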
Conclusion
In the ever-evolving world of cybersecurity, staying one step ahead is paramount. Vulnerability exploitability offers a lens through which organizations can view threats, focusing on those that pose a genuine risk. Organizations can navigate the cybersecurity landscape more effectively by leveraging reputable sources, understanding the position of assets, and adopting a risk-based approach.
Phoenix stands at the forefront of this shift, guiding organizations towards a proactive approach. By focusing on the vulnerabilities that truly matter and understanding their broader implications, organizations can safeguard their assets, reputation, and future.