Every organization is confronted by a common cybersecurity challenge: there are too many vulnerabilities in technology products. This makes it difficult to prioritize limited resources – with over 25,000 new vulnerabilities released in 2022 alone, where should an organization begin? As a starting point, we know that the majority of vulnerabilities are never exploited by malicious actors. With that understanding, CISA launched the Known Exploited Vulnerabilities catalog (known simply as “The KEV”) in November 2021 to provide an authoritative source of vulnerabilities that have been exploited “in the wild.” The purpose of the KEV is simple: while focusing on vulnerabilities that have been exploited isn’t sufficient, it’s absolutely necessary – so let’s start there.
Recently, the catalog has grown to cover more than 1,000 vulnerabilities, which seems like an appropriate time to check in. In this blog, CISA reviews how the KEV program works and what it has learned along the way.
Source: U.S. Cybersecurity and Infrastructure Security Agency