What is the KEV Catalog?
With external threats looming as a constant source of potential disruption, multiple government agencies have coordinated to compile a catalog of Known Exploited Vulnerabilities (KEV). The Known Exploited Vulnerabilities Catalog, or KEV catalog, is a database of actively exploited vulnerabilities, including those that have been exploited by ransomware campaigns, that can help application security professionals in the public and private sectors monitor threats and prioritize fixes.
A brief history of the KEV catalog
The KEV Catalog was created and is maintained by the Cybersecurity and Infrastructure Security Agency (CISA), a component of the Department of Homeland Security, and NIST, the National Institute of Standards and Technology, an agency within the Department of Commerce.
In 2021, CISA issued “Binding Operational Directive (BOD) 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities”, which requires all federal civilian executive branch (FCEB) agencies to comply with regulations to ensure protection of government systems and information from cyberthreats. These regulations include regular monitoring of the KEV catalog and remediation of all known exploited vulnerabilities included in the catalog within specific timeframes.
Though it is not legally required for private sector organizations to follow CISA’s guidelines, all organizations with online applications and websites are strongly encouraged to regularly monitor the catalog to better protect themselves and their clients.
How does a vulnerability get added to the KEV catalog?
The KEV catalog only contains vulnerabilities that pass an evaluation process. When a new vulnerability is disclosed, it is typically assigned a Common Vulnerabilities and Exposures (CVE) ID and analyzed to determine potential impact and exploitation status. CISA then seeks feedback from security experts, federal agencies, and the private sector to gain insight into the vulnerability.
In order to be included in the catalog, the vulnerability must meet the following criteria:
- Evidence of active exploitation
- An assigned CVE ID
- Existing methods for remediation, typically from the vendor
If the vulnerability meets these criteria, it is added to the KEV catalog with detailed information. Once a vulnerability is added to the catalog, information is regularly updated to include remediation guidance. It’s important to emphasize that vulnerabilities aren’t added to the catalog until there are ways to address them.
Prioritize with CVSS, EPSS, known exploits and reachability
Are all vulnerabilities created equally?
Though the government also maintains a National Vulnerability Database (NVD) with over 160,000 CVEs, the majority of potential vulnerabilities have no known exploits in the wild. Research from CISA indicates that less than four percent of CVEs have been exploited. However, once a CVE is exploited, threat actors move quickly, which is why regular monitoring of CVEs and their exploit status is important.
While a vulnerability may be known to many within cybersecurity, it does not typically warrant action until a public exploit is discovered. Academics frequently release papers on potential ways an exploit could be performed, but it cannot cause harm until an exploit is performed in the real world. The KEV catalog helps filter out theoretical threats from active threats by only including vulnerabilities with known exploits.
Are all actively exploited vulnerabilities in the KEV catalog?
No, not all known vulnerabilities are reported through the CVE process, even though they could be, and will thus not be included in the KEV catalog. It’s also likely that some known and unknown vulnerabilities are being actively exploited right now, but no one has discovered it yet. Other things we sometimes think of as vulnerabilities, like malicious packages, cannot be reported through the CVE process so they won’t show up in KEV either. But if you’ve installed a malicious package, there’s no question on whether it’s exploitable or not–you are actively under attack.
Prioritizing with known exploits
The KEV catalog can make it easier to determine which exploits should be addressed first. Though a CVE may have a critical severity score, if it has no known exploits, it is less of a threat than an CVE with a medium threat severity score that is listed in the KEV database, as that means there are active exploits for it. A CVE that has active exploits should always be prioritized over CVEs with only theoretical exploits.
While the KEV catalog is not the end-all, be-all of application security, it is an important tool for those within application security. Utilization of exploit information such as data from the KEV catalog, in addition to other vulnerability metrics, including Exploit Prediction Scoring System (EPSS) and Common Vulnerability Scoring System (CVSS), can aid any organization in strengthening their application security.
