The number of vulnerabilities is growing at an alarming rate. However, knowing which ones have actually been exploited in the wild is critical for the security community. Both red and blue teams benefit from this intel. It helps us sharpen our focus and act faster and with more precision. That’s why the Cyber Security & Infrastructure Agency (CISA) Known Exploited Vulnerability (KEV) Catalog has risen to prominence within the security community. The data it offers is not only useful, but important to almost all of us.
The following VulnCheck 2022 Exploited Vulnerability Report takes a year long review of the CISA KEV Catalog.
In 2022, CISA added a lot of vulnerabilities to the KEV Catalog. The Catalog entered 2022 with 311 CVEs and more than doubled in size by the end of the year. CISA added 557 new CVEs to reach a total of 868 entries by the end of 2022.
The addition of 557 CVEs over a single year breaks down to almost 11 new exploited-in-the-wild vulnerabilities added to the Catalog every week. However, the vulnerabilities weren’t actually added in such a linear fashion and a huge chunk of the vulnerabilities were added in March. By the second half of the year, new additions had tapered off.
CISA KEV Entries Published in 2022
A majority of the new additions in 2022 weren’t for new vulnerabilities. Of the 557 CVEs, only 93 (17%) used a CVE-2022 identifier. The following graph shows the 557 CVEs mapped to their CVE-ID year.
2022 CISA KEV Additions By CVE Year
As the graph shows, vulnerabilities throughout the last two decades were added to the KEV list in 2022. The oldest, CVE-2002-0367, affected Windows NT and Windows 2000 systems. Certainly, there are many active Windows NT/2000 systems across the globe. Still, it’s important to remember that the KEV Catalog is not a list of “currently exploited” vulnerabilities but a list of exploited vulnerabilities. The Catalog is fairly young, so it appears 2022 was used to catch up with the historical backlog of exploited vulnerabilities. That inevitably resulted in many old vulnerabilities being added to the Catalog.
Some old vulnerabilities have a lot of staying power, as we’ll later discuss, so they are important to know. But we’re especially interested in the recently published vulnerabilities added to KEV because those are more likely to be active threats. To get a better look at the vulnerabilities published in 2022, we filtered the 557 new KEV entries by their NVD publication date (As an interesting aside, by doing this, we found a KEV entry that hasn’t been published to NVD: CVE-2019-8720. The following graph shows the NVD publication dates of the newer vulnerabilities.
NVD Publication Dates of the CVE-2022 Vulnerabilities Added to CISA KEV in 2022
CISA added 92 CVE-2022 vulnerabilities that were published in 2022 (this number should be 93, but CVE-2022-42475, Fortinet FortiOS Heap-Based Buffer Overflow, was added to KEV on December 13, 2022, and wasn’t added to NVD until January 2, 2023).
The graph shows that more vulnerabilities from the first half of the year were added to the Catalog compared to the second half. While true now, this might not be the case in a few months. New vulnerabilities aren’t always exploited in the wild immediately, as we’ll see later, and sometimes there’s a delay in adding them to the KEV Catalog. A great example of that is CVE-202-35914, an actively exploited vulnerability affecting GLPI that was published in September but still hasn’t found its way into the KEV Catalog.
For most defenders, the new vulnerabilities graph should be fairly daunting, even without the missing vulnerabilities added in. Every week in 2022, defenders could expect almost two newly published vulnerabilities would find their way onto the KEV Catalog. Without good inventory management and decent vulnerability prioritization, defenders are essentially running a constant fire drill because attackers are eagerly adding new vulnerabilities to their arsenals.
Among the 557 newly added CVEs, there were 22 named vulnerabilities added to the KEV Catalog. Of the old vulnerabilities, it’s interesting to see what wasn’t included in the original KEV Catalog when it debuted in 2021. EternalRomance and EternalBlue, a vulnerability that has been widely exploited since the Shadow Brokers leak in 2017, were added to the Catalog in February 2022. Their sibling, EternalChampion, was added alongside EskimoRoll in March. A couple of Shellshock vulnerabilities were added in January, and Heartbleed was added in May.
For whatever reason, it felt weird that Log4Shell wasn’t among the 22 named vulnerabilities. Somehow it feels like Log4Shell happened yesterday, but CVE-2021-44228 was added to the Catalog in December 2021. Perhaps Log4Shell feels so fresh because of the long tail of exploitation, reporting, and remediation. The copy-cat names that popped up in 2022 didn’t help either: Spring4Shell (in the Catalog) and Text4Shell (not in the Catalog).
Naming vulnerabilities is fun. There is no doubt about it. But the reality is that a cool logo or a silly name doesn’t impact a vulnerability's usefulness. Since the beginning of 2020, VulnCheck has tracked more than 400 named vulnerabilities. Yet, in 2022, a year that CISA used to add a backlog of historical CVE, only 4% of the CVE added to KEV had an associated name. The other 96% had no names but were useful enough to be exploited in the wild. Think about that the next time you start to panic over a fancy new logo’d vulnerability.
One of the surprises among the named vulnerabilities was Ripple20. Ripple20 is the name of 19 vulnerabilities affecting a TCP/IP stack used by a variety of IoT, IoMT (Internet of Medical Things), and ICS/OT systems. The specific Ripple20 vulnerability in KEV is CVE-2020-11899. We may never know if CVE-2020-11899 was used against an ICS/OT network or against a medical network, but by mapping each KEV Catalog vulnerability to affected systems (or components), we can get a general idea of what attackers are exploiting. The graph below maps the KEV Catalog entries from 2022:
CISA KEV 2022 Additions Categorized
If you add all the columns, you’ll find the number exceeds 557. That’s because some vulnerabilities fit into more than one category. The Ripple20 vulnerability was a great example of that. Another good example is Dirty Pipe. Dirty Pipe is categorized as “Operating System”, “IoMT”, “Firmware”, and “ICS/OT”. This is entirely based on who has issued advisories for the vulnerability. For DirtyPipe that’s:
- Operating System: Ubuntu, Debian, RedHat, SUSE
- IoMT: GE-Healthcare
- ICS/OT: Siemens, Wago, ICS-CERT
- Firmware: SonicWall, NetApp
Having completed this exact mapping for all 557 vulnerabilities, we have a few observations. The first is that, over the years, operating system vulnerabilities have been incredibly important for attackers. It’s the top category because it’s the most reliable path for exploitation. Using a Windows vulnerability in a campaign will be much more flexible than, for example, a specific PDF reader. A good operating system patching plan is essential for defenders. This isn’t surprising to anyone (Patch Tuesday is/was important for a reason), but it is worth calling out.
Another observation is if you stack “Desktop Application” and “Web Browser”, then you have a fairly large category of vulnerabilities that likely require the user to do something (open a word doc, click a link). These are the favorite targets of a variety of advanced threat actors. Being able to inventory these types of applications and apply patches is a huge headache. But ensuring end users’ browsers and favorite editors are up to date need to be high in the prioritization list.
Finally, after looking through the data, we think “IoT” and “Server Software” are the most important categories. These categories contain items like CVE-2021-20038 (SonicWall SMA-100 stack-based buffer overflow) and CVE-2022-26136 (Confluence OGNL RCE). These vulnerabilities are largely used by attackers with no access to the victim network. They use these vulnerabilities to establish initial access without any type of user interaction. The attacks are incredibly dangerous because they don’t rely on access or user mistakes.
We have an idea of what is being exploited by the new CISA KEV Catalog entries, but what about how?
How is exploitation happening?
We previously published a blog, Prioritizing CISA Known Exploited Vulnerabilities, on the importance of understanding how vulnerabilities are being exploited in order to properly prioritize them for remediation. In that blog, we discussed how VulnCheck breaks down vulnerabilities into seven categories:
- Initial Access (unauthenticated and remote compromise)
- Credentialed Initial Access (authenticated and remote compromise)
- Information Leak (unauthenticated and remote data leak)
- Denial of Service
- Client-Side (user interaction vulnerabilities)
- Other (anything that doesn’t fit above)
The CVE added to KEV in 2022 are categorized in the following graph:
CISA KEV 2022 Additions By Vulnerability Type
In the Prioritization blog, which we encourage you to read, we suggest prioritizing Initial Access vulnerabilities. While dangerous, client side, local, and credentialed attacks are simply less of a priority compared to vulnerabilities that can be exploited at will with no user interaction. Prioritizing initial access vulnerabilities makes sense and it immediately drops the defender's high-priority workload. Of the 557 new CISA KEV entries, 200 (35.9%) are initial access vulnerabilities.
The other important aspect of prioritization is who is exploiting a vulnerability in the wild. That can further narrow down the CVE prioritization list. So, let’s look at who is exploiting these 557 vulnerabilities.
KEV Entries Exploited in the Wild
The KEV Catalog lets everyone know a vulnerability has been exploited in the wild, but that’s it. Not by who. Not where. Not why. Those are all important factors. For example, was the vulnerability exploited by a threat actor that only targets organizations in Southeast Asia, or was it globally exploited to drop ransomware? Those are two very different things to an overworked defender.
We mapped the 557 vulnerabilities to associated threat actors, ransomware, and/or botnets. The following graph shows how many of the vulnerabilities are associated with one of those groups (note that this isn’t intended to add up to 557).
CISA KEV 2022 Additions Categorized by Attacker Type
This graph shows, for example, that VulnCheck can link 122 (22%) of the 2022 KEV entries to ransomware. That’s incredibly useful to know for prioritization, but because that type of information isn’t in the KEV Catalog, defenders have to seek that out themselves.
At VulnCheck, we aggregate and curate as much threat intelligence as possible. That’s what allows us to link CVE to particular ransomware crews, botnets, or threat actors. It also allows us to see how much some vulnerabilities are reused. Consider these three tables that show the most reused vulnerabilities from the 2022 KEV entries for ransomware, threat actors, and botnets.
Top 5 CVE Used by Ransomware
Top 5 CVE Used By Named Threat Actors
|CVE||Named Threat Actors|
Top 5 CVE Used By Named Botnets
There is an incredible amount of overlap between attackers. That makes sense. Many attackers copy each other or simply grab the latest and greatest from exploit-db, Metasploit, etc. The tables also show that attackers will pivot to new useful vulnerabilities. Notice Spring4Shell and Follina have already climbed their way into the threat actors top 5.
Time to KEV
In this final section, we look at how long it takes for a vulnerability to be added to the KEV Catalog. KEV is not supposed to be an early warning system, and treating it that way is unfair. But it is treated that way, and frankly, it’s interesting to see how long it takes for exploited vulnerabilities to arrive there.
For this discussion, “Time to KEV” is measured from the first public exploit or the first public reporting of exploitation in the wild. Measuring from the first public exploit is a little unfair. But there are really two good reasons why we’ve done that:
- Open source threat intelligence (including exploitation in the wild details) often significantly lags actual exploitation. Many of the organizations that share this information put it out in detailed reports well after the incident has completed.
- A (good) public exploit is a solid indicator of imminent exploitation. We’ve seen this time after time. This only becomes unfair, we think, when the public exploit is bad, but that’s difficult to measure at scale.
Measuring “Time to KEV” for all 557 vulnerabilities is sort of useless. As discussed, the majority of the vulnerabilities are old, and pre-date the KEV Catalog. So we, once again, filtered the 557 CVE down to those CVE-2022 vulnerabilities published in 2022. We performed the calculation and generated the following “Time to KEV” graph.
CISA KEV CVE-2022 Vulnerabilities Added in 2022 "Time to KEV"
Admittedly, the graph excluded a few vulnerabilities with no public exploits and no public information about exploitation in the wild. For example, a couple of Cisco RV series vulnerabilities (CVE-2022-20701, CVE-2022-20703) are included in the KEV list and have no public proof of concept or reporting of exploitation in the wild (although we do have some interesting details on these vulnerabilities we’ll share in a few weeks).
For the remainder, the graph shows that 11% of the KEV entries for CVE published in 2022 were added before or on the same day a public exploit or exploitation details were made public. The one vulnerability in our dataset that was added before any other data source was CVE-2022-20700, which again is a Cisco RV series vulnerability. Put a pin in that for a few weeks.
The “same day” additions include vulnerabilities like CVE-2022-22047. Microsoft’s advisory indicating exploitation in the wild was released on July 12, 2022, and the vulnerability was added to the KEV Catalog the same day. A perfect response time.
41% of vulnerabilities were added within a week of an exploit or exploitation details being made public. A good example of this is Fortiguard’s CVE-2022-40684. On October 10, Fortiguard released an advisory indicating the vulnerability was exploited in the wild, and CISA added the vulnerability to the KEV Catalog on October 11.
The remaining 48% of vulnerabilities took more than one week to be added to the KEV Catalog. An example from that group is CVE-2022-26500. The vulnerability was added to NVD in March 2022. A technical breakdown and proof of concept was shared the same month. A report of exploits for sale was published in October 2022, and ransomware was linked to the vulnerability in early December. The vulnerability was added to the KEV catalog on December 13, 2022, nine months after the first public PoC and about two months after initial reports of likely exploitation in the wild.
Of course, such delays aren’t always the fault of CISA (and show bias to how we measured “Time to KEV”). Consider Dogwalk (CVE-2022-34713). The first proof of concept for this vulnerability was published in 2020. Public reporting indicated exploitation in the wild started in Spring 2022. But Microsoft didn’t fix the vulnerability or publish an advisory until August 2022. CISA quickly added the vulnerability to KEV after the Microsoft advisory went public. But that was months after exploitation and years after the first proof of concept.
The KEV Catalog isn’t an early warning system, but warning everyone about exploitation in the wild within a week of the first public exploit or exploitation details at a 52% rate is very respectable. Of course, that doesn’t tell the full story. There are a whole bunch of vulnerabilities published in 2022 that are known to have been exploited and aren’t on the CISA KEV list. Next week, we’ll look at those vulnerabilities.
In this blog we examined the additions to the CISA KEV Catalog in 2022, and we were able to make a series of useful observations:
- In 2022, defenders saw nearly 2 newly published exploited vulnerabilities in the wild per week.
- The KEV Catalog contains a large amount of vulnerabilities that affect operating systems.
- Nearly all KEV Catalog entries can be linked to specific threat actors, botnets, or ransomware crews.
- For items included in the KEV Catalog, CISA does a respectable job of adding them to the KEV Catalog in a timely manner.
Tune in next week where we’ll discuss the 2022 vulnerabilities exploited in the wild that aren’t in the KEV Catalog.
For more information on vulnerabilities exploited in the wild, register for a VulnCheck account today by loading https://vulncheck.com and clicking “Log In”.