Exploit Intelligence 101

Understanding Exploit Availability

Tom Bain@tmbainjr1

This knowledge base article will give insight into:

  • The definition of exploitability and the factors that affect a vulnerability’s exploitability
  • The definition of exploit availability
  • What the Known Exploited Vulnerability (KEV) catalog is
  • Exploit availability’s importance and challenges that security teams face

What is the Meaning of Exploitability?

Exploitability refers to the potential or likelihood that threat actors can use a vulnerability to compromise systems, applications, or networks. When assessing exploitability, security professionals consider whether attackers can easily use the vulnerability to achieve their objectives, accounting for factors like:

  • Complexity of system architecture: Complex systems require more advanced attacker expertise, influencing ease of exploitation.
  • Existence of Exploit Code: Verified and popular exploit code, especially if linked extensively in common repositories, increases the chances of exploitation.
  • Threat Actor Skill Level: The expert status of threat actors can determine how vulnerabilities are exploited.
  • Exploit Timelines: The median time from disclosure to exploitation may vary, affected by exploit difficulty and value.
  • Network Tools and Automated Agents: These tools can enhance an exploit's spread, increasing vulnerability scores.
  • Potential Impact: The harm attackers can cause if they exploit a vulnerability, such as remote code execution or zero-day exploitation.

The Common Vulnerability Scoring System (CVSS), supported by the National Vulnerability Database (NVD), uses exploitability as one of the qualitative measures for vulnerability severity.

Vulnerability and patch management teams use exploitability as one way to help them prioritize their remediation activities.

What is Exploit Availability?

Exploit Availability refers to the existence and accessibility of exploit code for identified vulnerabilities. Within CVSS 4.0, the Threat Metrics incorporate the following publicly available information when adjusting a vulnerability’s severity:

  • Availability of proof-of-concept code: Publicly available exploit code with sufficient technical details that indicate attackers may be able to exploit the vulnerability, even without knowledge of reported attempts or publicly available solutions to simplify attempts.
  • Active exploitation: Reports of attempted or successful attacks against the vulnerability with solutions that simplify the exploit attempts, like publicly or privately available exploit toolkits.

Understanding exploit availability helps prioritize remediation efforts, especially when dealing with zero-day and n-day vulnerabilities. Exploit availability can fall into three different categories:

  • Publicly available: Publicly accessible exploit
  • Commercially available: Exploit available for purchase
  • Allegedly privately available: Claims or rumors that an exploit is available privately

What is the Known Exploited Vulnerability (KEV) Catalog?

The Known Exploited Vulnerability (KEV) Catalog lists vulnerabilities that have assigned Common Vulnerabilities and Exposures (CVE) IDs with confirmed evidence of active exploitation by threat actors.

The KEV Catalog’s key features include:

  • CVE Assignment: Identifying and tracking CVE IDs provided by the CVE Program, which is sponsored by CISA and operated by The MITRE Corporation.
  • Active Exploitation: Each entry in the catalog has reliable evidence of being exploited in the wild, highlighting n-day vulnerabilities and zero-day exploitation.
  • Remediation Prioritization: The catalog prioritizes those vulnerabilities that have clear remediation actions, such as updates provided by software vendors.

Security, vulnerability management, and patch management teams can use the KEV catalog to:

  • Prioritize vulnerability management activities
  • Focus remediation and monitoring on actively exploited vulnerabilities
  • Optimize patching strategies or compensating control implementations to mitigate potential impacts

Why is Exploit Availability Important?

Exploit availability indicates whether exploit code for a specific vulnerability is accessible in public, commercial, or private formats, impacting the likelihood that threat actors will target the vulnerability to achieve their objectives.

Some benefits of using Exploit Availability as part of prioritizing vulnerability remediation include:

  • Increased likelihood of exploitation: While the existence of exploit code can increase the chances of successful exploitation, many vulnerabilities with exploit code remain unused, so this should be only one factor used when prioritizing activities.
  • Early threat indicator: The availability of exploits provides insight into threat actor thought processes and evolving attack methodologies, so security teams can proactively fortify defenses.
  • Vulnerability Management: While exploit availability aids in assessing the security posture and prioritizing remediation, vulnerability and patch management teams should prioritize active exploitation targeting specific entities.

When determining the potential impact that an available exploit can have, security teams should also consider:

  • Attackers are more likely to use a publicly available exploit, making these vulnerabilities the highest priority.
  • Attackers often use commercial exploits for targeted attacks, so additional threat intelligence surrounding real-world attacks using the vulnerability can help understand whether the organization is more or less likely to be a victim.
  • Attackers often have limited access to and use of privately available exploits, influencing the risk and harm to individual organizations.
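To make the KEV usage and the public/commercial/private ordering above concrete, here is an added example (not VulnCheck's or CISA's code) that ranks a constructed inventory of vulnerabilities: KEV membership outranks every exploit availability category, the categories are ordered as the article describes, and the CVSS base score only breaks ties within a tier. All CVE IDs, scores and the KEV record are constructed; the KEV sample only mirrors the field names of the public CISA KEV JSON feed.

```python
"""Rank vulnerabilities by KEV status and exploit availability.
Added example, not VulnCheck's or CISA's code; every CVE ID, score and KEV
record below is constructed (the KEV sample only mirrors the real feed's field names)."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed stand-in for a KEV feed download (field names as in the real feed).
KEV_FEED_JSON = """{"vulnerabilities": [{"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
  "dateAdded": "2024-01-15", "requiredAction": "Apply updates per vendor instructions."}]}"""

# Tiers from the article: KEV (active exploitation) > public > commercial > allegedly private > none.
TIER = {"kev": 4, "public": 3, "commercial": 2, "private": 1, "none": 0}

@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss_base: float           # CVSS base score, used only as a tie-breaker within a tier
    exploit_availability: str  # "public" | "commercial" | "private" | "none"

def load_kev_ids(feed_json: str) -> set[str]:
    """Extract the set of CVE IDs from a KEV-shaped JSON document."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}

def tier_of(v: Vuln, kev_ids: set[str]) -> str:
    """KEV membership overrides whatever exploit availability category was recorded."""
    if v.cve in kev_ids:
        return "kev"
    if v.exploit_availability not in ("public", "commercial", "private", "none"):
        raise ValueError(f"unknown exploit availability: {v.exploit_availability!r}")
    return v.exploit_availability

def priority_score(v: Vuln, kev_ids: set[str]) -> float:
    """Tier dominates (x10); CVSS only orders vulnerabilities within the same tier."""
    return TIER[tier_of(v, kev_ids)] * 10 + v.cvss_base

def rank(vulns: list[Vuln], kev_ids: set[str]) -> list[tuple[str, str]]:
    """Return (cve, tier) pairs from most to least urgent."""
    ordered = sorted(vulns, key=lambda v: priority_score(v, kev_ids), reverse=True)
    return [(v.cve, tier_of(v, kev_ids)) for v in ordered]

def sample_ranking() -> list[tuple[str, str]]:
    """Constructed inventory: the CVSS 9.8 with no known exploit ends up last."""
    inventory = [
        Vuln("CVE-0000-00001", 7.5, "none"),        # listed in the constructed KEV feed
        Vuln("CVE-0000-00002", 9.8, "none"),
        Vuln("CVE-0000-00003", 6.5, "public"),
        Vuln("CVE-0000-00004", 8.1, "commercial"),
        Vuln("CVE-0000-00005", 5.3, "private"),
    ]
    return rank(inventory, load_kev_ids(KEV_FEED_JSON))
```

In practice the constructed feed string would be replaced by the downloaded CISA KEV JSON and the inventory by the organization's scanner output.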

What Challenges do Security Teams Face When Trying to Understand Exploit Availability for Their Environments?

Security, vulnerability management, and patch management teams struggle to appropriately incorporate Exploit Availability into their vulnerability prioritization strategies.

Lack of Comprehensive Exploit Intelligence

While the KEV Catalog provides information about known exploits, information about proof-of-concept, commercially available, and privately available exploits is difficult to find. The information is often dispersed across different threat actor communication channels, making it more difficult to consolidate all information about available exploits.

Lack of Skills

Many security teams already struggle with the cybersecurity skills gap, making it more difficult to implement threat research. Without people who can monitor cybercriminal communications, these teams have no way to collect information unless it appears on the clear web.

Time-Consuming Manual Processes

When security teams have the people who can monitor these communications, the process is time-consuming. Often, organizations need to dedicate a full-time security analyst to infiltrate these communication channels or limit their research, which leads to information gaps. These time-consuming processes mean that security teams often only receive information about exploit availability after threat actors have successfully used the vulnerability in an attack against the organization or someone else.

Lack of Specialized Tools

While some security teams have dark web monitoring tools, these technologies often collect a wide array of threat information. Even when they integrate into the organization’s security information and event management (SIEM) solution, they may not collect comprehensive information focused on vulnerability exploits.

VulnCheck: Exploit and Vulnerability Intelligence for Informed Remediation Prioritization

With VulnCheck, organizations gain the insights they need into exploit availability so they can appropriately prioritize remediation activities. VulnCheck reports vulnerabilities an average of 14 days faster than the NVD and over 1 month faster than CISA KEV, and provides the industry’s largest collection of exploit availability threat intelligence. Our platform provides complete exploitation timelines covering vulnerability discovery and publication, discovery of exploit availability and exploitation, and vulnerability remediation publication.