KEV catalog misses 88 percent of open source CVEs that have public exploits

New research from Miggo Security suggests that CISA’s Known Exploited Vulnerabilities (KEV) catalog now reflects only a small slice of real-world exploit risk in open source, and it raises questions about how the industry should be using KEV going forward.
Using open source code speeds innovation but expands the attack surface with every imported library and dependency. The result is a growing catalog of vulnerabilities, each one a potential entry point for attackers.
To help organizations focus on verified threats, the US Cybersecurity and Infrastructure Security Agency (CISA) introduced the Known Exploited Vulnerabilities (KEV) catalog in November 2021. KEV only lists vulnerabilities that have a CVE ID, reliable evidence of exploitation in the wild and a clear remediation action, so by design it is a narrow, confirmed list rather than an inventory of everything with a working exploit.
Miggo Security analyzed more than 24,000 vulnerabilities in GitHub's public advisory database (GHSA), mapped 572 of them to associated exploits, and checked each of those against the CISA KEV catalog. It found that 88 percent of the CVEs with exploits do not appear in KEV.
In an AI era where exploit code can be generated or adapted in minutes, Miggo argues that any verification-based list will inevitably lag machine-speed exploitation. That does not make KEV useless, and part of the gap is definitional: a public proof of concept shows that a bug can be exploited, while KEV records that it has been exploited in the wild, so the two sets were never going to coincide.
Security and appsec teams need defenses that act as fast as the attackers: detection, interpretation and response inside the running application, proactively rather than only after the fact, so that a threat is identified and mitigated before exploitation succeeds.
Relying on catalogs or patch cycles alone will always leave defenders behind attackers, and Miggo's case is for AI-driven runtime security as the way to defend applications in today's AI attack landscape.
Defenders need to weigh KEV against other signals: exploit availability, ease of weaponization, and application context such as whether the vulnerable code is actually reachable. That means prioritization models that keep KEV as a strong input but do not treat it as the single source of truth.
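The two ideas above, measuring how many exploit-bearing advisories KEV covers and then ranking with KEV as one signal among several, can be shown in a few dozen lines. The following is an added example written for this article, not Miggo's code or method: the advisory references, CVE IDs and KEV entries are constructed, the "looks like an exploit reference" pattern is a simple heuristic assumption, and the scoring weights are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not real advisories, CVE IDs or KEV entries):
# each CVE maps to the reference URLs its GitHub advisory would list.
ADVISORIES = {
    "CVE-2024-10001": [
        "https://github.com/vendor/lib/security/advisories/GHSA-aaaa-bbbb-cccc",
        "https://www.exploit-db.com/exploits/99001",
    ],
    "CVE-2024-10002": [
        "https://github.com/vendor/lib/commit/abc123",
        "https://github.com/researcher/CVE-2024-10002-PoC",
    ],
    "CVE-2024-10003": [
        "https://github.com/vendor/lib/commit/def456",
    ],
    "CVE-2024-10004": [
        "https://github.com/vendor/other/pull/77",
        "https://github.com/rapid7/metasploit-framework/pull/18000",
    ],
    "CVE-2024-10005": [
        "https://www.exploit-db.com/exploits/99005",
    ],
}

# Constructed KEV slice: only one of the exploit-bearing CVEs is listed.
KEV = {"CVE-2024-10001", "CVE-2024-10003"}

# Heuristic assumption of this example: a reference URL that mentions a
# known exploit source or a PoC repository counts as a public exploit.
EXPLOIT_REF = re.compile(
    r"exploit-db\.com|metasploit|[-_/]poc\b|proof[-_ ]of[-_ ]concept", re.I
)


def has_public_exploit(refs):
    """True if any advisory reference looks like a public exploit or PoC."""
    return any(EXPLOIT_REF.search(r) for r in refs)


def exploited_cves(advisories):
    """CVEs whose advisory carries at least one exploit-looking reference."""
    return {cve for cve, refs in advisories.items() if has_public_exploit(refs)}


def kev_gap(exploited, kev):
    """Return (exploit-bearing CVEs absent from KEV, fraction absent)."""
    missing = set(exploited) - set(kev)
    share = len(missing) / len(exploited) if exploited else 0.0
    return missing, share


@dataclass
class AppContext:
    """What the application itself tells us about a finding (constructed)."""
    reachable: bool        # vulnerable function sits on an executed code path
    internet_facing: bool  # the service is reachable from untrusted networks
    unauthenticated: bool  # the vulnerable path needs no credentials


def priority_score(cve, advisories, kev, ctx):
    """Combine KEV with exploit availability and application context.

    Weights are an illustrative assumption; tune them to your environment.
    KEV stays a strong input but a public exploit on a reachable,
    exposed path can outrank a KEV entry in dead code.
    """
    score = 0
    if cve in kev:
        score += 40  # confirmed exploitation in the wild
    if has_public_exploit(advisories.get(cve, [])):
        score += 30  # weaponized code exists even if KEV has not caught up
    if ctx.unauthenticated:
        score += 10  # cheaper to weaponize
    if ctx.internet_facing:
        score += 10  # attacker can reach it without a foothold
    if ctx.reachable:
        score += 10
    else:
        score //= 2  # code path never executes: halve the urgency
    return score


def rank(advisories, kev, contexts):
    """Order CVEs from most to least urgent under priority_score."""
    return sorted(
        advisories,
        key=lambda c: priority_score(c, advisories, kev, contexts[c]),
        reverse=True,
    )


# Constructed per-CVE application context for the sample above.
CONTEXTS = {
    "CVE-2024-10001": AppContext(reachable=True, internet_facing=True, unauthenticated=False),
    "CVE-2024-10002": AppContext(reachable=True, internet_facing=True, unauthenticated=True),
    "CVE-2024-10003": AppContext(reachable=False, internet_facing=False, unauthenticated=False),
    "CVE-2024-10004": AppContext(reachable=False, internet_facing=True, unauthenticated=True),
    "CVE-2024-10005": AppContext(reachable=True, internet_facing=False, unauthenticated=False),
}

if __name__ == "__main__":
    missing, share = kev_gap(exploited_cves(ADVISORIES), KEV)
    print(f"{len(missing)} exploit-bearing CVEs missing from KEV ({share:.0%})")
    for cve in rank(ADVISORIES, KEV, CONTEXTS):
        print(cve, priority_score(cve, ADVISORIES, KEV, CONTEXTS[cve]))
```

On the sample data three of the four exploit-bearing CVEs are absent from KEV, the same kind of coverage ratio Miggo reports at scale, and the ranking puts a KEV-listed bug in unreachable code last while a non-KEV bug with a public PoC on an exposed, unauthenticated path lands second. In a real pipeline the advisory and KEV inputs would come from the GHSA database and CISA's published KEV JSON feed, and the reachability flag from the application's own call graph or runtime telemetry.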
You can read more on the Miggo blog.