
CISA’s 2024 KEV Catalog Update: Vulnerabilities And Trends

by admin
January 6, 2025


In 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) continued to build on its critical cybersecurity initiative by expanding its Known Exploited Vulnerabilities (KEV) catalog.

This database, which serves as a significant tool for IT security teams and organizations globally, added 185 new vulnerabilities this year, bringing the total number of software and hardware flaws at high risk of exploitation to 1,238. These vulnerabilities, which are actively being targeted by cybercriminals, can pose severe risks to infrastructure, data security, and operations across various sectors.

The steady growth of the KEV catalog, launched in November 2021, highlights the persistent threat posed by cyberattacks. This article explores the significant trends in the KEV catalog for 2024, identifies the most common vulnerabilities, and discusses the vendors that faced the highest number of software flaws this year.

A Steady Growth in the KEV Catalog

CISA’s KEV catalog has seen a consistent increase in the number of entries since its inception. In 2024, 185 vulnerabilities were added, slightly fewer than the 187 added in 2023. This stable rate of new entries follows a more explosive expansion in the early years of the catalog. In 2022, CISA added over 500 vulnerabilities in the first six months, and the initial launch saw more than 300 entries.

Interestingly, the catalog has grown not only in the number of new vulnerabilities but also in the age of the vulnerabilities included. While most of this year’s entries were recent (115 from 2024), a significant portion (60 to 70) still consists of older vulnerabilities that remain actively exploited.

Notably, some of the earliest vulnerabilities, like CVE-2002-0367, dating back to 2002, continue to pose a risk, being leveraged in ransomware attacks. The oldest addition to the 2024 KEV catalog was CVE-2012-4792, a Use-After-Free vulnerability found in Microsoft Internet Explorer versions 6 through 8.






Prominent Software Weaknesses in the KEV Catalog 

Among the 185 new entries in 2024, several software weaknesses, known as Common Weakness Enumerations (CWEs), were particularly prevalent. These weaknesses expose critical vulnerabilities that cybercriminals can exploit to gain unauthorized access to systems, disrupt services, or steal sensitive data. 

The most common vulnerability type in the KEV catalog this year was CWE-78 (OS Command Injection), found in 14 of the added vulnerabilities. OS command injection occurs when an attacker is able to inject malicious commands that the underlying operating system then executes, potentially leading to unauthorized control.

CWE-502 (Deserialization of Untrusted Data) was the second most common vulnerability type, appearing in 11 of the new entries. This weakness allows attackers to exploit improperly handled or deserialized data, which can lead to remote code execution or unauthorized access.

Other notable weaknesses included CWE-416 (Use After Free), which appeared in 10 vulnerabilities, and CWE-22 (Path Traversal) and CWE-287 (Improper Authentication), which accounted for 9 vulnerabilities each.

Leading Vendors with the Most Vulnerabilities in CISA KEV

Microsoft continued to dominate the list of vendors with vulnerabilities added to the KEV catalog. In 2024, Microsoft had 36 vulnerabilities added to the list, up from 27 in 2023. The company’s widespread presence across enterprise systems, cloud platforms, and software products makes it a frequent target for cyberattacks.

Following Microsoft, Ivanti was the second most affected vendor, with 11 vulnerabilities added to the KEV catalog. This includes critical flaws that were exploited in a high-profile breach of CISA itself via an Ivanti vulnerability. Cyble’s honeypot sensor detected active attacks targeting Ivanti’s vulnerabilities as early as January 2024.

Other major vendors that faced multiple vulnerabilities in 2024 included Google Chromium (9 vulnerabilities), Adobe (8 vulnerabilities), and Apple (7 vulnerabilities). Vendors like Cisco, D-Link, Palo Alto Networks, and Apache also had multiple vulnerabilities added to the list, highlighting the broad range of industries and technologies impacted by these weaknesses.
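
The per-year breakdowns discussed above (entries added, older CVEs still being added, most frequent CWEs, most affected vendors) can be recomputed from the catalog's JSON feed. The following is an added example, not code from the original article; it assumes the field names of CISA's KEV JSON feed (`cveID`, `vendorProject`, `dateAdded`, `cwes`, `knownRansomwareCampaignUse`), and the sample records and the `summarize_kev` helper are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of the KEV JSON feed. Every record below is
# a placeholder made up for this example, not a real catalog entry.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-90001", "vendorProject": "VendorA",
     "dateAdded": "2024-01-10", "cwes": ["CWE-78"],
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-90002", "vendorProject": "VendorA",
     "dateAdded": "2024-03-02", "cwes": ["CWE-78", "CWE-22"],
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-90003", "vendorProject": "VendorB",
     "dateAdded": "2024-05-20", "cwes": ["CWE-502"],
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2012-90004", "vendorProject": "VendorA",
     "dateAdded": "2024-07-23", "cwes": ["CWE-416"],
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-90005", "vendorProject": "VendorC",
     "dateAdded": "2024-09-01", "cwes": [],
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-90006", "vendorProject": "VendorB",
     "dateAdded": "2023-11-15", "cwes": ["CWE-78"],
     "knownRansomwareCampaignUse": "Unknown"},
]})

def ranked(counter, top):
    """Highest count first; ties broken by name so output is stable."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

def summarize_kev(feed_json, year, top=3):
    """Summarize the entries whose dateAdded falls in `year`."""
    entries = json.loads(feed_json)["vulnerabilities"]
    added = [e for e in entries if e["dateAdded"].startswith(f"{year}-")]
    # The CVE ID embeds the year the identifier was assigned: CVE-YYYY-NNNN.
    older = sorted(e["cveID"] for e in added
                   if int(e["cveID"].split("-")[1]) < year)
    return {
        "added": len(added),
        "older_cves": older,
        "top_cwes": ranked(Counter(c for e in added
                                   for c in e.get("cwes") or []), top),
        "top_vendors": ranked(Counter(e["vendorProject"] for e in added), top),
        "ransomware_linked": sum(
            e.get("knownRansomwareCampaignUse") == "Known" for e in added),
    }

if __name__ == "__main__":
    print(json.dumps(summarize_kev(SAMPLE_FEED, 2024), indent=2))
```

An entry can carry several CWEs or none, so the CWE counts need not sum to the number of entries added.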

A notable example of a vulnerability from 2024 is CVE-2024-39717, a 7.2-severity issue in Versa Director. Despite having just 31 web-exposed instances, this vulnerability was exploited in supply chain attacks targeting Internet Service Providers (ISPs) and Managed Service Providers (MSPs). This highlights a critical aspect of the KEV catalog: the severity of a vulnerability doesn’t always align with its exposure or CVSS (Common Vulnerability Scoring System) score. Even vulnerabilities with low exposure can be highly damaging if leveraged in targeted attacks.
