The rate at which vulnerabilities are increasing is a cause for concern. It is crucial for the security community to identify the vulnerabilities that have been exploited in the real world. CISA's Known Exploited Vulnerabilities (KEV) Catalog has become popular among security experts for this very reason. An analysis of the catalog and its vulnerabilities by VulnCheck revealed some statistics you may be interested in.
Some stats your way
The KEV Catalog comprises 868 bugs, including 557 added in the past year. Among the vulnerabilities added in 2022, 241 have been abused by APT actors, 122 by ransomware gangs, and 69 by botnets.
Twenty-two of the vulnerabilities from 2022 are named ones, including EternalBlue, EternalRomance, Shellshock, Heartbleed, EternalChampion, EskimoRoll, Dirty Pipe, ProxyNotShell, Ripple20, SpoolFool, and Dogwalk, among others.
The known exploited vulnerabilities were used against IoT, operating systems, web browsers, and desktop applications.
Of the 557 entries, 200 (35.9%) are initial access vulnerabilities.
More insights from Tenable
A Tenable report categorized significant vulnerability data and analyzed attacker behavior to help organizations identify the most significant risks and disrupt attack paths, thereby reducing their overall exposure to cyberattacks.
The events analyzed in the study exposed 2.29 billion records, accounting for 257 TB of data.
Unsecured databases caused over 3% of all data breaches, resulting in more than 800 million records being leaked.
The most exploited vulnerabilities include high-severity bugs in Microsoft Exchange, Zoho ManageEngine products, and VPN solutions from Fortinet, Citrix, and Pulse Secure.
Log4Shell, Follina, ProxyShell, and an Atlassian Confluence Server and Data Center flaw were also among the most commonly abused.
The bottom line
The data reveals that long-known vulnerabilities often result in more significant damage than newly discovered ones. Threat actors repeatedly exploit these overlooked vulnerabilities to gain access to sensitive information, as highlighted by the numbers presented. This clearly demonstrates that reactive post-event cybersecurity measures are inadequate in mitigating risks. To effectively address this issue, a shift to preventive security and exposure management is necessary.