CISA Urged to Enrich KEV Catalog with More Contextual Data


In a new report, application security provider OX urged the US Cybersecurity and Infrastructure Security Agency (CISA) to add more context to its Known Exploited Vulnerabilities (KEV) catalog.

After analyzing 10 CVE entries from CISA’s KEV catalog across more than 200 cloud environments, the OX researchers found that none posed any actual risk to cloud containerized environments.

The firm shared its findings in a report, published on May 28, and recommended that security teams dealing with vulnerability management move away from a ‘patch everything, everywhere, all at once’ strategy and instead leverage context to prioritize patching.

It also urged CISA to enrich its KEV entries with more contextual data.

Listed in KEV, But Not Critical

To carry out their investigation, OX researchers selected 25 CVEs that appear in CISA’s KEV catalog from among the 10,000 most common CVEs observed across 200 separate cloud environments.

They then picked 10 KEV entries across several platforms, including Android, Linux, Google Chrome and Safari, and tested whether they could be exploited in cloud container environments.

They found that five were unexploitable in a cloud container environment and five were exploitable, but only under particular conditions.

Based on these findings, the OX researchers concluded that, while CISA’s KEV list is a crucial tool for vulnerability management operators, it does not sufficiently differentiate entries by their contextual relevance.

“Treating all KEV vulnerabilities with equal urgency, as is sometimes demanded by compliance regulations, and regardless of environmental context, creates unnecessary workload for already overwhelmed security teams and diverts resources from genuinely critical issues,” the researchers noted.

CISA Urged to Enrich KEV Data

First, the OX team urged CISA to update its KEV publishing process to add the following data to each KEV entry:

  • Platform-specific relevance indicators
  • CVE origin information
  • Attack chain and attack path context

Prioritizing with More Vulnerability Context

OX provided security teams with a list of things to consider before treating a KEV as critical:

  1. Determine the original context in which the CVE was reported and compare it to your environment
  2. Search for exploit examples, including proof-of-concept (PoC) exploits
  3. Assess the vulnerability’s relationship to sensitive information
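The three checks above can be turned into a repeatable triage step. The following script is an added example written for this article; it is not OX’s tooling or CISA’s, and the CVE identifiers, products, and per-entry context values are constructed placeholders. It assumes a hand-maintained `KevContext` record per entry (platform of the original report, whether the flaw is exploitable inside a container, whether a public PoC exists) and an `Environment` inventory of what the defender actually runs; the record field names `cveID`, `vendorProject`, `product` and `shortDescription` mirror the public KEV JSON feed.

```python
"""Contextual triage of CISA KEV entries against a local asset inventory.

Added example: applies the three checks from the OX checklist (original
context vs. your environment, public PoC availability, relationship to
sensitive data) to decide how urgently a KEV entry should be treated.
All CVE identifiers, products and context values below are constructed
placeholders, not real KEV data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Environment:
    """Inventory of what the defender actually runs (constructed)."""
    platforms: frozenset           # e.g. {"linux", "container"}
    products: frozenset            # products deployed somewhere in the estate
    sensitive_products: frozenset  # subset that stores or brokers sensitive data


@dataclass(frozen=True)
class KevContext:
    """Per-entry context of the kind the report asks CISA to publish.

    Hypothetical structure: today this has to be gathered by hand from the
    advisory, the original report and any exploit write-ups.
    """
    platform: str                             # platform the CVE was reported against
    exploitable_in_container: Optional[bool]  # None = only under specific conditions
    poc_public: bool                          # proof-of-concept exploit is public


# Constructed KEV-style records; field names mirror the public KEV JSON feed
# (cveID, vendorProject, product, shortDescription), values are placeholders.
KEV_SAMPLE: List[Dict[str, str]] = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleMobile", "product": "mobile-browser",
     "shortDescription": "Placeholder: memory corruption in a mobile browser"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleOS", "product": "kernel-driver",
     "shortDescription": "Placeholder: local privilege escalation via a kernel driver"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleNet", "product": "web-gateway",
     "shortDescription": "Placeholder: unauthenticated RCE in a web gateway"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleOps", "product": "log-agent",
     "shortDescription": "Placeholder: path traversal in a log shipping agent"},
]

CONTEXT_SAMPLE: Dict[str, KevContext] = {
    "CVE-0000-0001": KevContext("android", None, True),
    "CVE-0000-0002": KevContext("linux", False, True),  # driver not loadable in a container
    "CVE-0000-0003": KevContext("linux", None, True),   # needs an exposed admin port
    "CVE-0000-0004": KevContext("linux", True, False),
}


def triage(entries, context, env) -> Dict[str, dict]:
    """Return {cveID: {"tier": ..., "reasons": [...]}} using environment context."""
    result = {}
    for entry in entries:
        cve = entry["cveID"]
        ctx = context[cve]
        reasons = []

        # Step 1: compare the CVE's original context with the environment.
        if ctx.platform not in env.platforms:
            result[cve] = {"tier": "out_of_scope",
                           "reasons": [f"platform {ctx.platform!r} not deployed"]}
            continue
        if entry["product"] not in env.products:
            result[cve] = {"tier": "out_of_scope",
                           "reasons": [f"product {entry['product']!r} not in inventory"]}
            continue
        if "container" in env.platforms and ctx.exploitable_in_container is False:
            result[cve] = {"tier": "low",
                           "reasons": ["not exploitable in containerized environment"]}
            continue
        score = 1
        if ctx.exploitable_in_container is None:
            reasons.append("exploitable only under specific conditions; verify locally")

        # Step 2: public exploit code raises urgency.
        if ctx.poc_public:
            score += 1
            reasons.append("public PoC exploit available")

        # Step 3: proximity to sensitive data raises urgency.
        if entry["product"] in env.sensitive_products:
            score += 1
            reasons.append("product handles sensitive data")

        tier = {1: "medium", 2: "high", 3: "critical"}[score]
        result[cve] = {"tier": tier, "reasons": reasons}
    return result


# Constructed inventory of a Linux container estate.
CLOUD_ENV = Environment(
    platforms=frozenset({"linux", "container"}),
    products=frozenset({"kernel-driver", "web-gateway", "log-agent"}),
    sensitive_products=frozenset({"web-gateway"}),
)

if __name__ == "__main__":
    for cve, verdict in triage(KEV_SAMPLE, CONTEXT_SAMPLE, CLOUD_ENV).items():
        print(cve, verdict["tier"], "; ".join(verdict["reasons"]))
```

Run against the constructed inventory, the mobile-browser entry drops out of scope because no Android platform is deployed, the kernel-driver entry is marked low because it cannot be exploited from inside a container, the web-gateway entry lands at critical (public PoC plus sensitive data), and the log-agent entry settles at medium. The tiering feeds the same compliance-driven KEV deadline, but tells the team which entries to verify and patch first.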

“With security teams facing over 180 new KEVs annually, contextual prioritization is essential for effective vulnerability management,” the OX researchers concluded.
