
Report Says CISA Is Failing to Identify High-Risk Exploits – Source: www.govinfosecurity.com


Source: www.govinfosecurity.com

Security Operations

CISA Did Not Include Critical Vulnerabilities in Known Exploit List, Report Says

Chris Riotta (@chrisriotta) • December 19, 2023

The Qualys Threat Research Unit says CISA should have included 97 vulnerabilities in a list of known exploits. (Image: Shutterstock)

New research has identified nearly 100 high-risk vulnerabilities that were not included as part of the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog.


According to the technology firm Qualys’ threat research unit, CISA failed to include at least 97 high-risk vulnerabilities in a comprehensive public list that the U.S. cyber agency describes as “the authoritative source of vulnerabilities that have been exploited in the wild.”

On Tuesday, the security researchers published a review of the threat landscape in 2023 asserting that high-risk vulnerabilities were going unreported by CISA and other cyber authorities. The cybersecurity agency did not immediately respond to a request for comment.

More than 26,000 vulnerabilities were disclosed in 2023, the researchers said, marking a record high and continuing a yearslong upward trajectory in disclosures. Fewer than 1% of those vulnerabilities were considered the highest risk, meaning that they have “a weaponized exploit” and “are actively exploited by ransomware, threat actors and malware, or have confirmed evidence of exploitation in the wild.”

Researchers said CISA had identified 109 high-risk known exploited vulnerabilities throughout the year that showed evidence of being exploited in the wild. The researchers urged organizations that prioritize patching and threat mitigations based on the agency’s known exploited vulnerability catalog to “pay special attention” to the known exploits that were not included in the list this year.

At least 25% of the exploits that CISA failed to include in its list were immediately targeted for exploitation on the same day the vulnerability was publicly disclosed, Qualys said.
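The practical consequence of the report is that a patching queue driven only by KEV membership will miss exploited vulnerabilities the catalog has not yet picked up. The following Python script is an added example, not code from the article, Qualys or CISA: it indexes a KEV-shaped JSON feed, joins it with scanner findings and the organisation's own exploit-evidence flag, and assigns a tier so that an exploited CVE absent from KEV still lands at the top. The feed sample, the findings, the CVE identifiers (placeholders, not real vulnerabilities) and the tier names are all constructed for the example.

```python
"""Cross-check scanner findings against the CISA KEV catalog so that
high-risk CVEs missing from KEV are not silently deprioritised."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (the live feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE identifiers below are placeholders, not real vulnerabilities.
KEV_JSON = json.dumps({
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-99901", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2023-06-01", "dueDate": "2023-06-22"},
        {"cveID": "CVE-2023-99902", "vendorProject": "ExampleVendor", "product": "WebPortal",
         "dateAdded": "2023-12-18", "dueDate": "2024-01-08"},
    ],
})

# Constructed scanner output joined with the organisation's own exploit intelligence.
# "exploit_evidence" stands for a weaponized exploit or confirmed in-the-wild exploitation
# recorded by a source other than KEV.
FINDINGS = [
    {"cve": "CVE-2023-99901", "asset": "vpn-01", "cvss": 9.8, "exploit_evidence": True},
    {"cve": "CVE-2023-99902", "asset": "portal-02", "cvss": 8.8, "exploit_evidence": False},
    {"cve": "CVE-2023-99903", "asset": "fw-03", "cvss": 9.1, "exploit_evidence": True},  # not in KEV
    {"cve": "CVE-2023-99904", "asset": "db-04", "cvss": 7.5, "exploit_evidence": False},
]


def load_kev(json_text):
    """Index the KEV feed by CVE ID for O(1) membership checks."""
    catalog = json.loads(json_text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def classify(finding, kev, today):
    """Return a priority tier for one finding.

    KEV membership is one signal; local exploit evidence is a second one,
    so a CVE that KEV has not listed can still rank at the top.
    """
    entry = kev.get(finding["cve"])
    if entry is not None:
        due = date.fromisoformat(entry["dueDate"])
        return "P0-kev-overdue" if today > due else "P1-kev"
    if finding["exploit_evidence"]:
        return "P0-exploited-not-in-kev"
    return "P2-cvss-only" if finding["cvss"] >= 7.0 else "P3-backlog"


def triage(findings, kev, today):
    """Annotate each finding with its tier and sort by tier, then by CVSS descending."""
    tiered = [dict(f, tier=classify(f, kev, today)) for f in findings]
    return sorted(tiered, key=lambda f: (f["tier"], -f["cvss"]))


if __name__ == "__main__":
    for f in triage(FINDINGS, load_kev(KEV_JSON), date(2023, 12, 19)):
        print(f"{f['tier']:<26} {f['cve']} on {f['asset']} (CVSS {f['cvss']})")
```

The tier strings are chosen so that plain string ordering produces the intended queue; in a real pipeline the `exploit_evidence` flag would be populated from whichever exploit-intelligence feed the organisation trusts, and the KEV feed would be fetched rather than embedded.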

It remains unclear why CISA did not include the nearly 100 high-risk vulnerabilities in its catalog.

Meanwhile, one-third of the high-risk vulnerabilities affected network devices and web applications. The researchers said that exploitation of remote services, exploitation of public-facing applications and exploitation for privilege escalation remained the three most common attack techniques among threat actors.

Original Post URL: https://www.govinfosecurity.com/report-says-cisa-failing-to-identify-high-risk-exploits-a-23931
