CISA’s 2024 KEV Catalog Update: Insights on Vulnerabilities and Emerging Trends


2024 Update: Expansion of CISA’s Known Exploited Vulnerabilities (KEV) Catalog

CISA Expands Cybersecurity Catalog Amid Rising Threats

In a proactive move to bolster national cybersecurity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding 185 new vulnerabilities in 2024. This brings the total to 1,238 software and hardware flaws that are actively targeted by cybercriminals, posing significant risks to critical infrastructure and data security across various sectors.

Launched in November 2021, the KEV catalog has seen a steady increase in entries, reflecting the persistent threat of cyberattacks. While the number of new vulnerabilities added this year is slightly lower than the previous year, the catalog continues to include a mix of recent and older vulnerabilities, some dating back to 2002. Notably, vulnerabilities like CVE-2012-4792, a flaw in Microsoft Internet Explorer, remain actively exploited, underscoring the importance of addressing both new and legacy vulnerabilities.

Among the newly added vulnerabilities, OS Command Injection (CWE-78) emerged as the most common, appearing in 14 entries. This type of vulnerability allows attackers to execute unauthorized commands on a system, potentially leading to severe breaches. Other prevalent weaknesses include Deserialization of Untrusted Data (CWE-502) and Use After Free (CWE-416), highlighting the diverse nature of threats facing organizations today.

Microsoft continues to lead the list of vendors with vulnerabilities, accounting for 36 entries in 2024, followed by Ivanti with 11. The presence of vulnerabilities across major companies like Google, Adobe, and Apple illustrates the widespread nature of cybersecurity challenges.
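The CWE and vendor tallies above can be reproduced from the KEV catalog's JSON feed. The following is an added example, not code from CISA or from this article. It assumes the feed's `vulnerabilities`, `cveID`, `vendorProject`, `dateAdded` and `cwes` field names, and it runs on a constructed sample with placeholder IDs rather than real catalog entries.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (field names are an
# assumption about the public schema). IDs and dates are placeholders.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-SAMPLE-A", "vendorProject": "Microsoft",
     "dateAdded": "2024-02-15", "cwes": ["CWE-416"]},
    {"cveID": "CVE-2024-SAMPLE-B", "vendorProject": "Ivanti",
     "dateAdded": "2024-01-10", "cwes": ["CWE-78"]},
    {"cveID": "CVE-2024-SAMPLE-C", "vendorProject": "Ivanti",
     "dateAdded": "2024-03-01", "cwes": ["CWE-78", "CWE-502"]},
    {"cveID": "CVE-2012-SAMPLE-D", "vendorProject": "Microsoft",
     "dateAdded": "2024-05-20", "cwes": []},
    {"cveID": "CVE-2023-SAMPLE-E", "vendorProject": "Google",
     "dateAdded": "2023-11-01", "cwes": ["CWE-787"]},
    {"cveID": "CVE-2024-SAMPLE-F", "vendorProject": "Microsoft",
     "dateAdded": "2024-07-09", "cwes": ["CWE-78"]},
]})


def summarize(feed_json, year, legacy_gap=5):
    """Tally entries added in `year` by CWE and vendor; flag legacy CVEs.

    A CVE counts as legacy when its ID year is at least `legacy_gap`
    years older than the year it was added to the catalog.
    """
    cwe_counts, vendor_counts, legacy = Counter(), Counter(), []
    for vuln in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(vuln["dateAdded"])
        if added.year != year:
            continue
        vendor_counts[vuln["vendorProject"]] += 1
        # An entry can carry several CWEs, or none at all.
        cwe_counts.update(vuln.get("cwes") or ["unassigned"])
        cve_year = int(vuln["cveID"].split("-")[1])
        if added.year - cve_year >= legacy_gap:
            legacy.append(vuln["cveID"])
    return {
        "total": sum(vendor_counts.values()),
        "by_cwe": cwe_counts.most_common(),
        "by_vendor": vendor_counts.most_common(),
        "legacy": legacy,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_FEED, 2024), indent=2))
```

Because one entry may list several CWEs, the per-CWE counts can sum to more than the number of entries added in the year.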

As cyber threats evolve, CISA’s KEV catalog serves as a crucial resource for IT security teams, emphasizing the need for vigilance and proactive measures to safeguard against potential exploits.
