Exposing the Exploited Uncovers a Host of Exploited Vulnerabilities

During the RSA Conference 2024, Forescout Technologies Inc. presented new findings titled “Exposing the Exploited.” This research delves into a range of vulnerabilities that have been exploited but were not included in the CISA KEV catalog, which is widely relied upon as a primary source of information on actively exploited vulnerabilities. “Exposing the Exploited” illustrates how depending too heavily on outdated information repositories and standard guidelines significantly diminishes the comprehensive understanding of the worldwide threat landscape. The investigation was carried out by Forescout Research – Vedere Labs, a distinguished international team dedicated to identifying vulnerabilities and threats targeting critical infrastructure.

“Vulnerabilities are being found, weaponized, and exploited in the wild faster than ever before, with 97 0-days exploited in 2023 and already 27 this year,” said Elisa Costante, VP of Research, Forescout Research – Vedere Labs. “Current methodologies for cataloging issues such as MITRE’s Common Vulnerabilities and Exposures (CVE) system and NIST’s National Vulnerability Database (NVD) are critical tools but have significant limitations. This research shows that even FIRST’s Common Vulnerability Scoring System (CVSS), the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) should not be used exclusively.”

Forescout researchers found a significant increase in unrecognized vulnerabilities exploited in the wild that have no CVE identifiers or CVSS scores. The top findings include:

  1. Vulnerabilities without a CVE are growing. Forescout recently found 90,000 vulnerabilities without a CVE ID and this number is increasing every year. 44% of the vulnerabilities without a CVE ID can be used to gain access to a system and 37% have either high or critical severity.
  2. No database captured everything. 2,087 distinct exploited vulnerabilities were identified across four databases, but no database alone contained all the information. CISA-KEV had 1,055 (50%) of the total. 968 exploited vulnerabilities (47%) are seen in only one database and only 90 (4%) are seen in all four.
  3. Customer networks showed thousands of affected devices. The devices were affected by 28 vulnerabilities in our catalog (VL-KEV) and were not tracked by the CISA KEV list. Most of these devices were uninterruptible power supplies (UPSs), computers, printers, infusion pumps, and network equipment.
  4. Most exploited vulnerabilities had either high (44%) or critical (39%) severity. The most common root causes of exploited vulnerabilities were OS command injections, path traversals, improper input validation and out-of-bounds write.
  5. The most common targets were web applications, operating systems and routers. OT and IoT devices were the fifth most common target. The most exploited OT and IoT devices were Network Attached Storage (NAS), IP cameras, building automation devices, and VoIP equipment.

The rapid increase in vulnerabilities being discovered and exploited by malicious actors underscores the need for a new approach to prioritization. While the CISA KEV list is a valuable resource and the most recognized catalog for exploited vulnerabilities, it does have certain limitations. Our analysis reveals that the CISA KEV catalog is not exhaustive — we have observed exploited vulnerabilities in the wild that are absent from this catalog. Additionally, crucial details on how these vulnerabilities are exploited, such as modus operandi, tactics, techniques, and procedures (TTPs), and associated indicators of compromise (IoCs), are often missing. Therefore, organizations should rely on multiple sources to enhance their preparedness.

To learn more about the host of exploited vulnerabilities uncovered by Forescout research, see “Exposing the Exploited.”

How Forescout Research Works

Forescout Research employs its Adversary Engagement Environment (AEE) to conduct analysis, leveraging a blend of real and simulated connected devices. This dynamic environment functions as a robust tool, enabling the pinpointing of incidents and the identification of intricate threat actor patterns at a granular level. The overarching objective is to elevate responses to complex critical infrastructure attacks by leveraging the detailed insights and understanding derived from this specialized deception environment. The AEE is maintained by Vedere Labs, a leading global team dedicated to uncovering vulnerabilities in and threats to critical infrastructure. Forescout products directly leverage this research, which is also shared openly with vendors, agencies, and other researchers.


About Author

Taylor Graham, a marketing grad with an inner nature to be a perpetual researcher, currently researches all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working, you can find her spending time with friends and family.