CISA is ratcheting up the pressure on federal agencies to patch the known exploited vulnerabilities added to the DHS CISA KEV catalog, which contains 504 CVEs as of this writing.
Since its initial publication, the list has been regularly updated with new vulnerabilities, and we expect this to be a continuing trend. CSW has been closely analyzing these DHS CISA known exploited vulnerabilities and also monitors the new entries added to the list.
This blog brings you all the DHS CISA KEVs that need to be prioritized for patching this week (March 21 to March 27, 2022).
A total of 71 known exploited vulnerabilities from the DHS CISA catalog should be patched by federal agencies this week, with due dates of March 21 or March 24, 2022. We further analyzed these 71 KEVs and found the following.
How Far Back Do They Go?
Of the 71 KEVs, 69 are old vulnerabilities dating from 2002 to 2021 with a patch deadline of March 21 or March 24, 2022. 24 of the KEVs exist in Microsoft products, 18 in Cisco products, and 16 in Adobe products.
Organizations should also be aware that the remaining 2 CVEs are from 2022 and exist in Mozilla products.
Which Vendors Are Affected?
The 71 KEVs with a patch deadline of March 21 or March 24, 2022, affect major vendors such as Microsoft, Cisco, Adobe, Oracle, and Linux.
The analysis of these KEVs revealed that 65% of the KEVs with a patch due date of March 21 or March 24, 2022, fall under the Top 40 Most Dangerous Software Weaknesses, and 31% map to the OWASP Top 10:2021.
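The weekly triage described above, as an added example that is not code from this post or from CSW: it parses a KEV-style feed, keeps the entries whose CISA due date falls in the week's window, flags entries already past their due date, and breaks the batch down by vendor and by CVE year. It assumes the public feed's JSON field names (cveID, vendorProject, product, dueDate); the sample entries below are constructed placeholders, not real catalog records.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (same field names as the
# public feed; the CVE IDs are placeholders, not real catalog entries).
SAMPLE_KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2002-EXAMPLE1", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2022-03-21"},
  {"cveID": "CVE-2017-EXAMPLE2", "vendorProject": "Cisco", "product": "IOS", "dueDate": "2022-03-24"},
  {"cveID": "CVE-2021-EXAMPLE3", "vendorProject": "Adobe", "product": "Reader", "dueDate": "2022-03-24"},
  {"cveID": "CVE-2022-EXAMPLE4", "vendorProject": "Mozilla", "product": "Firefox", "dueDate": "2022-03-21"},
  {"cveID": "CVE-2020-EXAMPLE5", "vendorProject": "Oracle", "product": "WebLogic", "dueDate": "2022-04-15"},
  {"cveID": "CVE-2021-EXAMPLE6", "vendorProject": "Microsoft", "product": "Exchange", "dueDate": "2022-03-07"}
]}"""

def load_kev(text):
    """Parse the feed body; the real feed uses the same top-level key."""
    return json.loads(text)["vulnerabilities"]

def due_between(entries, start, end):
    """Entries whose CISA due date falls in the inclusive window [start, end]."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return [v for v in entries if lo <= date.fromisoformat(v["dueDate"]) <= hi]

def overdue(entries, as_of):
    """Entries whose due date has already passed as of the given day."""
    today = date.fromisoformat(as_of)
    return [v for v in entries if date.fromisoformat(v["dueDate"]) < today]

def cve_year(cve_id):
    """Year component of a CVE ID, e.g. CVE-2021-... -> 2021."""
    return int(cve_id.split("-")[1])

def summarize(entries, current_year):
    """Vendor and age breakdown of the kind the post reports for a weekly batch."""
    by_vendor = Counter(v["vendorProject"] for v in entries)
    by_year = Counter(cve_year(v["cveID"]) for v in entries)
    return {
        "total": len(entries),
        "by_vendor": dict(by_vendor),
        "old": sum(n for y, n in by_year.items() if y < current_year),
        "current_year": by_year.get(current_year, 0),
        "oldest": min(by_year) if by_year else None,
    }

if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print(summarize(due_between(kev, "2022-03-21", "2022-03-27"), 2022))
    print("already overdue:", [v["cveID"] for v in overdue(kev, "2022-03-21")])
```

Pointing `load_kev` at the downloaded catalog instead of the sample reproduces the same vendor and age counts for any due-date window.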
Table: DHS CISA KEVs
Make Sure You Don’t Miss the Deadline
This breakdown of the KEV Catalog vulnerabilities with their patch due dates should provide context on CVEs and make remediation easier. A comprehensive, actionable, and timely source of vulnerability intelligence is crucial for resolving these issues in a short time frame. With CSW’s risk-based approach and vulnerability intelligence, security teams can prioritize the threats, including all KEVs, and minimize their attack surface.