CISA Failed to Include High-Risk Vulnerabilities in Known Exploit List, Report Says
New research has identified nearly 100 high-risk vulnerabilities that were not included as part of the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog.
According to the technology firm Qualys’ threat research unit, CISA failed to include at least 97 high-risk vulnerabilities in a comprehensive public list that the U.S. cyber agency describes as “the authoritative source of vulnerabilities that have been exploited in the wild.”
On Tuesday, the security researchers published a review of the threat landscape in 2023 asserting that high-risk vulnerabilities were going unreported by CISA and other cyber authorities. The cybersecurity agency did not immediately respond to a request for comment.
More than 26,000 vulnerabilities were disclosed in 2023, the researchers said, marking a record high and continuing a years-long upward trajectory in disclosures. Less than one percent of those vulnerabilities were considered the highest risk, meaning that they have “a weaponized exploit” and “are actively exploited by ransomware, threat actors and malware, or have confirmed evidence of exploitation in the wild.”
Researchers said CISA identified 109 high-risk known exploited vulnerabilities throughout the year that had evidence of exploitation in the wild. The researchers urged organizations that prioritize patching and threat mitigations based on the agency’s known exploited vulnerability catalog to “pay special attention” to the known exploits that were not included in the list this year.
At least 25 percent of the vulnerabilities that CISA failed to include in its list were targeted for exploitation on the same day the vulnerability was publicly disclosed, Qualys said.
It remains unclear why CISA did not include the nearly 100 high-risk vulnerabilities in its catalog.
Meanwhile, a third of the high-risk vulnerabilities impacted network devices and web applications. The researchers noted that exploitation of remote services, exploitation of public-facing applications and exploitation for privilege escalation remained the top three attack techniques among threat actors.