Vulnerability Management, Threat Intelligence, Patch/Configuration Management

Accelerated patching found with CISA KEV catalog-listed flaws


Organizations remediated security issues added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog 3.5 times faster than issues not in the catalog, according to The Record, a news site by cybersecurity firm Recorded Future.

Moreover, KEVs involved in ransomware attacks were addressed 2.5 times faster than those that were not, a Bitsight report revealed. Federal agencies had a 63% increased likelihood of fixing KEVs before the deadline issued by CISA, yet that deadline was also met by 40% of all other entities, which are not required to adhere to the agency's directive.

The findings showed that vulnerability remediation times were fastest among technology firms and slowest among local governments and educational institutions. CISA has also been observed shifting to shorter deadlines for addressing security flaws.

"Deadlines seem to be influenced by whether a vulnerability is used in ransomware: 1-week deadline vulnerabilities are nearly twice as likely to have been used in ransomware," said researchers.
