CISA details Known Exploited Vulnerabilities considerations

The Cybersecurity and Infrastructure Security Agency has clarified that security flaws should have a CVE identifier, reliable proof of active exploitation, including exploitation attempts, and necessary patches, mitigations, or workarounds, to be included in its Known Exploited Vulnerabilities catalog, according to SecurityWeek. Security vulnerabilities are being added to CISA's KEV catalog within 24 hours of receiving exploitation evidence from security researchers, vendors, and partners, but CISA noted that it has also been examining proof of exploitation. "CISA also has purchased subscription services for threat intelligence platforms that contain information on vulnerabilities, including honeypot detection, malware observations in the wild, threat intelligence reports, etc. Similar to the open-source research procedures, CISA reviews the information from the platforms and adds the vulnerability to the KEV catalog, if the information is reliable," said CISA. However, old CVEs from products that have reached end of life which lacked exploitation proof are still added to the catalog as they could still be unremediated and targeted in future attacks.