
CISA urged to add 8 severe ransomware bugs to vulnerability catalog 


A CISA spokesperson contacted SC Media after initial publication, and their comments were added Feb. 21.

Researchers found that eight of the 131 ransomware-associated vulnerabilities not yet listed in a federal catalog meant to help the cybersecurity community are considered "most dangerous" because they could be easily exploited at every stage of an attack, from initial access to exfiltration.

A ransomware report from Cyber Security Works, Ivanti, Cyware, and Securin warned organizations not to ignore vulnerabilities that have yet to be added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog, especially those with complete MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) kill chains, in which each stage of an attack carried out by attackers can be defined, described, and tracked.

According to the report, researchers identified 57 extremely dangerous ransomware-associated vulnerabilities with complete kill chains, eight of which are not in the KEV. These eight bugs affect over 30 products, including products from Microsoft, Oracle, Zyxel, and QNAP.

Eight CVEs with complete kill chain that are not listed in KEV. (Image credit: Spotlight Report 2023 Ransomware: Through the Lens of Threat & Vulnerability Management)

The Ivanti research team highlighted that two of the bugs (CVE-2016-10401 and CVE-2017-6884), found in Zyxel, a subsidiary of the Taiwanese multinational broadband provider Unizyx Holding, are particularly notable because of nation-state and global threat actors focusing on Taiwan. Additionally, these are old vulnerabilities, discovered in 2016 and 2017, that still do not have a patch.

Srinivas Mukkamala, chief product officer at Ivanti, told SC Media that the research team has reached out to CISA to recommend including all of the severe vulnerabilities in its KEV catalog.

A CISA spokesperson did not directly respond to SC Media's inquiry on whether they will add the vulnerabilities, but told SC Media that "CISA relies on stakeholder feedback to improve its services to the cybersecurity community as well as input with nominating an actively exploited vulnerability to [KEV] catalog."

CISA published the KEV catalog in November 2021 as a free resource to help organizations manage vulnerabilities and prioritize remediation. It started with 287 vulnerabilities and is now a repository of 866 CVEs.

Mukkamala said all researchers should actively collaborate with CISA and contribute to expanding the KEV catalog.  

"KEV is the authoritative source of exploited vulnerabilities. We benefit from this best service without having to pay for it. So as defenders, why don't we give back by sharing our knowledge and information with CISA?" he said.  

Tony Cook, senior director of DFIR and Threat Intel at GuidePoint Security, echoed Mukkamala, highlighting that organizations should have a more transparent vulnerability disclosure process to help secure the large ecosystem.  

"One of the biggest issues now is that companies do not want to disclose security incidents or vulnerability information to CISA for fear of legal obligation. It would be much easier for CISA to have a comprehensive database if organizations could openly report things happening around," Cook said. 

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
