The U.S. Cybersecurity and Infrastructure Security Agency has been keeping an updated list of Known Exploited Vulnerabilities (KEV) that currently includes more than 900 security bugs, with the goal of helping inform organizations about vulnerabilities that should be prioritized.
Despite that awareness campaign and emphasis on vulnerabilities that have been exploited in the wild, new research from software supply chain security company Rezilion shows that there are over 15 million vulnerable instances of vulnerabilities in the KEV catalog.
According to Rezilion’s report, the company analyzed the vulnerabilities in the KEV catalog using Shodan and GreyNoise and found that many of them are involved in active campaigns, many of which are being carried out by nation-state actors.
Widely publicized vulnerabilities such as Log4Shell, ProxyLogon, ProxyShell, and bugs in Atlassian Confluence and FortiOS make up some of the most commonly exploited bugs in ongoing campaigns, the company found.
Rezilion’s research found that the top most vulnerable products include Microsoft Windows, Adobe Flash Player, Internet Explorer, Google Chromium V8 Engine, Microsoft Office, Microsoft Win32k, Google Chrome, Apple iOS, Exchange Server and other widely used business tools.
The vast majority of the bugs in CISA’s KEV catalog have existing patches, which would indicate that finding systems still susceptible to these issues would be challenging. However, that is far from the case, Rezilion found.
The company’s researchers used Shodan to identify publicly facing assets still vulnerable to the bugs in the KEV catalog, and found vulnerable instances for over 200 of them, amounting to more than 15 million vulnerable instances.
As is the case with the state of vulnerability remediation, many of the top 10 results in terms of publicly accessible vulnerable instances are several years old, including the Heartbleed vulnerability from 2014, SMBGhost from 2020 and BlueKeep from 2019. Other date back to 2012, 2015 and 2018.
In fact, four of the top 10 bugs are more than five years old, which translates to more than 800,000 machines still exposed to those dangerous vulnerabilities, Rezilion found.
Further, more than 4.5 million internet-facing devices were identified as vulnerable to KEVs discovered between 2010 and 2020, which suggests that users and organizations are still not grasping the dangers of leaving devices unpatched and out of date.
According to Rezilion, the company discovered vulnerable instances for these vulnerabilities, among others:
ProxyShell — CVE-2021-34523, CVE-2021-34473, CVE-2021-31207
- Shodan appearances: 14,554
ProxyLogon — CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065
- Shodan appearances: 4,990
Log4Shell — CVE-2021-44228
- Exploitation attempts in last 30 days: 68
Apache HTTP Server-Side Request Forgery — CVE-2021-40438
- Shodan appearances: 6.5 million
Heartbleed — CVE-2014-0160
- Shodan appearances: 190,446
Rezilion recommends that organizations identify vulnerabilities in the KEV catalog in their environment and leverage the list as part of a vulnerability management strategy to identify which vulnerabilities require immediate patching.
“It is important to recognize that assuming all systems are up to date all the time is impractical, particularly in larger and more complex organizations,” Rezilion says in the report. “Therefore, prioritizing patches that matter most is necessary using the two step process laid out here is important.”
