"Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog"

In November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are being actively exploited. Between January and the end of November 2022, CISA added 548 new vulnerabilities to the catalog across 58 updates. Including the roughly 300 vulnerabilities added in November and December 2021, the catalog listed approximately 850 vulnerabilities at the end of its first year. Security researchers at GreyNoise found that actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the vulnerabilities added to the KEV catalog in 2022. A little over three-quarters (77%) of the 2022 additions were older vulnerabilities whose CVE identifiers date from before 2022; the researchers noted that many had been published over the previous two decades. CISA adds a vulnerability to the KEV catalog only if it has an assigned CVE identifier, there is reliable evidence of active exploitation, and there is clear guidance on how to remediate it. The researchers also noted that in 2022 enterprise defenders had to deal with a KEV update on an almost weekly basis, as a new alert was typically issued every four to seven days.
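The figures above (vendor share, share of older CVEs, update cadence) are the kind of statistics a defender can recompute directly from CISA's JSON feed. The script below is an added example, not GreyNoise's or CISA's code: it works over the feed's `vulnerabilities` array using the `cveID`, `vendorProject`, `product` and `dateAdded` fields. The feed URL is CISA's real one; the embedded entries are a constructed sample (real CVE IDs and vendors, but illustrative `dateAdded` values, not the catalog's actual records), and the use of the year in the CVE ID as the age of a vulnerability is an assumption about how "older" was measured.

```python
"""Added example (not GreyNoise's or CISA's code): recompute KEV statistics of the
kind summarised above over data in the shape of CISA's JSON feed.  The feed URL is
real; the embedded sample entries are constructed, with illustrative dateAdded values."""
import json
from collections import Counter
from datetime import date
from statistics import mean
from typing import Dict, Iterable, List, Optional

# Real location of the feed; download it yourself so this example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# The four vendors the page says made up over half of the 2022 additions.
BIG_FOUR = ("Microsoft", "Adobe", "Cisco", "Apple")

# Constructed sample in the feed's schema (only the fields this analysis needs).
# The CVE IDs and vendors are real KEV entries; the dateAdded values are illustrative.
SAMPLE_FEED = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2", "dateAdded": "2021-12-10"},
    {"cveID": "CVE-2021-28550", "vendorProject": "Adobe", "product": "Acrobat and Reader", "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2021-30860", "vendorProject": "Apple", "product": "iOS", "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2020-3452", "vendorProject": "Cisco", "product": "ASA and FTD", "dateAdded": "2022-01-10"},
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2022-02-10"},
    {"cveID": "CVE-2022-22620", "vendorProject": "Apple", "product": "WebKit", "dateAdded": "2022-02-11"},
    {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework", "dateAdded": "2022-04-04"},
    {"cveID": "CVE-2022-26134", "vendorProject": "Atlassian", "product": "Confluence", "dateAdded": "2022-06-02"},
    {"cveID": "CVE-2022-30190", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2022-06-14"}
  ]
}
""")


def load_feed(path: str) -> Dict:
    """Load a locally saved copy of the feed (fetch KEV_FEED_URL first)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def added_in(feed: Dict, year: int) -> List[Dict]:
    """Entries whose dateAdded (YYYY-MM-DD) falls in the given calendar year."""
    return [v for v in feed["vulnerabilities"] if date.fromisoformat(v["dateAdded"]).year == year]


def cve_year(cve_id: str) -> int:
    """Year component of a CVE ID (CVE-<year>-<seq>), used here as the age proxy (assumption)."""
    return int(cve_id.split("-")[1])


def vendor_counts(feed: Dict, year: int) -> Counter:
    """How many of the year's additions each vendorProject accounts for."""
    return Counter(v["vendorProject"] for v in added_in(feed, year))


def vendor_share(feed: Dict, year: int, vendors: Iterable[str]) -> float:
    """Fraction of the year's additions that belong to the named vendors."""
    entries = added_in(feed, year)
    if not entries:
        return 0.0
    counts = vendor_counts(feed, year)
    return sum(counts[v] for v in vendors) / len(entries)


def older_cve_share(feed: Dict, year: int) -> float:
    """Fraction of the year's additions whose CVE ID predates that year."""
    entries = added_in(feed, year)
    if not entries:
        return 0.0
    return sum(1 for v in entries if cve_year(v["cveID"]) < year) / len(entries)


def update_gaps_days(feed: Dict, year: int) -> List[int]:
    """Days between consecutive distinct dateAdded values: the alert cadence defenders face."""
    days = sorted({date.fromisoformat(v["dateAdded"]) for v in added_in(feed, year)})
    return [(later - earlier).days for earlier, later in zip(days, days[1:])]


def summarize(feed: Dict, year: int, vendors: Iterable[str] = BIG_FOUR) -> Dict[str, Optional[float]]:
    """One-line view of a year: additions, distinct update days, vendor share, age, cadence."""
    entries = added_in(feed, year)
    gaps = update_gaps_days(feed, year)
    return {
        "added": len(entries),
        "updates": len({v["dateAdded"] for v in entries}),
        "vendor_share": vendor_share(feed, year, vendors),
        "older_cve_share": older_cve_share(feed, year),
        "mean_gap_days": mean(gaps) if gaps else None,
    }


if __name__ == "__main__":
    for yr in (2021, 2022):
        print(yr, summarize(SAMPLE_FEED, yr))
```

Point `load_feed` at a downloaded copy of the real feed and `summarize(feed, 2022)` gives the same four numbers for the actual catalog. The real feed carries more fields per entry (`vulnerabilityName`, `shortDescription`, `requiredAction`, `dueDate`, `notes`) that this analysis ignores; `dueDate` is the one to join against your asset inventory when turning the catalog into a remediation queue.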


Dark Reading reports: "Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog"