
"The KEV list is useful but largely misunderstood. KEVology explains what it is, and how best to use it. CISA's KEV Catalog, more commonly known as the KEV list, emerged with the issue of BOD 22-01 in November 2021. This catalog, currently a list of just over 1,500 vulnerabilities known to have been exploited in the wild, suggests a high value prioritization source for vulnerability remediation within industry."
""To be included in the KEV," he said, "a vulnerability must have the four qualities defined in BOD 22-01. Firstly, it must have a CVE number - so a super fresh zero-day will not make it into KEV." End-of-life operating systems similarly miss out. Companies still use them, but nobody produces a CVE for them. "They can just be quietly accumulating vulnerabilities that no one knows or cares about," he added."
The KEV Catalog originated with BOD 22-01 in November 2021 and lists just over 1,500 vulnerabilities known to have been exploited in the wild. It is directed at FCEB (Federal Civilian Executive Branch) agencies and flags vulnerabilities that are urgent and have vendor patches. Inclusion requires a CVE number and other strict conditions, which exclude fresh zero-days and end-of-life systems that never receive CVEs. Each KEV entry carries minimal detail, so it gives little guidance on the order in which to remediate. KEV can still be a valuable prioritization source for industry when its limits in range and detail are understood and supplemented with additional context and risk assessment.
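The summary's closing point is that KEV membership alone does not order remediation, because each entry carries so little detail; the missing context has to come from the defender's own environment. The following Python is an added illustration of that supplementation, not code from the article or from CISA: it joins a constructed extract in the shape of the KEV JSON feed (the field names `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` are those of the real feed; the CVE identifiers and dates are placeholders) with a constructed asset inventory, and ranks findings by a simple score that combines KEV membership with local exposure and asset criticality. The scoring weights are assumptions chosen for illustration, not a published method.

```python
"""Rank vulnerability findings by combining KEV membership with local context.

Added example. KEV_SAMPLE mimics the shape of the CISA KEV JSON feed with
placeholder CVE ids; FINDINGS is a constructed asset-inventory extract.
"""
from datetime import date

# Constructed KEV-style records (field names follow the real feed; values are placeholders).
KEV_SAMPLE = [
    {
        "cveID": "CVE-0000-0001",
        "dateAdded": "2024-01-10",
        "dueDate": "2024-01-31",
        "knownRansomwareCampaignUse": "Known",
    },
    {
        "cveID": "CVE-0000-0002",
        "dateAdded": "2024-02-20",
        "dueDate": "2024-03-15",
        "knownRansomwareCampaignUse": "Unknown",
    },
]

# Constructed findings from a hypothetical scanner/inventory join.
# criticality: 1 (low) .. 5 (crown jewel), set by the asset owner.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "criticality": 3, "internet_exposed": True},
    {"host": "db-01", "cve": "CVE-0000-0002", "criticality": 5, "internet_exposed": False},
    {"host": "ws-07", "cve": "CVE-0000-0003", "criticality": 5, "internet_exposed": True},
    {"host": "web-02", "cve": "CVE-0000-0003", "criticality": 2, "internet_exposed": False},
]

# Assumed evaluation date for the overdue check in the demo below.
TODAY = date(2024, 2, 15)


def kev_index(kev_entries):
    """Index KEV records by CVE id for O(1) membership lookups."""
    return {entry["cveID"]: entry for entry in kev_entries}


def score_finding(finding, kev, today):
    """Assumed scoring: local context first, then KEV signals layered on top.

    - asset criticality is the base score; internet exposure doubles it
    - any KEV hit adds a flat bonus (known exploitation outweighs guesswork)
    - known ransomware use and an already-passed BOD due date add more
    """
    score = finding["criticality"]
    if finding["internet_exposed"]:
        score *= 2
    entry = kev.get(finding["cve"])
    if entry is None:
        return score
    score += 10
    if entry.get("knownRansomwareCampaignUse") == "Known":
        score += 5
    due = entry.get("dueDate")
    if due and date.fromisoformat(due) < today:
        score += 3
    return score


def prioritize(findings, kev_entries, today):
    """Return (host, cve, score) tuples, highest score first."""
    kev = kev_index(kev_entries)
    scored = [(f["host"], f["cve"], score_finding(f, kev, today)) for f in findings]
    return sorted(scored, key=lambda item: item[2], reverse=True)


def demo():
    """Run the ranking over the constructed data."""
    return prioritize(FINDINGS, KEV_SAMPLE, TODAY)


if __name__ == "__main__":
    for host, cve, score in demo():
        print(f"{score:3d}  {host:8s}  {cve}")
```

Note the outcome on the constructed data: an internet-facing host with a KEV entry that is past its BOD due date ranks first, but a non-KEV finding on an exposed crown-jewel asset still outranks a low-criticality internal host, which is exactly the kind of ordering KEV alone cannot supply.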
Read at SecurityWeek