A Look at CISA Known Exploited Vulnerabilities in 2024

The vendors, vulnerabilities and software weaknesses that caused the most trouble in 2024.

Overview 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 185 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2024, as the database grew to 1,238 software and hardware flaws at high risk of cyberattacks. 

The agency removed at least two vulnerabilities from the catalog in 2024, but the database has generally grown steadily since its launch in November 2021. 

We’ll look at some of the trends and vulnerabilities from 2024, along with the vendors and projects that had the most CVEs added to the list this year. 

CISA Known Exploited Vulnerabilities Growth Stabilizes 

CISA’s KEV catalog has grown at a steady rate in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 this year. That’s a pretty stable rate after KEV’s first year, when the agency added more than 300 vulnerabilities in the first two months of the program and nearly 500 more in the first six months of 2022. 

The addition of older vulnerabilities has also stabilized: 115 of this year’s 185 additions were 2024 CVEs, compared with 121 2023 CVEs among last year’s additions. That still leaves 60 to 70 older vulnerabilities being added to the catalog each year because they have come under active exploitation.

The oldest vulnerability in the catalog dates from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks. 


The oldest vulnerability added to the KEV database in 2024 was CVE-2012-4792, a use-after-free vulnerability in Microsoft Internet Explorer 6 through 8. CISA also added four Adobe Flash Player vulnerabilities from 2013 and 2014 this year, in addition to one vulnerability each from Cisco and D-Link from 2014.

Most Common Software Weaknesses in CISA KEV 

Five software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2024 KEV additions. 

  • CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was the most common weakness among vulnerabilities added to the KEV database this year, accounting for 14 of the 185 vulnerabilities. 
  • CWE-502 – Deserialization of Untrusted Data – occurred in 11 of the vulnerabilities. 
  • CWE-416 – Use After Free – was behind 10 of the vulnerabilities. 
  • CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’) and CWE-287 (Improper Authentication) occurred 9 times each. 

Vendors with the Most Vulnerabilities in CISA KEV 

Not surprisingly, Microsoft had the most additions to CISA’s KEV database again this year, as the software giant accounted for 36 of the 185 vulnerabilities added this year, up from 27 out of 2023’s 187 additions. 

Second on the list was Ivanti, which had 11 vulnerabilities across multiple products that made the list. Ivanti’s challenges this year were perhaps best exemplified by the fact that CISA itself was breached through an Ivanti vulnerability. Cyble honeypot sensors detected attacks on multiple Ivanti vulnerabilities this year, with the first detections occurring in January.

Vendors and projects with four or more CISA KEV additions are noted below: 

Vendor/project 2024 CISA KEV additions 
Microsoft 36 
Ivanti 11 
Google Chromium 
Adobe 
Apple 
Android 
Cisco 
D-Link 
Palo Alto Networks 
Apache 
VMware 
Fortinet 
Linux 
Oracle 
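The per-year, per-vendor and per-CWE counts discussed above (additions by year, how many of a year’s additions are older CVEs, the oldest CVE added, and the vendor and CWE leaderboards) are straightforward to compute from a KEV-style JSON feed. The script below is an added example, not Cyble’s code or a CISA tool. It assumes the record field names of CISA’s published known_exploited_vulnerabilities.json feed (cveID, vendorProject, dateAdded, cwes); the embedded sample feed is constructed: it reuses CVE IDs named in this post, but every dateAdded, vendor label and cwes value is a placeholder, not real catalog data.

```python
"""Summarize a CISA KEV-style JSON feed by year, vendor and CWE.

Added example, not Cyble's code. Field names follow CISA's KEV JSON feed
(assumption); the sample records below are constructed placeholders.
"""
import json
from collections import Counter

# Constructed sample feed: CVE ids come from the post, but dates, vendor
# labels and CWE assignments are made up to exercise the code paths.
SAMPLE_FEED = json.dumps({
    "title": "Sample KEV-style catalog (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft",
         "dateAdded": "2022-03-01", "cwes": ["CWE-287"]},
        {"cveID": "CVE-2012-4792", "vendorProject": "Microsoft",
         "dateAdded": "2024-01-08", "cwes": ["CWE-416"]},
        {"cveID": "CVE-2024-39717", "vendorProject": "Versa",
         "dateAdded": "2024-08-23", "cwes": ["CWE-78"]},
        {"cveID": "CVE-2024-50623", "vendorProject": "Cleo",
         "dateAdded": "2024-12-13", "cwes": ["CWE-502"]},
        {"cveID": "CVE-2024-55956", "vendorProject": "Cleo",
         "dateAdded": "2024-12-17", "cwes": ["CWE-22"]},
        # Record deliberately missing "cwes" to show tolerant handling.
        {"cveID": "CVE-2024-3393", "vendorProject": "Palo Alto Networks",
         "dateAdded": "2024-12-30"},
    ],
})


def load_feed(text: str) -> list[dict]:
    """Parse the feed and keep only records with the two fields we rely on."""
    data = json.loads(text)
    return [v for v in data.get("vulnerabilities", [])
            if "cveID" in v and "dateAdded" in v]


def cve_year(cve_id: str) -> int:
    """CVE ids are CVE-<year>-<sequence>; the year is the second field."""
    return int(cve_id.split("-")[1])


def added_year(record: dict) -> int:
    """Year from the ISO date in dateAdded (YYYY-MM-DD)."""
    return int(record["dateAdded"][:4])


def added_in(records: list[dict], year: int) -> list[dict]:
    """All catalog additions made during a given calendar year."""
    return [r for r in records if added_year(r) == year]


def additions_by_year(records: list[dict]) -> Counter:
    """How many entries the catalog gained in each year."""
    return Counter(added_year(r) for r in records)


def older_cve_count(records: list[dict], year: int) -> int:
    """Additions in `year` whose CVE id predates that year."""
    return sum(1 for r in added_in(records, year) if cve_year(r["cveID"]) < year)


def oldest_added(records: list[dict], year: int):
    """The earliest-numbered CVE among a year's additions, or None."""
    batch = added_in(records, year)
    if not batch:
        return None
    return min(batch, key=lambda r: cve_year(r["cveID"]))["cveID"]


def top_vendors(records: list[dict], year: int, n: int = 5):
    """Vendors/projects ranked by number of additions in `year`."""
    return Counter(r.get("vendorProject", "unknown")
                   for r in added_in(records, year)).most_common(n)


def top_cwes(records: list[dict], year: int, n: int = 5):
    """CWE ids ranked by how many of a year's additions carry them."""
    counts: Counter = Counter()
    for r in added_in(records, year):
        counts.update(r.get("cwes") or [])  # missing or empty cwes is fine
    return counts.most_common(n)


if __name__ == "__main__":
    recs = load_feed(SAMPLE_FEED)
    year = 2024
    print("additions by year:", dict(additions_by_year(recs)))
    print(f"{year}: {len(added_in(recs, year))} added, "
          f"{older_cve_count(recs, year)} with pre-{year} CVE ids, "
          f"oldest {oldest_added(recs, year)}")
    print("top vendors:", top_vendors(recs, year))
    print("top CWEs:", top_cwes(recs, year))
```

To run it against the real catalog, replace SAMPLE_FEED with the contents of the downloaded JSON file; the vendorProject labels in the real feed are free text, so vendors that appear under several spellings need to be normalized before ranking.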

Interestingly, while Fortinet vulnerabilities attracted widespread attention this year, in part due to the large number of exposed devices, network security rival Palo Alto Networks actually had more vulnerabilities added to the KEV database this year. Palo Alto may soon get another KEV addition, as the just-announced CVE-2024-3393 vulnerability is reportedly under active attack. 

One lesson from the 2024 CISA KEV list is that neither the number of web-facing exposures or vulnerabilities a vendor has, nor a vulnerability’s Common Vulnerability Scoring System (CVSS) severity rating, reliably reflects the damage a particular vulnerability can cause.

A case in point: CVE-2024-39717, a Versa Director vulnerability with a CVSS score of 7.2 and just 31 web-exposed instances, may have been weaponized in supply chain attacks against ISPs and MSPs.

Cleo had just two vulnerabilities added to the KEV catalog this year (CVE-2024-50623 and CVE-2024-55956), and yet vulnerabilities in the company’s managed file transfer (MFT) solutions have apparently been used to breach 66 organizations. 

Conclusion 

CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and mitigation efforts. 

CISA KEV can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools. 

Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target. 
