Report Says CISA Is Failing to Identify High-Risk Exploits

CISA Did Not Include Critical Vulnerabilities in Known Exploit List, Report Says

New research has identified nearly 100 high-risk vulnerabilities that were not included as part of the Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog.

According to the technology firm Qualys' threat research unit, CISA failed to include at least 97 high-risk vulnerabilities in a comprehensive public list that the U.S. cyber agency describes as "the authoritative source of vulnerabilities that have been exploited in the wild."

On Tuesday, the security researchers published a review of the threat landscape in 2023 asserting that high-risk vulnerabilities were going unreported by CISA and other cyber authorities. The cybersecurity agency did not immediately respond to a request for comment.

More than 26,000 vulnerabilities were disclosed in 2023, the researchers said, marking a record high and continuing a yearslong upward trajectory in disclosures. Less than 1% of those vulnerabilities were considered the highest risk, meaning that they have "a weaponized exploit" and "are actively exploited by ransomware, threat actors and malware, or have confirmed evidence of exploitation in the wild."

Researchers said CISA had identified 109 high-risk known exploited vulnerabilities throughout the year that showed evidence of being exploited in the wild. The researchers urged organizations that prioritize patching and threat mitigations based on the agency's known exploited vulnerability catalog to "pay special attention" to the known exploits that were not included in the list this year.

At least 25% of the vulnerabilities that CISA failed to include in its list were targeted for exploitation on the same day they were publicly disclosed, Qualys said.

It remains unclear why CISA did not include the nearly 100 high-risk vulnerabilities in its catalog.

Meanwhile, one-third of the high-risk vulnerabilities affected network devices and web applications. The researchers said that exploitation of remote services, exploitation of public-facing applications and exploitation for privilege escalation remained the top three attack techniques among threat actors.

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
