In 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) continued to build on its critical cybersecurity initiative by expanding its Known Exploited Vulnerabilities (KEV) catalog.
This database, which serves as a vital tool for IT security teams and organizations globally, added 185 new vulnerabilities this year, bringing the total number of software and hardware flaws at high risk of exploitation to 1,238. These vulnerabilities, which are actively being targeted by cybercriminals, can pose severe risks to infrastructure, data security, and operations across various sectors.
The steady growth of the KEV catalog, launched in November 2021, highlights the persistent threat posed by cyberattacks. This article explores the significant trends in the KEV catalog for 2024, identifies the most common vulnerabilities, and discusses the vendors that faced the highest number of software flaws this year.
A Steady Growth in the KEV Catalog
CISA’s KEV catalog has seen a consistent increase in the number of entries since its inception. In 2024, 185 vulnerabilities were added, slightly fewer than the 187 added in 2023. This stable rate of new entries follows a more explosive expansion in the early years of the catalog. In 2022, CISA added over 500 vulnerabilities in the first six months, and the initial launch saw more than 300 entries.
Interestingly, the catalog has not only grown in the number of new vulnerabilities but also in the age of vulnerabilities included. While most of this year’s entries were recent (115 from 2024), a significant portion (60 to 70) still consists of older vulnerabilities that remain actively exploited.
Notably, some of the earliest vulnerabilities, like CVE-2002-0367, dating back to 2002, continue to pose a risk, being leveraged in ransomware attacks. The oldest addition to the 2024 KEV catalog was CVE-2012-4792, a Use-After-Free vulnerability found in Microsoft Internet Explorer versions 6 through 8.
Prominent Software Weaknesses in the KEV Catalog
Among the 185 new entries in 2024, several software weaknesses, known as Common Weakness Enumerations (CWEs), were particularly prevalent. These weaknesses expose critical vulnerabilities that cybercriminals can exploit to gain unauthorized access to systems, disrupt services, or steal sensitive data.
The most common vulnerability type in the KEV catalog this year was CWE-78 (OS Command Injection), found in 14 of the added vulnerabilities. OS command injection occurs when an attacker is able to inject malicious commands into a system that is running an operating system, potentially leading to unauthorized control.
CWE-502 (Deserialization of Untrusted Data) was the second most common vulnerability type, appearing in 11 of the new entries. This weakness allows attackers to exploit improperly handled or deserialized data, which can lead to remote code execution or unauthorized access.
Other notable vulnerabilities included CWE-416 (Use After Free), which appeared in 10 vulnerabilities, and CWE-22 (Path Traversal) and CWE-287 (Improper Authentication), both of which accounted for 9 vulnerabilities each.
Leading Vendors with the Most Vulnerabilities in CISA KEV
Microsoft continued to dominate the list of vendors with vulnerabilities added to the KEV catalog. In 2024, Microsoft had 36 vulnerabilities added to the list, up from 27 in 2023. The company’s widespread presence across enterprise systems, cloud platforms, and software products makes it a frequent target for cyberattacks.
Following Microsoft, Ivanti was the second most affected vendor, with 11 vulnerabilities added to the KEV catalog. This includes critical flaws that were exploited in a high-profile breach of CISA itself through an Ivanti vulnerability. Cyble’s honeypot sensor detected active attacks targeting Ivanti’s vulnerabilities as early as January 2024.
Other major vendors that faced multiple number of vulnerabilities in 2024 included Google Chromium (9 vulnerabilities), Adobe (8 vulnerabilities), and Apple (7 vulnerabilities). Vendors like Cisco, D-Link, Palo Alto Networks, and Apache also had several vulnerabilities added to the list, highlighting the broad range of industries and technologies impacted by these weaknesses.
A notable example of a vulnerability from 2024 is CVE-2024-39717, a 7.2-severity issue in Versa Director. Despite having just 31 web-exposed instances, this vulnerability was exploited in supply chain attacks targeting Internet Service Providers (ISPs) and Managed Service Providers (MSPs). This highlights a critical aspect of the KEV catalog: the severity of a vulnerability doesn’t always align with its exposure or CVSS (Common Vulnerability Scoring System) score. Even vulnerabilities with low exposure can be highly damaging if leveraged in targeted attacks.
