
“To make the CISA KEV means that we’re seeing active exploitations,” agreed Tyler Reguly, Fortra’s associate director of security R&D. “Given that this CVE was patched by Oracle in the July 2024 Critical Patch Update (CPU), I would expect most admins to have patched this by now, particularly since it is a WebLogic vulnerability and, prior to the addition of this CVE, there were already a dozen WebLogic vulnerabilities listed in the KEV catalog.”
Older vulns under exploit
Reguly also had an observation about how quickly vulnerabilities are added to the KEV. Based on a cursory review, he figured only about 41% of the CVEs in the catalog were added in the same year they were released. Counting those added by the following year (release year + 1), the figure rises to about 58%. That still means that, surprisingly, more than 40% of the CVEs in the CISA KEV catalog were added two or more years after their release. “I suppose it makes sense that it [the two-year-old Oracle hole] is just popping up now, if you consider that an organization that hasn’t patched their systems in multiple years is likely an easier target than an organization that patches regularly. After all, regular patching probably implies a more security-conscious environment.”
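The same-year / year-plus-one / two-or-more-years split described above is easy to reproduce against CISA's KEV JSON feed. The script below is an added example, not part of the article or of Fortra's analysis. It assumes the year embedded in the CVE identifier (the year the ID was reserved) as the proxy for "release year", which is an approximation, and it uses only the `cveID` and `dateAdded` fields of the feed. The embedded sample is constructed with placeholder IDs, not real KEV rows; pass the path of a downloaded feed to run it against the live catalog.

```python
"""Lag between a CVE's identifier year and its addition to CISA's KEV catalog.

Reproduces the rough count quoted above: the share of KEV entries added in
the same year as their CVE ID, within the following year, and two or more
years later.
"""
import json
import re
import sys
from collections import Counter
from datetime import date

# The real feed lives at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# and carries more fields per entry (vendorProject, product, dueDate, ...);
# only cveID and dateAdded are used here.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample in the feed's shape. The IDs are placeholders, not real
# CVEs; the mix is chosen to land near the shares quoted in the article.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2019-90001", "dateAdded": "2019-11-03"},
        {"cveID": "CVE-2020-90002", "dateAdded": "2020-12-10"},
        {"cveID": "CVE-2021-90003", "dateAdded": "2021-04-13"},
        {"cveID": "CVE-2022-90004", "dateAdded": "2022-06-02"},
        {"cveID": "CVE-2023-90005", "dateAdded": "2023-09-19"},
        {"cveID": "CVE-2020-90006", "dateAdded": "2021-01-18"},
        {"cveID": "CVE-2022-90007", "dateAdded": "2023-03-07"},
        {"cveID": "CVE-2017-90008", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2018-90009", "dateAdded": "2022-05-24"},
        {"cveID": "CVE-2019-90010", "dateAdded": "2023-02-10"},
        {"cveID": "CVE-2021-90011", "dateAdded": "2024-10-01"},
        {"cveID": "CVE-2014-90012", "dateAdded": "2025-02-20"},
    ]
})


def cve_year(cve_id: str) -> int:
    """Year embedded in the CVE ID: the year the ID was reserved, used here as
    a proxy for the release year (an assumption, not the disclosure date)."""
    m = CVE_ID_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def lag_years(entry: dict) -> int:
    """Whole years between the CVE ID year and the year KEV listed it."""
    added = date.fromisoformat(entry["dateAdded"])
    return added.year - cve_year(entry["cveID"])


def lag_distribution(entries) -> Counter:
    """Histogram of lag in years across all entries."""
    return Counter(lag_years(e) for e in entries)


def share_within(entries, max_lag: int) -> float:
    """Fraction of entries added no more than max_lag years after the CVE year."""
    lags = [lag_years(e) for e in entries]
    if not lags:
        return 0.0
    return sum(1 for lag in lags if lag <= max_lag) / len(lags)


def summarize(kev_json_text: str) -> dict:
    """Counts and shares for the three buckets discussed in the article."""
    entries = json.loads(kev_json_text)["vulnerabilities"]
    dist = lag_distribution(entries)
    total = sum(dist.values())
    within_one = dist[0] + dist[1]   # Counter returns 0 for missing keys
    return {
        "total": total,
        "same_year": dist[0],
        "within_one_year": within_one,
        "two_plus_years": total - within_one,
        "same_year_share": share_within(entries, 0),
        "within_one_year_share": share_within(entries, 1),
        "max_lag_years": max(dist) if dist else 0,
    }


def main(argv):
    # With a path argument, read a downloaded KEV feed; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_KEV_JSON
    s = summarize(text)
    print(f"{s['total']} entries: same year {s['same_year_share']:.1%}, "
          f"within a year {s['within_one_year_share']:.1%}, "
          f"two or more years later {s['two_plus_years']} "
          f"({s['two_plus_years'] / s['total']:.1%}), "
          f"longest lag {s['max_lag_years']} years")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample this prints 5 of 12 (41.7%) added in the same year, 7 of 12 (58.3%) within a year, and 5 (41.7%) two or more years later. Because the CVE year is the reservation year rather than the disclosure date, the lag is a lower bound on how long a fixed bug sat unlisted; an ID reserved in December and disclosed the following January counts as a one-year lag even if it was listed within weeks.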
