VulnCheck, a US-based exploit intelligence specialist has launched its own Known Exploited Vulnerabilities (KEV) catalogue, with the aim of publicising impactful common vulnerabilities and exposures (CVEs) more widely among end-users.
The organisation says that the tool, which will be accessible for free to those joining the VulnCheck community, will provide security teams and other defenders with intel on vulnerabilities that are being exploited in the wild, helping them better manage threats, figure out what needs to be prioritised, and stay ahead of problematic bugs.
The concept behind VulnCheck’s initiative drawns on the well-known KEV catalogue run by the US Cybersecurity Infrastructure and Security Agency (CISA), America’s counterpart to the UK’s National Cyber Security Centre (NCSC).
The CISA KEV catalogue is designed to track vulnerabilities than the agency assesses are a threat to US government bodies, and it mandates remediating or patching within a set timescale – these conditions do not apply to private organisations or members of the public.
However CISA’s strict focus means it has been known to miss things, indeed, VulnCheck says at present it is tracking 876, or 81%, more vulnerabilities exploited in the wild than CISA, and adding new bugs to its catalogue 27 days earlier than the Arlington, Virginia-based agency, which forms part of the Department of Homeland Security (DHS).
“The CISA KEV catalogue continues to be an invaluable tool and a driving force in our industry, but there is an opportunity for broader visibility and often earlier indicators into known exploitation,” said Anthony Bettini, founder and CEO of VulnCheck.
“This is why we decided to offer a community resource that provides broader known exploited vulnerability intelligence and reference materials, all delivered at machine speed.”
Recent research conducted by Coalition, a supplier of cyber risk and insurance services, found that the total number of CVEs disclosed was set to grow by 25% during 2024, hitting a new high of almost 35,000. In light of this rapid growth – and equally rapid exploitation by malicious actors – VulnCheck said that the ability to move quickly and access a wide breadth of data were highly valuable assets to security teams, something it hopes it can provide through its own service.
Some of the key features of the new service include comprehensive CVE tracking, including all those listed by CISA; contextual exploit intelligence, including publicly-available proof of concept (PoC) exploit code if possible; and exploit references, the new KEV provides citations for all CVEs listed to give defenders an idea of why a particular CVE has made the cut – for example, if one is being used by a ransomware gang, evidence of this will be given.
The tool is available now to community members via the VulnCheck KEV dashboard, machine-readable JSON, and the VulnCheck KEV API endpoint.
Case study: A three-day head start on Atlassian
As a demonstration of how its capabilities will work going forward, VulnCheck additionally shared some insight into the lifecycle of a recently disclosed CVE in Atlassian Confluence Server, tracked as CVE-2023-22527, a remote code execution (RCE) flaw disclosed by Atlassian in a 16 January 2024 advisory.
By 21 January, exploitation of the vulnerability had been observed by the DFIR Report, and it was added to the VulnCheck KEV catalogue that same day. Additional confirmation of exploitation came on 22 January courtesy of the ShadowServer Foundation and SANS, and three exploit PoCs were added to GitHub that day. Researchers at Tenable added their two cents on 23 January, and more exploit code began appearing, before the bug was finally added to CISA’s catalogue on 24 January, with a remediation deadline of 14 February.