Dec 8, 2022

CISA KEV Catalog Hits 860 After 13 Months

Top 10 vendors and vulnerable products

CISA started sharing the KEV catalog with the public on Nov 3, 2021. A total of 860 CVEs have been added to the KEV catalog after 13 months (849 CVEs by Nov 3).

Too many organizations rely on the Common Vulnerability Scoring System, developed at FIRST.org, to decide when it is time to patch. Vulnerabilities with a Low/Medium CVSS score are often ignored completely or deferred to another time, while a vulnerability scoring 7.0 or above generates a hair-on-fire “patch now” event.

And this is the reason why patches just don’t get applied in a timely fashion all the time.

It is time we reexamine each of our vulnerability management programs to ensure we are not letting impactful and known CVEs continue to exist in our networks long past the time that vendor fixes are available. We need to evolve our practices to incorporate capabilities such as KEV into our operational vulnerability analysis decision making.

The screenshot above shows the top 10 vulnerable products and vendors in the KEV catalog. I shared the script on GitHub back in April 2022.
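An added example (not the author's GitHub script) of folding KEV membership into triage: it tallies the top vendors and products and shows which scanner findings a CVSS-only 7.0 cutoff would defer even though they are KEV-listed. The KEV entries, scanner findings and function names are constructed for illustration; only the field names follow CISA's JSON feed.

```python
import json
from collections import Counter

# Constructed sample shaped like CISA's KEV JSON feed (real field names,
# made-up entries); a real run would load the downloaded catalog file.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "Gateway", "dueDate": "2022-05-03"},
 {"cveID": "CVE-0000-0002", "vendorProject": "VendorA", "product": "Gateway", "dueDate": "2022-06-01"},
 {"cveID": "CVE-0000-0003", "vendorProject": "VendorA", "product": "Mail Server", "dueDate": "2022-04-15"},
 {"cveID": "CVE-0000-0004", "vendorProject": "VendorB", "product": "Browser", "dueDate": "2022-07-10"}
]}"""

# Constructed scanner findings: (asset, CVE id, CVSS base score).
FINDINGS = [
    ("web01", "CVE-0000-0002", 5.4),
    ("web01", "CVE-0000-0099", 9.8),
    ("mail01", "CVE-0000-0003", 8.1),
    ("lap07", "CVE-0000-0004", 6.5),
    ("db01", "CVE-0000-0098", 4.3),
]

def load_kev(text):
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def top_counts(kev, n=10):
    """Top-n vendors and (vendor, product) pairs by number of KEV entries."""
    vendors = Counter(v["vendorProject"] for v in kev.values())
    products = Counter((v["vendorProject"], v["product"]) for v in kev.values())
    return vendors.most_common(n), products.most_common(n)

def prioritize(findings, kev, cvss_cutoff=7.0):
    """KEV-listed findings first (earliest due date first), then the rest by
    CVSS descending. Also returns the KEV-listed findings that a CVSS-only
    cutoff would have deferred."""
    def key(finding):
        _, cve, score = finding
        entry = kev.get(cve)
        return (0, entry["dueDate"], -score) if entry else (1, "", -score)
    ordered = sorted(findings, key=key)
    deferred = [f for f in ordered if f[1] in kev and f[2] < cvss_cutoff]
    return ordered, deferred

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print(top_counts(kev, n=3))
    ordered, deferred = prioritize(FINDINGS, kev)
    for asset, cve, score in ordered:
        print(asset, cve, score, "KEV" if cve in kev else "-")
    print("KEV-listed but below the CVSS cutoff:", deferred)
```

In the sample, the 5.4 and 6.5 findings outrank the 9.8 one because they are in the catalog, which is the reordering a CVSS-only threshold never produces.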

