In a recent development, new research has shed light on a significant oversight by the Cybersecurity and Infrastructure Security Agency (CISA). The study conducted by Qualys’ threat research unit identifies nearly 100 high-risk vulnerabilities that were omitted from CISA’s known exploited vulnerabilities catalog. These vulnerabilities, described as having “a weaponized exploit” and being actively exploited by ransomware, threat actors, or malware, were not part of the authoritative list maintained by CISA, raising concerns about the accuracy and completeness of the agency’s vulnerability information.
The researchers reported a record-breaking disclosure of over 26,000 vulnerabilities in 2023, with less than one percent considered the highest risk. Despite this, CISA allegedly failed to include 97 of these high-risk vulnerabilities in its public list. The report underscores the critical nature of these oversights, as these vulnerabilities pose an immediate threat and are actively exploited in the wild, necessitating urgent attention from organizations relying on CISA’s known exploited vulnerability catalog for patching and threat mitigations.
The research highlights that 25 percent of the overlooked exploits were targeted for exploitation on the same day the vulnerability was publicly disclosed. The reasons behind CISA’s exclusion of these vulnerabilities remain unclear, prompting questions about the agency’s vulnerability identification and reporting processes. With a third of the high-risk vulnerabilities affecting network devices and web applications, the study emphasizes the ongoing challenges in cybersecurity, urging organizations to remain vigilant and take additional measures to protect against these undisclosed threats.
