KEVs Report

Known Exploited Vulnerabilities (KEVs) are CVEs with public evidence of being exploited by attackers in the wild. This page is built strictly from publicly available KEV catalogs. Private KEV lists held by incident response firms, intelligence vendors, and government partners almost certainly see and track exploitation that is not visible here, so treating these public sources as a complete picture will understate what is really being exploited. No single public catalog is complete on its own either, so this page combines eight of them: CISA KEV, the ENISA EU CSIRT Network KEV list, ENISA EUVD entries flagged exploited-in-the-wild (EUVD KEV), VCDB, VulnCheck, Google Project Zero, Mandiant M-Trends, and the CrowdStrike Global Threat Report.


KEVs by publication year

It does not appear that attackers care much about when a vulnerability was published; they exploit what works. This chart pushes back on the idea that adversaries only care about zero-day exploits.

KEVs by affected vendor

Vendors come from the CVE Program CNA “affected” metadata in CVElist V5 (same approach as the legacy site). A single CVE can list multiple vendors; each vendor row counts once. The top nine vendors are shown individually; everything else is grouped into Other, including CVEs with no vendor in the CNA record or not present in CVElist.


KEVs vs individual Known Exploited catalogs

The KEVs catalog on this page is the union of multiple KEV lists and DFIR-style sources, because no single list is complete on its own. Each catalog has different inclusion criteria, and even the largest individual list misses a significant fraction of what the others flag. The components shown in these tabs are CISA KEV, VulnCheck, the ENISA EU CSIRT Network KEV list, and ENISA EUVD entries flagged as exploited in the wild (EUVD KEV); the full union additionally incorporates VCDB, Google Project Zero, Mandiant M-Trends, and the CrowdStrike Global Threat Report.
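As an added illustration of how the union and the per-catalog gaps described above can be computed (example code, not the page's own pipeline; the catalog names are labels and the CVE ids are constructed placeholders):

```python
from collections import Counter

# Constructed sample catalogs: placeholder ids, not entries from any real KEV list.
CATALOGS = {
    "cisa_kev": {"CVE-EXAMPLE-1", "CVE-EXAMPLE-2", "CVE-EXAMPLE-3", "CVE-EXAMPLE-4"},
    "vulncheck": {"CVE-EXAMPLE-2", "CVE-EXAMPLE-3", "CVE-EXAMPLE-5", "CVE-EXAMPLE-6", "CVE-EXAMPLE-7"},
    "enisa_kev": {"CVE-EXAMPLE-1", "CVE-EXAMPLE-3", "CVE-EXAMPLE-8"},
    "euvd_kev": {"CVE-EXAMPLE-3", "CVE-EXAMPLE-8", "CVE-EXAMPLE-9"},
}

def kev_union(catalogs):
    """A CVE is a KEV if at least one source flags it: the union of all catalogs."""
    return set().union(*catalogs.values())

def source_counts(catalogs):
    """How many catalogs flag each CVE in the union (1 = a single source only)."""
    counts = Counter()
    for ids in catalogs.values():
        counts.update(ids)
    return counts

def coverage(catalogs):
    """Per catalog: its size, the fraction of the union it covers, how many
    union entries it misses, and how many CVEs only it flags."""
    union = kev_union(catalogs)
    report = {}
    for name, ids in catalogs.items():
        others = set().union(*(o for n, o in catalogs.items() if n != name))
        report[name] = {
            "size": len(ids),
            "covered": len(ids) / len(union),
            "missed": len(union - ids),
            "unique": len(ids - others),
        }
    return report

def single_source_share(catalogs):
    """Fraction of the union flagged by exactly one catalog: the share you
    would lose by trusting any single list."""
    counts = source_counts(catalogs)
    return sum(1 for c in counts.values() if c == 1) / len(counts)

if __name__ == "__main__":
    for name, row in coverage(CATALOGS).items():
        print(f"{name:10s} size={row['size']} covered={row['covered']:.0%} "
              f"missed={row['missed']} unique={row['unique']}")
    print(f"single-source KEVs: {single_source_share(CATALOGS):.0%}")
```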



Overlap with Google Project Zero “0day in the wild”

Google Project Zero tracks CVEs exploited in the wild before a patch existed. There does not appear to be a significant overlap between KEVs and Google Project Zero. This may indicate the type of adversary that uses zero-day exploits is not the same as the type of adversary that is interested in KEVs.


EPSS score distribution and correlation

How do KEVs score on EPSS? EPSS is a machine learning model that claims to predict the likelihood of a vulnerability being exploited in the next 30 days. It is not a perfect measure, by its maintainers' own admission, and FIRST.org guidance says it should not be used instead of KEV lists. Even so, it is instructive to see how EPSS lines up with CVEs that are actually being exploited in the wild.



KEVs by CVSS severity

The various sources for CVE and CVSS data each have different inclusion criteria and severity ratings for KEVs. A number of these sources are incomplete: they do not include all KEVs, carry different severity ratings, or fail to score actively exploited CVEs at all.



Severity → KEVs / No breach

Every CVE NVD knows about is bucketed by severity on the left. On the right, each CVE ends up in "KEVs" if at least one of our eight KEV sources has flagged it exploited, otherwise "No breach". The takeaway is that the overwhelming majority of CVEs never show up in any public exploitation record. That includes most Critical and High ones. Attackers’ real target list does not track CVSS severity the way most people assume.



KEVs vs breach forensics data

Verizon DBIR and Mandiant M-Trends track CVEs from breach investigations for a single year at a time. They overlap with KEVs to some extent, but so few new vulnerabilities are used in breaches each year that the year-over-year numbers are very low.



Metasploit, Nuclei & OpenVAS vs KEVs

The common wisdom about the “Metasploit metric” appears to be wrong: there is only modest overlap between Metasploit CVEs and what actually gets exploited in the wild. The same holds for Nuclei, which has become the new standard among penetration testers, and for the much larger Greenbone OpenVAS NASL coverage.



KEVs vs exploit databases

The common understanding that CVEs with exploit references are the ones actually used by attackers is only partially true. Percentages below show how KEVs map to ExploitDB and to CVEs carrying exploit references in cvelistV5.



KEVs by weakness type

CWE (Common Weakness Enumeration) is a list of weakness types used to classify vulnerabilities. Not every CWE appears to have even one KEV, but some have many. The MITRE CWE Top 25 is MITRE's list of the most common weaknesses in the CWE list.


CWE KEV coverage

Proportion of CWEs with at least one KEV.



OWASP Top 10 controls ranked by KEVs

The Open Web Application Security Project (OWASP) Top 10 is a list of the vulnerability categories most often found by security vendors who test web applications. Not all OWASP Top 10 categories appear to map to CVEs that show up in exploitation-in-the-wild catalogs.



Overlap between ransomware lists and MITRE ATT&CK

The overlap is very low between ransomware group names (PrivTools EU, RansomFeed.it) and MITRE ATT&CK identified groups. MITRE ATT&CK does not appear to be tracking most ransomware groups in their dataset.



Counts of KEVs per CVSS vector attribute

The most common CVSS vector attributes for KEVs give us a window into what attackers are actually exploiting in the wild. The 8 CVSS vector attributes in CVSS 3.x are Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability.
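An added example of how the per-attribute counts can be built from CVSS 3.x vector strings, keeping KEVs and all CVEs separate and counting the CVEs whose vector cannot be parsed (example code, not the page's processors; the CVE ids and vectors are constructed):

```python
from collections import Counter
# CVSS 3.x base metrics: abbreviation -> (attribute name, {value code: value name}).
BASE = {
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "R": "Required"}),
    "S": ("Scope", {"U": "Unchanged", "C": "Changed"}),
    "C": ("Confidentiality", {"N": "None", "L": "Low", "H": "High"}),
    "I": ("Integrity", {"N": "None", "L": "Low", "H": "High"}),
    "A": ("Availability", {"N": "None", "L": "Low", "H": "High"}),
}
def parse_vector(vector):
    """Parse a CVSS 3.0/3.1 vector into {attribute: value}; temporal/environmental metrics are ignored."""
    prefix, _, rest = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"not a CVSS 3.x vector: {vector!r}")
    parsed = {}
    for part in rest.split("/"):
        key, _, code = part.partition(":")
        if key in BASE:
            name, values = BASE[key]
            if code not in values:
                raise ValueError(f"bad value {part!r} in {vector!r}")
            parsed[name] = values[code]
    if len(parsed) != len(BASE):  # a base metric is missing
        raise ValueError(f"missing base metrics in {vector!r}")
    return parsed
def attribute_counts(vectors, kev_ids):
    """Count (attribute, value) pairs over KEVs and over all CVEs; returns (kev, all, skipped)."""
    kev, every, skipped = Counter(), Counter(), 0
    for cve, vec in vectors.items():
        try:
            parsed = parse_vector(vec)
        except ValueError:
            skipped += 1  # unscored or non-3.x entries are reported, not silently dropped
            continue
        for pair in parsed.items():
            every[pair] += 1
            if cve in kev_ids:
                kev[pair] += 1
    return kev, every, skipped
# Constructed sample input: placeholder ids and vectors, not NVD data.
VECTORS = {
    "CVE-EXAMPLE-1": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "CVE-EXAMPLE-2": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "CVE-EXAMPLE-3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
    "CVE-EXAMPLE-4": "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # CVSS 2.0 string, counted as skipped
}
KEVS = {"CVE-EXAMPLE-1", "CVE-EXAMPLE-3"}
```

Calling `attribute_counts(VECTORS, KEVS)` gives the per-attribute counts for KEVs and for all CVEs plus the number of entries that could not be scored, which is the denominator caveat the severity charts above depend on.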

Attack Vector


Attack Complexity


Privileges Required


User Interaction


Scope


Confidentiality Impact


Integrity Impact


Availability Impact



Most common CVSS vector vs other

The most common CVSS vector, although frequent, is not dominant enough to limit our view to it alone. The following is a breakdown of the most common CVSS vector in KEVs versus all CVEs (NVD).
