According to a recent study by Bitsight, the CISA Known Exploited Vulnerabilities (KEV) catalog has had a significant positive impact on organizations. The catalog, which has existed for nearly three years, has become a key source of data on vulnerabilities that are actively exploited by attackers worldwide.
Bitsight’s research reveals that vulnerabilities listed in the KEV catalog are remediated, on average, 3.5 times faster than others. The average time taken to address KEV vulnerabilities is 6 months, compared to 1.7 years for vulnerabilities not included in the catalog.
Notably, vulnerabilities commonly exploited in ransomware attacks are addressed even more swiftly. These vulnerabilities constitute 20% of the KEV catalog and are resolved, on average, 2.5 times faster.
The data is drawn from the scanning of 1.4 million entities, including businesses, educational institutions, and local government bodies. In 2023, 35% of all organizations surveyed encountered at least one vulnerability from the KEV list, with many facing multiple issues.
Federal civilian agencies under direct CISA oversight adhere to strict deadlines for vulnerability remediation. These agencies are 56% more likely to meet the deadlines compared to other organizations. Approximately 40% of non-CISA-regulated organizations also meet their remediation deadlines.
Technology companies demonstrate the most prompt response to vulnerabilities, while educational institutions and local governments encounter more challenges in addressing such issues.
This report underscores the critical importance of prompt vulnerability response, particularly for vulnerabilities exploitable in ransomware attacks. It also highlights the effectiveness of the KEV catalog as a tool for improving cybersecurity practices across organizations of all types and at every level of management.