Prioritizing Vulnerabilities and Overcoming Patching Challenges
The CISA Known Exploited Vulnerabilities (KEV) Catalog is a dynamic resource that lists actively exploited vulnerabilities and is regularly updated as attackers identify and exploit new weaknesses.29 It is the cornerstone of vulnerability management programs for organizations.
Skip to
Known Exploited Vulnerabilities in 2024
CVE Trends Over Time
A record of 555 CVEs was reported, the highest number in three years. This is likely linked to significant vulnerability events or a surge in disclosures over a specific period.
The number of CVEs dropped significantly to 187, a decrease of over 66%. This decline may indicate improved vulnerability management and remediation processes or shifts in disclosure priorities.
174 CVEs were reported, a slightly lower number than those reported in 2023, suggesting a relatively stable trend.
Vendors with the Most Exploited Vulnerabilities in 2024
Microsoft continues to dominate the list of top ten vendors in the KEV catalog, accounting for nearly half of the CVEs. Ivanti, newly featured in the rankings, secured the second spot with eleven CVEs. There is a notable increase in vulnerabilities targeting firewalls and SOHO routers, suggesting that attackers are prioritizing these critical network components.
Figure 2.2. Known Exploited Vulnerabilities Distribution by Vendor
Known Exploited Vulnerabilities in 2024
The most frequently observed Common Weakness Enumerations (CWEs) behind KEVs in 2024 were CWE-78, CWE-502, and CWE-416, shown below. Other CWEs with significant increases in frequency include CWE-22, CWE-287, and CWE-502, underscoring the growing challenges in input validation and resource management security:
CWE-78
Command Injection
Description
Exploited when systems fail to properly validate command execution inputs, allowing attackers to inject malicious commands. Commonly targets routers, firewalls, and server systems, often leading to complete system takeover.
In OT/ICS environments, command injection is particularly dangerous, as many systems (e.g., routers, HMIs, SCADA) allow administrators to execute commands to manage devices or collect data. Attackers can control critical devices without proper input validation.
CWE-502
Deserialization of Untrusted Data
Description
These exploits involve the deserialization of untrusted data, potentially triggering remote code execution or logical flaws. These attacks are prevalent in Application Programming Interfaces (APIs) and object transfer layers, posing significant risks.
CWE-416
Use After Free
Description
Occurs when a resource is accessed after it has been released, potentially leading to memory corruption and remote code execution. It is primarily observed in lower-level system software, such as browsers and drivers, and is more common in IT environments.
CWE-22
Path Traversal
Description
Applications improperly neutralize input for file or directory names, enabling attackers to manipulate input to access unauthorized files or directories, often outside the application's root directory. CWE-22 can lead to the exposure of sensitive information or the bypassing of file system operations.
Case Study
Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL.
CWE-287
Improper Authentication
Description
The system fails to correctly validate the identity of users or systems, allowing attackers to bypass authentication mechanisms and perform unauthorized actions. CWE-287 can result in data breaches, account takeover, or execution of unauthorized operations.
Case Study
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
CWE-502
Deserialization of Untrusted Data
Description
Applications deserialize data from untrusted sources without adequate validation, potentially leading to modifications of program logic or execution of malicious code. CWE-502 can result in remote code execution, data tampering, or DoS attacks.
Case Study
Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution via a specially crafted file or script.
CWE-78
Command Injection
Description
Exploited when systems fail to properly validate command execution inputs, allowing attackers to inject malicious commands. Commonly targets routers, firewalls, and server systems, often leading to complete system takeover.
In OT/ICS environments, command injection is particularly dangerous, as many systems (e.g., routers, HMIs, SCADA) allow administrators to execute commands to manage devices or collect data. Attackers can control critical devices without proper input validation.
CWE-502
Deserialization of Untrusted Data
Description
These exploits involve the deserialization of untrusted data, potentially triggering remote code execution or logical flaws. These attacks are prevalent in Application Programming Interfaces (APIs) and object transfer layers, posing significant risks.
CWE-416
Use After Free
Description
Occurs when a resource is accessed after it has been released, potentially leading to memory corruption and remote code execution. It is primarily observed in lower-level system software, such as browsers and drivers, and is more common in IT environments.
CWE-22
Path Traversal
Description
Applications improperly neutralize input for file or directory names, enabling attackers to manipulate input to access unauthorized files or directories, often outside the application's root directory. CWE-22 can lead to the exposure of sensitive information or the bypassing of file system operations.
Case Study
Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL.
CWE-287
Improper Authentication
Description
The system fails to correctly validate the identity of users or systems, allowing attackers to bypass authentication mechanisms and perform unauthorized actions. CWE-287 can result in data breaches, account takeover, or execution of unauthorized operations.
Case Study
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
CWE-502
Deserialization of Untrusted Data
Description
Applications deserialize data from untrusted sources without adequate validation, potentially leading to modifications of program logic or execution of malicious code. CWE-502 can result in remote code execution, data tampering, or DoS attacks.
Case Study
Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution via a specially crafted file or script.
Figure 2.3. CWEs Responsible for KEVs Between 2023 and 2024
Implications and Recommendations
The continued exploitation of these vulnerabilities reflects attackers’ increased focus on critical infrastructure and systems with inadequate input validation or authentication mechanisms. By focusing on these measures, organizations can significantly reduce their exposure to commonly exploited vulnerabilities.
Patch Management
Implement robust and proactive vulnerability management processes to address KEVs promptly.
Input Validation
Ensure that systems handling command inputs (especially in OT/ICS environments) are fortified with strict input validation mechanisms.
Threat Intelligence Integration
Continuously monitor emerging CVEs and CWEs to align defenses with the latest threat trends.
Enhance Authentication Protocols
Address CWE-287 vulnerabilities by deploying multi-factor authentication and stringent access controls.
Infrequent Patching in OT Environments
A staggering 85% of organizations do not conduct regular patching in their OT environments. In OT systems, applying patches risks causing equipment downtime or operational disruptions, especially in industries such as manufacturing and energy, where business continuity is of paramount importance.
Many OT systems rely on outdated hardware or proprietary software, and the risk of patch incompatibility further discourages organizations from implementing updates. As a result, infrequent patching leaves systems exposed to known vulnerabilities for extended periods. In the oil and gas sector, the situation is particularly concerning, with 10% of organizations foregoing patching altogether.
This neglect places critical infrastructure at significant risk, as attackers could exploit unpatched vulnerabilities to disrupt operations essential to daily life.
QC1: How often does your organization apply patches to its OT environments?
Figure 2.4. Frequency of Patch Application in OT Environments
Overcoming Patching Challenges in OT Environments
Survey findings reveal several critical challenges to patching in OT environments. These challenges directly hinder organizations’ ability to apply patches, particularly in industries where operational stability is paramount.
To overcome these obstacles, organizations must adopt more flexible and collaborative patch management strategies, leveraging automation tools and innovative technologies to balance cybersecurity with operational efficiency.
Addressing compatibility issues in End-of-Life (EOL) systems and the constraints of maintenance windows will require long-term optimization planning.
Top three critical challenges to patching OT environments
Limited personnel or expertise
Concerns about operational disruptions or downtime
Lack of vendor support or patch testing
QC3: What are the main challenges your organization faces when applying patches to OT environments? (Rank Top 3)
Figure 2.5. Challenges in Patch Application
Flexible Configurations for Secure OT Patch Management
Patch management strategies in OT environments must be tailored to industry-specific needs. The importance of these strategies is underscored by the 2024 CrowdStrike incident, which affected nearly 8 million Windows devices globally and disrupted multiple industries.
This highlights the critical need for rigorous testing to identify potential issues, phased deployment to minimize impact, and rollback mechanisms to quickly restore systems.
Integrating dynamic tools and virtualization can materially improve security and operational continuity. Flexible patch management strategies equip organizations with the adaptability necessary to address diverse challenges while maintaining robust OT cybersecurity.
Scheduled Downtime and Maintenance Windows
Most respondents reported applying patches during planned downtime or maintenance windows. While effective in avoiding operational disruptions, this approach requires meticulous planning and can be challenging for industries with high-efficiency demands.
Controlled Environment Testing
Pre-deployment patch testing in controlled environments minimizes risks. This step is crucial, as unvalidated changes by third parties to internal endpoints can introduce vulnerabilities or cause disruptions.
Phased Rollout Deployment
Rolling out patches incrementally reduces the impact on the entire system. This strategy combines dynamic technologies with virtualized testing environments, enhancing both efficiency and security in patch deployment.
QC7: What strategies does your organization use to minimize disruption during patching activities in OT environments?
Figure 2.6. Strategies Used to Minimize Disruption During Patching Activities
Dedicated Testing Environments as the Standard for Patch Management
1
2
3
Invest in Testing Environments
Build testing environments to replicate production systems and effectively evaluate patches.
Resource Allocation
Allocate sufficient personnel and tools to streamline the patching process for efficiency and reliability.
Vendor Collaboration
Work closely with vendors to ensure patches are compatible, thoroughly tested, and well-supported.
Patch testing has become a critical component of organizational cybersecurity strategies. With 57% of respondents utilizing dedicated testing environments, organizations demonstrate an awareness of the risks of directly deploying patches in production environments. No surveyed organizations reported skipping pre-deployment testing entirely, demonstrating that patch testing is regarded as a crucial part of standard security procedures.
With these measures, organizations can achieve a cost-effective and secure patch management process that minimizes risks while supporting operational demands.
1. Invest in Testing Environments
Build testing environments to replicate production systems and effectively evaluate patches.
2. Resource Allocation
Allocate sufficient personnel and tools to streamline the patching process for efficiency and reliability.
3. Vendor Collaboration
Work closely with vendors to ensure patches are compatible, thoroughly tested, and well-supported.
Patch testing has become a critical component of organizational cybersecurity strategies. With 57% of respondents utilizing dedicated testing environments, organizations demonstrate an awareness of the risks of directly deploying patches in production environments. No surveyed organizations reported skipping pre-deployment testing entirely, demonstrating that patch testing is regarded as a crucial part of standard security procedures.
With these measures, organizations can achieve a cost-effective and secure patch management process that minimizes risks while supporting operational demands.
QC5: How does your organization manage patch testing before deployment in live OT environments?
Figure 2.7. Management of Patch Testing Before Deployment
Critical Defense Measures During Patch Delays
When patches are unavailable, 51% of organizations rely on enhanced monitoring and intrusion detection as their primary mitigation strategy. While this approach can detect attacks, it does not prevent vulnerabilities from being exploited. Additionally, resource-limited teams may struggle to sustain continuous monitoring. To address these challenges, organizations should adopt multi-layered, industry-specific measures, including compensating controls, virtual patching, and external expert support, to effectively manage security risks during patch delays.
Integrate Monitoring with Compensating Controls
Monitoring alone is insufficient; its value is maximized when combined with compensating controls. One effective starting point is network segmentation, adopted by 46% of respondents to isolate high-risk devices from critical infrastructure and reduce the attack surface.
Real-Time Monitoring
Helps security teams to quickly identify threats through alerts for suspicious behavior.
Micro-Segmentation
Takes traditional network segmentation further by implementing fine-grained control, limiting attackers’ lateral movement within systems.
Human Error Mitigation
Even with advanced technologies, human negligence remains a common entry point for attackers, emphasizing the need for comprehensive training.
Real-Time Monitoring
Helps security teams to quickly identify threats through alerts for suspicious behavior.
Micro-Segmentation
Takes traditional network segmentation further by implementing fine-grained control, limiting attackers’ lateral movement within systems.
Human Error Mitigation
Even with advanced technologies, human negligence remains a common entry point for attackers, emphasizing the need for comprehensive training.
Virtual Patching: A Key Defense
When immediate patching is not feasible, virtual patching provides an essential stopgap defense. This technique establishes a temporary security barrier for vulnerable applications and devices without altering system code, preventing attackers from exploiting known vulnerabilities. Virtual patching ensures that organizations maintain a defense layer while working to resolve underlying vulnerabilities, minimizing risks associated with unpatched systems.
QC6: How does your organization handle situations where patches are unavailable for critical vulnerabilities in OT environments?
Figure 2.8. Mitigation Strategies When Patches are Unavailable
Dynamic Patch Prioritization Model
A dynamic, industry-specific prioritization model enables organizations to optimize their patch management strategies by effectively allocating resources, collaborating with vendors, and applying risk-driven methodologies.
of organizations prioritize patching based on system criticality.
Multi-Factor Approach: Patch prioritization involves balancing factors such as system criticality to operations, patch availability, and risk exposure.
QC4: How does your organization prioritize which OT systems to patch first?
Figure 2.9. Factors Affecting Prioritization of OT Systems to Patch
Adoption of Multiple Metrics for OT Asset Vulnerability Assessment
of organizations have adopted the Common Vulnerability Scoring System (CVSS) and KEV databases, making them the most commonly used assessment tools.
of organizations use the Exploit Prediction Scoring System (EPSS) tool for risk prediction.
of organizations use the Time-to-Exploit (TTE) estimates tool for risk prediction.
Organizations increasingly use a combination of metrics to evaluate OT asset vulnerabilities. These metrics provide data-driven insights to support patch prioritization decisions.
Risk prediction metrics enable businesses to quickly identify vulnerabilities that require immediate remediation, prioritizing high-risk vulnerabilities likely to be targeted by attackers. In summary, the use of multiple metrics plays a critical role in OT asset vulnerability management. By establishing unified platforms that integrate diverse metrics, organizations can streamline automated prioritization, ensuring efficient and strategic allocation of resources to address vulnerabilities.
QC8: What metrics or methodologies does your organization utilize to assess OT asset vulnerabilities?
