In vulnerability management, one of the most crucial factors for prioritising remediation efforts is determining whether a vulnerability is actively being exploited. This is where Known Vulnerability Exploitation (KVE) plays a vital role. KVE refers to vulnerabilities that have documented, real-world exploits that attackers can use to compromise systems. By focusing on vulnerabilities with known exploitation, organisations can significantly reduce the risk of incidents such as data breaches and service disruptions.
This article will explain what KVE is, why it is important, and how it complements other risk assessment metrics, including Vulnerability Severity Ratings (e.g., CVSS) and Tenable’s Vulnerability Priority Rating (VPR).
1. What is Known Vulnerability Exploitation (KVE)?
Known Vulnerability Exploitation (KVE) refers to vulnerabilities for which publicly available or documented exploits exist. These exploits may be found in:
Exploit databases (e.g., Exploit-DB)
Security research reports
Malicious toolkits (e.g., ransomware kits or exploit frameworks like Metasploit)
Real-world attacks, including threat actor campaigns
Vulnerabilities with KVE are often targeted by attackers because they already have pre-built tools or methods to exploit them. This makes these vulnerabilities more dangerous than those that are merely theoretical risks.
2. Why is KVE Important?
Vulnerabilities with KVE pose a higher risk to organisations for several reasons:
2.1. Active Threats to Systems
When an exploit for a vulnerability is publicly available, attackers can weaponise it to compromise vulnerable systems. Organisations that do not patch or mitigate these vulnerabilities are at an increased risk of exploitation, especially for high-value assets.
Example:
In 2021, the log4j vulnerability (CVE-2021-44228) became a global crisis due to its ease of exploitation and widespread use in enterprise software. Attackers quickly developed automated tools to exploit this vulnerability, causing organisations worldwide to prioritise immediate patching.
2.2. Reduced Exploitation Barriers
Attackers often prioritise vulnerabilities with known exploits because they require less effort to use. Instead of developing new attack methods, they can rely on off-the-shelf tools or scripts that target vulnerabilities with KVE.
Example:
A remote code execution (RCE) vulnerability with a published Metasploit module is far more likely to be exploited than a complex vulnerability without available exploits.
2.3. Increased Risk of Automated Attacks
Attackers frequently automate the exploitation of vulnerabilities with KVE, scanning networks for unpatched systems. This is especially common in ransomware campaigns and botnet operations.
Example:
The EternalBlue vulnerability (CVE-2017-0144) was exploited by the WannaCry ransomware attack, which spread rapidly due to the automation of the exploit.
3. How KVE Relates to Vulnerability Severity Ratings
Vulnerability severity ratings, such as those based on the Common Vulnerability Scoring System (CVSS), focus on the technical characteristics of a vulnerability. These ratings assess factors like exploit complexity, required privileges, and potential impact on confidentiality, integrity, and availability (CIA). However, CVSS does not account for whether a vulnerability is actively being exploited in the wild.
Key Differences Between CVSS and KVE:
CVSS: Provides a theoretical assessment of how impactful a vulnerability could be if exploited.
KVE: Focuses on whether the vulnerability is already being exploited by attackers, adding real-world threat context.
Example: CVSS vs. KVE
A vulnerability might have a CVSS score of 9.0 (Critical) due to its potential for remote code execution, but if no exploit exists, the immediate risk might be lower. Conversely, a vulnerability with a CVSS score of 6.5 (Medium) could become a top priority if there is active exploitation in the wild.
KVE highlights vulnerabilities that security teams cannot afford to deprioritise, even if their CVSS scores are not the highest.
4. How KVE Relates to the Vulnerability Priority Rating (VPR)
Tenable’s Vulnerability Priority Rating (VPR) incorporates KVE as a key factor in its dynamic scoring model. VPR enhances vulnerability prioritisation by including real-time threat intelligence, including whether a vulnerability is:
Being actively exploited.
Targeted by known attack campaigns.
Included in exploit frameworks (e.g., Metasploit or Cobalt Strike).
When KVE is detected, a vulnerability’s VPR score is often elevated, even if its CVSS score is moderate. This allows organisations to focus their remediation efforts on vulnerabilities that pose an immediate threat.
VPR vs. KVE in Action
Consider the following two vulnerabilities:
Vulnerability A:
CVSS Score: 9.3 (Critical)
No known exploitation.
VPR: 4.8 (Medium).
Vulnerability B:
CVSS Score: 6.5 (Medium)
Active exploitation in ransomware campaigns.
VPR: 9.0 (Critical).
Without VPR and KVE data, security teams might focus on Vulnerability A due to its high CVSS score. However, VPR highlights that Vulnerability B is a more immediate risk due to active exploitation, guiding the team to prioritise it for remediation.
5. Benefits of Integrating KVE into Vulnerability Management
Integrating KVE into your vulnerability management programme provides several key advantages:
5.1. Prioritisation Based on Real Threats
By focusing on vulnerabilities with known exploitation, organisations can reduce their attack surface more effectively. This approach minimises the likelihood of security incidents caused by unpatched vulnerabilities.
5.2. Reduced False Urgency
Traditional severity ratings can lead to "alert fatigue," where security teams are overwhelmed by the number of high-severity vulnerabilities. KVE helps filter vulnerabilities based on actual risk, allowing teams to concentrate on those that attackers are actively targeting.
5.3. Proactive Defence
Threat intelligence related to KVE enables organisations to stay ahead of attackers. By monitoring emerging exploit activity, security teams can implement mitigations before their systems are targeted.
6. Implementing KVE in Vulnerability Management
To effectively incorporate KVE into your vulnerability management strategy, follow these best practices:
Leverage Threat Intelligence:
Use vulnerability management platforms that provide real-time threat intelligence on known exploitation, such as Tenable.io or Tenable.sc.Combine Metrics:
Use both CVSS and VPR to assess vulnerabilities. CVSS provides a baseline severity score, while VPR incorporates KVE to prioritise based on active threats.Monitor Exploit Activity:
Continuously monitor security news, threat intelligence feeds, and vulnerability advisories to stay informed about new exploits.Develop a Response Plan:
Establish clear guidelines for how your organisation will respond to vulnerabilities with known exploitation. This may include accelerated patching, temporary mitigations, and enhanced monitoring.Reassess Vulnerabilities Regularly:
A vulnerability that was not being exploited at the time of the initial scan may later have known exploitation. Periodically update vulnerability data to reflect changes in threat conditions.
7. Conclusion
Known Vulnerability Exploitation (KVE) is a critical factor in modern vulnerability management. While traditional severity ratings like CVSS provide valuable technical insights, they do not account for real-world exploitation. By integrating KVE into your prioritisation process through systems like Tenable’s Vulnerability Priority Rating (VPR), you can focus on the vulnerabilities that pose the greatest immediate risk. This approach enhances security resilience, reduces incident risk, and optimises the use of security resources.
For more information on implementing KVE and VPR in your security programme, contact our team of experts.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article