CISA KEV Report

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a curated list maintained by the Cybersecurity and Infrastructure Security Agency (CISA). It includes vulnerabilities actively exploited in the wild and requiring immediate remediation. Organizations can use this intelligence to prioritize patching efforts and reduce exposure to cyber threats.

Key Benefits of CISA KEV

  • Identifies vulnerabilities with confirmed exploitation in real-world attacks.
  • Provides mandated patching deadlines (for U.S. federal agencies).
  • Helps organizations prioritize security patches effectively.

Use Cases

  • Security Teams: Helps in vulnerability management by focusing on critical threats.
  • Compliance: U.S. federal agencies must comply with KEV patching deadlines.
  • Threat Intelligence: Organizations can proactively monitor and defend against known exploited vulnerabilities.

Accessing CISA KEV report

To view the CISA KEV report, from BigFix SaaS Remediate, click Apps > CyberFOCUS. By default, the dashboard displays the CISA KEV report.

Figure: CyberFOCUS CISA KEV Report

CISA KEV Report Data Representation and Interactions

CyberFOCUS displays CISA KEV data in an interactive table and chart, offering insight into an organization's exposure to known threats and letting you take action on it.

CISA KEV Chart Representation

  • CyberFOCUS uses a bubble chart to visualize CISA KEV data:

    • X-axis: Due date of the CVE.

    • Y-axis: Number of unique affected devices.

    • Bubble Size: Exposure count (larger bubbles indicate higher exposure).

    • Bubble Color: CVSS3 severity (darker color = higher severity).

    • Behavior:

      • Shrinking bubbles indicate that the vulnerabilities are partially remediated.

      • Fully remediated vulnerabilities disappear from the chart.

CISA KEV Chart Interactions

  • Hover for Details: Hover over a bubble in the graph to view, below the chart, additional details about the associated CVE and its impact on the applicable environment.
  • Show Selected Only: Filter the chart to display only the CVEs selected from the table.
  • Zoom Controls: Zoom in or out to focus on specific data points, with an option to reset the zoom level.
  • Detailed CVE Insights: Click on any bubble in the chart to view specific information, such as CVE details, Fixlet details, and other relevant content.

CISA KEV Table Representation

The table provides a structured list of vulnerabilities with key details:

| Column Name | Description |
|---|---|
| CVE ID | The unique identifier for the vulnerability, sourced from NVD. |
| CVSS Score | The severity rating from NVD, based on the Common Vulnerability Scoring System (CVSS). |
| Severity | The risk level assigned to the vulnerability (Critical, High, Medium, Low). |
| Due Date | The deadline by which the vulnerability should be remediated, as per CISA. |
| Exposure Count | The total number of Fixlet-device mappings required to remediate the vulnerability. |
| Unique Devices Affected | The number of unique devices in your environment affected by the CVE. |
| Applicable Fixlets | Fixlets that can be used to patch the affected devices. |
| Relevant Fixlets | The subset of Fixlets that still need to be applied (after some patches have been deployed). |

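To make the difference between Exposure Count, Unique Devices Affected, Applicable Fixlets and Relevant Fixlets concrete, the following added example (not CyberFOCUS code) models the column definitions above in Python. The CVE IDs, Fixlet IDs, device names and function names are constructed placeholders, and counting exposure over outstanding Fixlet-device pairs is an assumption drawn from the column descriptions.

```python
from datetime import date

# Constructed sample data: placeholder CVE IDs, Fixlet IDs and device names.
KEV_DUE = {"CVE-0000-0001": date(2025, 1, 10), "CVE-0000-0002": date(2025, 2, 1)}
FIXLET_CVES = {101: {"CVE-0000-0001"}, 102: {"CVE-0000-0001"}, 103: {"CVE-0000-0002"}}
# Fixlet ID -> devices where the Fixlet still needs to be applied.
RELEVANT_ON = {101: {"srv-a", "srv-b"}, 102: {"srv-b", "ws-c"}, 103: {"ws-c"}}


def kev_rows(kev_due, fixlet_cves, relevant_on, today):
    """Build one table row per KEV CVE, ordered by due date (earliest first)."""
    rows = []
    for cve, due in kev_due.items():
        applicable = sorted(f for f, cves in fixlet_cves.items() if cve in cves)
        relevant = [f for f in applicable if relevant_on.get(f)]
        devices = set().union(*(relevant_on[f] for f in relevant))
        rows.append({
            "cve": cve,
            "due": due,
            "overdue": due < today,
            # One exposure per outstanding (Fixlet, device) pair.
            "exposure_count": sum(len(relevant_on[f]) for f in relevant),
            # A device is counted once even if several Fixlets apply to it.
            "unique_devices": len(devices),
            "applicable_fixlets": applicable,
            "relevant_fixlets": relevant,
        })
    return sorted(rows, key=lambda r: r["due"])


def chart_points(rows):
    """Fully remediated CVEs (no outstanding pairs) drop off the chart."""
    return [r for r in rows if r["exposure_count"] > 0]


def apply_fixlet(relevant_on, fixlet_id, device):
    """Return a copy of the relevance map after one Fixlet succeeds on one device."""
    updated = {f: set(d) for f, d in relevant_on.items()}
    updated[fixlet_id].discard(device)
    return updated


if __name__ == "__main__":
    for row in kev_rows(KEV_DUE, FIXLET_CVES, RELEVANT_ON, date(2025, 1, 15)):
        print(row)
```

In this model a device that needs two Fixlets for the same CVE adds two to the exposure count but only one to the unique device count, which is why the two columns can diverge.
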
CISA KEV Table Interactions

  • Click for More Information: Click on a CVE in the table to access in-depth details, including a description, applicable Fixlets, and affected devices. A direct link to the National Vulnerability Database (NVD) is available on the details page for further reference.
  • Sort Functionality: Sort vulnerabilities by any column in the table to quickly identify and prioritize threats.
  • Start Remediation: Select one or more CVEs from the table and click the Remediate button to initiate the CyberFOCUS remediation flow.

Prescriptive Guidance for CISA KEV Scanner

Prescriptive Guidance on the CyberFOCUS app helps identify and remediate endpoints that are missing the required CISA KEV scanner and/or not actively running the KEV scanner.

You will see a device count in each prescriptive guidance. This data is retrieved using the corresponding Site ID and Fixlet ID. Click the respective Remediate button to:
  • Deploy the scanner to devices that do not have it installed.
  • Execute the scanner on applicable devices.

Figure: Prescriptive Guidance on CISA KEV Scanner

How the Remediation Flow Works

Each remediate action is tied to a specific Site ID and Fixlet ID.

  1. The user clicks the Remediate button to install the KEV scanner or run the KEV scanner.

  2. The side panel opens and automatically triggers the remediation flow.

  3. The flow deploys the corresponding Fixlet using:

    • Site ID: Example – 15785
    • Fixlet ID: Example – 100

  4. The user completes the wizard by providing a deployment name and confirming the deployment.

  5. The deployment status can be viewed in the Deployment Manager.

With this, you can easily install and run the KEV scanner across your deployment, ensuring continuous vulnerability assessment and compliance.