We remembered KEVin!


runZero tracks vulnerabilities on assets discovered by runZero queries and numerous third-party integrations. We're pleased to announce that the Platform now enriches these vulnerability records with information from the CISA Known Exploited Vulnerabilities (KEV) catalog, the VulnCheck KEV list, and the Exploit Prediction Scoring System (EPSS).

The CISA Known Exploited Vulnerabilities Catalog #

The United States Cybersecurity and Infrastructure Agency (CISA) is a federal agency tasked with informing other government agencies about cybersecurity threats, information security best practices, mediation recommendations, and so on. It is also responsible for coordinating defense of critical infrastructure, such as electrical grids, water treatment systems, pipelines, and air traffic control systems.

CISA publishes a regularly-updated list of cybersecurity vulnerabilities that are known to be exploited in the wild: the Known Exploited Vulnerabilities (KEV) list. The CISA KEV list currently catalogs 1,127 vulnerabilities in hardware and software that CISA has evidence of being actively exploited.

In this case "active exploitation" means that CISA has reason to believe that threat actors are currently exploiting these vulnerabilities for malicious purposes. If a vulnerability appears on this list, it should be considered a high priority; it represents not just a vulnerability, but one that is known to be under active attack.

If a vulnerability has an associated CISA KEV record, runZero will display it on the vulnerability's information page. Here's an example from the runZero Platform:

CISA KEV display
A sample CISA KEV record attached to a vulnerability.

The VulnCheck KEV List #

VulnCheck, a leading cybersecurity intelligence vendor, also publishes their own Known Exploited Vulnerabilities list (the VulnCheck KEV) that is timely, accurate, and frequently updated. runZero can now enrich vulnerability information with input from the VulnCheck KEV. Here's an example:

VulnCheck KEV record
A sample VulnCheck KEV record attached to a vulnerability.

Searching KEV Lists #

It's easy to locate vulnerabilities that appear on the KEV list by visiting the Vulnerability Inventory in runZero and using the kev: search keyword. Search for membership in a specific KEV list simply by providing its name:


Or look for vulnerabilities that appear on any KEV list (including any other KEV lists that may be added in the future):


These query terms also work in the Asset Inventory to find assets with vulnerabilities that appear on the relevant list(s) and on individual assets, as well.

The Exploit Prediction Scoring System #

Additionally, runZero now integrates with the Exploit Prediction Scoring System (EPSS), a scoring system that predicts the likelihood that a given vulnerability will be exploited in the wild. EPSS provides a score between 0.0 (extremely unlikely to be exploited) and 1.0 (is definitely being exploited). You can search for vulnerabilities by their EPSS scores using the epss_score search term in the Vulnerability Inventory and for assets with EPSS-scored vulnerabilities in the Asset Inventory. The conventional runZero numeric search operators can be used, for example:


In general, vulnerabilities with scores higher than around 0.9 should be looked at very closely.

Like the KEV lists above, vulnerabilities with EPSS scores will have that information displayed in the vulnerability view:

A vulnerability EPSS record.
A sample EPSS record attached to a vulnerability.

A Bonus: Faster CVE Searches! #

The work to integrate with the CISA and VulnCheck KEV lists and the EPSS resulted in a nice little bonus: searches by CVE should now be considerably faster!

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

runZero Research
SSHamble: Unexpected exposures in the Secure Shell
We conducted a deep dive into the SSH ecosystem and identified vulnerabilities across a wide range of implementations. During the research process,...
runZero Research
Attack Surface Challenges with OT/ICS and Cloud Environments
Learn why successfully navigating changes to operational technology and cloud attack surfaces is critical for successful asset security.
Life at runZero
Employee Spotlight: Nikki Milum
Nikki Milum is our stellar Senior People Operations Partner! Read on to learn more about why Nikki thinks runZero is different than any place she’s...
runZero Research
Evolving threat landscapes: a view through the lens of CAASM
See what our analysis of sample CAASM data reveals about the current threat landscape and how security teams are responding to challenges old and new.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved