Bitsight Reveals More than 60 Percent of Known Exploited Vulnerabilities Remain Unmitigated Past Deadlines in First-of-its-Kind Analysis of CISA’s KEV Catalog

Study of 1.4 million organizations shows nearly a quarter of organizations had multiple known vulnerabilities in 2023 amid remediation struggles

BOSTON – May 1, 2024 – Bitsight, the leader in cyber risk management, today released a new report by its TRACE security research team analyzing the Known Exploited Vulnerabilities (KEV) catalog, the Cybersecurity and Infrastructure Security Agency’s (CISA) authoritative source of vulnerabilities that have been exploited in the wild. 

The report, titled "A Global View of the CISA KEV Catalog: Prevalence and Remediation," analyzes data from 1.4 million organizations globally – the only such study to encompass Internet-wide scans – and highlights the deep challenges that global organizations face in remediating critical, exploited vulnerabilities in a timely manner: Over a third of organizations analyzed had at least one known vulnerability in 2023, with nearly a quarter of those facing five or more, and 60% of vulnerabilities remained unaddressed past CISA's deadlines.

CISA’s KEV catalog is a critical tool for any organization, and we’ve seen a positive impact on global vulnerability remediation rates – but most organizations are still too slow to mitigate,” said Derek Vadala, Chief Risk Officer, Bitsight. “Even critical severity vulnerabilities take four and a half months to remediate on average. The situation creates significant risk and speaks to the need for business leaders on the board and in the C-suite to recognize these vulnerabilities as the serious threats they are and demand a security posture that prioritizes deep insight and swift action. From there, organizations have an opportunity to grow.”

Key KEV prevalence and remediation findings from the Bitsight TRACE study include:

  • Vulnerabilities included in the KEV catalog are highly prevalent and over a third of organizations had at least one in 2023. 
    • KEVs are 2.6x more prevalent compared to the typical non-KEVs
    • 35% organizations experienced a KEV in 2023 – 66% of which had more than one, 25% of which had more than five and 10% of which had more than 10
  • Remediation of KEVs is significantly faster than non-KEVs of similar severity.
    • The average KEV is resolved within 6 months (174 median days), whereas non-KEVs can take more than 1.7 years (621 median days) 
    • Despite faster remediation of KEVs versus non-KEV, more than 60% are remediated after deadlines provided by CISA
    • Remediation of KEVs varies based on the severity: 
      • Critical severity KEVS took nearly 4.5 months (137 median days) 
      • High severity vulnerabilities take more than 9 months (238 median days)
      • Medium severity vulnerabilities take nearly 1.5 years (517 median days)
  • Known ransomware vulnerabilities are highly prevalent but remediated faster.
    • Ransomware vulnerabilities make up 20% of the KEV catalog, but are 64% more prevalent compared to those not known to be used in ransomware
    • Ransomware KEVs are remediated 2.5x faster than non-ransomware KEVs
  • Deadlines are missed 60% of the time, but U.S. federal agencies prove more capable. 
    • CISA’s recommended remediation deadlines are making a big difference in remediation rates for federal agencies 
      • On average, federal agencies are 56% more likely to meet the deadline for vulnerabilities than other organizations 
    • Technology companies have the highest exposure and rate of critical severity KEVs, but are also the fastest to remediate them (93 days) 
    • Despite making big headlines, healthcare organizations are average when it comes to exposure and remediation 

“CISA’s KEV catalog is a major step forward in the identification of high-risk vulnerabilities. Unfortunately, we still have a major problem with management of those vulnerabilities as security leaders often lack clear responsibility and authority for remediation, visibility across their environment, and metrics to measure their effectiveness,” said Roland Cloutier, former Fortune 100 CSO and Bitsight advisor. “The research from Bitsight sheds light on the mounting pressures facing every organization and proves that, now more than ever, security leaders need a seat at the table and the ability to influence operational change across the organization.” 

The full report includes data on specific vulnerabilities and which are most prevalent, KEV prevalence and time to remediation (each broken down by industry, country, and organization size), KEV “survival analysis” by vulnerability severity, and more. 

“The data leaves no doubt: CISA’s creation of the KEV catalog has been hugely positive. Unfortunately, KEVs are still extremely common and remediation is still too slow,” said Jim Langevin, former Congressman, co-founder and co-chairman of the bipartisan Congressional Cybersecurity Caucus, member of the Cyberspace Solarium Commission, and founding member of Bitsight’s Cyber Risk Advisory Board. “Bitsight’s new study provides the most wide-ranging analysis yet of how organizations are managing the most critical vulnerabilities and where they can improve in doing so. Policymakers around the world can leverage these insights to make better decisions about their national cybersecurity initiatives.”

“Organizations of all sizes are challenged to manage the pace of newly disclosed vulnerabilities. While organizations should adopt a vulnerability management model that accounts for their unique risks, we strongly recommend that every organization start by prioritizing Known Exploited Vulnerabilities,” said Eric Goldstein, CISA Executive Assistant Director for Cybersecurity. “While we are pleased to see that inclusion of a vulnerability in our Known Exploited Vulnerabilities catalog is associated with faster remediation, we know that the current model of ‘patch faster’ is unsustainable and every software company must reduce the prevalence of vulnerabilities by design.” 

For this study, Bitsight reviewed the security posture and examined vulnerability detections of 1.4 million entities (non-service provider or cloud service providers) that were active during 2023 and scannable by its vulnerability detection capabilities. All prevalence calculations were based on this sample of organizations within Bitsight data. The full study can be viewed here.

About Bitsight
Bitsight is a global cyber risk management leader transforming how organizations manage exposure, performance, and risk for themselves and their third parties. Companies rely on Bitsight to prioritize their cybersecurity investments, build greater trust within their ecosystem, and reduce their chances of financial loss. As the innovator and creator of the cyber risk ratings market, Bitsight’s integrated solutions deliver value across enterprise security performance, digital supply chains, cyber insurance, and data analysis. For more information, visit Bitsight.com or connect with us on LinkedIn.