1,000 entries and counting
CISA’s Known Exploited Vulnerabilities (KEV) catalogue crossed the 1,000-entry mark in early 2026. The KEV is the single most useful public artifact for vulnerability prioritisation: every entry is a CVE that has been observed in active exploitation. If you patch in KEV order before you patch by CVSS score, you will close real attacker access faster than the median enterprise.
Three years of operation also produces enough data to talk about patterns. We mined the catalogue against our own Indian VAPT engagement findings to see which categories Indian defenders systematically miss. Five emerge.
1. Edge-VPN and edge-firewall management interfaces
SonicWall, Fortinet, Ivanti Pulse, Cisco ASA — half the KEV catalogue’s “actively exploited the day after disclosure” entries are management-plane bugs in these. Recent examples worth knowing by heart:
- CVE-2024-21887 (Ivanti Connect Secure) — command injection in the web admin component. Added to KEV the day after disclosure; exploitation in the wild within 24 hours. Authentication was bypassed by chaining it with CVE-2023-46805.
- CVE-2024-3400 (PAN-OS GlobalProtect) — pre-auth RCE via the GlobalProtect feature. Mass-exploited by UTA0218 within hours of public PoC.
- CVE-2025-0282 (Ivanti Connect Secure) — stack overflow, pre-auth RCE. Added to KEV before the vendor advisory was fully understood.
The pattern in Indian deployments is consistent: the firewall is at the edge, the management interface is bound to the management VLAN but reachable from the WAN by accident, and the firewall vendor’s pre-auth bug becomes a perimeter breach within hours of public disclosure. The mitigation is operational, not vulnerability-specific: bind the management plane to a single allowlisted IP, monitor for new TCP listeners on the WAN side, and subscribe to the KEV feed itself.
A detection script that catches the management-plane exposure regression (it keeps a rolling snapshot so tomorrow's run compares against today's):
```bash
# Snapshot the ports the edge firewall's INPUT chain accepts and diff against yesterday's snapshot
CACHE=/var/cache/sec
TODAY="$CACHE/edge-fw.ports.today"
YESTERDAY="$CACHE/edge-fw.ports.yesterday"
mkdir -p "$CACHE" && touch "$YESTERDAY"
ssh edge-fw "iptables -L INPUT -n | awk '/dpt:/{print \$NF}' | sort -u" > "$TODAY"
diff "$YESTERDAY" "$TODAY" | tee "/tmp/portdiff.$(date +%F).txt"
mv "$TODAY" "$YESTERDAY"   # rotate so tomorrow's run compares against today
# Anything in the output is a config drift to investigate this morning, not next quarter.
```
2. Backup software
Veeam, Veritas, Commvault all have KEV entries. The Veeam CVE-2024-40711 deserialisation bug — pre-auth RCE in Veeam Backup & Replication — went from KEV addition to documented use in Akira and Fog ransomware campaigns within three weeks. Commvault CVE-2025-3928 (Web Server SSRF, pre-auth) followed the same pattern.
Indian defenders consistently misclassify backup software as “internal” and skip its patch cycle. In a ransomware engagement we worked in late 2025, the initial foothold was a publicly reachable Veeam Console two CVEs behind. The attacker disabled backups before the ransomware payload fired, which is the standard playbook now. Treat backup software like internet-facing software, regardless of whether it actually faces the internet.
3. Public-facing file transfer products
MOVEit, GoAnywhere, Cleo, Citrix ShareFile. Clop ransomware built a whole business model around finding and weaponising bugs here:
- CVE-2023-34362 (MOVEit Transfer SQLi → RCE) — Clop hit 2,500+ orgs including BBC, Shell, multiple US federal agencies.
- CVE-2023-0669 (GoAnywhere MFT, pre-auth RCE) — Clop again, ~130 orgs claimed.
- CVE-2024-50623 (Cleo Harmony / VLTrader / LexiCom) — same pattern: pre-auth RCE in a niche file-transfer product, mass exploitation within days.
In Indian financial-services environments these products often sit in the DMZ for partner integrations and rarely get the patching attention of the websites in the same DMZ. KEV calls them out; Indian patch cycles ignore that signal. The fix is to inventory them explicitly — your “internet-facing assets” register should have a “managed file transfer” line item, separate from “web apps”, with its own owner and SLA.
4. Browser zero-days via embedded WebViews
| Surface | Why it gets missed |
|---|---|
| Chrome on desktop | Self-updating; patches usually within a week |
| Edge / Brave / Vivaldi | Tracks Chromium with a 2-7 day lag — operational gap |
| Android WebView | Patches through Play Store; many enterprise MDMs delay |
| Electron-based desktop apps | Vendor-bundled Chromium, often months behind |
CVE-2024-7971 was a V8 type-confusion exploited as a zero-day to install Citrine Sleet’s BadEntry malware. It landed in KEV the day after disclosure. The Chromium browser patches were quick. The Electron embeds were not — for example, Discord, Postman, and Slack all carry their own Chromium build, and the patch latency across the Electron ecosystem ranges from days (Postman) to months (smaller vendors). A quick audit:
```bash
# Extract the bundled Chromium version from an Electron app on macOS (-o prints only the match, not whole binary lines)
$ grep -aoE "Chrome/[0-9.]+" /Applications/Slack.app/Contents/Frameworks/*.framework/Versions/A/Electron\ Framework | head -1
# Chrome/126.0.6478.183
# Compare to current Chromium stable: chromiumdash.appspot.com
# If you are >30 days behind, you have a KEV-class exposure on every workstation.
```
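The same audit across every app in /Applications, as an added example that is not the article's own code. It reads the Electron Framework binary path (an assumption about the bundle layout), pulls the Chromium version out of the embedded user-agent string, and flags anything two or more major versions behind the stable version you pass in, since Chromium ships a new major roughly every four weeks and two majors is about the 30-day line the text uses. The sample blobs and the stable version are constructed; look the real stable number up on chromiumdash before running.

```python
"""Flag Electron apps whose bundled Chromium is well behind stable (added example, constructed data)."""
import glob
import os
import re
import sys

# Electron bundles Chromium here inside a macOS .app (assumed standard Electron layout)
FRAMEWORK_REL = "Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework"
CHROME_RE = re.compile(rb"Chrome/(\d+(?:\.\d+){3})")

# Constructed stand-ins for framework binaries; a real run reads the files above.
SAMPLE = {
    "Slack.app": b"\x00\x01Mozilla/5.0 (Macintosh) Chrome/126.0.6478.183 Safari/537.36\x00",
    "Postman.app": b"\x00Chrome/130.0.6723.59 Safari/537.36\x00",
    "NotElectron.app": b"\x7fELF no user-agent string in here",
}
# Assumed current Chromium stable at audit time; replace with the value from chromiumdash.
STABLE = (131, 0, 6778, 85)


def chromium_version(blob):
    """Return the embedded Chromium version as a tuple of ints, or None if no UA string is present."""
    m = CHROME_RE.search(blob)
    return tuple(int(p) for p in m.group(1).decode().split(".")) if m else None


def majors_behind(found, stable):
    """Major-version gap between the bundled build and stable (never negative)."""
    return max(stable[0] - found[0], 0)


def audit_blobs(blobs, stable, max_majors=1):
    """blobs: {app name: framework bytes}. Returns {app: (version string, majors behind, flagged)}."""
    report = {}
    for app, blob in blobs.items():
        found = chromium_version(blob)
        if found is None:
            report[app] = (None, None, False)  # not Electron, or UA string stripped
            continue
        behind = majors_behind(found, stable)
        report[app] = (".".join(map(str, found)), behind, behind > max_majors)
    return report


def scan_applications(stable, root="/Applications"):
    """Read every Electron framework binary under root and audit it."""
    blobs = {}
    for app in glob.glob(os.path.join(root, "*.app")):
        path = os.path.join(app, FRAMEWORK_REL)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                blobs[os.path.basename(app)] = f.read()
    return audit_blobs(blobs, stable)


if __name__ == "__main__":
    # Usage: python electron_audit.py 131.0.6778.85
    stable = tuple(int(p) for p in sys.argv[1].split(".")) if len(sys.argv) > 1 else STABLE
    for app, (ver, behind, flagged) in sorted(scan_applications(stable).items()):
        print(f"{'FLAG' if flagged else 'ok  '} {app:30} Chrome/{ver} ({behind} majors behind)")
```

Run it with the current stable version as the only argument; with no argument it falls back to the constructed STABLE tuple, so the output is only meaningful once that value is real.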
5. Pre-auth deserialisation in middleware
Apache Struts, Apache Tomcat manager, Spring Cloud Function, ColdFusion, Telerik UI. Every KEV entry in this category is a year-plus old by the time most Indian enterprises notice it sitting on an internal app. Examples:
- CVE-2024-53677 (Apache Struts 2 file upload → RCE) — exploitation within 7 days of patch.
- CVE-2023-22527 (Confluence template injection, pre-auth RCE) — mass scanned for; abandoned Confluence instances all over the Indian SaaS sector got popped.
- CVE-2022-26134 (Confluence OGNL injection) — same product, two years earlier, same lesson.
The pattern is that the asset register doesn’t know about a 2014 ColdFusion install on a forgotten subdomain; the EDR doesn’t run on that VM; the WAF doesn’t filter that hostname. Discovery is the unglamorous control here — a quarterly asset reconciliation against DNS, certificate transparency, and outbound netflow finds these long before an attacker’s KEV-driven scan does.
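The reconciliation described above, as an added example with constructed inputs rather than the article's own tooling: it takes the asset register, a crt.sh-style certificate transparency export, a BIND-style zone file and an outbound netflow summary, and reports the hostnames each source knows about that the register does not. The input formats, the zone name and the "src dst bytes" netflow layout are assumptions; wildcard certificate names are dropped because they name a zone, not an asset.

```python
"""Find hosts that CT, DNS or netflow see but the asset register does not (added example, constructed data)."""
import json

DOMAIN = "example.com"

# Constructed: what the asset register currently knows about
REGISTER = {"www.example.com", "api.example.com", "mft.example.com"}

# Constructed: crt.sh-style rows; name_value carries newline-separated SANs, sometimes wildcards
CT_JSON = json.dumps([
    {"name_value": "www.example.com\napi.example.com"},
    {"name_value": "*.example.com"},
    {"name_value": "cf-legacy.example.com"},
])

# Constructed: BIND-style zone lines (name, class, type, rdata)
ZONE = """\
www        IN A     203.0.113.10
api        IN A     203.0.113.11
cf-legacy  IN A     203.0.113.57
old-portal IN CNAME cf-legacy
"""

# Constructed: outbound netflow summary, one "src dst bytes" line per flow
NETFLOW = """\
203.0.113.57 198.51.100.9 48213
203.0.113.10 198.51.100.9 1200
"""


def ct_hosts(raw):
    """Hostnames named in CT entries, minus wildcards."""
    hosts = set()
    for row in json.loads(raw):
        for name in row["name_value"].split("\n"):
            name = name.strip().lower()
            if name and not name.startswith("*."):
                hosts.add(name)
    return hosts


def zone_hosts(raw, zone):
    """Every A/AAAA/CNAME owner name in the zone, fully qualified."""
    hosts = set()
    for line in raw.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] in ("A", "AAAA", "CNAME"):
            hosts.add(f"{parts[0]}.{zone}")
    return hosts


def zone_ips(raw, zone):
    """Map A-record addresses back to names so netflow sources can be named."""
    ips = {}
    for line in raw.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == "A":
            ips[parts[3]] = f"{parts[0]}.{zone}"
    return ips


def talking_hosts(raw, ip_to_host):
    """Hosts that appear as the source of outbound flows."""
    hosts = set()
    for line in raw.splitlines():
        parts = line.split()
        if parts and parts[0] in ip_to_host:
            hosts.add(ip_to_host[parts[0]])
    return hosts


def reconcile(register=REGISTER, ct=CT_JSON, zone=ZONE, flows=NETFLOW, domain=DOMAIN):
    """Return {source: sorted hosts seen by that source but missing from the register}."""
    observed = {
        "ct": ct_hosts(ct),
        "dns": zone_hosts(zone, domain),
        "netflow": talking_hosts(flows, zone_ips(zone, domain)),
    }
    return {source: sorted(hosts - register) for source, hosts in observed.items()}


if __name__ == "__main__":
    for source, missing in reconcile().items():
        print(f"{source:8} not in register: {', '.join(missing) or '-'}")
```

A host that shows up in all three columns (here the constructed cf-legacy) is the forgotten-subdomain case from the text: it has a certificate, a DNS record and outbound traffic, and nobody owns it.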
How to wire KEV into a patching programme
The KEV catalogue is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. A 30-line Python script wires this into your ticketing system:
```python
import json
import pathlib
import urllib.request

URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
STATE_FILE = pathlib.Path("/var/cache/sec/kev-seen.txt")

# Placeholder: feed this from your asset inventory's exposure field
INTERNET_FACING_PRODUCTS = {"Connect Secure", "MOVEit Transfer"}


def is_internet_facing(v):
    # Placeholder: the KEV entry cannot know your exposure; look the product up in your inventory
    return v["product"] in INTERNET_FACING_PRODUCTS


def create_ticket(title, severity, sla_days, body):
    # Replace with your ticketing client (Jira, Linear, ServiceNow)
    print(f"{severity} SLA={sla_days}d {title}")


seen = set(STATE_FILE.read_text().splitlines()) if STATE_FILE.exists() else set()
catalog = json.loads(urllib.request.urlopen(URL, timeout=15).read())
new = [v for v in catalog["vulnerabilities"] if v["cveID"] not in seen]
for v in new:
    create_ticket(
        title=f"[KEV] {v['cveID']} - {v['vendorProject']} {v['product']}",
        # knownRansomwareCampaignUse is the literal string "Known" or "Unknown" in the feed
        severity="P1" if v.get("knownRansomwareCampaignUse") == "Known" else "P2",
        sla_days=7 if is_internet_facing(v) else 30,
        body=v["shortDescription"] + "\n\n" + v.get("requiredAction", ""),
    )
    seen.add(v["cveID"])
STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
STATE_FILE.write_text("\n".join(sorted(seen)))
```
Run via cron daily. The first run will create ~1,000 tickets — that is the point. The backlog is your real KEV coverage gap. Triage by intersecting CVE → product → asset inventory. The unsatisfying number you will see in year one (typically 60-70% coverage) is the headline metric to drive up over time.
Augment KEV with EPSS for the long tail
KEV is binary — a CVE is in, or it is not. The Exploit Prediction Scoring System gives a 0-1 probability that any CVE will be exploited in the next 30 days. The two combine cleanly: KEV says “patch now, no debate”; EPSS gives you the ordering for everything below the KEV floor. A patching SLA matrix that uses both:
| Signal | SLA (internet-facing) | SLA (internal) |
|---|---|---|
| In KEV | 7 days | 30 days |
| EPSS > 0.7 and not in KEV | 14 days | 45 days |
| EPSS 0.2 – 0.7 | 30 days | 90 days |
| EPSS < 0.2 | Next quarterly patch window | Next quarterly patch window |
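The triage step from the previous section (CVE → product → asset inventory) and the SLA matrix above, carried through in one script as an added example that is not the article's own code. The KEV rows use the catalogue's real field names but constructed content, the EPSS scores and asset inventory are constructed, product-name substring matching stands in for the CPE matching a real inventory would do, and the P3 label for non-KEV tickets is an assumption. It also computes the year-one coverage number the text describes: the share of applicable KEV CVEs already remediated on every affected asset.

```python
"""KEV + EPSS triage against an asset inventory (added example, constructed data)."""

# Constructed KEV entries, using the catalogue's own field names
KEV = [
    {"cveID": "CVE-2024-40711", "vendorProject": "Veeam", "product": "Backup & Replication",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-53677", "vendorProject": "Apache", "product": "Struts",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed EPSS scores: probability of exploitation in the next 30 days
EPSS = {"CVE-2024-40711": 0.94, "CVE-2023-34362": 0.97, "CVE-2024-53677": 0.45,
        "CVE-2099-0001": 0.81, "CVE-2099-0002": 0.03}

# Constructed asset inventory: product string, exposure, CVEs already remediated on that host
ASSETS = [
    {"host": "bkp01", "product": "Veeam Backup & Replication 12", "internet_facing": True, "patched": set()},
    {"host": "mft01", "product": "Progress MOVEit Transfer", "internet_facing": True, "patched": {"CVE-2023-34362"}},
    {"host": "app07", "product": "Apache Struts 2.5", "internet_facing": False, "patched": set()},
    {"host": "lib02", "product": "Hypothetical Library Service", "internet_facing": False, "patched": set()},
]

# Constructed non-KEV CVEs (placeholder ids) mapped to the host they affect
NON_KEV = {"CVE-2099-0001": "lib02", "CVE-2099-0002": "app07"}


def sla_days(in_kev, epss, internet_facing):
    """The SLA matrix. None means 'next quarterly patch window'. 0.2 and 0.7 fall in the middle band."""
    if in_kev:
        return 7 if internet_facing else 30
    if epss > 0.7:
        return 14 if internet_facing else 45
    if epss >= 0.2:
        return 30 if internet_facing else 90
    return None


def affected_assets(entry, assets):
    """Map a KEV entry to assets by product name (substring heuristic; a real inventory keys on CPE)."""
    needle = entry["product"].lower()
    return [a for a in assets if needle in a["product"].lower()]


def triage(kev=KEV, epss=EPSS, assets=ASSETS, non_kev=NON_KEV):
    """One ticket per (CVE, host) still needing remediation, ordered by SLA, quarterly items last."""
    tickets = []
    for entry in kev:
        for a in affected_assets(entry, assets):
            if entry["cveID"] in a["patched"]:
                continue
            tickets.append({
                "cve": entry["cveID"], "host": a["host"],
                "severity": "P1" if entry.get("knownRansomwareCampaignUse") == "Known" else "P2",
                "sla_days": sla_days(True, epss.get(entry["cveID"], 0.0), a["internet_facing"]),
            })
    by_host = {a["host"]: a for a in assets}
    for cve, host in non_kev.items():
        a = by_host[host]
        if cve in a["patched"]:
            continue
        tickets.append({"cve": cve, "host": host, "severity": "P3",  # assumed label for the long tail
                        "sla_days": sla_days(False, epss.get(cve, 0.0), a["internet_facing"])})
    return sorted(tickets, key=lambda t: (t["sla_days"] is None, t["sla_days"] or 0))


def kev_coverage(kev=KEV, assets=ASSETS):
    """Share of applicable KEV CVEs already remediated on every affected asset (the year-one metric)."""
    applicable = [e for e in kev if affected_assets(e, assets)]
    done = [e for e in applicable if all(e["cveID"] in a["patched"] for a in affected_assets(e, assets))]
    return len(done) / len(applicable) if applicable else 1.0


if __name__ == "__main__":
    for t in triage():
        due = f"{t['sla_days']}d" if t["sla_days"] is not None else "quarterly"
        print(f"{t['severity']} {due:>9} {t['cve']} on {t['host']}")
    print(f"KEV coverage: {kev_coverage():.0%}")
```

With the constructed inventory the coverage comes out at one in three: MOVEit is patched, Veeam and Struts are not, and the remediated MOVEit entry produces no ticket at all, which is how the backlog shrinks as the number is driven up.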
References
- RingSafe Academy track: Cyber Threat Intelligence
- RingSafe Academy track: Blue Team / SOC Operations
- CISA KEV catalogue (JSON): cisa.gov/known-exploited-vulnerabilities-catalog
- FIRST EPSS scoring: first.org/epss