04 | TOP KEVS
Manufacturing's Active Threats: Vulnerabilities from the CISA KEV Catalog
The CISA Known Exploited Vulnerabilities (KEV) Catalog is a critical resource for prioritizing vulnerabilities that have been actively exploited by threat actors.
Based on the results of our current scans, we found that out of 1,042 manufacturing companies, 674 (65%) have at least one vulnerability listed in the KEV catalog.
This analysis revealed a total of 102 unique CVEs across these companies, 17 of which are known to have been used in ransomware campaigns. The remaining 85 vulnerabilities are also known to be actively exploited in the wild but have not yet been publicly linked to a specific ransomware campaign. They could be used in other types of cyberattacks or be picked up by a new ransomware group at any time.
- Known Ransomware Use: 17 vulnerabilities
- Unknown Ransomware Use: 85 vulnerabilities

674 (65%) of 1,042 manufacturing companies have at least one vulnerability listed in the KEV catalog.
Top vendors by the number of listed vulnerabilities:
- Microsoft Windows: 29 vulnerabilities
- Ivanti: 4 vulnerabilities
- Fortinet: 5 vulnerabilities
- Tied with 4 vulnerabilities each: SAP | Oracle | Synacor | Adobe | Roundcube
Top products by the number of listed vulnerabilities:
- Microsoft: 16 vulnerabilities
- Tied with 7 vulnerabilities each: Flash Player | Webmail
- Tied with 3 vulnerabilities each: NetWeaver | Connect Secure, Policy Secure and ZTA Gateways | WebLogic Server
Common Vulnerability Types
The most common types of vulnerabilities found in the KEV catalog for this analysis include Information Disclosure (6 instances), as well as Authentication Bypass and Cross-Site Scripting (XSS), each with 4 instances. Other frequently found vulnerabilities include Privilege Escalation, Use-After-Free, and Deserialization.
- Information Disclosure: 6 instances
- Authentication Bypass: 4 instances
- Cross-Site Scripting (XSS): 4 instances
- Privilege Escalation: 3 instances
- Heap-Based Buffer Overflow: 3 instances
- Use-After-Free: 3 instances
- Deserialization: 3 instances
- Spoofing: 3 instances
- Path Traversal: 3 instances
- Tied with 2 instances each: Buffer Overflow | Improper Input Validation | Command Injection | Improper Neutralization | Server-Side Request Forgery (SSRF) | Unspecified Vulnerability | Code Injection
Vulnerabilities by Ransomware Campaign Use
The data shows that several of these vulnerabilities have been exploited by well-known ransomware groups. For instance, CVE-2023-4966 and CVE-2023-3519 have been used by LockBit and ALPHV, while CVE-2021-34473 has been exploited by multiple groups, including Babuk, Hive, and Conti. It is also worth noting that Advanced Persistent Threat (APT) groups have used some of these same CVEs, such as CVE-2021-26855 and CVE-2021-27065.
View the full list of CVEs by Ransomware Campaign Use (PDF).
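The prioritization the KEV catalog supports, and the Known/Unknown ransomware split used throughout this section, can be reproduced directly from CISA's public JSON feed. The following is an added example and not Black Kite's code: it indexes a KEV feed by CVE ID, sorts a scanner's findings into KEV-listed (by `knownRansomwareCampaignUse`) and non-KEV, and rolls the result up per company the way the headline figures above are stated. The feed excerpt and the scan findings are constructed for offline use; only the CVE IDs attributed to ransomware groups above come from the report, the `CVE-2024-0000x` entries are placeholders, and the vendor/product strings are illustrative.

```python
"""Triage vulnerability-scan findings against the CISA KEV catalog.

Added example, not part of the report. The real feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and each entry carries `cveID`, `vendorProject`, `product` and
`knownRansomwareCampaignUse` ("Known" or "Unknown"), among other fields.
"""
from __future__ import annotations

import json
from collections import Counter

# Constructed excerpt in the shape of the real KEV feed. The CVE-2024-0000x
# IDs are placeholders, not real catalog entries; vendor/product strings are
# illustrative.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-3519", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft",
         "product": "Exchange Server", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft",
         "product": "Exchange Server", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-00000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scan output: company -> CVE IDs the scanner reported (mixed case,
# duplicates, and CVEs that are not in KEV are all realistic and handled).
SAMPLE_FINDINGS = {
    "acme-metals": ["cve-2023-4966", "CVE-2021-34473", "CVE-2020-99999", "CVE-2023-4966"],
    "bolt-works": ["CVE-2024-00000", "CVE-2024-00001"],
    "clean-corp": ["CVE-2020-99999"],
}


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index a KEV feed by normalised CVE ID for O(1) lookups."""
    feed = json.loads(feed_json)
    return {v["cveID"].strip().upper(): v for v in feed["vulnerabilities"]}


def triage(findings, kev_index: dict[str, dict]) -> dict[str, list[str]]:
    """Split one scan's CVE IDs into the three buckets the report uses.

    Known ransomware use is the top of the queue; other KEV entries are still
    actively exploited and come next; everything else falls to normal SLA.
    """
    buckets = {"known_ransomware": [], "unknown_ransomware": [], "not_in_kev": []}
    for cve in sorted({c.strip().upper() for c in findings}):   # dedupe + normalise
        entry = kev_index.get(cve)
        if entry is None:
            buckets["not_in_kev"].append(cve)
        elif entry.get("knownRansomwareCampaignUse") == "Known":
            buckets["known_ransomware"].append(cve)
        else:
            buckets["unknown_ransomware"].append(cve)
    return buckets


def vendor_counts(cves, kev_index: dict[str, dict]) -> Counter:
    """Count KEV-listed CVEs per vendorProject (the 'top vendors' view)."""
    return Counter(kev_index[c]["vendorProject"] for c in cves if c in kev_index)


def fleet_summary(company_findings: dict[str, list[str]], kev_index: dict[str, dict]) -> dict[str, int]:
    """Headline numbers across a set of companies: how many have at least one
    KEV-listed CVE, how many unique KEV CVEs appear, and the Known/Unknown split."""
    exposed = 0
    unique_kev: set[str] = set()
    for findings in company_findings.values():
        t = triage(findings, kev_index)
        hits = t["known_ransomware"] + t["unknown_ransomware"]
        if hits:
            exposed += 1
            unique_kev.update(hits)
    known = sum(1 for c in unique_kev if kev_index[c]["knownRansomwareCampaignUse"] == "Known")
    return {
        "companies": len(company_findings),
        "exposed": exposed,
        "unique_kev_cves": len(unique_kev),
        "known_ransomware": known,
        "unknown_ransomware": len(unique_kev) - known,
    }


if __name__ == "__main__":
    idx = load_kev(SAMPLE_KEV_FEED)
    for company, findings in SAMPLE_FINDINGS.items():
        print(company, triage(findings, idx))
    print(fleet_summary(SAMPLE_FINDINGS, idx))
```

Swap `SAMPLE_KEV_FEED` for the downloaded feed and `SAMPLE_FINDINGS` for your scanner export and the same three functions give the per-vendor and per-company views shown in this section; the `knownRansomwareCampaignUse` field is what separates the 17 from the 85 above.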
Which of Your Suppliers Are Ransomware Groups Interested In?
To stay ahead of the next wave of attacks, cybersecurity leaders must know what ransomware groups are thinking.
Black Kite’s Adversary Susceptibility Index (ASI) maps threat actors to your vendor ecosystem by factoring in their confirmed targeting patterns, preferred industries, and geographical focus, and gives you more detail on each threat actor’s Tactics, Techniques, and Procedures (TTPs). This lets you see which of your vendors are most exposed to specific threat actors and act before the next campaign hits.