Blog

CISA Adds Five ‘New’ Exploits to KEV Catalog, Including 2014’s Heartbleed Vulnerability

On May 4, 2022, CISA added five new entries to the Known Exploited Vulnerabilities Catalog, including the infamous Heartbleed vulnerability.

On May 4, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added five “new” vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog. Three of the entries were originally disclosed in 2014, including the infamous Heartbleed vulnerability (CVE-2014-0160).

CISA adds the Heartbleed vulnerability

Before Log4Shell, there was Heartbleed, a third-party library vulnerability that still poses a challenge to organizations: five years since its discovery, it was the third-most exploited issue. Now with its inclusion in the Known Exploited Vulnerabilities Catalog, it seems that security teams will have to triage their systems once again. However, determining which IoT, ICS, or other devices may be vulnerable may prove difficult.

Organizations have only three weeks to remediate

The other most recent vulnerability exploits that CISA has added are CVE-2021-1789 and CVE-2019-8506.

Initially starting off as a zero-day vulnerability, CVE-2021-1789 first captured headlines in 2021, and then again at the start of this year after reportedly being used against pro-democracy Hong Kong residents.

Although there is little in the way of publicly disclosed active exploitation for these two issues, CISA still has given Federal Civilian Executive Branch (FCEB) agencies only three weeks to remediate all of the issues added on May 4th. As such, organizations should assume that threat actors still keep them in their repertoire and should proceed accordingly.

Remediate effectively with Flashpoint

In order to remediate risk effectively, organizations need the full vulnerability intelligence picture. And when it comes to classic issues like Heartbleed, security teams can easily become overwhelmed with the information out there. Sign up for a free VulnDB trial to get all known details for Heartbleed, as well as every other issue identified in the KEV Catalog.