Bob Young@fifonetworks@infosec.exchange
Knowing your KEVs is way more important than knowing your CVEs.
CVEs – Common Vulnerabilities and Exposures. Anyone who has ever taken a beginner’s course in cybersecurity should be familiar with the CVE list. If a vulnerability is verified, a CVE Numbering Authority (CNA) assigns it a number, like CVE-2025-49706. The repository for this information is cve dot org.
KEVs – Known Exploited Vulnerabilities. This list is maintained by CISA. The KEV catalog is a shorter list. It contains the CVEs that are known to have been “exploited in the wild.” (cisa dot gov / known-exploited-vulnerabilities-catalog).
The difference is important because some vulnerabilities identified in the CVE list are real enough, but they’re difficult to exploit at scale. A cybercriminal reads the latest CVE list and says, “Forget that one – that takes too much effort.” The cybercriminal reads another item on the list and says, “Oh, wow, I can do that with my existing tools!”
When you’re prioritizing your work, knowing the KEVs is a helpful guide.
Here’s a picture of the 14 SonicWall entries in the KEV catalog, as of August 11. Bigger organizations have more entries. Microsoft, for example, has 338 KEVs.
You shouldn’t ignore any CVE Record. Comparing the CVEs against the KEVs is a tool for prioritizing your work, not an excuse for neglect.
One last thing: before you comment that “there are automated tools for this,” keep in mind that in the USA 99.9% of all businesses employ fewer than 500 employees. In fact, the average number of employees for all US businesses is 10.5 (source: Statista). Most of these businesses are not paying for automated tools. If anyone at all is looking out for their cybersecurity, it means visiting the CVE and KEV source websites regularly and checking the new entries. Some of the bigger vulnerabilities make it into the news, but not all of them. You have to do the work and look. If your hardware and software inventories are up to date, you can sort by vendor and easily see if there are new entries that are relevant.
#CallMeIfYouNeedMe #FIFONetworks
#cybersecurity #CVE KEV #SmallBusiness