The Cybersecurity and Infrastructure Security Agency (CISA) has significantly expanded its Known Exploited Vulnerabilities (KEV) Catalog this week, adding seven critical security flaws that threat actors are actively exploiting in the wild. This latest update represents a concerning mix of decade-old legacy vulnerabilities alongside newly discovered critical remote code execution flaws in enterprise software, highlighting the persistent cybersecurity challenges facing organizations today.

Understanding CISA's KEV Catalog Expansion

The KEV Catalog serves as CISA's authoritative list of vulnerabilities that have confirmed evidence of active exploitation. Federal agencies are required to patch these vulnerabilities within strict timelines, but the catalog also serves as critical guidance for private sector organizations worldwide. This week's additions bring the total number of tracked exploited vulnerabilities to over 1,100, demonstrating the scale of the ongoing cybersecurity threat landscape.

According to CISA's binding operational directive, federal agencies must remediate these newly added vulnerabilities within specific timeframes—typically 30 days for most flaws and 15 days for critical remote code execution vulnerabilities. Private sector organizations are strongly encouraged to follow similar timelines to protect their networks from compromise.

The Seven New Vulnerabilities: Technical Breakdown

Legacy Browser and Windows Flaws

Among the newly added vulnerabilities are several legacy flaws dating back over a decade, including critical issues in Internet Explorer and Windows components that many organizations may have considered resolved years ago. These include:

  • CVE-2013-1347: A critical remote code execution vulnerability in Internet Explorer that allows attackers to execute arbitrary code when users visit malicious websites
  • CVE-2013-3881: A Windows kernel vulnerability that enables privilege escalation attacks
  • CVE-2014-0322: Another Internet Explorer flaw that bypasses security protections through specially crafted web content

These legacy vulnerabilities demonstrate how threat actors continue to weaponize older flaws that organizations may have deprioritized in their patch management programs. The persistence of these exploits in attacker toolkits underscores the importance of comprehensive vulnerability management that addresses both current and historical security gaps.

Oracle E-Business Suite Critical Flaws

The most concerning additions to the KEV catalog involve two critical remote code execution vulnerabilities in Oracle E-Business Suite (EBS):

  • CVE-2022-21587: A critical vulnerability with a CVSS score of 9.8 that allows unauthenticated attackers to achieve remote code execution without user interaction
  • CVE-2022-21589: Another high-severity flaw in Oracle EBS that enables attackers to compromise the integrity and availability of affected systems

These Oracle EBS vulnerabilities are particularly dangerous because they affect widely used enterprise resource planning systems that often contain sensitive financial, HR, and operational data. The fact that these vulnerabilities are now confirmed as actively exploited means organizations running Oracle EBS must treat patching as an immediate priority.

Why Legacy Vulnerabilities Remain Dangerous

The inclusion of decade-old vulnerabilities in this week's KEV update reveals several critical insights about modern cybersecurity threats:

Persistent Attack Vectors

Many organizations maintain legacy systems or applications that cannot be easily updated, creating persistent attack surfaces that threat actors continue to target. Additionally, some organizations may have incomplete patch deployment records, leaving systems vulnerable to flaws they believed were resolved years ago.

Attack Chain Composition

Advanced threat actors often combine multiple vulnerabilities in attack chains, using older, well-documented flaws to achieve initial access before moving to more sophisticated exploitation techniques. The presence of these legacy vulnerabilities in active exploitation suggests they're being used as reliable entry points in multi-stage attacks.

Security Tool Gaps

Some legacy vulnerabilities may not be adequately detected by modern security tools, particularly if organizations have shifted their focus to newer threats. This creates blind spots that attackers can exploit with relative ease.

Oracle EBS Vulnerabilities: Enterprise Impact

The Oracle E-Business Suite vulnerabilities represent a significant threat to enterprise security for several reasons:

Widespread Deployment

Oracle EBS is used by thousands of organizations worldwide across multiple industries, including finance, healthcare, manufacturing, and government. The software typically manages critical business processes and contains highly sensitive data, making successful exploitation particularly damaging.

Attack Sophistication

The remote code execution capabilities of these vulnerabilities mean attackers can potentially gain complete control over affected systems without requiring user interaction or authentication. This makes them ideal for large-scale, automated attacks.

Data Breach Risks

Successful exploitation could lead to massive data breaches, financial fraud, operational disruption, and compliance violations. Organizations in regulated industries face particular risks from these vulnerabilities.

Immediate Patching Priorities

Organizations should immediately prioritize patching the Oracle EBS vulnerabilities (CVE-2022-21587 and CVE-2022-21589) due to their critical severity and active exploitation status. Oracle has released security updates addressing these flaws, and organizations should deploy them without delay.

Legacy Vulnerability Management

For the older vulnerabilities added to the KEV catalog, organizations should:

  • Conduct comprehensive asset inventories to identify systems that may still be vulnerable
  • Implement compensating controls where immediate patching isn't feasible
  • Review and update patch management policies to ensure legacy systems receive appropriate security attention
  • Consider network segmentation to isolate systems that cannot be immediately updated

Defense-in-Depth Approach

Beyond immediate patching, organizations should implement multiple layers of security controls:

  • Application whitelisting to prevent execution of unauthorized code
  • Network monitoring to detect exploitation attempts
  • Endpoint detection and response (EDR) solutions to identify compromise indicators
  • Regular vulnerability scanning to identify unpatched systems
  • Security awareness training to help users recognize social engineering attempts

This KEV catalog update reflects several broader trends in cybersecurity:

Software Supply Chain Risks

The inclusion of enterprise software like Oracle EBS highlights growing concerns about software supply chain security. Organizations must extend their vulnerability management programs to include third-party and enterprise applications, not just operating systems and browsers.

Attacker Persistence

The continued exploitation of decade-old vulnerabilities demonstrates that attackers will use whatever tools work, regardless of age. This challenges the common assumption that newer vulnerabilities pose the greatest risk.

Regulatory Pressure

CISA's expanding KEV catalog and associated binding directives reflect increasing government focus on cybersecurity accountability. Organizations should expect similar requirements to emerge in private sector regulations and insurance requirements.

Looking Ahead: Proactive Security Measures

As the threat landscape continues to evolve, organizations should consider several proactive measures:

Automated Patch Management

Implement automated patch management solutions that can quickly deploy critical updates across enterprise environments. Manual patching processes often cannot keep pace with the volume of security updates required.

Threat Intelligence Integration

Integrate threat intelligence feeds, including CISA's KEV catalog, into security operations to prioritize vulnerabilities based on actual exploitation activity rather than just severity scores.

Zero Trust Architecture

Adopt zero trust principles that assume breach and verify explicitly, reducing the impact of successful vulnerability exploitation through micro-segmentation and least-privilege access.

Regular Security Assessments

Conduct regular penetration testing and red team exercises to identify security gaps before attackers can exploit them, with particular focus on legacy systems and critical business applications.

Conclusion: The Urgency of Comprehensive Vulnerability Management

This week's KEV catalog update serves as a stark reminder that vulnerability management requires constant vigilance and comprehensive coverage. The combination of newly discovered critical flaws in enterprise software alongside persistently exploited legacy vulnerabilities creates a complex defense challenge that demands both immediate action and strategic planning.

Organizations that treat CISA's KEV catalog as a mandatory patching list rather than a recommended guideline will be better positioned to defend against evolving threats. The time to act on these seven vulnerabilities is now—before they become entry points for damaging cyber incidents that could have been prevented through timely security maintenance.

As CISA continues to expand and update the KEV catalog, organizations should establish processes to automatically incorporate these updates into their vulnerability management programs, ensuring they remain protected against the vulnerabilities that matter most in today's threat landscape.