# The VulnCheck 2022 Exploited Vulnerability Report - Missing CISA KEV Catalog Entries

vulncheck.com/blog/2022-missing-kev-report

March 9, 2023, Jacob Baines

_The data in this report was generated on March 2, 2023. Any additions to the CISA KEV Catalog after that date are not reflected in this report._

In [last week's blog](https://vulncheck.com/blog/2022-cisa-kev-review), we looked at the vulnerabilities the Cybersecurity and Infrastructure Security Agency (CISA) added to the Known Exploited Vulnerabilities (KEV) Catalog in 2022. In that report, we mentioned that CISA missed some actively exploited vulnerabilities that had been assigned CVEs in 2022. The KEV Catalog is the driving force for vulnerability management in the US federal civilian executive branch, and many private companies have adopted it as the de facto standard. As such, excluding any exploited-in-the-wild vulnerability is a big deal with potentially far-reaching effects. This blog shares 42 likely exploited-in-the-wild vulnerabilities that were assigned CVEs in 2022 and have not been included in the KEV Catalog.

## Key Takeaways

- VulnCheck identified 42 vulnerabilities that were assigned CVEs in 2022 and were reported to have been, or likely to have been, exploited in the wild, yet were not added to the CISA KEV Catalog.
- Of the 42 CVEs, an overwhelming majority are related to botnets (64%). However, there are also a number of ransomware (10%) and threat actor (12%) attributions.
- Some missing vulnerabilities, specifically CVE-2016-20016, have been exploited in the wild since 2017 and still have thousands of potential targets online.
- 76.2% of the missing vulnerabilities are initial access vulnerabilities, which VulnCheck recommends prioritizing.
- The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry. Still, as long as it is missing actively exploited vulnerabilities, it cannot be treated as the authoritative catalog of exploited vulnerabilities.
## The Missing Vulnerabilities

Using publicly available reporting, VulnCheck identified 42 vulnerabilities that were assigned CVEs in 2022 and were reported to have been, or likely to have been, exploited in the wild. The exploited-in-the-wild sources include a variety of world-class security organizations, including Talos, ESET Research, Avast, FortiGuard Labs, Rapid7, and more.

The public reporting often tells us who was doing the exploitation: ransomware, botnets, threat actors, etc. The "who" is essential, as it can change the criticality of a vulnerability. A vulnerability exploited by ransomware is much more concerning than a vulnerability exploited by a Mirai botnet. VulnCheck breaks down the "who" into four general "attacker-type" categories:

1. Botnets (e.g. [Mirai](https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai), [Zerobot](https://malpedia.caad.fkie.fraunhofer.de/details/elf.zerobot), etc.)
2. Ransomware (e.g. [Clop](https://malpedia.caad.fkie.fraunhofer.de/details/win.clop))
3. Threat Actors (e.g. [APT32](https://malpedia.caad.fkie.fraunhofer.de/actor/apt32))
4. Unattributed (a source notes exploitation in the wild but does not provide any attribution information)

The following table contains all 42 vulnerabilities, the reported attacker type, and the publicly available source indicating likely exploitation in the wild.
| CVE-ID | VulnCheck Attacker-Type | Exploited Source |
|---|---|---|
| CVE-2022-45359 | Unattributed | [Wordfence](https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/) |
| CVE-2022-45045 | Botnet | [VulnCheck](https://nvd.nist.gov/vuln/detail/CVE-2022-45045), [360 Netlab](https://blog.netlab.360.com/the-botnet-cluster-on-185-244-25-0-24-en/) |
| CVE-2022-39197 | Threat Actor | [360](https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_APT_Annual_Research_Report_2022.pdf) |
| CVE-2022-37061 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities), [360 Netlab](https://blog.netlab.360.com/new-ddos-botnet-wszeor/) |
| CVE-2022-35914 | Unattributed | [FR-CERT](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-001.pdf), [Unit 42](https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/) |
| CVE-2022-35526 | Botnet | [FortiGuard Labs (see Unknown 2)](https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai) |
| CVE-2022-34721 | Threat Actor | [CYFIRMA](https://www.cyfirma.com/blogs/windows-internet-key-exchange-ike-remote-code-execution-vulnerability-analysis/) |
| CVE-2022-34538 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities), [360 Netlab](https://blog.netlab.360.com/new-ddos-botnet-wszeor/) |
| CVE-2022-31499 | Unattributed | [Unit 42](https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/) |
| CVE-2022-31199 | Ransomware | [Talos](https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/) |
| CVE-2022-28810 | Threat Actor | [ESET Research](https://www.welivesecurity.com/wp-content/uploads/2022/11/eset_apt_activity_report_t22022.pdf), [Rapid7](https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/) |
| CVE-2022-27510 | Ransomware | [At-Bay](https://www.at-bay.com/articles/likely-first-exploit-citrix-vulnerability/) |
| CVE-2022-27226 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet) |
| CVE-2022-26809 | Ransomware | [Group-IB](https://www.group-ib.com/resources/research-hub/hi-tech-crime-trends-2022/) |
| CVE-2022-26504 | Ransomware | [Cloudsek](https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication) |
| CVE-2022-26210 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign), [Unit 42](https://blog.netlab.360.com/new-ddos-botnet-wszeor/) |
| CVE-2022-26186 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign), [Unit 42](https://blog.netlab.360.com/new-ddos-botnet-wszeor/) |
| CVE-2022-25084 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25083 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25082 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25081 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25080 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25079 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25078 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25077 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25076 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2022-25075 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign), [Alien Labs](https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers), [Unit 42](https://blog.netlab.360.com/new-ddos-botnet-wszeor/) |
| CVE-2022-24934 | Threat Actor | [Avast](https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/) |
| CVE-2022-2486 | Unattributed | [Threat Actor](https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/) |
| CVE-2022-24500 | Ransomware | [Group-IB](https://www.group-ib.com/resources/research-hub/hi-tech-crime-trends-2022/) |
| CVE-2022-23714 | Ransomware | [Group-IB](https://www.group-ib.com/resources/research-hub/hi-tech-crime-trends-2022/) |
| CVE-2022-2003 | Botnet | [Dragos](https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/) |
| CVE-2022-0456 | Threat Actor | [Group-IB](https://www.group-ib.com/resources/research-hub/hi-tech-crime-trends-2022/) |
| CVE-2021-46850 | Botnet | [Talos (see VestaCP)](https://blog.talosintelligence.com/necro-python-bot-adds-new-tricks/) |
| CVE-2021-46422 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities), [360 Netlab](https://blog.netlab.360.com/new-ddos-botnet-wszeor/) |
| CVE-2021-41506 | Botnet | [Trend Micro](https://www.trendmicro.com/en_us/research/19/g/keeping-a-hidden-identity-mirai-ccs-in-tor-network.html) |
| CVE-2021-4045 | Botnet | [FortiGuard Labs](https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign) |
| CVE-2021-4039 | Botnet | [Alien Labs](https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers) |
| CVE-2021-31805 | Botnet | [360 Netlab](https://blog.netlab.360.com/public-cloud-threat-intelligence-202204/) |
| CVE-2017-20149 | Botnet | [360 Netlab](https://blog.netlab.360.com/quick-summary-port-8291-scan-en/), [NDSS Symposium](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_02B-3_Herwig_paper.pdf) |
| CVE-2016-20017 | Botnet | [360 Netlab](https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/), [ESET Research](https://www.welivesecurity.com/wp-content/uploads/2022/10/eset_threat_report_t22022.pdf) |
| CVE-2016-20016 | Botnet | [Trend Micro](https://www.trendmicro.com/en_us/research/20/g/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173.html), [ESET Research](https://www.welivesecurity.com/wp-content/uploads/2022/10/eset_threat_report_t22022.pdf) |

## Botnets

Looking over the table, it is probably obvious that an overwhelming majority of the vulnerabilities are related to botnets (64%). However, there are also a number of ransomware (10%) and threat actor (12%) attributions.

_Chart: Attacker-Type of Exploited Vulnerabilities Assigned CVE in 2022 Missing From CISA KEV_

The high rate of botnet-exploited vulnerabilities is interesting. Mirai-like botnets are well-known for flinging exploits all over the internet. That behavior is quickly picked up by honeypots and intelligence-sharing organizations like Unit 42, 360 Netlab, and FortiGuard Labs. Given that high volume, botnet vulnerabilities should be some of the easiest to classify as exploited in the wild.
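As an added example (not VulnCheck's code) of the cross-check this report describes, the script below compares a table of exploited-in-the-wild CVEs with a snapshot of the CISA KEV JSON feed, keeps only the CVEs assigned in 2022 that the catalog lacked as of the report's March 2, 2023 cutoff, and computes the attacker-type breakdown. The feed shape (a `vulnerabilities` array whose entries carry `cveID` and `dateAdded`) is that of the public CISA feed; the catalog entries, the `assigned` years and the rows are constructed sample data, and CVE-2022-99999 is a placeholder ID.

```python
import json
from collections import Counter

# Constructed snapshot in the shape of CISA's known_exploited_vulnerabilities.json
# feed: a top-level "vulnerabilities" array whose entries carry "cveID" and an ISO
# "dateAdded". The entries are sample data; CVE-2022-99999 is a placeholder ID.
KEV_SNAPSHOT = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-40539", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2022-99999", "dateAdded": "2023-03-05"},
    ]
})

# Constructed rows in the shape of the report's table. "assigned" is the year the
# CVE was actually assigned; the year in the ID is not reliable, since MITRE
# back-dates IDs (the report notes CVE-2016-20016 was only assigned in 2022).
REPORT_ROWS = [
    {"cve": "CVE-2022-28810", "type": "Threat Actor", "source": "Rapid7", "assigned": 2022},
    {"cve": "CVE-2022-31199", "type": "Ransomware", "source": "Talos", "assigned": 2022},
    {"cve": "CVE-2016-20016", "type": "Botnet", "source": "ESET Research", "assigned": 2022},
    {"cve": "CVE-2022-45045", "type": "Botnet", "source": "360 Netlab", "assigned": 2022},
    {"cve": "CVE-2021-40539", "type": "Threat Actor", "source": "CISA", "assigned": 2021},
    {"cve": "CVE-2022-99999", "type": "Botnet", "source": "placeholder", "assigned": 2022},
]


def kev_ids_as_of(kev_json: str, cutoff: str) -> set[str]:
    """CVE IDs present in the KEV feed on or before `cutoff` (YYYY-MM-DD).

    ISO dates compare correctly as strings, so this reproduces the catalog as
    it stood on a given day even when run against a later download.
    """
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]
            if v["dateAdded"] <= cutoff}


def missing_from_kev(rows, kev_ids, year):
    """Rows assigned a CVE in `year` that have no KEV entry, in table order."""
    return [r for r in rows if r["assigned"] == year and r["cve"] not in kev_ids]


def attacker_type_breakdown(rows) -> dict[str, float]:
    """Percentage of rows per attacker type, rounded to one decimal place."""
    counts = Counter(r["type"] for r in rows)
    total = sum(counts.values())
    return {t: round(100 * n / total, 1) for t, n in counts.items()} if total else {}


if __name__ == "__main__":
    # The report's data was generated on March 2, 2023; later KEV additions
    # (here the placeholder added on March 5) are deliberately not counted.
    kev = kev_ids_as_of(KEV_SNAPSHOT, "2023-03-02")
    missing = missing_from_kev(REPORT_ROWS, kev, 2022)
    for r in missing:
        print(f"{r['cve']:<15} {r['type']:<13} {r['source']}")
    print(attacker_type_breakdown(missing))
```

Against a real download of the feed, the cutoff argument is what makes a re-run comparable with the report's March 2 snapshot.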
For example, one of the 42 vulnerabilities missing from the CISA KEV Catalog is CVE-2016-20016 (aka [EDB-41471](https://www.exploit-db.com/exploits/41471)). This vulnerability, which finally received a CVE in 2022, has been exploited in the wild for years and still has [thousands of potential targets online](https://www.shodan.io/search?query=html%3A%22id%3D%5C%22dvr_usr%5C%22%22). It has had a Metasploit module since 2017 and is routinely one of the most widely attempted exploit targets on both [ShadowServer](https://dashboard.shadowserver.org/statistics/honeypot/monitoring/vulnerability/?category=monitoring&statistic=unique_ips) and [GreyNoise](https://viz.greynoise.io/trends?view=active). The NVD entry even notes "exploited in the wild in 2017 through 2022." It is obvious this vulnerability belongs in the KEV Catalog.

## Vulnerability Classification and Exploits

Last week, we analyzed the types of vulnerabilities that were added to KEV in 2022. We found that about ⅓ of the vulnerabilities are Initial Access, ⅓ are Client Side, and the remaining ⅓ fall into the other five vulnerability types that VulnCheck assigns. However, the 42 missing vulnerabilities do not match that pattern, likely due to the healthy helping of botnet-exploited vulnerabilities.

_Chart: Missing Exploited Vulnerabilities Classification_

At VulnCheck, we are very interested in [initial access vulnerabilities](https://vulncheck.com/product/initial-access-intelligence) specifically because they are so dangerous. Many of these vulnerabilities appear to provide initial access to small routers and IoT systems. Some will dismiss vulnerabilities in such targets. However, we know those types of targets are used by advanced threat actors to create massive botnets like [VPNFilter](https://en.wikipedia.org/wiki/VPNFilter) and Cyclops Blink (taken down just last year). So, these vulnerabilities should be taken seriously. They should also be taken seriously because most of them are well-known.
More than 30 of the vulnerabilities have public exploits, and at least four of those have Metasploit modules. Additionally, seven have commercially available exploits.

_Chart: Exploited Vulnerabilities with Exploits_

## Individual Vulnerabilities

Each of the 42 missing vulnerabilities has interesting context around it, partly due to the many different sources and unique points of view shared in their public reporting. Going through each would be tedious, but the following sections give insight into a few vulnerabilities that should give readers a general feel for the top vulnerabilities CISA missed.

### Chimay Red

[CVE-2017-20149](https://nvd.nist.gov/vuln/detail/CVE-2017-20149), also known as Chimay Red, is a peculiar case. The details of the vulnerability were originally leaked in 2017 during the [Vault 7](https://en.wikipedia.org/wiki/Vault_7) leak. The vulnerability affected the HTTP interface of MikroTik routers (of which there are currently [more than 600k visible on Shodan](https://www.shodan.io/search?query=title%3A%22RouterOS%22)). Shortly after the disclosure, a high-quality exploit was developed by Lorenzo Santina. Eventually attackers, including the Hajime botnet, exploited this vulnerability in the wild.
While the vulnerability is getting old, [GreyNoise continues to see active scanning](https://viz.greynoise.io/tag/chimay-red-scanner) for the vulnerability and, [using Shodan](https://www.shodan.io/search?query=title%3A%22RouterOS+router%22+os%3A%22MikroTik+RouterOS+6.0%22%2C%226.1%22%2C%226.10%22%2C%226.11%22%2C%226.12%22%2C%226.13%22%2C%226.14%22%2C%226.15%22%2C%226.16%22%2C%226.17%22%2C%226.18%22%2C%226.19%22%2C%226.2%22%2C%226.20%22%2C%226.21%22%2C%226.21.1%22%2C%226.22%22%2C%226.23%22%2C%226.24%22%2C%226.25%22%2C%226.26%22%2C%226.27%22%2C%226.28%22%2C%226.29%22%2C%226.3%22%2C%226.30%22%2C%226.30.1%22%2C%226.30.2%22%2C%226.30.4%22%2C%226.31%22%2C%226.32%22%2C%226.32.1%22%2C%226.32.2%22%2C%226.32.3%22%2C%226.33%22%2C%226.33.1%22%2C%226.33.2%22%2C%226.33.3%22%2C%226.33.5%22%2C%226.34%22%2C%226.34.1%22%2C%226.34.2%22%2C%226.34.3%22%2C%226.34.4%22%2C%226.34.5%22%2C%226.34.6%22%2C%226.35%22%2C%226.35.1%22%2C%226.35.2%22%2C%226.35.4%22%2C%226.36%22%2C%226.36.1%22%2C%226.36.2%22%2C%226.36.3%22%2C%226.37%22%2C%226.37.1%22%2C%226.38%22%2C%226.38.1%22%2C%226.38.2%22%2C%226.38.3%22%2C%226.38.4%22%2C%226.4%22%2C%226.5%22%2C%226.6%22%2C%226.7%22%2C%226.8%22%2C%226.9%22), we can find approximately 10,000 internet-facing hosts that are still vulnerable.

However, the most fascinating part of Chimay Red is that it did not receive a CVE until 2022, when VulnCheck requested one (MITRE chose to back-date the year). This vulnerability has been exploited in the wild for approximately five years, and no one saw fit to request a CVE. Having a CVE is a requirement to be included in the CISA KEV Catalog and, sadly, appears to be the only way to remain in the vulnerability historical record. It is also worth noting that back when the [Shadow Brokers](https://en.wikipedia.org/wiki/The_Shadow_Brokers) leak occurred, there was an effort to identify and assign CVEs to the zero-day vulnerabilities that had been leaked. This was obviously not the case here.

The responsible parties should have done the right thing and ensured this was assigned a CVE five years ago. Maybe there would not be any more vulnerable internet-facing MikroTik routers if they had.

### CVE-2022-28810

[CVE-2022-28810](https://nvd.nist.gov/vuln/detail/CVE-2022-28810) is an authenticated, unrestricted operating system command execution vulnerability affecting ManageEngine ADSelfService Plus. ManageEngine products have been included in several CISA advisories. For example, in October 2022, a ManageEngine vulnerability, CVE-2021-40539, was included in a bulletin titled _Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors_.

This vulnerability was [first seen in the wild in April 2022 as a zero-day by Rapid7](https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/) (full disclosure: this author was involved in the analysis of the vulnerability). Additionally, ESET Research noted in their [APT Activity Report T2 2022](https://www.welivesecurity.com/wp-content/uploads/2022/11/eset_apt_activity_report_t22022.pdf) that a "defense contractor in the US" was targeted using this vulnerability. Although ESET could not attribute the attack to a specific group, it was lumped in with "China-aligned" APT activity.

### CVE-2022-2003

[Dragos researchers shared a great writeup](https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/) on finding CVE-2022-2003 in the wild. The vulnerability was discovered in a PLC "password cracking" program advertised on social media. Dragos found that the cracking software actually worked as advertised: it recovered passwords from AutomationDirect's DirectLOGIC PLCs by exploiting CVE-2022-2003. Also, hilariously, the cracking software drops malware on the host machine in order to join it to the Sality botnet.
ICS-specific vulnerabilities exploited in the wild are few and far between. Dragos uncovered an attacker specifically targeting PLCs and engineering workstations. Given the attacker's active engagement on social media, this vulnerability seems like it should have been an easy add to the KEV Catalog.

### CVE-2022-31199

Cisco Talos was able to link [CVE-2022-31199](https://nvd.nist.gov/vuln/detail/CVE-2022-31199), a vulnerability in Netwrix Auditor, to Truebot activity (and eventually Clop ransomware) in an [early December 2022 blog](https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/).

An [advisory for CVE-2022-31199 was published by Bishop Fox](https://bishopfox.com/blog/netwrix-auditor-advisory) in July 2022. The advisory has no CVE, but it is linked directly to NVD. To our knowledge, there is no public exploit for this vulnerability. However, the Bishop Fox advisory, from our experience, provides sufficient details to recreate the exploit with minimal effort. That is likely why Talos saw the vulnerability exploited a "few weeks" after the advisory was published.

Netwrix Auditor is not exactly a household name, and there are [fewer than a dozen internet-facing targets](https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.banner%3A%22.NET%22+and+Services.banner%3A%22System.Runtime.Remoting.RemotingException%3A+Tcp+channel+protocol+violation%22+and+services.port%3A9004+and+services.service_name%3A%22UNKNOWN%22+and+services.tls.certificates.leaf_data.issuer.common_name%3A%22Netwrix%22). The fact that an attacker chose to weaponize this vulnerability, and that it was exploited in the wild, shows how valuable initial access vulnerabilities are to attackers.

## Conclusion

In this blog, we shared 42 vulnerabilities assigned CVEs in 2022 that were publicly reported to be exploited in the wild. Yet none of these vulnerabilities are in the CISA KEV Catalog.

The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry. Still, as long as it is missing actively exploited vulnerabilities, it cannot be treated as the authoritative catalog of exploited vulnerabilities. Practitioners should augment their vulnerability management programs by seeking out additional sources or finding a source with a more complete dataset.

For more information on vulnerabilities exploited in the wild, register for a VulnCheck account today by loading [https://vulncheck.com](https://vulncheck.com/) and clicking "Log In".