71% of exploited vulnerabilities are not in the CISA KEV catalog.

242 vulnerabilities are added to the CISA Known Exploited Vulnerabilities catalog, a 30% year-over-year increase, and 285 vulnerabilities are added to the Vedere Labs KEV, a 213% year-over-year increase.

65% of manufacturing companies have at least one vulnerability listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog.

90 third-party vendors are flagged with high-risk threat categories. Among these, 35 vendors are marked with Known Exploited Vulnerabilities (KEV) tags.

9% of IoMT devices contain confirmed KEVs in their systems, impacting 99% of organisations.

89% of healthcare organisations have the top 1% of riskiest IoMT devices on their networks, which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns and an insecure connection to the internet.

1% of IoMT devices carry KEVs linked to active ransomware campaigns and insecure internet connectivity, impacting 89% of organisations.

8% of imaging systems (X-rays, CT scans, MRI, ultrasound, and more) have KEVs linked to ransomware and insecure internet connectivity, making this the riskiest medical device category and impacting 85% of organisations.

20% of HIS (hospital information systems), which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organisations

Organizations enrolled in CISA’s Vulnerability Scanning service saw a steady decline in KEVs on their networks.

Average remediation time for critical-severity KEVs improved by 50%, reducing from 60 days to 30 days.

Cisco-related vulnerabilities accounted for 9.8% of all observed KEVs.

High-severity KEVs saw a 25% reduction in remediation time.

58% of KEVs were linked to open-source software vulnerabilities, particularly PHP and Apache.

The CISA Known Exploited Vulnerabilities (KEV) Catalog recorded 1,199 KEVs as of August 31, 2024.