Not All CISA KEV Vulnerabilities Are Critical, Says Report


A new report from Israeli cybersecurity startup Ox Security urges companies to rethink how they handle CISA KEV vulnerabilities. Instead of patching everything, teams should focus on what actually matters to their environment.

The CISA Known Exploited Vulnerabilities (KEV) catalog lists over 1,300 software flaws. These vulnerabilities are known to be actively used by attackers. But according to Ox Security, treating each one as urgent can lead to wasted time and resources.

Their research shows that not every vulnerability on the list poses a real threat—especially in cloud environments. Ox analyzed how these bugs impact containerized systems. Out of 25 KEV entries that affect cloud-native apps, they found that 10 were not exploitable in practice.

The report looked at over 200 cloud setups. It found that many vulnerabilities require very specific conditions to work. Some need physical access to a device. Others affect browsers or Android systems that aren’t even used in cloud infrastructure.

Six of these 10 flaws only work on Android or need direct access to a terminal. Two of them can affect all Linux-based systems, but only when combined with other flaws. Three others target Chrome, but only matter if the system processes images, videos, or fonts. One Safari flaw doesn’t apply outside browser use.

Even though some of these bugs appeared thousands of times in open-source container images, they still posed no real risk in most cases.

Ox’s point is clear: Context is everything.

Rather than automatically patching every KEV-listed CVE, security teams should ask key questions:

  • Does this vulnerability affect platforms we use?
  • Is there a public exploit?
  • Can it be triggered in real-world conditions?
  • What happens if it’s exploited?
  • Is sensitive data or core infrastructure at risk?

Answering these questions helps teams decide what really needs fixing. It also avoids alert fatigue and saves time. Instead of spreading resources too thin, teams can focus where it counts.
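The five questions above can be written down as a triage rule and run over scanner output. The sketch below is an added example, not code from the Ox Security report: the field names, tier names and the 2-of-3 scoring threshold are assumptions, and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass

HIGH_IMPACT = {"rce", "privesc", "data-exposure"}  # assumed impact classes

@dataclass(frozen=True)
class Finding:                      # one KEV-listed CVE reported by a scanner
    cve: str
    platform: str                   # platform the flaw applies to
    needs: frozenset                # conditions required to trigger it
    public_exploit: bool
    impact: str

@dataclass(frozen=True)
class Workload:                     # context of the scanned deployment
    platforms: frozenset            # platforms actually in use
    conditions: frozenset           # conditions that hold in production
    sensitive: bool                 # sensitive data or core infrastructure

def triage(f: Finding, w: Workload) -> tuple[str, str]:
    # Q1: does it affect a platform we use?
    if f.platform not in w.platforms:
        return "not-applicable", f"{f.platform} not in use"
    # Q3: can it be triggered under real-world conditions here?
    unmet = sorted(f.needs - w.conditions)
    if unmet:
        return "monitor", "unmet: " + ", ".join(unmet)
    # Q2, Q4, Q5: public exploit, consequence, and what is at risk
    score = f.public_exploit + (f.impact in HIGH_IMPACT) + w.sensitive
    return ("urgent" if score >= 2 else "scheduled"), f"score {score}/3"

# Constructed sample data; CVE ids are placeholders, not real KEV entries.
WORKLOAD = Workload(frozenset({"linux", "chromium"}),
                    frozenset({"network-reachable"}), sensitive=True)
FINDINGS = [
    Finding("CVE-XXXX-0001", "android", frozenset(), True, "rce"),
    Finding("CVE-XXXX-0002", "linux", frozenset({"local-terminal"}), True, "privesc"),
    Finding("CVE-XXXX-0003", "chromium", frozenset({"processes-media"}), True, "rce"),
    Finding("CVE-XXXX-0004", "linux", frozenset({"network-reachable"}), True, "rce"),
    Finding("CVE-XXXX-0005", "linux", frozenset({"network-reachable"}), False, "dos"),
]

def triage_all(findings=FINDINGS, workload=WORKLOAD) -> dict:
    return {f.cve: triage(f, workload) for f in findings}

if __name__ == "__main__":
    for cve, (tier, why) in triage_all().items():
        print(f"{cve}  {tier:<15} {why}")
```

Findings in the "monitor" tier are not dismissed: they move up as soon as the workload's conditions change, for example when a service starts processing media.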

Still, Ox makes it clear that KEV remains a crucial tool. Many of its listed flaws are real threats. But each vulnerability should be reviewed in context.

To improve KEV’s usefulness, Ox suggests adding more detailed tags. These could include info about affected platforms, how the flaw spreads, and whether it’s part of a larger attack chain.

This report comes just as CISA and NIST propose a new system: Likely Exploited Vulnerabilities (LEV). The LEV metric aims to flag flaws that are not only known, but also highly likely to be exploited. This update could help teams act faster and smarter.

In the end, Ox Security wants organizations to move beyond “patch everything” and start thinking critically. That shift could make all the difference in real-world defense.
