What are exploitable vulnerabilities?

An exploitable vulnerability as a security flaw in software, hardware, or network systems that can be leveraged by threat actors to gain unauthorized access, disrupt operations, or otherwise compromise the affected systems. Exploitable vulnerabilities are typically associated with a known method or exploit that can be used to take advantage of the weakness, leading to potential harm or data breaches. 

How does a vulnerability differ from an exploitable vulnerability?

A vulnerability is a weakness or flaw in a system, application, or network that could potentially be targeted by an attacker, according to both NIST and CISA. However, not all vulnerabilities are immediately exploitable. An exploitable vulnerability is a specific type of vulnerability that can be actively used by attackers using known methods, tools, or exploits to gain unauthorized access or cause harm to the system. The key difference lies in the presence of an exploit that makes the vulnerability actionable and poses a direct, immediate threat to the security of the affected systems.

Are known exploitable vulnerabilities being monitored and tracked?

CISA maintains a Known Exploited Vulnerabilities (KEV) catalog, which is a regularly updated list of vulnerabilities that have been actively exploited in the wild. This catalog is designed to help organizations prioritize their remediation efforts by focusing on vulnerabilities that are known to be actively targeted by attackers. Organizations are encouraged to monitor and address the vulnerabilities listed in the KEV catalog to mitigate potential threats and strengthen their security posture.