# How Cortex Xpanse Can Identify CISA-Identified Known Exploited Vulnerabilities

By [Cyrus Revand](https://www.paloaltonetworks.com/blog/author/cyrus-revand/?ts=markdown "Posts by Cyrus Revand"), Mar 22, 2022

## **What Cortex Xpanse does today**

In late 2021, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS/CISA) issued [Binding Operational Directive 22-01 (BOD 22-01)](https://cyber.dhs.gov/bod/22-01/), which introduced a list of Known Exploited Vulnerabilities (KEVs) that threat actors have exploited. Cortex Xpanse can help users find potentially impacted services for further investigation, patching, or decommissioning via the new ***Software Potentially Impacted by CISA Known Exploited Vulnerabilities (BOD 22-01)*** Issue category.

As of this writing, CISA's [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog accompanying BOD 22-01 contained 788 individual Common Vulnerabilities and Exposures (CVEs), impacting at least 322 unique products and services, approximately 57% of which face the public internet. These numbers continue to increase steadily as CISA adds new CVEs to the catalog.

## **Xpanse Issue Policies Aligning to CISA's Known Exploited Vulnerabilities (KEV) Catalog**

#### *(Updated: 8/1/2022)*

This section includes all Xpanse Issue policies that enumerate potentially vulnerable products and services in the KEV catalog. We will continually update this list as our research and development teams add detection capabilities to our product.

Expander shows systems that are exposed to the public internet, without the need to install agents or sensors of any kind.
Some of the systems below do not advertise version information, or are otherwise restricted from doing so depending on the configuration of our customers' networks. Expander attempts to retrieve or derive version information and other metadata, but this is not possible in all cases.

We are able to determine some devices/applications with a higher degree of confidence and thereby infer vulnerability to specific CVEs in the KEV catalog. The insecure versions of the following services fall into that category, and have been automatically enabled as Issue Policies in Cortex Xpanse:

* Apache Druid
* Apache Web Server
* Atlassian Confluence Server
* Atlassian Crowd Server
* Cisco Small Business RV Series Router
* Citrix Application Delivery Controller
* Drupal Web Server
* Exim Mail Transfer Agent
* Hikvision Device
* Microsoft Exchange Server
* Mikrotik Router
* MobileIron Sentry
* PHP
* SolarWinds Orion Platform
* SolarWinds Serv-U
* Sumavision Enhanced Multimedia Router
* Telerik Web UI
* Zoho ManageEngine ServiceDesk Plus

Other devices/applications do not provide this level of visibility, though Xpanse is still able to identify the presence of the active internet-facing service. These applications have Issue policies that can be enabled by your team in the Policies tab; we encourage our customers to toggle them to "On" as needed.

* Accellion FTA
* Adobe ColdFusion
* Adobe Commerce
* Adobe Flash
* Apache Active MQ
* Apache Log4j\*
* ApacheShiro
* Apache Solr
* Atlassian Jira Server
* Cisco Adaptive Security Appliance
* Cisco Duo SSO
* Cisco Firepower Device
* Cisco HyperFlex
* Cisco IOS
* Cisco IOS XE
* Cisco IOS XR
* Cisco Unified IP Phones
* Citrix SD-WAN
* Citrix ShareFile Server
* Citrix Workspace
* Citrix XenMobile Server
* DrayTek Vigor Router
* Elastic Kibana User Interface
* Elasticsearch Server
* EmbedThis GoAhead WebServer
* F5 Advanced Web Application Firewall
* F5 BIG-IP Access Policy Manager
* F5 BIG-IP Platform
* F5 BIG-IP TMUI
* ForgeRock Access Management Server
* Fortinet FortiOS
* Fortinet Fortigate SSL Vpn
* Hikvision Device
* IBM Planning Analytics
* IBM Websphere Application Server
* Kaseya VSA
* Liferay Portal
* Log4Shell Vulnerable Apache Solr
* Log4Shell Vulnerable IBM WebSphere Application Server
* Log4Shell Vulnerable SonicWall Email Security
* Log4Shell Vulnerable VMware Workspace ONE Access Server
* Microsoft OWA Server
* MikroTik Router
* MongoDB Mongo-Express
* Nagios Fusion
* NetGear ProSafe
* Netis Router
* October CMS
* Oracle WebLogic Server
* PAN-OS Device
* Pulse Secure Pulse Connect Secure VPN
* rConfig Network Configuration Management
* RDP Server
* Redis Server
* Roundcube Webmail
* SaltStack Server
* SAP NetWeaver Application Server
* SharePoint Server
* SMB Server
* SonicWall Email Security
* SonicWall Secure Mobile Access VPN
* SonicWall Secure Remote Access
* Sophos SG Series Firewall
* Sophos XG Series Firewall
* Symantec Messaging Gateway
* Synacor Zimbra Collaboration Suite
* Tenda Routers
* ThinkPHP Application
* Tomcat Web Server
* vBulletin Web Server
* VMware ESXi
* VMware Spring Framework
* VMware vCenter Admin Page
* VMware Workspace ONE Access Server
* VMware Workspace One Administrative Configurator
* Zabbix IT Monitoring Software
* Zoho ManageEngine ADSelfService Plus
* Zoho ManageEngine Desktop Central
* Zyxel Firewall
* vBulletinWebServer

Customers can leverage this basic enumeration for quick identification of active internet-facing services and export of an audit list for patching. For Cortex XSOAR customers, Xpanse integration leverages the outside-in perspective to automatically check for exposed software, and in some cases record the detected versions and queue other actions.

## **Surfacing KEV Exposures in Expander → Issues Module**

Xpanse groups Issue types into categories or themes to make them easier to browse and filter. We've created a new Issue Category called ***Software Potentially Impacted by CISA Known Exploited Vulnerabilities (BOD 22-01)*** containing all existing policies covering software potentially affected by CVEs in the KEV catalog. This section offers a walkthrough of the user experience for enumerating assets that may be impacted by a KEV.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot1.png)

To find a particular Issue of interest, scroll through the list \[1\] or start typing the name of the Issue in the search field \[2\], select from the list that populates below, then click Apply \[3\].

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot2.png)

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot3.png)

As you select individual Issues, Xpanse's cumulative findings will populate within the list view in the main part of the screen:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot4.png)

To export this list as a comma-separated values (.csv) file, click the Export CSV button:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot5.png)

To get more information on an individual Issue on the list, click into it in the list view:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot6.png)

This will open the Issues details view, with information on the specific exposure and why Xpanse flagged it, where it was found on your network, and any IP ranges, certificates, or domains associated with the observation:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot7.png)

To create a detailed, shareable report on the selected Issue, use the Print to PDF button:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot8.png)

This generates a .pdf summary of Issue details, including all the information for that Issue in Expander:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/Xpanse-CISA-Blog-screenshot9.png)
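
One way to turn the exported audit list into a patching worklist, as an added example that is not from the original post or from Palo Alto Networks: it joins an export against an excerpt of the KEV catalog JSON and orders exposed assets by the earliest CISA due date. The CSV column names, sample rows, placeholder CVE ids, dates and the name-matching heuristic are assumptions; only the catalog field names (`cveID`, `vendorProject`, `product`, `dueDate`) follow CISA's published JSON.

```python
import csv
import io
import json
import re
from datetime import date

# Constructed export; the column names are assumptions, not Expander's real schema.
EXPORT_CSV = """issue_type,ip,port
Redis Server,198.51.100.31,6379
Atlassian Confluence Server,198.51.100.10,443
Zoho ManageEngine ADSelfService Plus,198.51.100.22,8443
Atlassian Confluence Server,198.51.100.11,8090
"""

# Constructed catalog excerpt; CVE ids are placeholders and due dates are made up.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Atlassian",
     "product": "Confluence Server and Data Center", "dueDate": "2022-06-06"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Atlassian",
     "product": "Confluence Server", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Zoho",
     "product": "ManageEngine ADSelfService Plus", "dueDate": "2022-04-15"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Atlassian",
     "product": "Jira Server and Data Center", "dueDate": "2022-05-03"},
]})

# Words too common in product names to count as evidence of a match.
GENERIC = {"server", "and", "data", "center", "device", "platform"}

def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def kev_for_issue(issue_type, kev_entries):
    """Heuristic join (an assumption): every vendor word appears in the issue
    name and at least one distinctive product word does too."""
    name = _tokens(issue_type)
    return [e for e in kev_entries
            if _tokens(e["vendorProject"]) <= name
            and (_tokens(e["product"]) - GENERIC) & name]

def triage(export_csv, kev_json, today):
    """Return (worklist sorted by earliest due date, rows with no catalog match)."""
    kev_entries = json.loads(kev_json)["vulnerabilities"]
    matched, unmatched = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        hits = kev_for_issue(row["issue_type"], kev_entries)
        if not hits:
            unmatched.append(row)  # keep for manual review, never drop silently
            continue
        due = min(date.fromisoformat(e["dueDate"]) for e in hits)
        matched.append({
            "asset": f'{row["ip"]}:{row["port"]}',
            "issue_type": row["issue_type"],
            "candidate_cves": sorted(e["cveID"] for e in hits),
            "earliest_due": due,
            "overdue": due < today,
        })
    matched.sort(key=lambda m: (m["earliest_due"], m["asset"]))
    return matched, unmatched

if __name__ == "__main__":
    worklist, review = triage(EXPORT_CSV, KEV_JSON, date(2022, 3, 22))
    for item in worklist:
        print(item)
    print("no catalog match:", [r["issue_type"] for r in review])
```

The matched CVEs are candidates only: for policies that detect the presence of a service without its version, each asset still needs a version check before a CVE is treated as applicable.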