At a time when the number of vulnerabilities is growing 38% YoY, the ability to separate what matters from what does not, and to focus on the important issues, is more crucial than ever. A few months ago, we added support for the CISA KEV catalog inside our Tanzu Application Catalog (TAC) product as a way to surface whether a given vulnerability is known to be exploited. In this blog post, we’ll go over a recent enhancement to this capability: our new integration with the VulnCheck vulnerability intelligence platform.
One of the most important events in the cybersecurity industry within the last five years was CISA’s release, in 2021, of its Known Exploited Vulnerabilities (KEV) catalog along with a binding operational directive (BOD 22-01). Since then, this directive has become a vital resource for agencies and researchers, as it details the vulnerabilities that are being actively exploited and hence are critical to understand, prioritize, and mitigate.
CISA’s KEV catalog is relevant not only for setting the minimum bar needed to be compliant inside Federal environments but also for underscoring the importance of focusing on the risks that matter the most, rather than being overwhelmed by a deluge of information. Since early 2024, VMware Tanzu Application Catalog (TAC) has integrated CISA’s KEV catalog so that you can quickly find out whether the software we deliver is affected by one of the critical vulnerabilities analyzed by CISA. Today, we are announcing what feels like an iterative improvement on that approach: the integration of the VulnCheck KEV feed.
VulnCheck is an exploit and vulnerability intelligence platform that helps organizations understand and prioritize security risks, ultimately improving their ability to defend against cyberattacks. The VulnCheck KEV is available through the VulnCheck Community as a free intelligence feed for any enterprise, cybersecurity firm, government team, or managed service provider.
With this new integration, now you’ll notice a red icon wherever we display vulnerabilities in TAC. This is shown when VulnCheck signals us that a vulnerability has been found to be exploited in the real world.

For us, this incremental update was very important for a few reasons. On one hand, we knew that VulnCheck includes all of the vulnerabilities in CISA’s KEV catalog, which makes it a superset of CISA’s feed. We also validated that VulnCheck’s KEV catalog is considerably larger than CISA’s (173% larger, in fact). But the most relevant difference to us was that it included far more information about exploits of Open-Source Software (OSS) than we could find in CISA’s catalog.
CISA mainly reports vulnerabilities in commercial software used by Federal agencies, and the very few entries known to originate from OSS components did not affect TAC. That has not been the case with VulnCheck’s catalog, which gave us quite interesting insights and valuable data.
Continuously updated OSS is crucial to remediate OSS exploits
So, what got us really excited about VulnCheck was that it surfaced actual known-exploited vulnerabilities in our catalog. If you follow our product, you know that TAC customers have access to a large Photon 5-based, low-CVE catalog with more than 550 unique OSS applications delivered in different shapes, primarily Helm charts and container images.
The container images in TAC are already very small and have minimal dependencies. But the question then was: how badly are they affected by known exploited vulnerabilities?
The answer is that we found 3 vulnerabilities known to be exploited, all of which already had fixes available.

So, this is actually good news. We know there are not many vulnerabilities known to be exploited in a catalog that happens to be very large. But then the next question is: how fast did we patch those?
Attackers move to exploit quickly. In fact, a recent DarkReading report highlights that while attackers may not be targeting more vulnerabilities, they appear to be focusing on new vulnerability disclosures and taking advantage of the widespread availability of information to create exploits quickly. VulnCheck data showed that 45 KEVs last quarter were exploited no later than one day after first being publicized in security advisories.

And this is where we believe a tool like VMware’s TAC becomes critical. When attackers act that quickly, you need trusted OSS providers reacting equally fast.
Let’s look at an example. One of the known-exploited CVEs above is also critical and affects Tomcat, a Java-based application server. That is CVE-2025-24813, and VulnCheck already tells us a few important facts: the vulnerability was published on March 10, 2025; it was added to VulnCheck’s KEV on March 14, 2025; and it was published in CISA’s KEV on April 1, 2025.

And now, drumroll: when we look at the TAC dashboard, the patches for Tomcat versions 9 and 10 were released on February 14, a couple of weeks before the vulnerability was even disclosed.

As for Tomcat 11, in case you are wondering, it is still a beta version and hence has not made it into our TAC catalog yet. It will soon, though.
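To make the prioritization logic described above concrete, here is an added example (not code from TAC or VulnCheck) that merges two KEV feeds, ranks scan findings so that known-exploited CVEs come before merely high-severity ones, and measures the patch lead time for CVE-2025-24813 against the dates in this post. The CISA feed shape follows the real catalog’s JSON keys; the VulnCheck record shape, the `CVE-0000-*` ids and the non-Tomcat findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample feeds. CISA_KEV mirrors the real catalog's keys ("cveID",
# "dateAdded"); the VulnCheck record shape is an assumption, not its documented
# schema. CVE-2025-24813 dates are from the post; CVE-0000-* are placeholders.
CISA_KEV = {"vulnerabilities": [{"cveID": "CVE-2025-24813", "dateAdded": "2025-04-01"}]}
VULNCHECK_KEV = [
    {"cve": ["CVE-2025-24813"], "date_added": "2025-03-14"},
    {"cve": ["CVE-0000-0001"], "date_added": "2025-02-01"},
]

@dataclass
class Finding:
    cve: str
    component: str
    severity: str                      # scanner severity: critical/high/medium/low
    published: date                    # public disclosure date
    fixed_in_catalog: Optional[date]   # date the patched image shipped, or None

# Constructed scan findings; only the Tomcat entry reflects real dates.
TOMCAT = Finding("CVE-2025-24813", "tomcat", "critical", date(2025, 3, 10), date(2025, 2, 14))
FINDINGS = [
    Finding("CVE-0000-0002", "libfoo", "high", date(2025, 3, 1), None),
    TOMCAT,
    Finding("CVE-0000-0001", "libbar", "medium", date(2025, 1, 20), date(2025, 2, 10)),
]

def kev_index(cisa, vulncheck):
    """Map CVE id -> {feed name: date that feed listed it as exploited}."""
    idx = {}
    for v in cisa["vulnerabilities"]:
        idx.setdefault(v["cveID"], {})["cisa"] = date.fromisoformat(v["dateAdded"])
    for v in vulncheck:
        for cve in v["cve"]:
            idx.setdefault(cve, {})["vulncheck"] = date.fromisoformat(v["date_added"])
    return idx

def cisa_is_subset(idx):
    """True when every CISA-listed CVE is also in the VulnCheck feed."""
    return all("vulncheck" in feeds for feeds in idx.values() if "cisa" in feeds)

def triage(findings, idx):
    """Known-exploited findings first, then by severity: evidence of
    exploitation, not CVSS alone, decides what gets fixed first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (f.cve not in idx, rank.get(f.severity, 9)))

def patch_lead_days(finding, reference):
    """Days the catalog fix preceded `reference` (disclosure or a KEV listing).
    Positive means no exposure window; negative is the number of days exposed."""
    if finding.fixed_in_catalog is None:
        return None
    return (reference - finding.fixed_in_catalog).days
```

A negative result from `patch_lead_days` against the VulnCheck date is the exposure window that matters most, since that feed listed the CVE 18 days before CISA did.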
Keep an eye out for more updates
We are very excited to deliver this new feature, which highlights how important it is to keep OSS and dependencies updated and how vulnerability exploit analysis platforms like VulnCheck can be used alongside TAC toward a common goal. If you haven’t checked out VulnCheck already, go and take a look. Their community is amazing, and you might also find their commercial products interesting.
We would love to know your thoughts and your feedback. So, please reach out to us, and we will be more than happy to learn more about your ideas in this area.
For more information about the Tanzu Application Catalog, visit our webpage. To keep up with the latest on our minimal container images initiative and more, be sure to follow us on X (formerly Twitter) and LinkedIn.