A security vulnerability previously added to CISA’s Known Exploited Vulnerability catalog (KEV), which was recognized by CVE Numbering Authorities (CNA), and included in reputable threat reports is now being formally rejected by infosec organizations.
CISA removed CVE-2022-28958 from its KEV on December 1, two days after the National Vulnerability Database (NVD) revoked its “vulnerability” status following a months-long review.
The “issue” was thought to be a critical remote code execution (RCE) flaw impacting an end-of-life D-Link router (DIR-816L), carrying a near-maximum severity score of 9.8. It actually had no impact on the systems it targeted.
