{"id":1916,"date":"2025-02-13T07:30:00","date_gmt":"2025-02-13T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1916"},"modified":"2025-02-13T07:30:00","modified_gmt":"2025-02-13T07:30:00","slug":"24-of-vulnerabilities-are-abused-before-a-patch-is-available","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1916","title":{"rendered":"24% of vulnerabilities are abused before a patch is available"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Almost one in four (24%) known exploited vulnerabilities discovered last year were abused on or before the day their CVEs were publicly disclosed.<\/p>\n<p>A <a href=\"https:\/\/vulncheck.com\/blog\/2024-exploitation-trends\">study by exploit and vulnerability specialists VulnCheck<\/a> identified 768 CVEs that were publicly reported as exploited in the wild for the first time last year, an increase of 20% from the 639 CVEs confirmed as first exploited during 2023.<\/p>\n<p>Although around a quarter of vulnerabilities are hit before a patch is available the majority get abused long after a security fix comes out. Around half of vulnerabilities are first exploited within 192 days of patching, but many are hit months or even years after patching. 
For example, after 1,000 days \u2014 close to three years \u2014 only around 75% of vulnerabilities that eventually come to be exploited will be hit.<\/p>\n<p>VulnCheck\u2019s study is based on data from 100 sources, including security companies and government agencies and nonprofits such as Shadowserver.<\/p>\n<h2 class=\"wp-block-heading\">Greater transparency about vulnerabilities<\/h2>\n<p>The increase in CVE disclosures from sources across various industries helps to (at least partly) explain the increase in exploited vulnerabilities recorded between successive annual editions of VulnCheck\u2019s study.<\/p>\n<p>\u201cThe reported increase is in part a combination of both a rise in exploitations and more data sources,\u201d according to VulnCheck. \u201cThere is greater visibility related to exploitations because more organizations, vendors, and security research teams are reporting exploitations and publicly disclosing evidence.\u201d<\/p>\n<p><strong>[ See also: <a href=\"https:\/\/www.csoonline.com\/article\/3520881\/patch-management-a-dull-it-pain-that-wont-go-away.html\">Patch management: A dull IT pain that won\u2019t go away<\/a> ]<\/strong><\/p>\n<p>Matthias Held, technical program manager at Bugcrowd, also noted this trend: \u201cCompanies are increasingly recognizing their cybersecurity responsibilities, leading to greater transparency regarding vulnerabilities. The sheer volume of publicly disclosed CVEs is undoubtedly contributing to this trend, potentially making a more accurate representation of the actual impact on exploitable systems.\u201d<\/p>\n<p>Wordfence disclosures are a component of VulnCheck\u2019s research, so figures on attacks against WordPress are a significant part of the mix. 
WordPress is a major target for exploitation because it powers an estimated 40% of websites, so this is likely to have an inflationary effect on VulnCheck\u2019s annual exploitation figures, according to Held.<\/p>\n<p>\u201cThe number [of vulnerabilities] will rise by the sheer easy exploitability of web apps running on vulnerable versions [of WordPress],\u201d Held said.<\/p>\n<p>In addition, more companies are now CNAs (CVE Numbering Authorities). With more organizations issuing CVEs, the rate of their publication is naturally bound to increase over time.<\/p>\n<p>\u201cI believe this data serves as a stark reminder that we need to prioritize robust vulnerability management strategies across all organizations, including comprehensive threat intelligence sharing initiatives and real-time attack mitigation efforts,\u201d Held concluded.<\/p>\n<h2 class=\"wp-block-heading\">Building the case for proactive security<\/h2>\n<p>Boris Cipot, senior security engineer at software composition analysis firm Black Duck, said that several factors contribute toward the rise in exploited vulnerabilities, including improvements in monitoring.<\/p>\n<p>\u201cThe software we use may simply contain more vulnerabilities, or these vulnerabilities are being reported and discovered more effectively,\u201d Cipot said. \u201cSome vulnerabilities remain unpatched for extended periods, giving attackers more time to exploit them.\u201d<\/p>\n<p>The impact of exploited vulnerabilities, regardless of their cause, highlights the need for proactive security measures.<\/p>\n<p>\u201cOrganizations must invest in observability tools that monitor their environments and detect suspicious activity,\u201d Cipot said. 
\u201cAdopting a <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero trust approach<\/a> can further enhance security by limiting access and reducing risk.\u201d<\/p>\n<p>Kevin Robertson, CTO of Acumen Cyber, said the research highlighted how the timeframe needed for organizations to apply patches is shortening.<\/p>\n<p>\u201cWhile the findings indicate a rise in actively exploited CVEs, this trend is likely driven by the growing reliance on third-party software,\u201d Robertson said. \u201cModern enterprises depend heavily on third-party applications and services, which expands the potential attack surface.\u201d<\/p>\n<p>Robertson advised: \u201cAs organizations increasingly integrate third-party software into their environments, proactive vulnerability management must be embedded into their security strategies.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Compromised credentials rather than bugs blamed for more breaches<\/h2>\n<p>Other vendors quizzed by CSO were keen to downplay the significance of vulnerabilities as a vector in security breaches, arguing that compromised credentials were a much bigger factor in security breaches.<\/p>\n<p>Rapid7 said it has seen vulnerability exploitation decrease year over year as an initial access vector in 2024, amid a social engineering surge and the increasing abuse of leaked credentials to hack into remote systems with weak or absent security controls.<\/p>\n<p>\u201cNotably, a number of the incidents Rapid7 teams observed in 2024 where vulnerability exploitation was initially thought to be in scope turned out to instead stem from adversaries\u2019 use of compromised credentials, rather than CVE exploitation,\u201d Caitlin Condon, director of vulnerability intelligence at Rapid7, told CSO.<\/p>\n<p>Where vulnerabilities did lead to breaches, according to Rapid7\u2019s managed detection and response (MDR) team, this resulted from older bugs rather than 
0-days.<\/p>\n<p>\u201cA slim majority of vulnerabilities Rapid7 MDR and incident response teams saw exploited in real-world production environments last year were CVEs that were new in 2024 and had known exploits available,\u201d Condon told CSO. \u201cThe rest of the confirmed CVE exploitation our teams observed against production systems were older vulnerabilities that had previously been used in highly publicized threat campaigns.\u201d<\/p>\n<p>Most vulnerabilities Rapid7 MDR confirmed as exploited in the wild in 2024 targeted file transfer applications and network edge devices, irrespective of whether those vulnerabilities had previously been exploited or not, Condon said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Almost one in four (24%) known exploited vulnerabilities discovered last year were abused on or before the day their CVEs were publicly disclosed. A study by exploit and vulnerability specialists VulnCheck identified 768 CVEs that were publicly reported as exploited in the wild for the first time last year, an increase of 20% from the 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1917,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1916","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1916"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1916"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1916\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1917"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}