A cyber security vulnerability generally refers to a flaw in software code that allows an attacker access to a network or system. Vulnerabilities leave businesses and individuals open to a range of threats including malware and account takeovers.
There is a huge range of possible vulnerabilities and potential consequences to their exploits. The US government’s National Vulnerability Database (NVD) which is fed by the Common Vulnerabilities and Exposures (CVE) list currently has over 176,000 entries. One well-known example of a cybersecurity vulnerability is the CVE-2017-0144 Windows weakness that opened the door for WannaCry ransomware attacks via the EternalBlue exploit. Another infamous case is the Mirai botnet that spread through the exploitation of multiple flaws.
Once vulnerabilities are discovered, developers typically work fast to release an update, or “patch.” Ideally, all users install the update before attackers have a chance to exploit the vulnerability. But the reality is that in many cases, attackers strike quickly to take advantage of a known weakness. Plus, even when a patch is released, slow implementation of updates means that attackers can exploit vulnerabilities years after they have been discovered.
In this post, we’ve rounded up the top cybersecurity vulnerability statistics and facts to be aware of as we head into 2021.
1. Over 8,000 vulnerabilities were published in Q1 of 2022
The NVD database holds 8,051 vulnerabilities published in Q1 of 2022. This is about a 25 percent increase from the same period the year prior. If these numbers hold, this would mark a slight year-on-year increase since there were around 22,000 published in 2021.
2. Half of internal-facing web application vulnerabilities are considered high risk
Edgescan’s 2022 Vulnerability Statistics Report analyzed the severity of web application vulnerabilities. It found that almost one-in-ten vulnerabilities in internet-facing applications are considered high or critical risk. This rose to 15 percent if the target normally processed online payments.
3. Organizations with more than 100 staff see more high or critical-risk vulnerabilities
Edgescan’s 2021 report broke down the severity of vulnerabilities according to company size. Smaller companies with 100 employees or fewer saw the lowest portion of medium, high, or critical-risk vulnerabilities (five percent total). Companies with 10,000+ employees saw the largest portion of medium and critical-risk vulnerabilities, while medium-sized organizations with 101–1,000 employees saw the largest portion of high-risk vulnerabilities.
4. The mean time to remediation (MTTR) is around 58 days
According to Edgescan, the average time taken to remediate internet-facing vulnerabilities was 57.5 days. That is a slight improvement over the year prior when the MTTR was 60.3 days.
This varies from one industry to another, though. Public administrations, for instance, had an MTTR of 92 days, whereas healthcare organizations had an MTTR of just 44 days. The data shows that the smaller an affected organization is, the more quickly it tends to recover.
5. The most severe vulnerability of 2021 was CVE-2021-44228
CVE-2021-44228 is a vulnerability impacting Log4j, an open-source logging library used in thousands of projects, applications, and websites. This vulnerability allowed attackers to run arbitrary code on any affected system, and while it was swiftly patched out, it’s extremely likely that a high number of vulnerable applications remain online.
6. The oldest vulnerability discovered in 2020 was 21 years old
Interestingly, Edgescan found a pretty old vulnerability that has been around since 1999: CVE-1999-0517. This affects Simple Network Management Protocol version 2 (SNMPv2), which is used for managing devices and computers on an IP network. The vulnerability can allow unauthorized SNMP access via a guessed community string. It has a base Common Vulnerability Scoring System (CVSS) score of 7.5, making it a high-severity weakness.
7. The first critical vulnerabilities in a major cloud infrastructure were found in January 2020
In early 2020, Check Point researchers discovered and reported critical vulnerabilities in the Microsoft Azure infrastructure. According to the Check Point article detailing the vulnerability, researchers “wanted to disprove the assumption that cloud infrastructures are secure.” The vulnerabilities received the highest CVSS score of 10.0. The qualitative severity ranking of a score of 9.0-10.0 is “critical.”
These vulnerabilities enable malicious actors to compromise apps and data of users who utilize the same hardware.
8. More than 11% of vulnerabilities have a critical score
According to CVE Details, out of roughly 176,000 vulnerabilities, more than 19,000 have a CVSS score of 9.0–10.0. That said, the vast majority (77.5 percent) have a score between 4.0 and 8.0.
9. 75% of attacks in 2020 used vulnerabilities that were at least two years old
According to the Check Point Cyber Security Report 2021, three out of four attacks took advantage of flaws that were reported in 2017 or earlier. And 18 percent of attacks utilized vulnerabilities that were disclosed in 2013 or before, making them at least seven years old.
10. Citrix remote access vulnerability attacks increased 2,066% in 2020
According to Check Point, the number of attacks exploiting vulnerabilities in remote access products increased substantially in 2020. Citrix attack numbers increased more than 20-fold, while Cisco, VPN, and RDP attacks increased by 41%, 610%, and 85%, respectively.
11. 31% of companies detected attempts to exploit software vulnerabilities
A 2020 report from Positive Technologies tells us that almost one-third of detected threats involve software exploit attempts. According to the report:
“More than half of attempts involved vulnerability CVE-2017-0144 in the implementation of the SMBv1 protocol. This is the same vulnerability leveraged by the infamous WannaCry ransomware, and for which a patch was released back in 2017. But attackers have kept it in their arsenals as they search for computers that have not been updated in the last 3.5 years.”
12. High-risk vulnerabilities are present on the network perimeters of 84% of companies
Another study from Positive Technologies uncovered the alarming statistic that 84 percent of companies have high-risk vulnerabilities on their external networks. It also found that more than half of these could be removed simply by installing updates.
13. More than one in four companies are still vulnerable to WannaCry
Positive Technologies also found that 26 percent of companies remain vulnerable to the WannaCry ransomware as they have not yet patched the vulnerability it exploits. That’s particularly concerning given that WannaCry attacks spiked in Q1 of 2021.
14. XSS remains a huge threat
Hacker One research found that cross-site scripting (XSS) weaknesses were the most common type of vulnerability in 2020, accounting for 23 percent of all reports. Rounding out the top three weakness types were information disclosure (18 percent) and improper access control (10 percent).
15. The most profitable industry for bounty hunters is computer software
When it comes to which industries earn the most for bounty hunters, computer software weaknesses are the highest earners by quite a significant amount. The average bounty payout for a critical vulnerability is around $5,754. The electronic and semiconductor industry pays $4,633 per critical vulnerability and the cryptocurrency and blockchain field pays about $4,481.
16. “80% of public exploits are published before the CVEs are published”
A report published by Palo Alto Networks in August 2020 found that 80 percent of studied exploits were made public before their related CVEs had even been published. Perhaps more concerning is the length of time that passes between publish dates. On average, exploits are published 23 days before their respective CVEs. As noted in the report:
“As a result, there is a good chance that an exploit is already available when the CVE is officially published – illustrating one more way that attackers are too often a step ahead of security professionals.”
17. More than 28,500 WordPress vulnerabilities have been detected over the past 8 years
The number of new vulnerabilities has been increasing steadily since WPScan first started tracking in 2014. More than 3,000 new vulnerabilities were discovered in 2021, and in the first quarter of 2022, we’ve already seen an additional 700.
18. In Q4 2021, zero-day exploits were involved in 66% of malware
WatchGuard’s Internet Security Report – Q4 2021 tells us that from October to December of 2021, zero-day malware accounted for two-thirds of all threats. This was a marginal decrease over the previous quarter.
19. Lower numbers of vendor-specific vulnerabilities in 2021
According to RiskBased Security’s 2021 Year End Report, IBM was the vendor with the most confirmed vulnerabilities this year. However, it’s worth noting that most vendors actually have fewer vulnerabilities than last year. The exceptions are Software in the Public Interest, Inc and Fedora project, which saw a small increase.
20. Over 75 percent of applications have at least one flaw
Veracode’s State of Software Security Report Volume 11, released in October 2020, found that more than three-quarters (75.2 percent) of applications have security flaws. That said, only 24 percent of those are considered to have high-severity flaws.
21. Information leakage flaws are the most common
Veracode also tells us that the most common types of flaws are information leakage, CRLF injection (where an attacker injects unexpected carriage-return and line-feed characters into input), cryptographic issues, code quality, and credentials management.
22. One in four flaws are still open after 18 months
A fairly alarming finding from Veracode’s 2021 report is that after a year and a half, around 27 percent of flaws are still open.
23. Frequent scanning correlates to much faster remediation time
Veracode did find that applications that scanned for flaws regularly saw much faster average remediation times. Those with 260+ scans per day remediated 50 percent of flaws within 62 days. That time was extended to 217 days for applications running just 1–12 scans per day.
24. Google has paid $35 million in bug bounties since 2010
Google’s Vulnerability Reward Program (commonly referred to as a bug bounty program) rewards researchers for discovering and reporting bugs in the company’s software. It has paid out $35 million since 2010. 696 researchers from 62 countries were paid bounties in 2021, with the largest single award amounting to $157,000.
25. Microsoft paid almost $14 million in bug bounties in one year
In a similar vein, Microsoft rewards researchers that spot and report bugs in its software. In a July 2021 review, the company reported it had paid $13.6 million in bug bounties in the past 12 months. This is more than double the amount Google paid out in 2019. In total, 340 researchers were rewarded, with the largest award amounting to $200,000.
26. Facebook (now Meta) has awarded almost 7,000 bounties since 2011
A December 2021 blog post by Facebook (now known as Meta) tells us that since its bug bounty program began in 2011, the company has received over 150,000 reports and awarded 7,800 bounties. At the time of the report, 2021 bounties totaled $2.3 million. Around 25,000 reports had been received and more than 800 bounties awarded. Its highest bounty to date is $80,000.
27. Unpatched vulnerabilities were involved in 60% of data breaches
According to a 2019 Ponemon Institute Vulnerability Survey:
“60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied.” However, an even higher portion (62 percent) claimed they weren’t aware of vulnerabilities in their organizations prior to a breach.