25 cybersecurity vulnerability statistics and facts

A cyber security vulnerability generally refers to a flaw in software code that allows an attacker access to a network or system. Vulnerabilities leave businesses and individuals open to a range of threats including malware and account takeovers.

There is a huge range of possible vulnerabilities and potential consequences to their exploits. The US government’s National Vulnerability Database (NVD) which is fed by the Common Vulnerabilities and Exposures (CVE) list currently has over 150,000 entries. One well-known example of a cybersecurity vulnerability is the CVE-2017-0144 Windows weakness that opened the door for WannaCry ransomware attacks via the EternalBlue exploit. Another infamous case is the Mirai botnet that spread through the exploitation of multiple flaws.

Once vulnerabilities are discovered, developers typically work fast to release an update, or “patch.” Ideally, all users install the update before attackers have a chance to exploit the vulnerability. But the reality is that in many cases, attackers strike quickly to take advantage of a known weakness. Plus, even when a patch is released, slow implementation of updates means that attackers can exploit vulnerabilities years after they have been discovered.

In this post, we’ve rounded up the top cybersecurity vulnerability statistics and facts to be aware of as we head into 2021.

1. Over 18,000 vulnerabilities were published in 2020

The NVD database holds 18,362 vulnerabilities published in 2020. This is a higher number than in previous years (17,382 in 2019 and 17,252 in 2018).

2. Half of internal-facing web application vulnerabilities are considered high risk

Edgescan’s 2021 Vulnerability Statistics Report analyzed the severity of web application vulnerabilities. It found that 50 percent of internal application vulnerabilities are considered high or critical risk. It also found that 32 percent of vulnerabilities in internet-facing applications are considered high or critical risk.

Vulnerability chart.
Left: external-facing; right: internal-facing. Source: Edgescan.

3. Organizations with more than 100 staff see more high or critical-risk vulnerabilities

Edgescan’s report also broke down the severity of vulnerabilities according to company size. Smaller companies with 100 employees or fewer saw the lowest portion of medium, high, or critical-risk vulnerabilities (five percent total). Companies with 10,000+ employees see the largest portion of medium and critical-risk vulnerabilities while medium-sized organizations with 101–1,000 employees saw the largest portion of high-risk vulnerabilities.

Vulnerability risk by company size.
Source: Edgescan

4. The mean time to remediation (MTTR) is around 60 days

According to Edgescan, the average time taken to remediate internet-facing vulnerabilities was 60.3 days. That is a significant improvement over the year prior when the MTTR was 84.5 days. On average, application vulnerabilities (50.3 days) are remediated more quickly than host/network weaknesses (63.1 days). High-risk vulnerabilities see the longest remediation time (84.4 days), but critical-risk weaknesses see the shortest (50.9 days).

5. The oldest vulnerability discovered in 2020 was 21 years old

Interestingly, Edgescan found a pretty old vulnerability that has been around since 1999: CVE-1999-0517. This affects Simple Network Management Protocol version 2 (SNMPv2), which is used for managing devices and computers on an IP network. The vulnerability can allow unauthorized SNMP access via a guessed community string. It has a base Common Vulnerability Scoring System (CVSS) score of 7.5 making it a high-severity weakness.

6. The first critical vulnerabilities in a major cloud infrastructure were found in January 2020

In early 2020, Check Point researchers discovered and reported critical vulnerabilities in the Microsoft Azure infrastructure. According to the Check Point article detailing the vulnerability, researchers “wanted to disprove the assumption that cloud infrastructures are secure.” The vulnerabilities received the highest CVSS score of 10.0. The qualitative severity ranking of a score of 9.0-10.0 is “critical.”

These vulnerabilities enable malicious actors to compromise apps and data of users who utilize the same hardware.

7. More than 13% of vulnerabilities have a critical score

According to CVE Details, out of roughly 123,000 vulnerabilities, more than 16,000 have a CVSS score of 9.0–10.0. That said, the vast majority (77 percent) have a score between 4.0 and 8.0.

CVE Details graphs.
Source: CVE Details

8. 75% of attacks in 2020 used vulnerabilities that were at least two years old

According to the Check Point Cyber Security Report 2021, three out of four attacks took advantage of flaws that were reported in 2017 or earlier. And 18 percent of attacks utilized vulnerabilities that were disclosed in 2013 or before, making them at least seven years old.

PT chart for vulnerability age.
Source: Check Point

9. Citrix remote access vulnerability attacks increased 2,066% in 2020

According to Check Point, the number of attacks exploiting vulnerabilities in remote access products increased substantially in 2020. Citrix attack numbers increased more than 20-fold, while Cisco, VPN, and RDP attacks increased by 41%, 610%, and 85%, respectively.

10. 31% of companies detected attempts to exploit software vulnerabilities

A 2020 report from Positive Technologies tells us that almost one-third of detected threats involve software exploit attempts. According to the report:

“More than half of attempts involved vulnerability CVE2017-0144 in the implementation of the SMBv1 protocol. This is the same vulnerability leveraged by the infamous WannaCry ransomware, and for which a patch was released back in 2017. But attackers have kept it in their arsenals as they search for computers that have not been updated in the last 3.5 years.”

11. High-risk vulnerabilities are present on the network perimeters of 84% of companies

Another study from Positive Technologies uncovered the alarming statistic that 84 percent of companies have high-risk vulnerabilities on their external networks. It also found that more than half of these could be removed simply by installing updates.

Severity of cybersecurity vulnerabilities.
Source: Positive Technologies

12. More than one in four companies are still vulnerable to WannaCry

Positive Technologies also found that 26 percent of companies remain vulnerable to the WannaCry ransomware as they have not yet patched the vulnerability it exploits.

13. The highest-earning vulnerability for bug bounty hunters is XSS

Hacker One research found that during the period of May 2019 until May 2020, cross-site scripting (XSS) weaknesses earned the most for bug bounty hunters with financial rewards totaling over $4.2 million. Rounding out the top three weakness types was improper access control and information disclosure.

14. The most profitable industry for bounty hunters is computer software

When it comes to which industries earn the most for bounty hunters, computer software weaknesses are the highest earners by quite a significant amount. The average bounty payout for a critical vulnerability is around $5,754. The electronic and semiconductor industry pays $4,633 per critical vulnerability and the cryptocurrency and blockchain field pays about $4,481.

Graph of cybersecurity vulnerability bounty payouts.
Source: Hacker One

15. “80% of public exploits are published before the CVEs are published”

A report published by Palo Alto Networks in August 2020 found that 80 percent of studied exploits were made public before their related CVEs had even been published. Perhaps more concerning is the length of time that passes between publish dates. On average, exploits are published 23 days before their respective CVEs. As noted in the report:

“As a result, there is a good chance that an exploit is already available when the CVE is officially published – illustrating one more way that attackers are too often a step ahead of security professionals.”

16. More than 20,000 WordPress vulnerabilities have been detected over the past 7 years

The number of new vulnerabilities has been increasing steadily since WPScan first started tracking in 2014. More than 4,000 new vulnerabilities were discovered in 2020, and in 2021, we’ve already seen an additional 4,800.

Wordpress vulnerabilities WPScan
Source: WPScan

17. In Q1 2021, zero-day exploits were involved in over 74% of malware

WatchGuard’s Internet Security Report – Q1 2021 tells us that in January–March 2021, zero-day malware accounted for almost three quarters of all threats. This was up 13 points over the previous quarter.

18. Microsoft saw a surge in vulnerabilities in 2020

According to RiskBased Security’s 2020 Year End Report, Microsoft saw a huge increase in the number of detected vulnerabilities with the figure rising by 67 percent in 2020 compared to the previous year. With 1,566 vulnerabilities, it topped the list of the top 10 vendors in terms of the number of vulnerability disclosures.

RiskBased Security's top ten.
Source: RIskBased Security

19. Over 75 percent of applications have at least one flaw

Veracode’s State of Software Security Report Volume 11 released in October 2020 found that more than three-quarters (75.2 percent) of applications have security flaws. That said, only 24 percent of those are considered to have high-severity flaws.

20. Information leakage flaws are the most common

Veracode also tells us that the most common types of flaws are information leakage, CRLF injection (where an attacker injects unexpected code), cryptographic issues, code quality, and credentials management.

21. One in four flaws are still open after 18 months

A fairly alarming finding from the Veracode report is that after a year and a half, around 25 percent of flaws are still open.

Graph of open flaws.
Source: Veracode

22. Frequent scanning correlates to much faster remediation time

Veracode did find that applications that scanned for flaws regularly saw much faster average remediation times. Those with 260+ scans per day remediated 50 percent of flaws within 62 days. That time was extended to 217 days for applications running just 1–12 scans per day.

Cybersecurity vulnerability remediation time.
Source: Veracode

23. Google has paid $28 million in bug bounties since 2010

Google’s Vulnerability Reward Program (commonly referred to as a bug bounty program) rewards researchers for discovering and reporting bugs in the company’s software. It paid out $6.7 million in rewards and $28 million since 2010. 662 researchers from 62 countries were paid bounties in 2020, with the largest single award amounting to $132,500.

24. Microsoft paid almost $14 million in bug bounties in one year.

In a similar vein, Microsoft rewards researchers that spot and report bugs in its software. In an August 2020 review, the company reported it had paid $13.7 million in bug bounties in the past 12 months. This is more than double the amount Google paid out in 2019. In total, 327 researchers were awarded with the largest award amounting to $200,000.

Microsoft bounty programs infographic.
Source: Microsoft

25. Facebook has awarded almost 7,000 bounties since 2011

A November 2020 report by Facebook tells us that since its bug bounty program began in 2011, the company has received over 13,000 reports and awarded 6,900 bounties. At the time of the report, 2020 bounties totaled almost $2 million. Around 17,000 reports had been received and more than 1,000 bounties awarded. Its highest bounty to date is $80,000.

26. Unpatched vulnerabilities were involved in 60% of data breaches

According to a Ponemon Institute Vulnerability Survey:

“60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied.” However, an even higher portion (62 percent) claimed they weren’t aware of vulnerabilities in their organizations prior to a breach.