25 cybersecurity vulnerability statistics and facts

A cyber security vulnerability generally refers to a flaw in software code that allows an attacker access to a network or system. Vulnerabilities leave businesses and individuals open to a range of threats including malware and account takeovers.

There is a huge range of possible vulnerabilities and potential consequences to their exploits. The US government’s National Vulnerability Database (NVD) which is fed by the Common Vulnerabilities and Exposures (CVE) list currently has over 176,000 entries. One well-known example of a cybersecurity vulnerability is the CVE-2017-0144 Windows weakness that opened the door for WannaCry ransomware attacks via the EternalBlue exploit. Another infamous case is the Mirai botnet that spread through the exploitation of multiple flaws.

Once vulnerabilities are discovered, developers typically work fast to release an update, or “patch.” Ideally, all users install the update before attackers have a chance to exploit the vulnerability. But the reality is that in many cases, attackers strike quickly to take advantage of a known weakness. Plus, even when a patch is released, slow implementation of updates means that attackers can exploit vulnerabilities years after they have been discovered.

In this post, we’ve rounded up the top cybersecurity vulnerability statistics and facts to be aware of as we head into 2021.

1. Over 8,000 vulnerabilities were published in Q1 of 2022

The NVD database holds 8,051 vulnerabilities published in Q1 of 2022. This is about a 25 percent increase from the same period the year prior. If these numbers hold, this would mark a slight year-on-year increase since there were around 22,000 published in 2021.

2. Half of internal-facing web application vulnerabilities are considered high risk

Edgescan’s 2022 Vulnerability Statistics Report analyzed the severity of web application vulnerabilities. It found that almost one-in-ten vulnerabilities in internet-facing applications are considered high or critical risk. This rose to 15 percent if the target normally processed online payments.

Edgescan Vulnerability Report 2022
Source: Edgescan

3. Organizations with more than 100 staff see more high or critical-risk vulnerabilities

Edgescan’s 2021 report broke down the severity of vulnerabilities according to company size. Smaller companies with 100 employees or fewer saw the lowest portion of medium, high, or critical-risk vulnerabilities (five percent total). Companies with 10,000+ employees see the largest portion of medium and critical-risk vulnerabilities while medium-sized organizations with 101–1,000 employees saw the largest portion of high-risk vulnerabilities.

Vulnerability risk by company size.
Source: Edgescan

4. The mean time to remediation (MTTR) is around 58 days

According to Edgescan, the average time taken to remediate internet-facing vulnerabilities was 57.5 days. That is a slight improvement over the year prior when the MTTR was 60.3 days.

This varies from one industry to another, though. Public administrations, for instance, had a MTTR of 92 days, whereas healthcare organizations had an MTTR of just 44 days. The data shows that the smaller an affected organization is, the more quickly it tends to recover.

5. The most severe vulnerability of 2021 was CVE-2021-44228

CVE-2021-44228 is a vulnerability impacting Log4j, an open-source logging library used in thousands of projects, applications, and websites. This vulnerability allowed attackers to run arbitrary code on any affected system, and while it was swiftly patched out, it’s extremely likely that a high number of vulnerable applications remain online.

6. The oldest vulnerability discovered in 2020 was 21 years old

Interestingly, Edgescan found a pretty old vulnerability that has been around since 1999: CVE-1999-0517. This affects Simple Network Management Protocol version 2 (SNMPv2), which is used for managing devices and computers on an IP network. The vulnerability can allow unauthorized SNMP access via a guessed community string. It has a base Common Vulnerability Scoring System (CVSS) score of 7.5 making it a high-severity weakness.

7. The first critical vulnerabilities in a major cloud infrastructure were found in January 2020

In early 2020, Check Point researchers discovered and reported critical vulnerabilities in the Microsoft Azure infrastructure. According to the Check Point article detailing the vulnerability, researchers “wanted to disprove the assumption that cloud infrastructures are secure.” The vulnerabilities received the highest CVSS score of 10.0. The qualitative severity ranking of a score of 9.0-10.0 is “critical.”

These vulnerabilities enable malicious actors to compromise apps and data of users who utilize the same hardware.

8. More than 11% of vulnerabilities have a critical score

According to CVE Details, out of roughly 176,000 vulnerabilities, more than 19,000 have a CVSS score of 9.0–10.0. That said, the vast majority (77.5 percent) have a score between 4.0 and 8.0.

CVSS score distribution
Source: CVE Details

9. 75% of attacks in 2020 used vulnerabilities that were at least two years old

According to the Check Point Cyber Security Report 2021, three out of four attacks took advantage of flaws that were reported in 2017 or earlier. And 18 percent of attacks utilized vulnerabilities that were disclosed in 2013 or before, making them at least seven years old.

PT chart for vulnerability age.
Source: Check Point

10. Citrix remote access vulnerability attacks increased 2,066% in 2020

According to Check Point, the number of attacks exploiting vulnerabilities in remote access products increased substantially in 2020. Citrix attack numbers increased more than 20-fold, while Cisco, VPN, and RDP attacks increased by 41%, 610%, and 85%, respectively.

11. 31% of companies detected attempts to exploit software vulnerabilities

A 2020 report from Positive Technologies tells us that almost one-third of detected threats involve software exploit attempts. According to the report:

“More than half of attempts involved vulnerability CVE2017-0144 in the implementation of the SMBv1 protocol. This is the same vulnerability leveraged by the infamous WannaCry ransomware, and for which a patch was released back in 2017. But attackers have kept it in their arsenals as they search for computers that have not been updated in the last 3.5 years.”

12. High-risk vulnerabilities are present on the network perimeters of 84% of companies

Another study from Positive Technologies uncovered the alarming statistic that 84 percent of companies have high-risk vulnerabilities on their external networks. It also found that more than half of these could be removed simply by installing updates.

Severity of cybersecurity vulnerabilities.
Source: Positive Technologies

13. More than one in four companies are still vulnerable to WannaCry

Positive Technologies also found that 26 percent of companies remain vulnerable to the WannaCry ransomware as they have not yet patched the vulnerability it exploits. That’s particularly concering given that WannaCry attacks spiked in Q1 of 2021.

14. XSS remains a huge threat

Hacker One research found that cross-site scripting (XSS) weaknesses were the most common type of vulnerability in 2020, accounting for 23 percent of all reports. Rounding out the top three weakness types was information disclosure (18 percent) and improper access control (10 percent).

15. The most profitable industry for bounty hunters is computer software

When it comes to which industries earn the most for bounty hunters, computer software weaknesses are the highest earners by quite a significant amount. The average bounty payout for a critical vulnerability is around $5,754. The electronic and semiconductor industry pays $4,633 per critical vulnerability and the cryptocurrency and blockchain field pays about $4,481.

Graph of cybersecurity vulnerability bounty payouts.
Source: Hacker One

16. “80% of public exploits are published before the CVEs are published”

A report published by Palo Alto Networks in August 2020 found that 80 percent of studied exploits were made public before their related CVEs had even been published. Perhaps more concerning is the length of time that passes between publish dates. On average, exploits are published 23 days before their respective CVEs. As noted in the report:

“As a result, there is a good chance that an exploit is already available when the CVE is officially published – illustrating one more way that attackers are too often a step ahead of security professionals.”

17. More than 28,500 WordPress vulnerabilities have been detected over the past 8 years

The number of new vulnerabilities has been increasing steadily since WPScan first started tracking in 2014. More than 3,000 new vulnerabilities were discovered in 2021, and in the first quarter of 2022, we’ve already seen an additional 700.

18. In Q4 2021, zero-day exploits were involved in 66% of malware

WatchGuard’s Internet Security Report – Q4 2021 tells us that from October to December of 2021, zero-day malware accounted for two-thirds of all threats. This was a marginal decrease over the previous quarter.

19. Lower numbers of vendor-specific vulnerabilities in 2021

According to RiskBased Security’s 2021 Year End Report, IBM was the vendor with the most confirmed vulnerabilities this year. However, it’s worth noting that most vendors actually have fewer vulnerabilities than last year. The exceptions are Software in the Public Interest, Inc and Fedora project, which saw a small increase.

RiskBased Security 2021 Vulnerability Report
Source: RiskBased security

20. Over 75 percent of applications have at least one flaw

Veracode’s State of Software Security Report Volume 11 released in October 2020 found that more than three-quarters (75.2 percent) of applications have security flaws. That said, only 24 percent of those are considered to have high-severity flaws.

21. Information leakage flaws are the most common

Veracode also tells us that the most common types of flaws are information leakage, CRLF injection (where an attacker injects unexpected code), cryptographic issues, code quality, and credentials management.

22. One in four flaws are still open after 18 months

A fairly alarming finding from Veracode’s 2021 report is that after a year and a half, around 27 percent of flaws are still open.

Veracode MTTR Flaw Type 2021
Source: Veracode

23. Frequent scanning correlates to much faster remediation time

Veracode did find that applications that scanned for flaws regularly saw much faster average remediation times. Those with 260+ scans per day remediated 50 percent of flaws within 62 days. That time was extended to 217 days for applications running just 1–12 scans per day.

Cybersecurity vulnerability remediation time.
Source: Veracode

24. Google has paid $35 million in bug bounties since 2010

Google’s Vulnerability Reward Program (commonly referred to as a bug bounty program) rewards researchers for discovering and reporting bugs in the company’s software. It has paid out $35 million since 2010. 696 researchers from 62 countries were paid bounties in 2021, with the largest single award amounting to $157,000.

25. Microsoft paid almost $14 million in bug bounties in one year.

In a similar vein, Microsoft rewards researchers that spot and report bugs in its software. In an July 2021 review, the company reported it had paid $13.6 million in bug bounties in the past 12 months. This is more than double the amount Google paid out in 2019. In total, 340 researchers were awarded with the largest award amounting to $200,000.

Microsoft bug bounty summary
Source: Microsoft

26. Facebook (now Meta) has awarded almost 7,000 bounties since 2011

A December 2021 blog post by Facebook (now known as Meta) tells us that since its bug bounty program began in 2011, the company has received over 150,000 reports and awarded 7,800 bounties. At the time of the report, 2021 bounties totaled $2.3 million. Around 25,000 reports had been received, and more than 800 bounties were awarded. Its highest bounty to date is $80,000.

27. Unpatched vulnerabilities were involved in 60% of data breaches

According to a 2019 Ponemon Institute Vulnerability Survey:

“60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied.” However, an even higher portion (62 percent) claimed they weren’t aware of their organizations’ vulnerabilities before a breach.

28. The global IT security market is set to reach almost $400bn by 2028

According to a report by Fortune Business insights, the value of the information security market is forecast to hit $366.1bn by 2028. The exponential growth is driven by the integration of machine learning, the Internet of Things (IoT), and a surge in the number of eCommerce platforms.

FAQs about cyber security vulnerabilities

How do you identify cyber security vulnerabilities?

Whether you're a home user or using a system for business, there are several ways to identify a cyber security vulnerability to help prevent threats from cybercriminals. These are some best practices to follow:

  • Check that your device software and operating systems are up-to-date.
  • Use an internet security suite to monitor your network for any vulnerabilities.
  • Keep up with the latest cyber threat information to avoid risks of ransomware and phishing attacks.

What are the different types of cyber security vulnerabilities?

Cyber security vulnerabilities generally fall into four categories, these include:

  1. Operating system vulnerabilities arise when the OS is outdated, often allowing an attacker to find an exploit yet to be patched to gain entry to a system.
  2. Network vulnerabilities, i.e., issues with software or hardware on a network that could allow an outside entity to gain malicious entry.
  3. User error is one of the most common ways that sensitive data falls into the wrong hands, a.k.a, human vulnerabilities.
  4. Process vulnerabilities are when processes aren't followed correctly or are not in place to begin with. Reused passwords or weak passwords can make a system more vulnerable for an attacker to penetrate.