The discovery and disclosure of vulnerabilities continue to grow in volume and pace. In 2017 alone, an average of 41 new vulnerabilities were published every single day, for a total of 15,038 for the year. Additionally, the growth in newly disclosed vulnerabilities from the first half of 2018 showed a 27 percent increase over the first half of 2017.
High-profile vulnerabilities have also become a regular feature in mainstream headlines and are often cited as the root cause of massive data breaches. Whether the Equifax breach or WannaCry, the reality is that many high-profile incidents could have been prevented through better cyber hygiene. In fact, 57 percent of enterprises that experienced a breach in the past two years state that a known, unpatched vulnerability was the root cause.
Zero-days and advanced threats are compelling topics for the media, but advanced threats – especially nation-state threat actors – are not an everyday occurrence for the average enterprise. The majority of data breaches do not involve sophisticated attacks or zero-day exploits.
The growth in new vulnerabilities continues unabated:
- 15,038 new vulnerabilities were published to CVE in 2017 versus 9,837 in 2016, an increase of 53%.
- The first half of 2018 shows an increase of 27% versus the first half of 2017. We are on track for 18,000–19,000 new vulnerabilities this year.
Prioritizing based on High severity or exploitability alone is becoming increasingly ineffective due to the sheer volume:
- 54% of new CVEs in 2017 were rated as CVSSv3 7.0 (High) or higher.
- Public exploits are available for 7% of vulnerabilities.
- For vulnerabilities where both CVSS version 2 and version 3 scores are available and a comparison is possible (mainly post-2016), CVSSv3 rates the majority as High or Critical, where CVSSv2 rated only a minority as High (31% under CVSSv2 versus 60% under CVSSv3).
Our study confirms that managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering challenge but requires a risk-centric view to prioritize thousands of vulnerabilities that superficially all seem the same.
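The scale problem is easier to see on data. What follows is an added example, not code from the report or its authors: it encodes the published CVSS v2 and v3.x qualitative severity bands, applies the naive "High or above" cut to a constructed inventory, and then ranks the same inventory with a hypothetical composite that weights severity by public exploit availability, internet exposure and the number of affected assets. The CVE-style identifiers, the inventory and the scoring weights are all made up for illustration and are not the report's method.

```python
"""Added illustration (not part of the report): a CVSS-only cut versus a
risk-centric ranking over a constructed vulnerability inventory.

The band functions reproduce the published CVSS v2 and v3.x qualitative
ratings. The composite score, its weights and the sample data are
hypothetical, chosen only to show the effect of adding context.
"""
import math
from dataclasses import dataclass


def cvss_v2_band(score: float) -> str:
    """CVSS v2 qualitative rating: Low, Medium or High."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be in [0, 10]")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def cvss_v3_band(score: float) -> str:
    """CVSS v3.x qualitative rating: adds None (0.0) and Critical (9.0+)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be in [0, 10]")
    if score == 0.0:
        return "None"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Vuln:
    cve: str              # placeholder identifier, not a real CVE
    cvss_v3: float        # CVSS v3 base score
    exploit_public: bool  # a public exploit is known to exist
    affected_assets: int  # hosts in the environment carrying the flaw
    exposed: bool         # at least one affected host is internet-facing


# Constructed inventory; identifiers and figures are invented.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, False, 3, False),
    Vuln("CVE-0000-0002", 7.5, True, 420, True),
    Vuln("CVE-0000-0003", 8.1, False, 12, False),
    Vuln("CVE-0000-0004", 5.3, True, 900, True),
    Vuln("CVE-0000-0005", 7.2, False, 1, False),
    Vuln("CVE-0000-0006", 4.3, False, 15, False),
    Vuln("CVE-0000-0007", 9.1, True, 60, False),
]


def high_or_above(vulns):
    """The naive cut: everything rated High or Critical under CVSS v3."""
    return [v for v in vulns if cvss_v3_band(v.cvss_v3) in ("High", "Critical")]


def risk_score(v: Vuln) -> float:
    """Hypothetical composite: base severity, doubled when a public exploit
    exists, x1.5 when exposed, scaled by log10 of the affected-asset count
    so a very common flaw does not swamp everything else."""
    score = v.cvss_v3
    if v.exploit_public:
        score *= 2.0
    if v.exposed:
        score *= 1.5
    score *= 1.0 + math.log10(max(v.affected_assets, 1))
    return round(score, 2)


def prioritize(vulns, top=3):
    """Identifiers of the `top` highest-risk entries, best first."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)[:top]]


if __name__ == "__main__":
    cut = high_or_above(SAMPLE)
    print(f"CVSS-only cut keeps {len(cut)} of {len(SAMPLE)} entries")
    for v in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{v.cve}  cvss={v.cvss_v3}  band={cvss_v3_band(v.cvss_v3):8}"
              f"  risk={risk_score(v)}")
```

On this inventory the CVSS-only cut still keeps five of seven entries, while the composite puts a Medium-rated flaw with a public exploit on 900 exposed hosts ahead of an isolated 9.8 Critical. The weights are arbitrary; the point is that prevalence and exploitability, not the base score alone, decide the order.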
In this report, we provide an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. We analyze vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight vulnerabilities that security practitioners are dealing with in practice – not just in theory.
This report also introduces the Top 20 Vulnerabilities Chart, providing insight into the most prevalent vulnerabilities across different technologies in enterprise environments. The chart harnesses real-world telemetry data to determine which vulnerabilities are actually present in enterprise environments, rather than merely listed in vulnerability databases, and so provides a more reliable window into the true state of the vulnerability population.