Researchers have found that 25% of high-risk vulnerabilities were exploited on the same day they were published.
In a research blog published Tuesday, Qualys researchers identified several trends tied to the Common Vulnerabilities and Exposures (CVEs) released over the past year. Along with the speed with which attackers pounced on known bugs, the report noted that 97 of the high-risk vulnerabilities reported so far in 2023 that were likely exploited never made it into CISA's Known Exploited Vulnerabilities (KEV) catalog.
“The rapid exploitation of vulnerabilities, especially within the same day of their disclosure, is a substantial concern,” said Saeed Abbasi, manager, vulnerability research at Qualys. “It leaves organizations minimal time to react and patch these vulnerabilities, increasing the risk of breaches and cyberattacks. This trend stresses the critical need for proactive and efficient vulnerability management strategies.”
Here are some top takeaways from Qualys:
- Less than 1% of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
- One-third of high-risk vulnerabilities impacted network devices and web applications.
- The top three MITRE ATT&CK tactics were exploitation of remote services, exploitation of public-facing applications, and exploitation for privilege escalation.
“Our research shows that vulnerabilities threat actors can weaponize are highly prized commodities,” said Abbasi. “Thus, whenever a vulnerability is identified that can be easily exploited and impacts a wide range of popularly deployed systems, attackers are quick to capitalize on them.”
John Gallagher, vice president at Viakoo Labs, added that, based on the findings of the Qualys report, organizations need to assess their strategies for threat mitigation and remediation. Gallagher said threats are growing in volume and velocity, making automation critical for organizations to reduce their mean time to exploitation.
“A defense-in-depth or layered security approach is needed to address the 25% of vulnerabilities that are exploited on the day of their publication,” said Gallagher. “Most organizations lack automation to apply patches that fast, especially in IoT environments where patching may be more complex than for IT systems.”
Gallagher said security teams should also follow best practices to stop lateral movement and remote code execution across the organization: ensure the organization has effective network segmentation that takes into account all devices and applications; have methods to automate patching and password rotation across fleets of devices; and look to extend zero trust to all network-connected systems.