Exploited CVEs increased by a fifth in 2024, according to analysis by VulnCheck, with increased transparency and improved monitoring playing a role. Still, proactive measures are vital.

Almost one in four (24%) known exploited vulnerabilities discovered last year were abused on or before the day their CVEs were publicly disclosed.
A study by exploit and vulnerability specialists VulnCheck identified 768 CVEs that were publicly reported as exploited in the wild for the first time last year, an increase of 20% from the 639 CVEs confirmed as first exploited during 2023.
Although around a quarter of vulnerabilities are hit before a patch is available, the majority get abused long after a security fix comes out. Around half of vulnerabilities are first exploited within 192 days of patching, but many are hit months or even years after patching. For example, after 1,000 days — close to three years — only around 75% of the vulnerabilities that eventually come to be exploited have been hit.
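The figures above are cumulative time-to-exploitation statistics. As an added illustration (not code from VulnCheck's study or from the article), the script below computes the same kind of figures, the share hit on or before disclosure, the share hit before any fix existed, and how exploitation is distributed after a patch ships, from a small constructed set of records; the record shape, the placeholder ids and every date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

@dataclass(frozen=True)
class ExploitedCve:  # one known-exploited vulnerability
    cve_id: str               # placeholder ids, not real CVE numbers
    disclosed: date           # day the CVE became public
    patched: Optional[date]   # day a fix shipped; None if no fix exists
    first_exploited: date     # earliest reported in-the-wild exploitation

# Constructed sample (not VulnCheck data) covering the cases the article describes: hit before
# disclosure, on disclosure day, with no patch, and weeks/months/years after the fix.
SAMPLE = [
    ExploitedCve("EX-0001", date(2024, 1, 10), date(2024, 1, 12), date(2024, 1, 8)),
    ExploitedCve("EX-0002", date(2024, 2, 1), date(2024, 2, 1), date(2024, 2, 1)),
    ExploitedCve("EX-0003", date(2024, 3, 5), date(2024, 3, 5), date(2024, 3, 25)),
    ExploitedCve("EX-0004", date(2024, 4, 1), date(2024, 4, 1), date(2024, 7, 10)),
    ExploitedCve("EX-0005", date(2023, 6, 15), date(2023, 6, 20), date(2024, 1, 15)),
    ExploitedCve("EX-0006", date(2021, 9, 1), date(2021, 9, 1), date(2024, 9, 1)),
    ExploitedCve("EX-0007", date(2024, 5, 20), None, date(2024, 5, 22)),
    ExploitedCve("EX-0008", date(2024, 6, 1), date(2024, 6, 3), date(2024, 6, 30)),
]

def zero_day_share(records: List[ExploitedCve]) -> float:
    """Fraction exploited on or before the public disclosure date."""
    return sum(r.first_exploited <= r.disclosed for r in records) / len(records)

def pre_patch_share(records: List[ExploitedCve]) -> float:
    """Fraction exploited before any fix was available."""
    early = [r for r in records if r.patched is None or r.first_exploited < r.patched]
    return len(early) / len(records)

def days_after_patch(records: List[ExploitedCve]) -> List[int]:
    """Sorted days from fix availability to first exploitation (CVEs hit on/after patch day)."""
    return sorted((r.first_exploited - r.patched).days for r in records
                  if r.patched is not None and r.first_exploited >= r.patched)

def share_exploited_within(records: List[ExploitedCve], days: int) -> float:
    """Cumulative share of post-patch exploitations that occurred within `days` of the fix."""
    deltas = days_after_patch(records)
    return sum(d <= days for d in deltas) / len(deltas)

def summarize(records: List[ExploitedCve]) -> dict:
    """The headline figures the article quotes, computed for any record set."""
    return {"zero_day_share": zero_day_share(records),
            "pre_patch_share": pre_patch_share(records),
            "median_days_after_patch": median(days_after_patch(records)),
            "share_within_192_days": share_exploited_within(records, 192)}
```

Feeding a real known-exploited-vulnerability feed into the same functions shows which share of your exposure is un-patchable zero-day risk versus long-tail patch lag, which is the distinction the article draws.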
VulnCheck’s study is based on data from 100 sources, including security companies, government agencies, and nonprofits such as Shadowserver.
Greater transparency about vulnerabilities
The increase in CVE disclosures from sources across various industries helps to (at least partly) explain the increase in exploited vulnerabilities recorded between successive annual editions of VulnCheck’s study.
“The reported increase is in part a combination of both a rise in exploitations and more data sources,” according to VulnCheck. “There is greater visibility related to exploitations because more organizations, vendors, and security research teams are reporting exploitations and publicly disclosing evidence.”
Matthias Held, technical program manager at Bugcrowd, also noted this trend: “Companies are increasingly recognizing their cybersecurity responsibilities, leading to greater transparency regarding vulnerabilities. The sheer volume of publicly disclosed CVEs is undoubtedly contributing to this trend, potentially making a more accurate representation of the actual impact on exploitable systems.”
Wordfence disclosures are a component of VulnCheck’s research, so figures on attacks against WordPress are a significant part of the mix. WordPress is a major target for exploitation because it powers an estimated 40% of websites, so this is likely to have an inflationary effect on VulnCheck’s annual exploitation figures, according to Held.
“The number [of vulnerabilities] will rise by the sheer easy exploitability of web apps running on vulnerable versions [of WordPress],” Held said.
In addition, more companies are now CNAs (CVE Numbering Authorities). With more organizations issuing CVEs, the rate of their publication is naturally bound to increase over time.
“I believe this data serves as a stark reminder that we need to prioritize robust vulnerability management strategies across all organizations, including comprehensive threat intelligence sharing initiatives and real-time attack mitigation efforts,” Held concluded.
Building the case for proactive security
Boris Cipot, senior security engineer at software composition analysis firm Black Duck, said that several factors contribute toward the rise in exploited vulnerabilities, including improvements in monitoring.
“The software we use may simply contain more vulnerabilities, or these vulnerabilities are being reported and discovered more effectively,” Cipot said. “Some vulnerabilities remain unpatched for extended periods, giving attackers more time to exploit them.”
The impact of exploited vulnerabilities, regardless of their cause, highlights the need for proactive security measures.
“Organizations must invest in observability tools that monitor their environments and detect suspicious activity,” Cipot said. “Adopting a zero trust approach can further enhance security by limiting access and reducing risk.”
Kevin Robertson, CTO of Acumen Cyber, said the research highlighted how the timeframe needed for organizations to apply patches is shortening.
“While the findings indicate a rise in actively exploited CVEs, this trend is likely driven by the growing reliance on third-party software,” Robertson said. “Modern enterprises depend heavily on third-party applications and services, which expands the potential attack surface.”
Robertson advised: “As organizations increasingly integrate third-party software into their environments, proactive vulnerability management must be embedded into their security strategies.”
Compromised credentials rather than bugs blamed for more breaches
Other vendors quizzed by CSO were keen to downplay the significance of vulnerabilities as a vector in security breaches, arguing that compromised credentials were a much bigger factor.
Rapid7 said it had seen vulnerability exploitation decrease year over year as an initial access vector in 2024, amid a surge in social engineering and the increasing abuse of leaked credentials to break into remote systems with weak or absent security controls.
“Notably, a number of the incidents Rapid7 teams observed in 2024 where vulnerability exploitation was initially thought to be in scope turned out to instead stem from adversaries’ use of compromised credentials, rather than CVE exploitation,” Caitlin Condon, director of vulnerability intelligence at Rapid7, told CSO.
Where vulnerabilities did lead to breaches, according to Rapid7’s managed detection and response (MDR) team, this resulted from older bugs rather than 0-days.
“A slim majority of vulnerabilities Rapid7 MDR and incident response teams saw exploited in real-world production environments last year were CVEs that were new in 2024 and had known exploits available,” Condon told CSO. “The rest of the confirmed CVE exploitation our teams observed against production systems were older vulnerabilities that had previously been used in highly publicized threat campaigns.”
Most vulnerabilities Rapid7 MDR confirmed as exploited in the wild in 2024 targeted file transfer applications and network edge devices, irrespective of whether those vulnerabilities had previously been exploited or not, Condon said.