Effective vulnerability management is about knowing what you own and prioritizing what you need to fix. A new research report shows that millions of organizations are failing at those critical cybersecurity practices.
Researchers at cybersecurity firm Rezilion found more than 15 million instances in which systems are vulnerable to the 896 flaws listed in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog.
Tens of thousands of new security vulnerabilities are discovered each year; the value of CISA’s KEV catalog is that it helps organizations prioritize the software and firmware flaws that threat groups are actively exploiting — and many of those exploited flaws are older ones that users have failed to apply patches for. The Rezilion report is the latest evidence that practices like IT asset management and patch management are critical cybersecurity processes that organizations need to be better at.
Most of the vulnerable instances Rezilion found involve Microsoft Windows, which accounts for 137 of the KEV vulnerabilities, followed by Adobe Flash Player (29 vulnerabilities) and Microsoft Internet Explorer (24).
While the flaws in the KEV Catalog comprise less than 1 percent of the vulnerabilities discovered each year, Rezilion notes, those flaws are often the most actively exploited by APT groups and other threat actors, many of them linked to nation states including Russia, Iran, China, and North Korea.
The top flaws in terms of ongoing exploitation attempts in the last 30 days include the following:
- CVE-2022-26314 (816 attempts) – a critical vulnerability in the Mendix Forgot Password Appstore module
- CVE-2021-44228 and CVE-2021-45046 (66 attempts) – a pair of critical flaws in Apache Log4j, aka Log4Shell
- CVE-2019-2725 (46 attempts) – a critical vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
- CVE-2021-41773 (46 attempts) – a vulnerability in Apache HTTP Server
- CVE-2021-26084 (32 attempts) – a critical flaw in Confluence Server and Data Center
“Despite the availability of patches for these vulnerabilities, millions of systems remain exposed to attacks,” Yotam Perkal, Rezilion director of vulnerability research, said in a statement. “This leaves organizations vulnerable to exploitation from threat actors and Advanced Persistent Threat (APT) groups who often target publicly known vulnerabilities.”
How Organizations Should Respond
Rezilion recommends taking two key steps to respond to these threats:
- Identify which vulnerabilities are actually exploitable through runtime validation. Since most vulnerable code is never loaded into memory or executed, Rezilion says this step eliminates 85 percent of the initial backlog.
- Use the CISA KEV catalog or other threat intelligence sources as part of an ongoing vulnerability management strategy to identify vulnerabilities that require immediate patching as attackers exploit them.
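The two steps above, as an added illustration that is not part of the Rezilion report or CISA's own tooling: scanner findings are first filtered to components a runtime agent reports as loaded, then cross-referenced against the KEV catalog and ordered by the catalog's remediation due date. The catalog field names follow CISA's public KEV JSON feed, but the sample entries, due dates, hostnames and the "loaded" flags are constructed for the example.

```python
"""Prioritise scanner findings the way the article suggests:
1. keep only findings whose vulnerable component is loaded at runtime,
2. flag those listed in the CISA KEV catalog, most overdue first."""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the feed; the dueDate values here are illustrative only.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2021-41773", "vendorProject": "Apache",
         "product": "HTTP Server", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2019-2725", "vendorProject": "Oracle",
         "product": "WebLogic Server", "dueDate": "2022-06-06"},
        {"cveID": "CVE-2021-26084", "vendorProject": "Atlassian",
         "product": "Confluence Server and Data Center", "dueDate": "2022-03-08"},
    ],
})

# Constructed scanner output; "loaded" is what a runtime-validation agent would report.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-2021-44228", "loaded": True},
    {"host": "web-01", "cve": "CVE-2021-41773", "loaded": True},
    {"host": "app-02", "cve": "CVE-2019-2725", "loaded": False},  # present on disk, never loaded
    {"host": "wiki-03", "cve": "CVE-2021-26084", "loaded": True},
    {"host": "wiki-03", "cve": "CVE-2020-9999", "loaded": True},  # placeholder id, not in KEV
]


def load_kev(raw):
    """Map cveID -> catalog entry from the KEV JSON text."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return findings that are both runtime-loaded and in KEV, earliest due date first."""
    urgent = []
    for f in findings:
        entry = kev.get(f["cve"])
        if not f["loaded"] or entry is None:
            continue  # step 1 drops unloaded code, step 2 drops non-KEV CVEs
        due = date.fromisoformat(entry["dueDate"])
        urgent.append({**f, "product": entry["product"], "due": due,
                       "overdue_days": (today - due).days})
    return sorted(urgent, key=lambda u: u["due"])


if __name__ == "__main__":
    for u in prioritize(FINDINGS, load_kev(KEV_SAMPLE), date(2023, 4, 1)):
        print(f"{u['host']:8} {u['cve']:15} {u['product']:34} {u['overdue_days']:4} days overdue")
```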
“It is crucial that organizations prioritize patching vulnerabilities that have already been exploited in the wild,” Perkal said. “The KEV catalog provides an excellent starting point for this. Combined with runtime validation it narrows down huge backlogs to a handful of patches that must be applied as quickly as possible.”
CISA Launches Anti-Ransomware Programs
Separately, CISA recently introduced two programs, the Ransomware Vulnerability Warning Pilot (RVWP) and the Pre-Ransomware Notification Initiative, to help organizations protect themselves from ransomware threats.
The RVWP is designed to identify vulnerabilities associated with ransomware exploitation and warn critical infrastructure entities with those vulnerabilities. At its launch, the RVWP notified 93 organizations that were exposed by ProxyNotShell.
“The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations,” CISA executive assistant director for cybersecurity Eric Goldstein said in a statement.
The Pre-Ransomware Notification Initiative focuses instead on intrusions, warning organizations about potential early-stage ransomware activity.
“Although we’re in the early days, we’re already seeing material results: since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred,” CISA said in a statement.