2023 Vulnerability Statistics Report
8th Edition
Table of Contents
Introduction .......................................................................... 03
2022 Year in Review ................................................................. 04
Report Synopsis ...................................................................... 06
Risk Density ......................................................................... 08
Web Applications - Critical Severity Vulnerabilities ................................. 09
Web Applications - High Severity Vulnerabilities ..................................... 10
Web Applications - Medium Severity Vulnerabilities ................................... 11
API - Critical and High Severity Vulnerabilities ..................................... 12
Vulnerability Severity - EPSS, CISA KEV, and EVSS .................................... 14
Internet Facing Vulnerabilities - Critical Severity .................................. 15
Internet Facing Vulnerabilities - High Severity ...................................... 16
Non-Internet Facing Vulnerabilities - Critical Severity .............................. 17
Non-Internet Facing Vulnerabilities - High Severity .................................. 19
Most Common Vulnerabilities listed on the CISA KEV ................................... 20
Highest Probability of Exploitation (EPSS) - Internet Facing ......................... 21
Highest Probability of Exploitation (EPSS) - Non-Internet Facing ..................... 22
Attack Surface Management (ASM) - Exposure Landscape ................................. 23
Mean Time to Remediate (MTTR) - Time it takes to fix Vulnerabilities across the Full Stack ... 25
MTTR by Industry - Mean Time to Remediate Vulnerabilities ............................ 26
Risk Accepted ........................................................................ 27
CISA KEV ............................................................................. 29
Vulnerability Age .................................................................... 31
Vulnerability Clustering ............................................................. 32
Vulnerability Backlog ................................................................ 33
Conclusions .......................................................................... 34
Why Edgescan - What makes us tick .................................................... 35
Glossary ............................................................................. 39
Introduction

Welcome to the 8th edition of the Edgescan Vulnerability Stats Report 2023. This report demonstrates the state of full stack security based on thousands of security assessments and penetration tests on millions of assets that were performed globally from the Edgescan Cybersecurity Platform in 2022.

We split our statistical models across layers of the technology stack (Full Stack) such as Web Application, API, and Device/Host layers. Additionally, we make a distinction in the data for four tiers of business sizes based on employee count and a distinction between internet facing and internally facing assets.
“Fear cuts deeper than swords” - George R.R. Martin, A Game of Thrones
Report Synopsis

Non-internet facing systems have a significant risk density.
• Our data indicates internal systems are less hardened than Internet facing systems (which is no surprise) and many feature prominently exploitable applications like Mozilla Firefox and Adobe with multiple CVEs that are listed on the CISA KEV. For example, the Adobe vulnerabilities commonly found are listed on the CISA KEV and have an EPSS score of 86%.
• This “target rich environment” allows threat actors to easily pivot within a local network post initial access (breach) at the perimeter.
• So-called “Shift-Left” security does not take into account the live environment on which systems are deployed, resulting in undetected weaknesses in the overall network of systems. Systems being assessed in a “lab” environment are not reflective of the risks when deployed on the public Internet.

Mean Time To Remediation (MTTR) for Critical Severity vulnerabilities is 65 days (across the full stack). While this result is similar to previous years, industry reports estimate that adversaries are now able to exploit a vulnerability within 15 days (on average) of discovery [1].

One third of all vulnerabilities across the full stack discovered in 2022 were either High or Critical Severity.
• While credential theft and stuffing is the most common mechanism for exploitation and phishing is second, exploiting vulnerabilities is the third most common vector to breach an organisation (according to the Verizon DBIR). CISA recommends fixing critical severity vulnerabilities within 15 days and high severity vulnerabilities within 30 days. Both secure development and continuous monitoring need improvement, given that many of the high and critical severity issues seen in live environments are trivial to remediate.

The most common application layer vulnerabilities are still Injection related; this also applies to APIs.
• We are still seeing vulnerabilities which are not particularly new or exotic, but are widespread and very effective in terms of successful breach. Many injection related vulnerabilities can be easily detected using automation if applied on a frequent basis and, importantly, if assessment coverage can be assured.

CISA KEV and EPSS combined are very useful in moving towards Risk Based Vulnerability Management (RBVM).
• Our report notes instances when EPSS and CISA KEV do not align. A CVSS score alone does not provide adequate metadata to help make risk based decisions. A combination of CVSS, EPSS, CISA KEV, and security validation is required to deliver risk based prioritization [2].

Prioritization needs to take into account the criticality of the asset.
• Given limited resources, proper prioritization is key to success, as noted in the report. Additionally, asset criticality must be a factor in the prioritization calculus. Understanding which assets are business critical and combining that information with vulnerability scoring information is an indicated path to achieving true Risk Based Vulnerability Management.

Convergence of Vulnerability Management and Penetration Testing output is highly effective.
• Cybersecurity is perhaps more of a qualitative than a quantitative effort. When identifying vulnerabilities in systems it is necessary to prioritize risks. However, prioritization alone is not sufficient, as we see when we layer in exploitability metrics with EPSS and EVSS, or when we also take into account asset value. Another level of validation needs to occur (like quality assurance of software releases) and that is essentially what penetration testing provides. Penetration testing is the qualitative proof for security controls, or for exploitable vulnerabilities that should be remediated immediately.
• Combining intelligence harvested from both manual penetration testing (for depth) and vulnerability scanning (for frequency) – different means to the same end – can significantly help with prioritization and identification of risks.

Oddly, many “PCI Fails” are essentially “false flags”: not listed on the CISA KEV and without a high EPSS probability score.
• A PCI compliance failure may occur because a CVE has a CVSS score above 4.0, without having any known exploits in the wild or impact on real world security via penetration test validation.
• This leads us to conclude that Compliance and Security are certainly not the same. And unfortunately, compliance may be creating more harm than good by distracting from the real work of RBVM.

[1] https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-RemediateVulnerabilitiesforInternetAccessibleSystems_S508C.pdf
[2] https://www.cisa.gov/known-exploited-vulnerabilities, https://www.first.org/epss/, https://nvd.nist.gov/vuln-metrics/cvss
“Those who ignore Statistics are condemned to reinvent it” - Bradley Efron
Risk Density

The following is a breakdown of vulnerabilities by severity, discovered across the full stack: Web Applications, APIs and Network/Host deployments. Severity is defined via the Edgescan Validated Security Score (EVSS). Later in the report we draw upon CVSS, CISA KEV and EPSS risk and probability scores.

Across the full stack more than 33% of discovered vulnerabilities were of a critical or high severity.

35.5% of discovered vulnerabilities in the infrastructure/hosting/cloud/network layer were of a critical or high severity.

Across the Web application and API layers 12% of discovered vulnerabilities were of a critical or high severity.

54% of PCI failures were of medium severity. Research indicates that such vulnerabilities will never be exploited, albeit they result in a PCI DSS compliance fail.
Web Applications - Critical Severity Vulnerabilities

The Application Security Critical Severity Top 10 depicts the most common critical risk issues discovered by Edgescan over the past year. SQL Injection is still the main contender (as it was in the 2022 report), which is interesting to note, as we can easily develop code (or block vectors) to mitigate such attacks. Detection of such vulnerabilities is also trivial using the correct techniques.

Something which is overlooked quite frequently is “malicious file upload” at 22.7% of all critical vulnerabilities discovered. This can give rise to ransomware, malware and internal network breach pivot points for attackers.

Log4Shell (first discovered in late 2022) contributed 5% of all critical severity vulnerabilities discovered this year. Authorization issues cover privilege escalation or access to restricted functionality which would result in a data breach.

The most commonly found critical severity vulnerabilities across the application/web layer are listed below. “Critical Severity” vulnerabilities are defined by the Edgescan Validated Security Score (EVSS), which is a combination of analytics and expert validation.

23.4%  CWE-89  SQL injection  (On CISA KEV: Yes)
  SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

22.7%  CWE-434  Malicious File Upload
  Uploaded viruses and malware could later be downloaded by users of the application. Such malware can cause partial or complete compromise of a network that the host resides on.

19.1%  CWE-79  Cross-Site Scripting (Stored)
  Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

7.8%  CWE-285  Authorization Issue - Privilege Bypass
  Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or performing a business function outside the user's limits.

7.1%  CWE-264  PHP Multiple Vulnerabilities  (CVE-2012-2688, CVE-2012-3365)
  Multiple vulnerabilities pertaining to PHP patching.

5%  CWE-917  Log4Shell  (CVE-2021-44228, On CISA KEV: Yes)
  A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.

4.3%  CWE-94  Spring4Shell  (CVE-2022-22965, On CISA KEV: Yes)
  This is a remote code execution (RCE) vulnerability via data binding.

1.4%  CWE-521  Weak Password Policy
  Poor password controls such as no MFA, default credentials etc.

1.4%  CWE-200  Database Console Exposure
  The database console was accessible, and provides access to privileged functionality which should not be accessible, except by authorized users or networks. Access to the console could allow a malicious actor to execute SQL statements on the server.

1.4%  CWE-35  File Path Traversal  (CVE-2012-2688, CVE-2012-3365)
  This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Web Applications - High Severity Vulnerabilities

Broken Authentication/Brute forcing possible (14.7%) is high on the list for 2022. This relates to misconfigured or broken logic, username enumeration or insecure authentication functionality. Deserialization of Untrusted Data has also increased since 2021 (3.2%) to 9.4%. As ever, Cross-Site Scripting - XSS (Reflected) at 12.9% is a common

The most commonly found high severity vulnerabilities across the application/web layer are listed below. “High Severity” vulnerabilities are defined by the Edgescan Validated Security Score (EVSS), which is a combination of analytics and expert validation.

9.8%  CWE-643, CWE-91  XML External Entity Injection (XXE)
  XML injection which resulted in application compromise or forced the application to perform functions not intended.

8.5%  CWE-285  Insufficient Authorization
  Access control enforces policy such that users cannot act outside of their intended permissions. Applications were found with insufficient controls leading to unauthorized access of data or functionality.

7.6%  CWE-200  Administrative Functionality Exposed
  Administrator consoles provide access to privileged functionality which should not be internet-accessible, except by authorized hosts or networks. Such web pages occasionally suffer from known security weaknesses and must themselves be patched regularly. Password based attacks could also be used and, if successful, aid an attacker in compromising this host.

5.4%  CWE-434  Malicious File Upload
  Uploaded viruses and malware could later be downloaded by users of the application. Such malware can cause partial or complete compromise of a network that the host resides on.

3.1%  CWE-77  Remote Command Injection
  The application constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

3.1%  CWE-1329  Unsupported/Deprecated System
  An application component is no longer supported. If the component is discovered to contain a vulnerability or critical bug, the issue cannot be fixed using an update or patch.
Web Applications - Medium Severity Vulnerabilities

Server-side Request Forgery (SSRF) was significant, allowing attackers to interact with arbitrary external resources. Cross-Site Scripting - XSS (reflected) at 19.1% is a common vulnerability whose prevalence does not seem to wane.

The most commonly found medium severity vulnerabilities across the application/web layer are listed below. “Medium Severity” vulnerabilities are defined by the Edgescan Validated Security Score (EVSS), which is a combination of analytics and expert validation.

19.1%  CWE-79, CWE-725  Cross-Site Scripting - XSS (reflected)
  Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

18.2%  CWE-918  Server-Side Request Forgery
  SSRF is an attack that abuses an application to interact with a privileged network or the server itself.

10.4%  CWE-942  HTML5 Cross-Origin Resource Sharing
  CORS, when misconfigured, can enable an attacker to bypass it and make the client browser act as a proxy between a malicious website and the target web application.

7.6%  CWE-204  User Enumeration
  When a failed log-in attempt is made, enumeration of the username can occur if the server returns a non-generic response.

6.8%  CWE-643, CWE-91  XPath Injection
  Similar to SQL Injection, XPath Injection attacks occur when a website uses user-supplied information to construct an XPath query for XML data.

3.4%  CWE-521  Weak Password Policy
  Poor password controls such as no MFA, default credentials etc.

3%  CWE-419, CWE-284  Administrative Interface Exposed
  Administrator consoles provide access to privileged functionality which should not be internet-accessible, except by authorized hosts or networks. Such web pages occasionally suffer from known security weaknesses and must themselves be patched regularly. Password based attacks could also be used and, if successful, aid an attacker in compromising this host.

2.9%  CWE-601  Open Redirection
  Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect to an arbitrary location.

2.5%  CWE-200  Information Disclosure
  The application exposed unnecessary sensitive information. Types of information considered sensitive include: internal IP addresses, physical paths on the host, detailed platform information, domain information, etc.

2%  CWE-613  Insufficient Session Timeout
  Insufficient session expiration by the web application increases the exposure to other session-based attacks.

1.8%  CWE-644  Host Header Injection
  Without proper validation of the host header, an application is vulnerable to a number of types of attack.

1.8%  CWE-1104, CWE-1329  Vulnerable Wordpress Version
  The version of Wordpress deployed is known to be vulnerable.
API - Critical and High Severity Vulnerabilities

27.3%  CWE-79, CWE-725 / API8:2019  Injection Attacks
  SQL, NoSQL, LDAP, OS Injections, Code Injections, ORM based vulnerabilities, parsers such as XML, traversal based attacks.

19.2%  CWE-770 / API4:2019  Lack of Resources and Rate Limiting
  The API does not restrict the number or frequency of requests from a particular API client. This can be abused to make thousands of API calls per second, or request hundreds or thousands of data records at once, resulting in a Denial of Service condition. This weakness also enables arbitrary scraping of other parties' APIs and violates fair usage agreements.

15.3%  CWE-287 / API2:2019  Broken Authentication
  Weak authentication allowing compromise of authentication tokens or exploitation of common implementation flaws to assume other users' identities or bypass authentication completely. Compromising the system's ability to identify the client/user compromises API security overall.
“You control your own wins and losses” - Maria Sharapova
Vulnerability Severity
EPSS, CISA KEV, and EVSS
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is an open, data-driven
effort for estimating the likelihood (probability) that a software
vulnerability will be exploited in the wild. The EPSS model produces a
probability score between 0 and 1 (0 and 100%). The higher the score,
the greater the probability that a vulnerability will be exploited.
https://www.first.org/epss/
Internet Facing Vulnerabilities - Critical Severity

% | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS
3.0% | Apache Multiple Log4j Vulnerabilities (Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095
1.5% | PHP < 7.4.33, 8.0.x < 8.0.25, 8.1.x < 8.1.12 Security Update | 9.8 | CVE-2022-31630, CVE-2022-37454 | CWE-125, CWE-190 | FALSE | | 0.03806
1.5% | PHP Multiple Vulnerabilities (Feb 2019) - Windows | 9.8 | CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024 | CWE-125, CWE-416 | FALSE | | 0.02686
The mapping between CVSS, CISA KEV and EPSS is important to note. CISA KEV and EPSS do not appear to be aligned 100% of the
time. High CVSS scores do not necessarily mean remediation is considered high priority. Some CISA KEV vulnerabilities have a low EPSS
score. Conclusion: we need multiple viewpoints to determine priority.
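The report's argument that CVSS, EPSS, CISA KEV and asset criticality have to be read together, and its observation that many "PCI fails" are neither on the KEV nor high EPSS, can be made concrete with a small prioritisation routine. This is an added example, not Edgescan platform code; the tier names, the EPSS thresholds (0.5 and 0.05) and the per-asset exposure/criticality flags are assumptions, while the CVE scores are the ones printed in this report and the 15- and 30-day targets are the CISA recommendations the report cites.

```python
"""Risk-based prioritisation combining CVSS, EPSS, CISA KEV and asset context.

Added worked example; not Edgescan code. Tier names, EPSS thresholds and the
asset flags are assumptions for illustration. CVE scores are those quoted in
the report; the 15/30-day targets follow the CISA guidance it cites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float              # CVSS base score, 0-10
    epss: float              # EPSS probability, 0-1
    on_kev: bool             # listed in the CISA Known Exploited Vulnerabilities catalogue
    internet_facing: bool    # assumed: from the asset inventory
    business_critical: bool  # assumed: asset-criticality flag


# Assumed thresholds: EPSS >= 0.5 treated as "likely exploited", < 0.05 as "unlikely".
EPSS_HIGH = 0.5
EPSS_LOW = 0.05
PCI_FAIL_CVSS = 4.0  # PCI DSS scan-failure threshold mentioned in the report

# Remediation targets per tier in days; P1/P2 follow CISA's 15/30-day guidance,
# P3 is an assumed internal target, P4 is scheduled work with no fixed target.
SLA_DAYS = {"P1": 15, "P2": 30, "P3": 90, "P4": None}


def priority(f: Finding) -> str:
    """Assign a tier from the strongest evidence of exploitation downwards.

    Known exploitation (KEV) outranks predicted exploitation (EPSS), which
    outranks the CVSS base score; exposure and criticality can raise a tier.
    """
    if f.on_kev:
        return "P1"
    if f.epss >= EPSS_HIGH:
        return "P1" if (f.internet_facing or f.business_critical) else "P2"
    if f.cvss >= 9.0:
        return "P2" if f.business_critical else "P3"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def is_pci_false_flag(f: Finding) -> bool:
    """A PCI 'fail' (CVSS > 4.0) with neither known nor likely exploitation."""
    return f.cvss > PCI_FAIL_CVSS and not f.on_kev and f.epss < EPSS_LOW


def rank(findings: list[Finding]) -> list[Finding]:
    """Order by tier, then by EPSS and CVSS descending within a tier."""
    return sorted(findings, key=lambda f: (priority(f), -f.epss, -f.cvss))


def report(findings: list[Finding]) -> list[tuple]:
    """Rows of (cve, tier, sla_days, pci_false_flag) in remediation order."""
    return [
        (f.cve, priority(f), SLA_DAYS[priority(f)], is_pci_false_flag(f))
        for f in rank(findings)
    ]


# Sample findings constructed from scores printed in this report; the
# internet_facing / business_critical flags are assumed.
SAMPLE = [
    # Log4Shell: CVSS 10, EPSS 0.97, on the KEV
    Finding("CVE-2021-44228", 10.0, 0.97095, True, True, True),
    # OpenSSL ChangeCipherSpec MiTM: not on the KEV, yet EPSS 0.95
    Finding("CVE-2014-0224", 7.4, 0.95231, False, True, False),
    # Oracle Java SE update: CVSS 10 but EPSS below 1%, internal host
    Finding("CVE-2019-2699", 10.0, 0.00954, False, False, False),
    # OpenSSH command injection: CVSS 7.8, EPSS below 2%
    Finding("CVE-2020-15778", 7.8, 0.01787, False, True, False),
]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Note that CVE-2014-0224 lands in the top tier on EPSS alone, while the CVSS 10 Oracle Java finding drops to P3 and is flagged as a PCI false flag, which is the mismatch the report describes.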
Internet Facing Vulnerabilities - High Severity

% | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS
5% | OpenSSH <= 8.6 Command Injection Vulnerability | 7.8 | CVE-2020-15778 | CWE-78 | FALSE | | 0.01787
4% | OpenSSH < 8.1 Integer Overflow Vulnerability | 7.8 | CVE-2019-16905 | CWE-190 | FALSE | | 0.01864
1% | nginx <= 1.21.1 Information Disclosure Vulnerability | 7.5 | CVE-2013-0337 | CWE-264 | FALSE | | 0.01018

Microsoft vulnerabilities CVE-2022-41040 and CVE-2022-41082 were uncommon at 1% but are listed on the CISA KEV. The OpenSSL ‘ChangeCipherSpec’ MiTM Vulnerability CVE-2014-0224 has an EPSS score of 95% but is again an uncommon vulnerability at 1% and is not listed on the CISA KEV.
Non-Internet Facing Vulnerabilities - Critical Severity

Highlights: critical severity vulnerabilities not exposed to the public.

Oracle Java SE Security Updates (apr2019-5072813) - Windows (0.9%): CVE-2019-2699, CVSS 10, EPSS 0.00954, On CISA KEV: False
Apache Tomcat AJP RCE Vulnerability (Ghostcat) (0.7%): CVE-2020-1938, CWE-269, CVSS 9.8, EPSS 0.96554, On CISA KEV: True
Adobe Flash Player Various Vulnerabilities (3.2%): CVSS 10
Mozilla Firefox Security Updates (mfsa2022-24) - Windows: CVE-2022-30190, On CISA KEV: False
Windows IExpress Untrusted Search Path Vulnerability (3.0%): CVE-2022-41060, CVE-2022-41061, CVE-2022-41063, CVE-2022-41103, CVE-2022-41104, CVE-2022-41105, CVE-2022-41106, CVE-2022-41107; CVSS 7.8, EPSS 0.04475, On CISA KEV: False
Highest Probability of Exploitation (EPSS) - Internet Facing

The highest probability (of attack) vulnerabilities discovered on public Internet facing systems last year, based on the EPSS probability score, which provides a value between 0.0 – 1.0 (0 = 0%, 1 = 100% probability of attack).

The most common of the top EPSS vulnerabilities discovered was CVE-2014-0224, OpenSSL ‘ChangeCipherSpec’ MiTM Vulnerability, at 29% with an EPSS score of 95%. The Log4j vulnerability (Log4Shell), CVE-2021-44228, had the highest EPSS score at 97%, and was also discovered in last year's report.

% | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS
29% | OpenSSL 'ChangeCipherSpec' MiTM Vulnerability | 7.4 | CVE-2014-0224 | CWE-326 | FALSE | | 0.95231
21% | Wowza Streaming Engine < 4.8.17 Multiple Log4j Vulnerabilities (Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095
16% | MobileIron Core Multiple Log4j Vulnerabilities (Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095
8% | Apache HTTP Server < 2.4.49 Multiple Vulnerabilities - Windows | 9.8 | CVE-2021-34798, CVE-2021-39275, CVE-2021-40438 | CWE-476, CWE-787, CWE-918 | TRUE | CVE-2021-40438 | 0.97224

The above is a list of the most common high probability vulnerabilities discovered on Internet facing systems in the 12 months to December 2022.

The most common vulnerability (OpenSSL MiTM) at 29% has an EPSS score of 0.95 and a CVSS score of 7.4 but is not listed in the CISA catalogue.
Highest Probability of Exploitation (EPSS) - Non-Internet Facing

% | Name | CVSS | CVE | CWE | On CISA KEV | CVE on CISA KEV | EPSS
33% | VMware vCenter Server 6.5, 6.7, 7.0 Multiple Log4j Vulnerabilities (VMSA-2021-0028, Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095
28% | Apache HTTP Server < 2.4.49 Multiple Vulnerabilities - Windows | 9.8 | CVE-2021-34798, CVE-2021-39275, CVE-2021-40438 | CWE-476, CWE-787, CWE-918 | TRUE | CVE-2021-40438 | 0.97224
19% | Elastic Elasticsearch Multiple Log4j Vulnerabilities (ESA-2021-31, Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095
2% | FedEx Ship Manager 340x - 3508 Multiple Log4j Vulnerabilities (Log4Shell) | 10 | CVE-2021-44228, CVE-2021-45046 | CWE-20, CWE-400, CWE-502 | TRUE | CVE-2021-44228 | 0.97095

The above depicts the vulnerabilities with the highest EPSS (probability) and the associated % of occurrence which were discovered in 2022.

Both EPSS and CISA KEV are aligned (both high probability and listed in the catalogue) as per the matrix above.
Attack Surface Management (ASM) - Exposure Landscape

Based on a sample of continuous scans, the below describes the systems discovered (ports such as http 80 and https 443 are excluded). The chart ranks exposed ports/services by the number of occurrences discovered; the table gives the protocol and notes for each.

# | Port | Protocol | Notes
1 | 22 | SSH | Exposed remote access service. There were 90 CVEs reported relating to SSH in 2022.
2 | 8443 | HTTP | Potential pre-production web service.
3 | 8080 | HTTP | Potential pre-production web application.
4 | 179 | BGP | Exposed Border Gateway Protocol service. There were 17 CVEs reported relating to BGP in 2022.
5 | 222 | UDP | UDP service.
6 | 25 | SMTP | Exposed SMTP email port.
7 | 5000 | UPnP | Exposed Universal Plug and Play service. There were 5 CVEs reported relating to UPnP in 2022.
8 | 111 | SUNRPC | Exposed RPC service. There were 4 CVEs reported relating to SUNRPC in 2022.
9 | 53 | DNS | DNS service.
10 | 1720 | H323 | Exposed VOIP service. There were 8 CVEs reported relating to H323/SIP in 2022.
11 | 10000 | NDMP | Exposed Network Data Management Protocol.
12 | 264 | SecuRemote | Checkpoint SecuRemote service.
13 | 3389 | RDP | Exposed remote login. There were 16 CVEs reported relating to RDP in 2022.
14 | 1300 | H323 | VOIP service. There were 8 CVEs reported relating to H323/SIP in 2022.
15 | 1719 | SMB | Exposed SMB port. There were 18 CVEs reported relating to RDP in 2022.
16 | 21 | FTP | File transfer service. There were 18 CVEs reported relating to FTP in 2022.
17 | 110 | POP3 | Plain text email port service.
18 | 3306 | MySQL | Exposed database.
19 | 139 | SMB | Server Message Block.
20 | 5432 | PostgreSQL | Exposed database.
21 | 23 | Telnet | Exposed remote access.

We still see exposed databases and remote access services which are easily exploited for data theft, network breach or ransomware attacks. Many of the exposed services of note had CVEs attributed to them in 2022.

SSH exposures were relatively common (21,910 exposures discovered). SSH had circa 90 new CVEs attributed to the protocol in 2022. Remote access exposures are a common attack vector for ransomware attacks as a first step in the attack chain.
“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win” - Sun Tzu
Mean Time to Remediate (MTTR) - Time it takes to fix Vulnerabilities across the Full Stack

[Charts: Mean Time to Remediate (days) by Critical, High and Medium Severity, and by CVSS band 7.6 - 10.0, 4.1 - 7.5 and 0 - 4.0]

The measurements include remediation and verification that the fixes are robust (including reassessments and retesting).

Mean time to Remediate (i.e. a code fix) for a critical risk on the web application/API layer is 73.9 days.

Mean time to Remediate (i.e. patch or reconfigure) a device/host layer critical risk is 57.8 days.

The quickest remediation on a vulnerability that was found was 0.25 days.

Edgescan has a Vulnerability Lifecycle SLA feature which measures vulnerability age and alerts you to vulnerabilities needing urgent attention (https://www.edgescan.com/new-edgescan-feature-sla/).
MTTR by Industry
Mean Time to Remediate Vulnerabilities
For 2022 we examined ten different industries to report on their average rates of MTTR within that
industry. We can see that the shortest MTTR can be seen in Financial & Insurance (NAICS 52): 47
days while the longest is Public Administration (NAICS 92): 89 days.
*Federal agencies use the North American Industry Classification System (NAICS) to classify businesses when collecting,
analyzing, and publishing statistical data about the United States economy. This numeric coding system is also used for
administrative, regulatory, contracting, and taxation purposes.
Risk Accepted

Most organizations maintain the concept of accepting known risks. There are lots of reasons why this is done, and some common ones include the presence of some other compensating control, acknowledgement that the risk is impractically low, or that an upcoming change will remove the risk completely. Edgescan clients with appropriate privileges can “Risk-Accept” vulnerabilities in the platform.

[Charts: Critical Severity - Most Commonly Risk Accepted; High Severity - Most Commonly Risk Accepted]

Most commonly risk accepted vulnerabilities labelled in the charts:
23.7%  SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
14.3%  Intel Active Management Technology Multiple Vulnerabilities
13.4%  Intel Active Management Technology Multiple Buffer Overflow Vulnerabilities
8.7%  Atlassian Jira Multiple Vulnerabilities
CISA KEV

554 vulnerabilities were added to the CISA KEV as of December 2022, including:
Adobe: 54 additions
Cisco: 50 additions
Apple: 25 additions
Oracle: 22 additions
Google: 21 additions
Apache: 13 additions
QNAP: 12 additions
D-Link: 12 additions
VMware: 12 additions
Linux: 8 additions
Mozilla: 7 additions
Netgear: 7 additions
Zimbra: 6 additions
Atlassian: 5 additions
Citrix: 5 additions
Fortinet: 5 additions
Android: 3 additions

Microsoft CVE-2021-1647 was the most common vulnerability discovered in 2022 which is listed on the CISA KEV.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
CISA KEV
The most common vulnerabilities discovered last year by Edgescan across over 250 organisations and 30 industry verticals. These are listed on the CISA (Cybersecurity & Infrastructure Security Agency) KEV (Known Exploitable Vulnerability) Catalogue.
CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. CISA strongly recommends that all organizations review and monitor the KEV catalogue and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. Edgescan highlights vulnerabilities which are listed in the CISA KEV to help with prioritization.
(Chart of the most common KEV-listed vulnerabilities; segments 9.4%, 9.2%, 8.4%, 7.6%, 4.4%, 3.6%, 1.9%, 1.7%. Only the largest segment is labelled.)
Name: Microsoft Windows Defender Antimalware Platform Remote Code Execution Vulnerability
CVE: CVE-2021-1647 (9.4%)
Vulnerability Age
Here we take a look at the age of all vulnerabilities discovered from 2003 to 2022. Each vulnerability can contain more than one CVE from multiple years. For example, 16.34% of vulnerabilities discovered in 2022 contained a CVE from 2022, and 83.54% of the CVEs discovered in 2022 are considered High or Critical Severity.
CVE year | % of 2022 findings containing a CVE from that year | % of those rated High or Critical
2003 | 0.08% | 0.00%
2004 | 0.15% | 1.79%
2005 | 0.00% | 0.00%
2006 | 0.01% | 57.14%
2007 | 0.11% | 5.29%
2008 | 0.8% | 14.74%
2009 | 0.34% | 51.77%
2010 | 0.11% | 73.17%
2011 | 0.79% | 15.23%
2012 | 0.98% | 32.10%
2013 | 5.79% | 3.05%
2014 | 1.31% | 36.62%
2015 | 9.10% | 11.66%
2016 | 6.03% | 75.55%
2017 | 5.78% | 56.77%
2018 | 16.01% | 54.11%
2019 | 23.60% | 44.43%
2020 | 31.49% | 74.18%
2021 | 21.10% | 80.95%
2022 | 16.34% | 83.54%
(The accompanying bar chart plots these percentages per CVE year, 2003 to 2022, on a 0% to 90% axis.)
During 2022 we can see the percentages of aged CVEs discovered. E.g. 21.1% of the vulnerabilities discovered contained a CVE from 2021, with 80% of those CVEs considered High or Critical Severity.
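The vulnerability-age metric above (share of findings carrying a CVE from each year, and how many of those are High or Critical), plus the KEV flagging described in the previous section, computed from a constructed list of findings. This is an added example, not Edgescan's code; it assumes each finding has a severity and one or more CVE ids in the CVE-YYYY-NNNN format, that the second percentage is taken over the findings that carry a CVE from that year, and every id ending in 999xx is a constructed placeholder.

```python
"""Vulnerability-age and KEV breakdown over a list of findings (added
example, not Edgescan's code). Assumptions: a finding has a severity and
one or more CVE ids shaped CVE-YYYY-NNNN; the High/Critical percentage is
taken over findings carrying a CVE from that year. Ids ending 999xx are
constructed placeholders."""
import re
from collections import Counter

CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample findings: (name, severity, CVE ids). One finding may
# reference CVEs from several years, so yearly shares need not sum to 100%.
FINDINGS = [
    ("Defender RCE", "Critical", ["CVE-2021-1647"]),  # the id cited on the page
    ("Two patched components", "High", ["CVE-2021-99901", "CVE-2022-99902"]),
    ("Legacy cipher suite", "Medium", ["CVE-2016-99903"]),
    ("Info disclosure", "Low", ["CVE-2022-99904"]),
    ("Framework RCE", "Critical", ["CVE-2022-99905"]),
]
# Constructed stand-in for the KEV catalogue; in practice load CISA's feed.
KEV_IDS = {"CVE-2021-1647", "CVE-2022-99902"}


def cve_year(cve_id):
    """Year component of a CVE id; rejects anything that is not a CVE id."""
    m = CVE_ID.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(m.group(1))


def age_breakdown(findings):
    """Map year -> (% of findings with a CVE from that year,
                    % of those findings rated High or Critical)."""
    total = len(findings)
    with_year, hi_crit = Counter(), Counter()
    for _, severity, cves in findings:
        for year in {cve_year(c) for c in cves}:  # count a year once per finding
            with_year[year] += 1
            if severity in ("High", "Critical"):
                hi_crit[year] += 1
    return {y: (round(100 * with_year[y] / total, 2),
                round(100 * hi_crit[y] / with_year[y], 2))
            for y in sorted(with_year)}


def kev_listed(findings, kev_ids=KEV_IDS):
    """Names of findings carrying at least one KEV-listed CVE, to fix first."""
    return [name for name, _, cves in findings if kev_ids.intersection(cves)]
```

Calling `age_breakdown(FINDINGS)` on the sample yields, for 2022, 60% of findings with a 2022 CVE and 66.67% of those High or Critical; `kev_listed(FINDINGS)` returns the two findings with a KEV-listed id.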
Vulnerability Clustering
Metrics relating to the average number of vulnerabilities per asset. Most assets across the full stack have multiple vulnerabilities.
Vulnerability Backlog
Vulnerability Backlog is the percentage of unclosed vulnerabilities an organisation has within a 12-month period. This is typical of all organisations, and most professionals agree that fixing all vulnerabilities is not a wise use of resources – fix what matters.
Conclusions
We are still not getting the basics right.
Continuous assessment, validation and prioritization will make a huge difference to any organization's cybersecurity posture.
Why Edgescan
What makes us tick
Verified vulnerability intelligence. Real data. Actionable results.
During an assessment, the Edgescan validation engine queries millions of vulnerability examples stored in our data lake; our data is sourced from thousands of security assessments and penetration tests performed on millions of assets utilizing the Edgescan Platform. Vulnerability data is then run through our proprietary analytics models to determine if the vulnerability is a true positive. If it meets a certain numeric threshold it is released to the customer; we call this an auto-commit vulnerability. If the confidence level falls below the threshold, the vulnerability is flagged for expert validation by an Edgescan security analyst. This hybrid process of automation combined with human intelligence is what differentiates us from scanning tools and legacy services, providing real and actionable results.
the Edgescan data lake. This yearly report has become a reliable source for approximating the global state of vulnerability management and enterprise security postures. This is exemplified by our unique dataset being part of the Verizon Data Breach Report (DBIR), which is the de facto standard for insights into the common drivers for incidents and breaches today.
One Platform. Five Full-Featured Solutions
The Edgescan platform features five security solutions so customers can choose what works best with their existing CI/CD pipelines and current tool stack. The platform provides a unique view of risk-rated and verified vulnerability intelligence to help prioritize remediation, all reviewed by the eyes of our security analysts.
Solutions Include
Vulnerability Management
Full-stack coverage that automatically provides risk-rated
and validated vulnerability data that is verified by certified
security analysts.
Stronger Together. The Edgescan Universe
Security pros must be ever vigilant to safeguard their data, and the Edgescan Universe cast of heroes is a representation of how we perceive our staff, our customers, our partners... and all security pros. Check out our website to see our lineup of heroes... and the villains they fight.
Glossary
Asset: A web application, an IP network range, mobile application, API, microservice or a CI/CD pipeline
edgescan.com