Report: Vintage Vulnerabilities Never Go Out of Fashion


Cybercriminals’ fashion taste (at least according to popular media) remains loyal to the good old hoodie, and their taste in vulnerabilities is just as vintage.

Rezilion’s vulnerability research team explored the current attack surface for vulnerabilities discovered between 2010 and 2020, all of which appear on the CISA Known Exploited Vulnerabilities list, and found that these known vulnerabilities, even ones dating back more than a decade, are still extremely common. Because these “vintage vulnerabilities” are so pervasive, they still pose significant risk. Fixes for these vulnerabilities have been available for years, and the vulnerabilities are known to be exploited in the wild, yet software and devices remain vulnerable.

Overall, Rezilion has identified over 4.5 million internet-facing devices that are, to this date, vulnerable to vulnerabilities discovered between 2010 and 2020. For most of these vulnerabilities, active scanning/exploitation attempts in the past 30 days were also identified.

The research highlights that the time between the moment a vendor/maintainer issues a patch for a vulnerability and the moment the patch is actually deployed remains an Achilles heel in the vulnerability management lifecycle. What should ideally be the easy part, applying an existing patch to a known vulnerability that is known to be exploited in the wild, is apparently still out of reach for many organizations.

Studies find that most Advanced Persistent Threat (APT) groups utilize publicly known vulnerabilities. These lingering vulnerabilities play into the hands of adversaries and expose these organizations to potential attacks.

A summary of Rezilion’s analysis can be found in the table contained in the full report. The full research report also examines some of the notable, actively exploited “vintage” vulnerabilities dating back before 2020 (which are still very much in fashion) and explores potential explanations for the findings. It provides actionable recommendations that organizations should follow in order to minimize their risk.

Read the full report at .


