Action1 Releases Inaugural Software Vulnerability Ratings Report 2024
June 18, 2024 - 7:00PM
Action1 Corporation, a provider of an integrated real-time
vulnerability discovery and automated patch management solution,
announced today the release of its “Software Vulnerability Ratings
Report 2024.” As the National Vulnerability Database (NVD)
continues to experience significant delays in vulnerability data
enrichment, Action1’s latest report provides security teams with
timely insights into vulnerability trends within commonly used
enterprise software categories, focusing on exploitation rate and
Remote Code Execution (RCE) vulnerabilities.
“With the NVD’s delay in
associating Common Vulnerabilities and Exposures (CVE) identifiers
with CPE (Common Platform Enumeration) data, our report comes at a
critical moment, providing much-needed insights into the
ever-evolving vulnerability landscape for enterprise software,”
said Mike Walters, President and co-founder of Action1. “Our goal
is to arm key decision makers with essential knowledge so that they
can prioritize their efforts in vulnerability monitoring using
alternative approaches while the traditional reliance on the NVD is
challenged. In light of the NVD crisis, the cybersecurity community
needs to share information and build stronger relationships amongst
private cybersecurity firms, academic institutions, and other
threat intelligence platforms to facilitate holistic and timely
data sharing so that all organizations can enhance their security
posture.”
Action1 researchers found
an alarming increase in the total number of vulnerabilities across
all enterprise software categories. The report delves into five key
trends based on exploitability rates and the dynamics of RCE
vulnerabilities within enterprise software categories and specific
applications.
Key trends and findings
include:
- Attackers target load balancers with record exploitation rate:
Action1 researchers discovered a high exploitation rate for NGINX
(100%) and Citrix (57%). Vulnerabilities in load balancers pose
significant risks, as just one exploit can provide attackers with
broad access or disruption capabilities against targeted
networks.
- Threat actors target Apple operating systems:
macOS and iOS showed increased exploitation rates of 7% and 8%,
respectively. Additionally, although macOS reduced its total
vulnerability count by 29% from 2022 to 2023, the number of
exploited vulnerabilities increased by over 30%. These findings
underscore the targeted nature of attacks on Apple platforms.
- MSSQL RCE vulnerabilities surge, highlighting the risk of new
exploits:
In 2023, Microsoft SQL Server (MSSQL) experienced a 1600% surge in
critical vulnerabilities, each of them an RCE. This spike signals
the risk that attackers will quickly discover and exploit the next,
as yet unknown, RCE.
- Increased exploitability of MS Office as attackers take advantage
of human error:
MS Office's critical vulnerabilities account for nearly 80% of its
overall annual vulnerability count, with up to 50% of those being
RCEs. In 2023, Microsoft saw its exploitation rate rise to 7%,
compared to 2% in 2022. These findings underscore threat actors'
exploitation of user-facing software, where attacks depend on
human error.
- Spike in RCEs and exploited vulnerabilities raises concerns about
Edge security:
Over the three years analyzed, Edge experienced a record number of
RCE vulnerabilities, spiking to 17% in 2023 following 500% growth
in 2022. Additionally, in 2023, Edge reported a 7% exploitation
rate, a 2% increase from 2022.
The Software
Vulnerability Ratings Report 2024 analyzed 2021, 2022, and 2023
data and drew insights from the NVD and cvedetails.com. Based on
this data, the report quantifies vulnerabilities and provides a
comprehensive view of how the threat landscape changes over
time.
Additionally, the report
utilized exploitation rate, a metric developed by the Action1
research team, to demonstrate the ratio of exploited
vulnerabilities to the total number of vulnerabilities. This metric
helps enterprises assess risks associated with a vendor’s software
by indicating susceptibility to exploitation and the
comprehensiveness of their vulnerability management programs.
Action1 also counted RCE vulnerabilities, a dangerous class that
allows attackers to execute arbitrary code remotely and potentially
compromise critical systems. An application with a rising RCE count
may offer attackers more potential entry points.
These findings underscore
the continuing evolution of threats and the need for proactive
security strategies, including timely OS and third-party
application patching. To stay abreast of the changing vulnerability
landscape, Action1 experts advise enterprises to review their
technology stack (potentially eliminating certain vulnerable
technologies), anticipate future vulnerabilities based on trends,
and continuously improve their security posture to adapt to new
threats quickly.
To download the full
report, visit
www.action1.com/software-vulnerability-ratings-report-2024/.
Methodology
Action1 obtained data from NVD and cvedetails.com, with the
criticality of the vulnerabilities described as follows: Critical
vulnerabilities have CVSS scores greater than 7.0; Moderate
vulnerabilities have CVSS scores less than 7.0 but greater than
4.0; and Low severity vulnerabilities have CVSS scores less than
4.0. Note that these are the report's own bands, not the CVSS v3.x
qualitative scale, in which 7.0 to 8.9 is rated High and only 9.0
and above is rated Critical; the report's "critical" counts
therefore include vulnerabilities that NVD labels High. Enterprise
software categories were defined based on popularity criteria,
criticality in use by organizations, and the total number of
vulnerabilities found. Some categories, such as text editors,
database management clients, cloud storage apps, and archivers,
were excluded due to a lack of a representative number of
vulnerabilities in apps within the category, rendering them not
relevant to this study. The exploited-vulnerability criteria are
based on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Action1 tracked RCE vulnerabilities and used the exploitation rate,
the ratio of exploited vulnerabilities to the total number of
vulnerabilities.
About Action1 Corporation
Action1 reinvents patch management with an infinitely scalable and
highly secure platform configurable in 5 minutes that just works.
With integrated real-time vulnerability assessment and automated
remediation for third-party software and OS, peer-to-peer patch
distribution, and IT ecosystem integrations, it ensures continuous
patch compliance and reduces ransomware and security risks, all
while lowering costs. Action1 is certified for SOC 2/ISO 27001 and
is trusted by thousands of enterprises managing millions of
endpoints globally. The company was founded by cybersecurity
veterans Alex Vovk and Mike Walters, who previously founded Netwrix,
which was acquired by TA Associates. Learn more: www.action1.com.
press@action1.com