Action1 Corporation, a provider of an integrated real-time vulnerability discovery and automated patch management solution, today released its “Software Vulnerability Ratings Report 2024.” As the National Vulnerability Database (NVD) continues to experience significant delays in vulnerability data enrichment, Action1’s latest report provides security teams with timely insights into vulnerability trends within commonly used enterprise software categories, focusing on exploitation rate and Remote Code Execution (RCE) vulnerabilities.
“With the NVD’s delay in associating Common Vulnerabilities and Exposures (CVE) identifiers with CPE (Common Platform Enumeration) data, our report comes at a critical moment, providing much-needed insights into the ever-evolving vulnerability landscape for enterprise software. Our goal is to arm key decision makers with essential knowledge so that they can prioritize their efforts in vulnerability monitoring using alternative approaches while the traditional reliance on the NVD is challenged. In light of the NVD crisis, the cybersecurity community needs to share information and build stronger relationships amongst private cybersecurity firms, academic institutions, and other threat intelligence platforms to facilitate holistic and timely data sharing so that all organizations can enhance their security posture,” said Mike Walters, President and co-founder of Action1.
Action1 researchers found an alarming increase in the total number of vulnerabilities across all enterprise software categories. The report delves into five key trends based on exploitability rates and the dynamics of RCE vulnerabilities within enterprise software categories and specific applications.
Key trends and findings include:
- Attackers target load balancers with record exploitation rate: Action1 researchers discovered a high exploitation rate for NGINX (100%) and Citrix (57%). Vulnerabilities in load balancers pose significant risks, as just one exploit can provide attackers with broad access or disruption capabilities against targeted networks.
- Threat actors target Apple operating systems: macOS and iOS showed increased exploitation rates of 7% and 8%, respectively. Additionally, although the total macOS vulnerability count fell by 29% from 2022 to 2023, the number of exploited macOS vulnerabilities rose by over 30%. These findings underscore the targeted nature of attacks on Apple devices.
- MSSQL RCE vulnerabilities surge, highlighting the risk of new exploits: In 2023, Microsoft SQL Server (MSSQL) experienced a 1600% surge in critical vulnerabilities, each being an RCE. This spike signals a potential risk that attackers are quickly discovering and exploiting the next unknown RCE.
- Increased exploitability of MS Office as attackers take advantage of human error: MS Office’s critical vulnerabilities account for nearly 80% of its overall annual vulnerability count, with up to 50% of those being RCEs. In 2023, MS Office’s exploitation rate rose to 7%, compared to 2% in 2022. These findings underscore threat actors’ exploitation of user-facing software, where a single user opening a crafted document is enough to trigger the vulnerability.
- Spike in RCEs and exploited vulnerabilities raises concerns about Edge security: Over the three years analyzed, the number of RCE vulnerabilities in Edge reached a record, growing a further 17% in 2023 after 500% growth in 2022. Additionally, in 2023 Edge showed a 7% exploitation rate, a 2% increase from 2022.
The Software Vulnerability Ratings Report 2024 analyzed 2021, 2022, and 2023 data and drew insights from the NVD and cvedetails.com. Based on this data, the report quantifies vulnerabilities and provides a comprehensive view of how the threat landscape changes over time.
Additionally, the report utilized exploitation rate, a metric developed by the Action1 research team, defined as the ratio of exploited vulnerabilities to the total number of vulnerabilities disclosed for a product in a given year. This metric helps enterprises assess the risk associated with a vendor’s software by indicating how likely its vulnerabilities are to be exploited in practice, and indirectly how comprehensive the vendor’s vulnerability management program is. Action1 also counted RCE vulnerabilities, a dangerous class of flaw that allows attackers to execute arbitrary code remotely and potentially compromise critical systems. An application with an increased RCE count may have more potential entry points for attackers to exploit.
These findings underscore the continuing evolution of threats and the need for proactive security strategies, including timely OS and third-party application patching. To stay abreast of the changing vulnerability landscape, Action1 experts advise enterprises to review their technology stack (potentially eliminating certain vulnerable technologies), anticipate future vulnerabilities based on trends, and continuously improve their security posture to adapt to new threats quickly.
To download the full report, visit www.action1.com/software-vulnerability-ratings-report-2024/.
Methodology
Action1 obtained data from the NVD and cvedetails.com, with the criticality of the vulnerabilities described as follows: Critical vulnerabilities have CVSS scores greater than 7.0; Moderate vulnerabilities have CVSS scores less than 7.0 but greater than 4.0; and Low severity vulnerabilities have CVSS scores less than 4.0. Note that this is a coarser scale than the CVSS v3 qualitative ratings, under which 7.0 to 8.9 is High and 9.0 to 10.0 is Critical; the report’s “Critical” bucket therefore combines both, and the report does not say how scores of exactly 7.0 or 4.0 were assigned.
Enterprise software categories were defined based on popularity criteria, criticality in use by organizations, and the total number of vulnerabilities found. Some categories, such as text editors, database management clients, cloud storage apps, and archivers, were excluded due to a lack of a representative number of vulnerabilities in apps within the category, rendering them not relevant to this study.
The criteria for counting a vulnerability as exploited are based on the CISA Known Exploited Vulnerabilities (KEV) catalog. Action1 tracked RCE vulnerabilities and utilized the exploitation rate to demonstrate the ratio of exploited vulnerabilities to the total number of vulnerabilities.
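The following script reproduces the report’s two metrics, exploitation rate and RCE count, plus the CVSS bucketing from the Methodology, over a set of CVE records. It is an added example and not Action1’s code or the report’s tooling. The CVE records, product names and KEV list are constructed stand-ins (the CVE identifiers are not real vulnerabilities); the layout of the records assumes an NVD-style export with a product name, year, CVSS base score and description. Two choices the report does not specify are labelled as assumptions: a score of exactly 7.0 or 4.0 is placed in the higher bucket, and RCEs are identified by a keyword match on the description. Records the NVD has not yet enriched (no CVSS score) are counted separately rather than silently dropped, which matters while NVD enrichment is delayed.

```python
"""Exploitation rate, RCE count and severity buckets for CVE records.
Added example; not Action1's code. All data below is constructed."""

# Constructed sample records. Fields mirror an NVD/cvedetails export:
# CVE id, product, disclosure year, CVSS base score (None when the NVD has
# not yet enriched the entry) and the description text.
SAMPLE_CVES = [
    {"id": "CVE-2023-00001", "product": "ExampleDB", "year": 2023, "cvss": 9.8,
     "description": "Remote code execution via a crafted packet to the listener."},
    {"id": "CVE-2023-00002", "product": "ExampleDB", "year": 2023, "cvss": 7.0,
     "description": "Allows an attacker to execute arbitrary code."},
    {"id": "CVE-2023-00003", "product": "ExampleDB", "year": 2023, "cvss": 5.3,
     "description": "Information disclosure in error messages."},
    {"id": "CVE-2023-00004", "product": "ExampleDB", "year": 2023, "cvss": None,
     "description": "Awaiting analysis."},
    {"id": "CVE-2023-00005", "product": "ExampleLB", "year": 2023, "cvss": 8.1,
     "description": "Buffer overflow enables remote code execution."},
    {"id": "CVE-2022-00006", "product": "ExampleLB", "year": 2022, "cvss": 6.5,
     "description": "Denial of service via malformed request."},
]

# Constructed stand-in for the CISA KEV catalog: the set of CVE ids it lists.
SAMPLE_KEV = {"CVE-2023-00001", "CVE-2023-00005"}

# Assumption: the report does not say how RCEs were identified, so this
# example uses a keyword heuristic on the description text.
RCE_PHRASES = ("remote code execution", "execute arbitrary code",
               "arbitrary code execution")


def severity(cvss):
    """Bucket a CVSS score with the report's thresholds (>7.0 critical,
    4.0-7.0 moderate, <4.0 low). Assumption: exactly 7.0 and 4.0, which the
    report leaves unassigned, go to the higher bucket. None means the NVD
    has not scored the entry yet, so it is reported as 'unscored'."""
    if cvss is None:
        return "unscored"
    if cvss >= 7.0:
        return "critical"
    if cvss >= 4.0:
        return "moderate"
    return "low"


def is_rce(description):
    """Keyword heuristic for RCE (see RCE_PHRASES)."""
    text = description.lower()
    return any(phrase in text for phrase in RCE_PHRASES)


def pct_change(previous, current):
    """Year-over-year percentage change as the report quotes it
    (e.g. 4 -> 68 is a 1600% surge). None when the prior year had zero."""
    if previous == 0:
        return None
    return round(100.0 * (current - previous) / previous, 1)


def product_metrics(cves, kev, product, year):
    """Per-product, per-year totals: exploited = listed in KEV;
    exploitation_rate = exploited / total, in percent."""
    rows = [c for c in cves if c["product"] == product and c["year"] == year]
    total = len(rows)
    exploited = sum(1 for c in rows if c["id"] in kev)
    buckets = [severity(c["cvss"]) for c in rows]
    return {
        "product": product,
        "year": year,
        "total": total,
        "exploited": exploited,
        "exploitation_rate": round(100.0 * exploited / total, 1) if total else 0.0,
        "critical": buckets.count("critical"),
        "unscored": buckets.count("unscored"),
        "rce": sum(1 for c in rows if is_rce(c["description"])),
    }


if __name__ == "__main__":
    for product, year in (("ExampleDB", 2023), ("ExampleLB", 2023), ("ExampleLB", 2022)):
        print(product_metrics(SAMPLE_CVES, SAMPLE_KEV, product, year))
```

On real data, `SAMPLE_KEV` would be the set of `cveID` values from CISA’s KEV JSON feed and `SAMPLE_CVES` the NVD records for the products of interest; the `unscored` count shows how much of a product’s year the NVD backlog has left without a severity, which is the caveat to attach to any critical-count comparison made while enrichment is delayed.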