Building the case for proactive security: Boris Cipot, senior security engineer at software composition analysis firm Black Duck, said that several factors contribute toward the rise in exploited vulnerabilities, including improvements in monitoring.”The software we use may simply contain more vulnerabilities, or these vulnerabilities are being reported and discovered more effectively,” Cipot said. “Some vulnerabilities remain unpatched for extended periods, giving attackers more time to exploit them.”The impact of exploited vulnerabilities, regardless of their cause, highlights the need for proactive security measures.”Organizations must invest in observability tools that monitor their environments and detect suspicious activity,” Cipot said. “Adopting a zero trust approach can further enhance security by limiting access and reducing risk.”Kevin Robertson, CTO of Acumen Cyber, said the research highlighted how the timeframe needed for organizations to apply patches is shortening.”While the findings indicate a rise in actively exploited CVEs, this trend is likely driven by the growing reliance on third-party software,” Robertson said. “Modern enterprises depend heavily on third-party applications and services, which expands the potential attack surface.”Robertson advised: “As organizations increasingly integrate third-party software into their environments, proactive vulnerability management must be embedded into their security strategies.”
Compromised credentials rather than bugs blamed for more breaches: Other vendors quizzed by CSO were keen to downplay the significance of vulnerabilities as a vector in security breaches, arguing that compromised credentials were a much bigger factor in security breaches.Rapid7 said it has seen vulnerability exploitation decrease year over year as an initial access vector in 2024, amid a social engineering surge and the increasing abuse of leaked credentials to hack into remote systems with weak or absent security controls.”Notably, a number of the incidents Rapid7 teams observed in 2024 where vulnerability exploitation was initially thought to be in scope turned out to instead stem from adversaries’ use of compromised credentials, rather than CVE exploitation,” Caitlin Condon, director of vulnerability intelligence at Rapid7, told CSO.Where vulnerabilities did lead to breaches, according to Rapid7’s managed detection and response (MDR) team, this resulted from older bugs rather than 0-days.”A slim majority of vulnerabilities Rapid7 MDR and incident response teams saw exploited in real-world production environments last year were CVEs that were new in 2024 and had known exploits available,” Condon told CSO. “The rest of the confirmed CVE exploitation our teams observed against production systems were older vulnerabilities that had previously been used in highly publicized threat campaigns.”Most vulnerabilities Rapid7 MDR confirmed as exploited in the wild in 2024 targeted file transfer applications and network edge devices, irrespective of whether those vulnerabilities had previously been exploited or not, Condon said.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3823429/24-of-vulnerabilities-are-abused-before-a-patch-is-available.html
