Just five major vendors account for 24.1 percent of disclosed vulnerabilities in 2019 so far, according to a new report from Risk Based Security.
The report also reveals that 54 percent of 2019 vulnerabilities are web-related, 34 percent have public exploits, 53 percent can be exploited remotely and that 34 percent of 2019 vulnerabilities don’t yet have a documented solution.
“34 percent of vulnerabilities do not have a solution, which may be because vendors are not patching. This can occur when the researcher has not informed the vendor, so they don’t know about the vulnerability,” says Brian Martin, vice president of vulnerability intelligence at Risk Based Security. “Additionally, if an organization is using vulnerability scanning, they may simply not know about all of their assets. For example, if they are not scanning their entire IP space, or are using a scanner that is unable to identify 100 percent of their assets, then devices and servers may go unpatched.”
Of the vulnerabilities not published by CVE/NVD, 28.2 percent have a CVSSv2 score between 7.0 and 10.0. Meanwhile, 8.6 percent of vulnerabilities that do have a CVE ID are in RESERVED status despite having a public disclosure.
“An ongoing theme in VulnDB reports is that CVE/NVD continues to fall short in vulnerability coverage,” adds Martin. “Many organizations, scanning companies, risk platforms, and security service providers insist that vulnerability intelligence from CVE/NVD is ‘good enough’. However, our mindset and approach to vulnerability aggregation is completely different. There are cases where an ID has been assigned to an issue that was published, but MITRE isn’t aware. There are thousands of vulnerabilities that we cover with complete details that MITRE still does not. Worse yet, some RESERVED vulnerabilities have been in that state for up to a decade, despite being public for just as long.”
The full report is available to download from the Risk Based Security site.
Image credit: zothen/depositphotos.com