45% of critical CVEs left unpatched in 2023

Global attack attempts more than doubled in 2023, increasing 104%, according to Armis.

Blind spots and critical vulnerabilities are worsening, with 45% of critical CVEs remaining unpatched.

Utilities (over 200% increase) and manufacturing (165% increase) were the most at risk industries. Attack attempts peaked in July, with communications devices, imaging devices and manufacturing devices experiencing intensified targeting during this period.

“Armis found that not only are attack attempts increasing, but cybersecurity blind spots and critical vulnerabilities are worsening, painting prime targets for malicious actors,” said Nadir Izrael, CTO, Armis. “It’s critical that security teams leverage similar intelligence defensively so that they know where to prioritise efforts and fill these gaps to mitigate risk. We hope that by sharing these insights, global businesses and governments will leverage them to immediately pinpoint what they should be focusing on to improve their cybersecurity posture this year to keep critical infrastructure, economies and society safe and secure.”

Outdated devices contributed to the rising threats

Cyberwarfare grew more widespread in 2023. Top industries exposed to attack from Chinese and Russian actors were those within manufacturing, educational services and public administration. In manufacturing, .cn and .ru domains contributed to an average of 30% of monthly attack attempts, while attacks from these domains on educational services have risen to about 10% of total attacks.

Older Windows server OS versions (2012 and earlier) are 77% more likely to experience attack attempts compared to newer Windows Server versions. This vulnerability is particularly evident in the server environment, with nearly a quarter of server versions facing end-of-support (EoS) scenarios. The educational services industry has a significantly higher percentage of servers (41%) with unpatched weaponised Common Vulnerabilities and Exposures (CVEs), compared to the general average of 10%.

Industries still using end-of-life (EoL) or EoS OSs that are no longer actively supported or patched for vulnerabilities and security issues by the manufacturer: Educational services (18%), retail trade (14%), healthcare (12%), manufacturing (11%) and public administration (10%).

Security professionals struggle with surge in vulnerabilities

Security professionals found themselves grappling with an overwhelming number of vulnerabilities in 2023, making prioritization and remediation an increasingly complex challenge.

Over the past year, the cybersecurity community identified and dealt with an astonishing 65,000 unique CVEs, underscoring the sheer breadth of potential threats. This proliferation of vulnerabilities is further exacerbated by the staggering figure of over 3.6 billion CVEs associated with active assets.

With so much to contend with, it’s not a question of if, but when, a cyberattack will occur. Unseen, unscanned or unaccounted assets can introduce critical security exposures, especially if configured non-securely, security updates aren’t installed or patches are not applied. Put simply, organizations often don’t have the complete visibility of their network as they may think.

Log4Shell vulnerability persists

More worryingly, high-profile vulnerabilities, such as Log4Shell, continue to pose a threat, with a third of devices still lacking the necessary patches. This underscores the challenges faced by organizations in swiftly addressing and neutralizing known vulnerabilities, leaving potential avenues for exploitation.

Throughout 2023, organizations struggled to manage physical and virtual assets connected to their networks. Organizations continue to face a formidable challenge in prioritizing and remedying critical vulnerabilities within their cybersecurity landscape. Despite maintaining similar patch rates across severity levels, the actual number of critical CVEs being patched remains notably low.

Patch rates for critical CVEs are not prioritised:

• Low CVEs: 11% patch rate
• Medium CVEs: 58% patch rate
• High CVEs: 64% patch rate
• Critical CVEs: 55% patch rate

Irrespective of the weaponisation status of a CVE, organizations consistently grapple with patch rates at 62% for non-weaponised and 61% for weaponised vulnerabilities.

“Blueprints like this report are invaluable as they help teams focus limited resources on efforts with the greatest impact and with the insights to tell data-driven stories in justification of cross-team priorities,” said Curtis Simpson, CISO, Armis. “Using hindsight and analysed data could allow CISOs to focus 2024 efforts on segmenting legacy technology, prioritising exposures of greatest significance, and utilising AI-driven technologies that can assist security teams with defending and managing the attack surface in real-time.”