Only 5.5% of Vulnerabilities Are Used in Real Attacks

A joint team of researchers from Virginia Polytechnic Institute, the RAND Corporation, and Cyentia Institute has published the results of an intriguing study that sheds light on how many vulnerabilities discovered over the past decade have actually been used in real-world attacks.

According to the study, out of 76,000 bugs identified between 2009 and 2018, only 4,183 were exploited in malicious campaigns. Furthermore, the researchers found no correlation between the public release of proof-of-concept (PoC) code for a vulnerability and the start of its exploitation: only half of the 4,183 exploited vulnerabilities had publicly available exploits.

Key Findings

  • Most vulnerabilities exploited in attacks are rated 9-10 on the CVSSv2 scale, where 10 represents the most dangerous and easily exploitable vulnerabilities.
  • The availability of PoC code does not necessarily lead to exploitation attempts.

The researchers hope their findings will help improve the effectiveness of the CVSS framework by providing new data on the risks of exploitation for specific vulnerabilities. This could allow organizations that rely on CVSS to prioritize patches more effectively and enhance the security of their systems.

As a reminder, in May the Google Project Zero team launched the 0Day 'In the Wild' project, which tracks vulnerabilities that began to be exploited before they became known to the public or to vendors.