Faster exploitation of vulnerabilities poses a major risk for businesses

The average time to known exploitation of vulnerabilities is 12 days, down from 42 days last year, according to the latest Rapid7 Annual Vulnerability Intelligence report.

Of 50 2021 vulnerabilities looked at in the report, 43 were exploited in the wild and 52 percent of the known exploited vulnerabilities in this report came under attack within one week of public disclosure.

In addition vulnerabilities classified as ‘widespread threats’ — for the scale at which they were exploited — increased an alarming 136 percent over the previous year.

“More than half of all the widespread threats that are looking at this year began with a zero day exploit,” says Caitlin Condon, manager, vulnerability risk management engineering at Rapid7. “That pace is really highly unusual. In years past, a lot of this exploitation that we’re seeing was targeted attacks by sophisticated hackers, that’s not true any more. Rising attack volume is concerning, but when that rising attack volume is coming with a high proportion of zero day exploits that’s a real concern for security teams.”

The report also shows that just over half the vulnerabilities noted were remote code execution flaws, which allow attackers to remotely execute a payload on a target system. A dozen of the vulnerabilities identified as widespread threats were network pivots (that offer attackers initial access, like flaws in gateways, firewalls and VPNs) or network infrastructure compromise vulnerabilities (that give attackers control over downstream assets or systems).

One of the year’s high-profile vulnerabilities has ben Log4Shell, the simplicity and pervasiveness of which made it arguably the biggest cybersecurity incident in history. Its massive attack surface area and variety of implementations made it tricky and time-consuming to remediate effectively, which gave attackers more time to compromise both internal and internet-facing systems.

Condon points out that Log4Shell is also likely to have a long tail, “Everybody sort of understood that they had to patch the initial vulnerability, but there are so many products and applications that are vulnerable. Folks maybe aren’t realizing they have to keep patching Log4Shell as all the facts have come out and I think it’s easy for that initial wave of urgency to taper off. Especially when people don’t have the ability to answer just how many business critical applications are still unpatched.”

You can read more about the report on the Rapid7 blog.

Image credit: Gorodenkoff/

Author: Martha Meyer