Critical vulnerabilities take 4.5 months on average to remediate

Over a third of organizations had at least one known vulnerability in 2023, with nearly a quarter of those facing five or more, and 60% of vulnerabilities remained unaddressed past CISA’s deadlines, according to Bitsight.

Organizations struggle to remediate critical vulnerabilities

The report, titled “A Global View of the CISA KEV Catalog: Prevalence and Remediation,” analyzes data from 1.4 million organizations globally and highlights the deep challenges that global organizations face in remediating critical, exploited vulnerabilities on time.

“CISA’s KEV catalog is a critical tool for any organization, and we’ve seen a positive impact on global vulnerability remediation rates – but most organizations are still too slow to mitigate,” said Derek Vadala, Chief Risk Officer, Bitsight.

“Even critical severity vulnerabilities take 4.5 months to remediate on average. The situation creates significant risk and speaks to the need for business leaders on the board and in the C-suite to recognize these vulnerabilities as the serious threats they are and demand a security posture that prioritizes deep insight and swift action. From there, organizations have an opportunity to grow,” added Vadala.

Vulnerabilities included in the Known Exploited Vulnerabilities (KEV) catalog are highly prevalent and over a third of organizations had at least one in 2023. KEVs are 2.6x more prevalent compared to the typical non-KEVs.

35% organizations experienced a KEV in 2023 – 66% of which had more than one, 25% of which had more than five and 10% of which had more than ten.

The average KEV is resolved within 6 months (174 median days), whereas non-KEVs can take more than 1.7 years (621 median days). Despite faster remediation of KEVs versus non-KEV, more than 60% are remediated after deadlines provided by CISA.

Remediation of KEVs varies based on the severity:

• Critical severity KEVs took nearly 4.5 months (137 median days)
• High severity vulnerabilities take more than 9 months (238 median days)
• Medium severity vulnerabilities take nearly 1.5 years (517 median days)

Critical severity KEVs dominate across tech companies

Ransomware vulnerabilities make up 20% of the KEV catalog, but are 64% more prevalent compared to those not known to be used in ransomware. Ransomware KEVs are remediated 2.5x faster than non-ransomware KEVs.

CISA’s recommended remediation deadlines are making a big difference in remediation rates for federal agencies. On average, federal agencies are 56% more likely to meet the deadline for vulnerabilities than other organizations.

Technology companies have the highest exposure and rate of critical severity KEVs, but are also the fastest to remediate them (93 days). Despite making big headlines, healthcare organizations are average when it comes to exposure and remediation.

“CISA’s KEV catalog is a major step forward in the identification of high-risk vulnerabilities. Unfortunately, we still have a major problem with management of those vulnerabilities as security leaders often lack clear responsibility and authority for remediation, visibility across their environment, and metrics to measure their effectiveness,” said Roland Cloutier, former Fortune 100 CSO and Bitsight advisor.

“The research from Bitsight sheds light on the mounting pressures facing every organization and proves that, now more than ever, security leaders need a seat at the table and the ability to influence operational change across the organization,” concluded Cloutier.

“The data leaves no doubt: CISA’s creation of the KEV catalog has been hugely positive. Unfortunately, KEVs are still extremely common and remediation is still too slow,” said Jim Langevin, founding member of Bitsight’s Cyber Risk Advisory Board.

“Organizations of all sizes are challenged to manage the pace of newly disclosed vulnerabilities. While organizations should adopt a vulnerability management model that accounts for their unique risks, we strongly recommend that every organization start by prioritizing Known Exploited Vulnerabilities,” said Eric Goldstein, CISA Executive Assistant Director for Cybersecurity. “While we are pleased to see that inclusion of a vulnerability in our Known Exploited Vulnerabilities catalog is associated with faster remediation, we know that the current model of ‘patch faster’ is unsustainable and every software company must reduce the prevalence of vulnerabilities by design.”