Rising exploitation in enterprise software: Key trends for CISOs

Action1 researchers found an alarming increase in the total number of vulnerabilities across all enterprise software categories.

“With the NVD’s delay in associating Common Vulnerabilities and Exposures (CVE) identifiers with CPE (Common Platform Enumeration) data, our report comes at a critical moment, providing much-needed insights into the evolving vulnerability landscape for enterprise software,” said Mike Walters, President of Action1.

“Our goal is to arm key decision makers with essential knowledge so that they can prioritize their efforts in vulnerability monitoring using alternative approaches while the traditional reliance on NVDs is challenged. In light of the NVD crisis, the cybersecurity community needs to share information and build stronger relationships amongst private cybersecurity firms, academic institutions, and other threat intelligence platforms to facilitate holistic and timely data sharing so that all organizations can enhance their security posture,” added Walters.

Threat actors target Apple operating systems

Action1 discovered a high exploitation rate for NGINX (100%) and Citrix (57%). Vulnerabilities in load balancers pose significant risks, as just one exploit can provide attackers with broad access or disruption capabilities against targeted networks.

MacOS and iOS showed an increased exploitation rate of 7% and 8%, respectively. Additionally, although MacOS reduced its total vulnerability by 29% from 2023 to 2022, exploited vulnerabilities increased by over 30%. These findings underscore the targeted nature of attacks on iOS devices.

In 2023, Microsoft SQL Server (MSSQL) experienced a 1600% surge in critical vulnerabilities, each being an remote code execution (RCE). This spike signals a potential risk that attackers are quickly discovering and exploiting the next unknown RCE.

MSSQL is a lucrative target for hackers due to its widespread use in enterprise environments, housing valuable data like customer information and financial records.

MS Office’s critical vulnerabilities account for nearly 80% of the overall annual vulnerability count, up to 50% being RCEs. In 2023, Microsoft saw its exploitation rate rise to 7%, compared to 2% in 2022. These findings underscore threat actors’ exploitation of user-facing software prone to human error.

Spike in RCEs and exploited vulnerabilities raises concerns about Edge security

While Chrome has the highest number of total vulnerabilities over the three-year period analyzed, Edge’s record number of 14 RCE vulnerabilities over the same timeframe, which continues to grow, is an alarming insight.

Over the three years analyzed, Edge experienced a record number of RCE vulnerabilities, spiking at 17% in 2023, following a 500% growth in 2022. Additionally, in 2023 Edge reported a 7% exploitation rate, representing a 2% increase from 2022.

The fact that Edge faces an increase in RCE and exploited vulnerabilities, despite having a relatively low number of total vulnerabilities, suggests that Microsoft does not yet actively enforce a vulnerability management program for this web browser as rigorously as Google does for Chrome or Mozilla does for Firefox. This implies that it might not be a good idea to use Edge as the main corporate web browser.

The Software Vulnerability Ratings Report 2024 analyzed 2021, 2022, and 2023 data and drew insights from the NVD and cvedetails.com.

These findings underscore the continuing evolution of threats and the need for proactive security strategies, including timely OS and third-party application patching. To stay abreast of the changing vulnerability landscape, organizations should review their technology stack (potentially eliminating certain vulnerable technologies), anticipate future vulnerabilities based on trends, and continuously improve their security posture to quickly adapt to new threats.