But is it exploitable?
Studies examining the risk posed by CVEs.
I frequently note that about 90% (sometimes I say 95%, as I think the former figure is conservative) of all Common Vulnerabilities and Exposures (CVE) entries recorded in the National Vulnerability Database (NVD) are not exploitable in any given configuration.
By “any given configuration,” I mean that if you pick an application or network at random and scan it with an equally randomly selected tool, only about 10% (or less) of the CVE findings would be of any use to a malicious actor. While someone has likely exploited every CVE at some point (although the National Vulnerability Database does not necessarily confirm this before publishing the CVE), the vast majority of these vulnerabilities require an extremely narrow set of conditions, unrealistic in real-world deployments, to take advantage of.
I say this because it happens to be true but also because many security teams find themselves overwhelmed by the volume of CVEs detected by modern scanners. To address this problem, I have made some recommendations on how to evaluate and prioritize such findings.
With that said, sometimes people challenge my assertion about exploitability (some even implying I am insane for holding this position) or, more subtly, ask for a source for my information. Thus I thought it made sense to compile a list of studies backing up my claim. I have arrived at the 90% number through no scientific method but rather use it as a rough mental average of the figures listed in the various studies below.
Rezilion: “85% of Vulnerabilities Pose No Risk.”
Dark Reading: “Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say.”
Contrast Security: “Study Finds That Less Than 10% Of Application Code Is Active Third-Party Library Code.”
Mend: “research shows that only 15% to 30% of vulnerabilities are indeed effective.”
Kenna Security: “Even though 20% of published CVEs have a clear threat (either actively exploited in the wild or a published exploit exists), only about 5% of them represent real risk right now for most firms.”
Forum of Incident Response and Security Teams: “2%-7% of published vulnerabilities are ever seen to be exploited in the wild.”
Tenable: “more than 75% of all vulnerabilities with a [CVSS] score of 7 or above have never had an exploit published against them.”
Cybersecurity and Infrastructure Security Agency: “many vulnerabilities classified as ‘critical’ are highly complex and have never been seen exploited in the wild - in fact, less than 4% of the total number of CVEs have been publicly exploited.”
Please let me know in the comments section if there are any other studies relevant to this topic, and I will include them. I will also keep my eyes peeled for future research on this topic (and will adjust my 90% number if I find anything greatly contradicting this figure).
Update (15 November 2022): I have gotten some feedback that these articles and studies each say slightly different things about CVE exploitability, which I grant is certainly true. For those interested, I suggest reading each one and evaluating its methodology carefully. With that said, the main point of this post remains intact. Deploying Securely is all about providing actionable information and driving decisions in the face of uncertainty. And I remain confident that my underlying point remains directionally correct.