But is it exploitable?
Studies examining the risk posed by CVEs.
I frequently note that about 90% (sometimes I say 95%, since I think the former figure is conservative) of all Common Vulnerabilities and Exposures (CVEs) recorded in the National Vulnerability Database (NVD) are not exploitable in any given configuration.
By “any given configuration,” I mean that if you pick an application or network at random and scan it with an equally randomly selected tool, only about 10% (or fewer) of the CVE findings would be of any use to a malicious actor. While someone has likely exploited every CVE at some point (although the NVD does not necessarily confirm exploitation before publishing a CVE), the vast majority of these vulnerabilities require an extremely narrow, and in the real world unrealistic, set of conditions to take advantage of.
I say this because it happens to be true, but also because many security teams find themselves overwhelmed by the volume of CVEs detected by modern scanners. To address this problem, I have made some recommendations on how to evaluate and prioritize such findings.
With that said, people sometimes challenge my assertion about exploitability (some even imply I am insane for holding this position) or, more reasonably, ask for a source. Thus I thought it made sense to compile a list of studies backing up my claim. I arrived at the 90% number through no scientific method; rather, I use it as a rough mental average of the figures in the various studies below.
Rezilion: “85% of Vulnerabilities Pose No Risk.”
Dark Reading: “Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say.”
Contrast Security: “Study Finds That Less Than 10% Of Application Code Is Active Third-Party Library Code.”
Mend: “research shows that only 15% to 30% of vulnerabilities are indeed effective.”
Kenna Security: “Even though 20% of published CVEs have a clear threat (either actively exploited in the wild or a published exploit exists), only about 5% of them represent real risk right now for most firms.” Update (17 February 2023): While somewhat relevant, this statistic concerns public availability of exploit code rather than exploitability of the vulnerability itself, so I am striking it for clarity.
Forum of Incident Response and Security Teams: “2%-7% of published vulnerabilities are ever seen to be exploited in the wild.” Update (22 February 2023): While I will keep this statistic, I note that it refers to exploitation in the wild rather than exploitability.
Tenable: “more than 75% of all vulnerabilities with a [CVSS] score of 7 or above have never had an exploit published against them.” Update (17 February 2023): While somewhat relevant, this statistic concerns public availability of exploit code rather than exploitability of the vulnerability itself, so I am striking it for clarity.
Cybersecurity and Infrastructure Security Agency: “many vulnerabilities classified as “critical” are highly complex and have never been seen exploited in the wild - in fact, less than 4% of the total number of CVEs have been publicly exploited [sic].” Note: this is likely a misinterpretation of a Carnegie Mellon study, which actually says that “two common repositories of public exploit data became available and find that 4.1%±0.1% of CVE-IDs have public exploit code associated with them within 365 days.” This statement is substantially different from what CISA says, because merely having exploit code publicly available is not the same as a vulnerability actually being exploited, and there are well-known marketplaces for selling non-public exploits. Although CISA does not attribute the statement to any source, it goes on to say “of those 4% of known exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.” This data also comes from the Carnegie Mellon study. Update (22 February 2023): While I will keep this statistic, I note that it refers to exploitation in the wild rather than exploitability.
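The updates above keep separating three things the studies tend to blur: whether a CVE is exploitable in a specific deployment, whether public exploit code exists for it, and whether it has been seen exploited in the wild. Those three questions can be turned into a triage order. What follows is an added example of my own, not the author's recommendations, a scanner's output, or code from any of the cited studies. It classifies constructed scanner findings using four assumed per-finding flags (exploited_in_wild, public_exploit, reachable, precondition_met); in practice a team would populate these from CISA KEV, exploit databases, SBOM or runtime reachability data, and a configuration review. The CVE identifiers are placeholders, not real CVEs.

```python
"""Triage constructed CVE findings by deployment-specific exploitability first,
then by strength of exploit evidence, then by CVSS."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float
    component: str
    # Assumed inputs (hypothetical flags for this example); a real pipeline would
    # derive them from KEV, exploit databases, SBOM/runtime data and config review.
    exploited_in_wild: bool = False   # e.g. listed in CISA KEV
    public_exploit: bool = False      # exploit code published somewhere public
    reachable: bool = True            # vulnerable code/service actually loaded and exposed here
    precondition_met: bool = True     # any config/auth/network condition the exploit needs holds here


# Highest priority first.
BUCKETS = [
    "exploited-in-wild",
    "public-exploit",
    "no-known-exploit",
    "not-exploitable-here",
]


def bucket(f: Finding) -> str:
    """Classify one finding. Deployment-specific conditions are checked first:
    a CVE whose vulnerable path is unreachable, or whose precondition is absent,
    is noise in this configuration regardless of CVSS or exploit availability."""
    if not (f.reachable and f.precondition_met):
        return "not-exploitable-here"
    if f.exploited_in_wild:
        return "exploited-in-wild"
    if f.public_exploit:
        return "public-exploit"
    return "no-known-exploit"


def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings for work: by bucket rank, then CVSS descending within a bucket."""
    return sorted(findings, key=lambda f: (BUCKETS.index(bucket(f)), -f.cvss))


def summarize(findings: list[Finding]) -> dict:
    """Per-bucket counts plus the share of findings that matter in this deployment."""
    counts = Counter(bucket(f) for f in findings)
    exploitable = sum(1 for f in findings if bucket(f) != "not-exploitable-here")
    return {
        "counts": dict(counts),
        "exploitable_fraction": exploitable / len(findings) if findings else 0.0,
    }


# Constructed sample scan output; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "xml-parser", exploited_in_wild=True),
    Finding("CVE-0000-0002", 9.1, "image-decoder", public_exploit=True, reachable=False),       # shipped, never called
    Finding("CVE-0000-0003", 8.8, "admin-console", public_exploit=True, precondition_met=False),  # needs debug mode, which is off
    Finding("CVE-0000-0004", 7.5, "http-server", public_exploit=True),
    Finding("CVE-0000-0005", 7.2, "cli-tool", reachable=False),                                   # dev-only dependency
    Finding("CVE-0000-0006", 6.5, "auth-lib"),
    Finding("CVE-0000-0007", 5.3, "logging-lib", reachable=False),
    Finding("CVE-0000-0008", 4.3, "template-engine", precondition_met=False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{bucket(f):22} {f.cvss:4} {f.cve} ({f.component})")
    print(summarize(SAMPLE))
```

On this constructed input, two of the three highest-CVSS findings with public exploit code sort to the bottom because the vulnerable code is never called or the required debug mode is disabled, and only three of eight findings remain actionable. That is the shape of the argument above: CVSS and exploit availability rank what is left after you have asked whether the vulnerability is reachable in your configuration at all.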
Please let me know in the comments section if there are any other studies relevant to this topic, and I will include them. I will also keep my eyes peeled for future research on this topic (and will adjust my 90% number if I find anything greatly contradicting this figure).
Update (15 November 2022): I have gotten some feedback that these articles and studies each say slightly different things about CVE exploitability, which I grant is certainly true. For those interested, I suggest reading each one and evaluating the methodology carefully. With that said, the main point of this post remains intact. Deploying Securely is all about providing actionable information and driving decisions in the face of uncertainty, and I remain confident that my underlying point is directionally correct.
In real life, cybersecurity is not about an average, but about one specific company (your employer).
It is like one specific patient with cancer… he doesn't care about the fact that most of the population doesn't have cancer.