back to article Just 2.6% of 2019's 18,000 tracked vulnerabilities were actively exploited in the wild

While the infosec industry is used to reading (and pumping out) FUD about software vulnerabilities, eye-catching research suggests about 500 vulns were exploited in 2019 – despite 18,000 new CVEs being created. Kenna Security, a US infosec firm, reckons that despite thousands of vulnerabilities being assigned a Common …

  1. Anonymous Coward
    Anonymous Coward

    Saying "only 2.6% of these ever ended up practically exploited" is all well and good after the fact. If you can't tell me _which_ 2.6% I need to care about as the reports come in, or indeed how severe the resulting impact is, then we can't really use that to be any smarter in how we respond to them.

    1. Throatwarbler Mangrove Silver badge


      These exploits are just like the flu! I'm not going to waste resources needlessly patching my systems, changing configurations, or employing anti-malware tools, and I'm certainly not going to quarantine my environment just because we've had a ransomware attack and so-called "experts" claim that my system will never recover! You might take my data, but you'll never take my FREEDOM!

      1. tfewster

        Re: Counterpoint

        Patch your systems?! Heavens no, Kenna and other Vulnerability Management vampires want you to "manage" vulns, with pretty graphs and steering committees, not actually fix them!

  2. Anonymous Coward
    Anonymous Coward

    Shirley you only need one?

    1. Anonymous Coward
      Anonymous Coward

      Don't call me Shirley! ;-)

  3. HildyJ Silver badge

    Not surprising

    Non governmental malware shops and solo hackers have the same problem that IT shops have - limited programmers and limited resources.

    They use the vulnerabilities as long as they work.

    Unfortunately, it doesn't make IT's job any easier because there's no way to predict what the next exploit will be.

    1. Falmari Silver badge

      Only so many hours in the day

      My thoughts when I first read the article. There are only so many hours in the day only 2.6 are exploited because there are so many to choose from.

      They will be used until they are fixed but then it is anyone's guess which of the unused 97.4% they will use next.

      1. Michael Wojcik Silver badge

        Re: Only so many hours in the day

        Exactly. The headline could just as well be "attackers have vast untapped vulnerability resources".

  4. David Pearce

    The ones that get used discretely?

    I wonder how many more get used sparingly by various TLAs around the world.

  5. Claptrap314 Silver badge

    I'm sure

    no one ever underreported for this study...

  6. NonSSL-Login

    Lies, damn lies and statistics

    How many of those 18,000 were local exploits rather than remote?

    How many of the exploits were auth bypass or remote code execution vs some cross script issue that needs interaction from an admin while logged in?

    How often were the same RCE and privilege escalation used because no other exploits were needed?

    My honour, I rest my case.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022