2021 Vulnerability Statistic Report Press Release

Over 65% of the CVEs Edgescan found in 2020 are more than 3 years old, with 32% dating back to 2015 or earlier 

Edgescan’s 2021 Vulnerability Stats Report Offers a snapshot of the overall state of cyber security globally 

DUBLIN, 15th FEB 2021 – Edgescan, providers of the award winning Fullstack Vulnerability Management™ range of services, today releases the 2021 Vulnerability Stats Report that, for the sixth year running, offers unique insight into the global security landscape from a trends and statistics perspective, as well as a snapshot of the overall state of cyber security globally. This year’s report takes a deeper look at vulnerability metrics from a known vulnerability (CVE), Malware, Ransomware and visibility standpoint (exposed services), coupling both internal and public Internet-facing systems. 

Edgescan’s 2021 Vulnerability Stats Report aims to demonstrate the state of full stack security based on thousands of security assessments performed globally, as delivered by Edgescan during the past year. 

Some of the key findings include: 

• Remote desktop (RDP) and Secure Shell (SSH) exposures increased by 40%, likely due to the increase in remote working due to Covid-19. This resulted in a massive increase in discovery of vulnerabilities such as the infamous Bluekeep (CVE-2019-0708), the critical bug behind the Wannacry attack of 2018 
• Of a sample of 1,000,000 endpoints profiled in 2020, 21,070 of the endpoints had an exposed database. This points to a serious lack of asset inventory and visibility 

• Over 65% of the CVEs Edgescan found in 2020 are more than 3 years old, with 32% dating back to 2015 or earlier 
• The oldest vulnerability discovered in 2020 in the wild: CVE-1999-0517 is 21 years old, but some systems are still exposed 
• It takes organisations an average of 84 days to remediate high risk vulnerabilities 
• SQL injection endures: 51.7% of discovered critical risk issues related to SQLI on the web application layer. SQL could allow attackers to exploit a data breach, tamper with existing data, and even become administrators of the database server in specific cases 
• The most common malware-related vulnerabilities are between 1 and 3 years old 

• Malware is exploiting common old vulnerabilities, which could easily be patched 
• By far the most insecure framework on the internet is PHP, accounting for 22.7% of all critical risks discovered in 2020 
• 13.4% of all critical risks discovered in 2020 related to unpatched, unsupported or out-of-date systems 
• 33% of discovered vulnerabilities on public Internet facing web applications were High or Critical Risk, while 50% of discovered vulnerabilities on Internal web applications were High or Critical Risk. 

“I am still as passionate as ever in compiling this report and delving into the underlying data. We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation states and cyber criminal groups. So yes, patching and maintenance are still challenges, demonstrating that it is not trivial to patch production systems”, said Eoin Keary, CEO and founder of Edgescan.  

“This report provides a glimpse of a global snapshot across dozens of industry verticals and how to prioritize on what is important, as not all vulnerabilities are equal. This year we call out which threat actors are leveraging discovered vulnerabilities, which should be food for thought,” he added. 

The value of Edgescan’s data has become more evident as their unique dataset is now a regular part of other annual security analysis reports, such as the OWASP Top 10 and Verizon DBIR.   

To get a copy of the 2021 Vulnerability Statistics Report, click here