The information presented here gives you an overview of the most recent data extracted from the Edgescan platform, which uses authentic vulnerability intelligence from actual companies. This data will provide you with up-to-date information about the risks in the “wild.” It is a supplement to our Vulnerability Statistics Report, which is released annually in late Winter.
Approaches to Vulnerability Prioritization:
Comparing EPSS with CVSS v3.0
As you may know, not all security vulnerabilities are the same. Some present minimal risk to your infrastructure, while others pose significant risk and can be detrimental to the operations and integrity of your business. Understanding that level of discrepancy amongst vulnerabilities helps make incident response and mitigation more effective while minimizing the headaches brought on by the resolution process.
Let’s look at two common methods to estimate the occurrence of significant risk vulnerabilities. The list is based on filtering the top 20 most common vulnerabilities discovered from a total list of 247,000 vulnerabilities by Edgescan between January and September 2023. (See the supporting charts at the end of this article.)
Most occurrences of a vulnerability with a minimum CVSS v3.0 score of 8.0;
Most occurrences of a vulnerability with a minimum EPSS score of 0.9.
The challenge here is precisely how to define “significant risk”. Should it be based on CVSS or EPSS? The result impacts prioritization in all cases. First, let’s ‘set a clean slate’ by defining these terms:
EPSS: The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. https://www.first.org/epss/
CVSS: The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. https://www.first.org/cvss/
Additionally, consider this additional component that indicates those vulnerabilities ‘out in the wild’ of the Internet.
CISA KEV: A maintained list by the Cybersecurity and Infrastructure Security Agency (CISA) of vulnerabilities known to be exploited on the Internet:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog/
Note that estimating the most common occurrence of a vulnerability based on specific risk criteria can result in significant differences depending on the approach to estimating risk. In this case, we compare vulnerabilities using CVSS v3.0 and EPSS attributes. As a result, there is a significant difference in results between using a CVSS and EPSS selection criteria. Top takeaways;
6 of the Top 20 vulnerabilities with a CVSS of 8.0 or above are listed on the CISA KEV (highlighted in the table below in blue);
12 of the Top 20 vulnerabilities with an EPSS of 0.9 or above are listed in the CISA KEV (highlighted in the table below in blue);
EPSS appears to be more aligned with CISA KEV than CVSS based on the sample space used;
EPSS covers more than 7,000 vulnerabilities, whilst CISA KEV currently contains 1,000+ vulnerabilities.
Overall, a combination of CVSS and EPSS ratings is recommended when attempting to prioritize security vulnerabilities. Introducing threat intelligence mapping to discovered vulnerabilities would also improve pragmatic, laser-focused prioritization. Realize that CVSS v4.0 introduces new attributes, such as threat intelligence which should improve CVSS effectiveness. Realize that context matters when it comes to vulnerability prioritization – as not all vulnerabilities are created equal. It’s the business risk of these vulnerabilities that is most important.
Besides these industry-established risk-rating systems, Edgescan also delivers validated vulnerability data and quickly rates the severity level of each exposure using a proprietary scoring process called EVSS (Edgescan Validated Security Score). This is a key component of our Risk-based Vulnerability Management (RBVM) solution, which uses automation combined with human intelligence to uniquely test for vulnerabilities that cannot be uncovered through traditional vulnerability scanning alone.
Based on this recent snapshot of information, I’d encourage you to consider this to optimize your vulnerability management program – and reduce any headaches in your remediation process.
For more information on how Edgescan can help your organization reduce risk from vulnerabilities and exposures, sign up for a demo to see how it all works.
Table 1. Top 20 most common vulnerabilities discovered on public Internet-facing systems with a CVSS v3.0 score of 8.0+
Vulnerability | CVSS v3.0 | EPSS | CISA KEV | |
| 1 | WordPress Advanced Custom Fields Pro Plugin 5.x < 5.12.3 File Upload Vulnerability | 8.8 | 0 | false |
| 2 | Wowza Streaming Engine < 4.8.17 Multiple Log4j Vulnerabilities (Log4Shell) | 10 | 0.97 | true |
| 3 | Microsoft Exchange Server OWA Multiple Vulnerabilities (Sep 2022, ProxyNotShell) | 8.8 | 0.97 | true |
| 4 | Wowza Streaming Engine <= 4.8.0 Multiple Vulnerabilities | 8.8 | 0.01 | false |
| 5 | Wowza Streaming Engine <= 4.8.11+5 Multiple Vulnerabilities | 8.1 | 0 | false |
| 6 | Spring4Shell | 9.8 | 0.97 | true |
| 7 | PHP < 7.4.30, 8.0.x < 8.0.20, 8.1.x < 8.1.7 Security Update (Jun 2022) – Linux | 8.8 | 0 | false |
| 8 | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5007409) | 8.8 | 0.93 | true |
| 9 | Magento 2.3.3-p1 <= 2.3.7-p2, 2.4.x <= 2.4.3-p1 Multiple RCE Vulnerabilities (APSB22-12) | 9.8 | 0.26 | true |
| 10 | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5012698) | 8.8 | 0.02 | false |
| 11 | Magento < 2.3.6-p1, 2.4.x < 2.4.1-p1 Multiple Vulnerabilities (APSB21-08) | 9.1 | 0.01 | false |
| 12 | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5007012) | 9 | 0 | false |
| 13 | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5008631) | 9 | 0 | false |
| 14 | Magento < 2.3.7-p3, 2.4.x < 2.4.3-p2 RCE Vulnerability (APSB22-13) | 8.3 | 0 | false |
| 15 | Magento < 2.3.7-p1, 2.4.x < 2.4.2-p2 Multiple Vulnerabilities (ASPB21-64) | 9.8 | 0 | false |
| 16 | Microsoft Exchange Server 2016 / 2019 Multiple Vulnerabilities (KB5015322) | 8 | 0 | false |
| 17 | PHP < 7.4.28, 8.0.x < 8.0.16, 8.1.x < 8.1.3 Security Update (Feb 2022) – Windows | 9.8 | 0 | false |
| 18 | Apache HTTP Server 2.4.7 – 2.4.51 Multiple Vulnerabilities – Windows | 8.2 | 0.75 | false |
| 19 | SAP Multiple Products Request Smuggling and Request Concatenation Vulnerability (ICMAD, 3123396 | 10 | 0.96 | true |
| 20 | Ipswitch WS_FTP Server < 8.6.1 Multiple Vulnerabilities | 9.8 | 0.01 | false |
Table 2. Top 20 most common vulnerabilities discovered on public Internet-facing systems with an EPSS score of 0.9+
Vulnerability | CVSS v3.0 | EPSS | CISA KEV | |
| 1 | SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (LogJam) | 3.7 | 0.97 | false |
| 2 | SSL/TLS: Weak Cipher Suites | 5.9 | 0.97 | false |
| 3 | SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) | 3.4 | 0.98 | false |
| 4 | OpenSSL ‘ChangeCipherSpec’ MiTM Vulnerability | 7.4 | 0.97 | false |
| 5 | Wowza Streaming Engine < 4.8.17 Multiple Log4j Vulnerabilities (Log4Shell) | 10 | 0.97 | true |
| 6 | Microsoft Exchange Server OWA Multiple Vulnerabilities (Sep 2022, ProxyNotShell) | 8.8 | 0.97 | true |
| 7 | OpenSSL ‘CVE-2016-2107’ Padding Oracle Vulnerability | 5.9 | 0.97 | false |
| 8 | Spring4Shell | 9.8 | 0.97 | true |
| 9 | Microsoft Exchange Server 2013 / 2016 / 2019 Multiple Vulnerabilities (KB5007409) | 8.8 | 0.93 | true |
| 10 | SAP Multiple Products Request Smuggling and Request Concatenation Vulnerability (ICMAD, 3123396) | 10 | 0.96 | true |
| 11 | Log4Shell (CVE-2021-44228) | 10 | 0.97 | true |
| 12 | ManageEngine ADSelfService Plus < 6.1 build 6122 Remote Code Execution | 6.8 | 0.95 | true |
| 13 | Cisco Adaptive Security Appliance Software Web Services Interface Cross-Site Scripting Vulnerabilities (cisco-sa-asaftd-xss-multiple-FCB3vPZe) | 6.1 | 0.97 | true |
| 14 | Apache Axis <= 1.4 Multiple Vulnerabilities | 7.5 | 0.96 | false |
| 15 | SSL/TLS EXPORT_RSA <= 512-bit Cipher Suites Supported (FREAK) | 4.3 | 0.97 | false |
| 16 | Oracle Access Manager (OAM) RCE Vulnerability (cpujan2022) | 9.8 | 0.96 | true |
| 17 | WordPress Multiple Vulnerabilities (Jan 2022) – Linux | 8.8 | 0.94 | false |
| 18 | SAP NetWeaver AS Java Multiple Vulnerabilities (2934135) | 10 | 0.97 | true |
| 19 | MobileIron Core Multiple Log4j Vulnerabilities (Log4Shell) | 10 | 0.97 | true |
| 20 | MobileIron Sentry Log4j RCE Vulnerability (Log4Shell) | 10 | 0.97 | true |