Beyond Vulnerability Management – Can You CVE What I CVE?

Posted on May 9, 2025 By CWS

The Vulnerability Treadmill
The reactive nature of vulnerability management, combined with delays from policy and process, strains security teams. Capacity is limited and patching everything immediately is a struggle. Our Vulnerability Operation Center (VOC) dataset analysis identified 1,337,797 unique findings (security issues) across 68,500 unique customer assets. 32,585 of them were distinct CVEs, with 10,014 having a CVSS score of 8 or higher. Among these, external assets have 11,605 distinct CVEs, while internal assets have 31,966. With this volume of CVEs, it is no surprise that some go unpatched and lead to compromises.

Why are we stuck in this situation, what can be done, and is there a better way out there?
We'll explore the state of vulnerability reporting, how to prioritize vulnerabilities by threat and exploitation, examine statistical probabilities, and briefly discuss risk. Finally, we'll consider solutions to minimize vulnerability impact while giving management teams flexibility in crisis response. This should give a good impression, but if you want the full story you can find it in our annual report, the Security Navigator.
Can You CVE What I CVE?
Western nations and organizations use the Common Vulnerabilities and Exposures (CVE) list and the Common Vulnerability Scoring System (CVSS) to track and rate vulnerabilities, overseen by US government-funded programs like MITRE and NIST. By September 2024, the CVE program, active for 25 years, had published over 264,000 CVEs, and by 15 April 2025 the total number of CVEs had increased to roughly 290,000, including those marked "Rejected" or "Deferred".
NIST's National Vulnerability Database (NVD) relies on CVE Numbering Authorities (CNAs) to report CVEs with initial CVSS assessments, which helps scale the process but also introduces biases. The disclosure of significant vulnerabilities is complicated by disagreements between researchers and vendors over impact, relevance, and accuracy, affecting the broader community [1, 2].
By April 2025, a backlog of more than 24,000 unenriched CVEs had accumulated at the NVD [3, 4] as a result of bureaucratic delays in March 2024, which temporarily halted CVE enrichment despite ongoing vulnerability reports and dramatically illustrated the fragility of this system. The temporary pause produced a backlog that is yet to be cleared.
On 15 April 2025, MITRE announced that the US Department of Homeland Security would not be renewing its contract with MITRE, impacting the CVE program directly [15]. This created a lot of uncertainty about the future of CVEs and how it would affect cybersecurity practitioners. Fortunately, funding for the CVE program was extended thanks to the strong community and industry response [16].

CVE and the NVD are not the sole sources of vulnerability intelligence. Many organizations, including ours, develop independent products that track far more vulnerabilities than MITRE's CVE program and NIST's NVD.
Since 2009, China has operated its own vulnerability database, CNNVD [5], which could be a valuable technical resource [6, 7], though political obstacles make collaboration unlikely. Moreover, not all vulnerabilities are disclosed immediately, creating blind spots, while some are exploited without detection: the so-called 0-days.
In 2023, Google's Threat Analysis Group (TAG) and Mandiant identified 97 zero-day exploits, primarily affecting mobile devices, operating systems, browsers, and other applications. Meanwhile, only about 6% of vulnerabilities in the CVE dictionary have ever been exploited [8], and research from 2022 shows that half of organizations patch just 15.5% or fewer of their vulnerabilities each month [9].
While CVE is essential for security managers, it is an imperfect, voluntary system, neither globally regulated nor universally adopted.
This blog also aims to explore how we might reduce reliance on it in our daily operations.

Threat Informed
Despite its shortcomings, the CVE system still provides valuable intelligence on vulnerabilities that could impact security. However, with so many CVEs to handle, we must prioritize those most likely to be exploited by threat actors.
The Exploit Prediction Scoring System (EPSS), developed by the Forum of Incident Response and Security Teams (FIRST) SIG [10], helps predict the likelihood of a vulnerability being exploited in the wild. With EPSS intelligence, security managers can either prioritize patching as many CVEs as possible for broad coverage or focus on critical vulnerabilities to maximize efficiency and prevent exploitation. Both approaches have pros and cons.
To demonstrate the tradeoff between coverage and efficiency, we need two datasets: one representing potential patches (the VOC dataset) and another representing actively exploited vulnerabilities, which includes CISA KEV [10], ethical hacking findings, and data from our CERT Vulnerability Intelligence Watch service [12].


The EPSS threshold is used to select a set of CVEs to patch, based on how likely they are to be exploited in the wild. The overlap between the remediation set and the exploited vulnerability set can be used to calculate the Efficiency, Coverage, and Effort of a particular strategy.
EPSS predicts the probability of a vulnerability being exploited somewhere in the wild, not on any specific system. However, probabilities can "scale." For example, flipping one coin gives a 50% chance of heads, but flipping 10 coins raises the chance of at least one head to 99.9%. This scaling is calculated using the complement rule [13], which finds the probability of the desired outcome by subtracting the probability of failure from 1.
As FIRST explains, "EPSS predicts the probability of a specific vulnerability being exploited and can be scaled to estimate threats across servers, subnets, or entire enterprises by calculating the probability of at least one event occurring." [14, 15]
With EPSS, we can similarly calculate the probability of at least one vulnerability from a list being exploited by using the complement rule.
To demonstrate, we analyzed 397 vulnerabilities from the VOC scan data of a Public Administration sector client. As the chart below illustrates, most vulnerabilities had low EPSS scores until a sharp rise at position 276. Also shown on the chart is the scaled probability of exploitation using the complement rule, which effectively reaches 100% when only the first 264 vulnerabilities are considered.

As the scaled EPSS curve (left) on the chart indicates, as more CVEs are considered, the scaled probability that one of them will be exploited in the wild increases very quickly. By the time 265 distinct CVEs are under consideration, the probability that one of them will be exploited in the wild is greater than 99%. This level is reached before any individual vulnerability with a high EPSS comes into consideration: when the scaled EPSS value crosses 99% (position 260), the maximum individual EPSS is still below 11% (0.11).
This example, based on actual client data on vulnerabilities exposed to the Internet, shows how difficult prioritizing vulnerabilities becomes as the number of systems increases.
EPSS gives a probability that a vulnerability will be exploited in the wild, which is useful for defenders, but we've shown how quickly this probability scales when multiple vulnerabilities are involved. With enough vulnerabilities, there's a real likelihood that one will get exploited, even if the individual EPSS scores are low.
Like a weather forecast predicting a "chance of rain," the larger the area, the higher the probability of rain somewhere. Likewise, it's probably impossible to reduce the probability of exploitation anywhere close to zero.
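As an added example (not code from the article or from the Security Navigator analysis), the following Python applies the complement rule described above to a constructed list of EPSS scores, reports the position at which the scaled probability first crosses 99% together with the largest individual score seen up to that point, and scores an EPSS-threshold patch set for Efficiency, Coverage and Effort against a constructed list of exploited findings. The finding IDs, scores and function names are the example's own, not the client data behind the chart.

```python
"""Complement-rule scaling of EPSS scores, and Efficiency/Coverage/Effort of an
EPSS-threshold patch set. Added example with constructed data."""
from math import prod


def scaled_probability(epss_scores):
    """P(at least one exploited) = 1 - product(1 - p_i): the complement rule."""
    return 1.0 - prod(1.0 - p for p in epss_scores)


def crossing_position(epss_scores, threshold=0.99):
    """Walk the list in order and return (1-based position, max EPSS seen so far)
    at the first point where the running scaled probability exceeds `threshold`,
    or None if it never does."""
    p_none = 1.0
    max_seen = 0.0
    for position, p in enumerate(epss_scores, start=1):
        p_none *= 1.0 - p
        max_seen = max(max_seen, p)
        if 1.0 - p_none > threshold:
            return position, max_seen
    return None


def patch_set_metrics(findings, exploited_ids, epss_threshold):
    """Select the remediation set as every finding with EPSS >= threshold and
    score it against the findings known to be exploited (a KEV-style list).
    Efficiency = share of patched findings that were actually exploited.
    Coverage   = share of exploited findings the patch set addresses.
    Effort     = number of findings the strategy asks you to patch."""
    remediation = {fid for fid, p in findings.items() if p >= epss_threshold}
    hits = remediation & set(exploited_ids)
    return {
        "effort": len(remediation),
        "efficiency": len(hits) / len(remediation) if remediation else 0.0,
        "coverage": len(hits) / len(exploited_ids) if exploited_ids else 0.0,
    }


# Constructed scan: 300 findings at EPSS 0.02 followed by three high scorers,
# mimicking the long low tail and late sharp rise of a sorted EPSS list.
SAMPLE_EPSS = [0.02] * 300 + [0.30, 0.60, 0.90]
SAMPLE_FINDINGS = {f"finding-{i:03d}": p for i, p in enumerate(SAMPLE_EPSS, start=1)}
# Constructed "exploited" list: two of the high scorers plus one low-EPSS finding.
SAMPLE_EXPLOITED = ["finding-302", "finding-303", "finding-150"]

if __name__ == "__main__":
    print("ten coins, at least one head:", scaled_probability([0.5] * 10))
    print("99% crossing (position, max EPSS so far):", crossing_position(SAMPLE_EPSS))
    for t in (0.5, 0.1, 0.01):
        print(f"EPSS threshold {t}:", patch_set_metrics(SAMPLE_FINDINGS, SAMPLE_EXPLOITED, t))
```

With the constructed data the scaled probability passes 99% at position 228 while no individual score has exceeded 0.02, which is the same effect the article reports at position 260 with a maximum EPSS of 0.11. Lowering the threshold raises coverage at the cost of effort and efficiency, which is the tradeoff the two datasets are meant to expose.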

Attacker Odds
We've identified three critical truths that must be integrated into our examination of the vulnerability management process:

Attackers aren't focused on specific vulnerabilities; they aim to compromise systems.
Exploiting vulnerabilities isn't the only path to compromise.
Attackers' skill and persistence levels vary.

These factors allow us to extend our analysis of EPSS and probabilities to consider the probability of an attacker compromising some arbitrary system, then scaling that to determine the probability of compromising some system within a network that grants access to the rest.
We can assume each hacker has a certain "probability" of compromising a system, with this probability increasing with their skill, experience, tools, and time. We can then continue applying probability scaling to assess attacker success against a broader computer environment.

Given a patient, undetected hacker, how many attempts are statistically required to breach a system granting access to the graph? Answering this requires applying a transformed binomial distribution in the form of this equation [16, 17]:

Using this equation, we can estimate how many attempts an attacker of a certain skill level would need. For instance, if attacker A1 has a 5% success rate (1 in 20) per system, they would need to target up to 180 systems to be 99.99% sure of success.
Another attacker, A2, with a 10% success rate (1 in 10), would need about 88 targets to ensure at least one success, while a more skilled attacker, A3, with a 20% success rate (1 in 5), would only need around 42 targets for the same probability.
These are probabilities: an attacker might succeed on the first try or require many attempts to reach the expected success rate. To assess real-world impact, we surveyed senior penetration testers in our business, who estimated their success rate against arbitrary internet-connected targets to be around 30%.
Assuming a skilled attacker has a 5% to 40% chance of compromising a single machine, we can now estimate how many targets would be needed to nearly guarantee one successful compromise.

The implications are striking: with just 100 potential targets, even a moderately skilled attacker is almost certain to succeed at least once. In a typical enterprise, this single compromise often provides access to the broader network, and enterprises typically have thousands of computers to consider.
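The attempts-per-confidence calculation in this section, as an added Python example (not the article's own equation, whose image is not reproduced on this page). It inverts the complement rule, P(at least one success) = 1 - (1 - p)^n, to solve for n, which is the standard form of the "at least one success in n independent trials" binomial question; the function names and the 5% to 40% rate table are the example's own, and the per-system success rates are the article's illustrative assumptions, not measurements.

```python
"""How many independent targets give an attacker a chosen confidence of at
least one compromise, and the converse: how confident they are for a given
number of targets. Added example; inverts the complement rule for n."""
from math import ceil, log


def success_probability(p_success, n_targets):
    """Complement rule: P(at least one success in n independent attempts)."""
    return 1.0 - (1.0 - p_success) ** n_targets


def targets_needed(p_success, confidence=0.9999):
    """Smallest n such that 1 - (1 - p)^n >= confidence.
    Rearranged: (1 - p)^n <= 1 - confidence, so n >= ln(1 - confidence) / ln(1 - p)
    (both logs are negative, so the division flips no inequality)."""
    if not 0.0 < p_success < 1.0:
        raise ValueError("per-target success rate must be strictly between 0 and 1")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    n = ceil(log(1.0 - confidence) / log(1.0 - p_success))
    # Guard against floating-point rounding landing one short of the threshold.
    while success_probability(p_success, n) < confidence:
        n += 1
    return n


def attacker_table(rates=(0.05, 0.10, 0.20, 0.30, 0.40), confidence=0.9999):
    """Targets needed per skill level, for the article's 5%..40% range."""
    return {p: targets_needed(p, confidence) for p in rates}


if __name__ == "__main__":
    for rate, n in attacker_table().items():
        print(f"success rate {rate:.0%}: {n} targets for 99.99% confidence")
    # The "100 potential targets" observation from the article:
    for rate in (0.05, 0.10, 0.30):
        print(f"rate {rate:.0%}, 100 targets: P(>=1 compromise) = "
              f"{success_probability(rate, 100):.4f}")
```

The table reproduces the article's figures for A1, A2 and A3 (180, 88 and 42 targets) and extends them to the surveyed 30% rate (26 targets) and 40% (19 targets). Running `success_probability` the other way round is the defender's view: reducing the number of reachable systems is the only term in the formula under the defender's control, which is the argument the Risk Reduction section makes for shrinking the attack surface and segmenting the graph.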
Reimagining Vulnerability Management
For the future, we need to conceive an environment and architecture that is resistant to compromise via an individual system. In the short term, we argue that our approach to vulnerability management needs to change.
The current approach to vulnerability management is rooted in its name: focusing on "vulnerabilities" (as defined by CVE, CVSS, EPSS, misconfigurations, errors, etc.) and their "management." However, we have no control over the number, velocity, or significance of CVEs, leading us to constantly react to chaotic new intelligence.
EPSS helps us prioritize vulnerabilities likely to be exploited in the wild, representing real threats, which forces us into a reactive mode. While mitigation addresses vulnerabilities, our response is really about countering threats; hence, this process should be called Threat Mitigation.
As discussed earlier, it's statistically impossible to effectively counter threats in large enterprises by merely reacting to vulnerability intelligence. Risk Reduction is about the best we can do. Cyber risk results from a threat targeting a system's assets, leveraging vulnerabilities, and the potential impact of such an attack. By addressing risk, we open up more areas under our control to manage and mitigate.

Threat Mitigation
Threat Mitigation is a dynamic, ongoing process that involves identifying threats, assessing their relevance, and taking action to mitigate them. This response can include patching, reconfiguring, filtering, adding compensating controls, or even removing vulnerable systems. EPSS is a valuable tool that complements other sources of threat and vulnerability intelligence.
However, the scaling nature of probabilities makes EPSS less useful in large internal environments. Since EPSS focuses on vulnerabilities likely to be exploited "in the wild," it's most applicable to systems directly exposed to the internet. Therefore, Threat Mitigation efforts should primarily target these externally exposed systems.

Risk Reduction
Cyber risk is a product of Threat, Vulnerability, and Impact. While the "Threat" is largely beyond our control, patching specific vulnerabilities in large environments doesn't significantly lower the probability of compromise. Therefore, risk reduction should focus on three key efforts:

Reducing the attack surface: Since the probability of compromise increases with scale, it can be reduced by shrinking the attack surface. A key priority is identifying and removing unmanaged or unnecessary internet-facing systems.
Limiting the impact: Lambert's law advises limiting attackers' ability to access and traverse the "graph." This is achieved by segmentation at all levels: network, permissions, applications, and data. The Zero Trust architecture provides a practical reference model for this goal.
Improving the baseline: Instead of focusing on specific vulnerabilities as they're reported or discovered, systematically reducing the overall number and severity of vulnerabilities lowers the probability of compromise. This approach prioritizes efficiency and Return on Investment, ignoring current acute threats in favor of long-term risk reduction.

By separating Threat Mitigation from Risk Reduction, we can break free from the constant cycle of reacting to specific threats and focus on more efficient, strategic approaches, freeing up resources for other priorities.
An Efficient Approach
This approach can be pursued systematically to optimize resources. The focus shifts from "managing vulnerabilities" to designing, implementing, and validating resilient architectures and baseline configurations. Once these baselines are set by security, IT can take over their implementation and maintenance.
The key here is that the "trigger" for patching internal systems is a predefined plan, agreed with system owners, to upgrade to a new, approved baseline. This approach is certain to be much less disruptive and more efficient than constantly chasing the latest vulnerabilities.
Vulnerability scanning remains important for creating an accurate asset inventory and identifying non-compliant systems. It can support existing standardized processes instead of triggering them.
Shaping the Future
The overwhelming barrage of randomly discovered and reported vulnerabilities, as represented by CVE, CVSS and EPSS, is stressing our people, processes and technology. We've effectively been approaching vulnerability management the same way for over 20 years, with moderate success.
It's time to reimagine how we design, build, and maintain systems.

A Template for a New Strategy
Key factors to consider for security strategies towards 2030 and beyond:

Starting at the source
Human Factor
Leverage human strengths and anticipate their weaknesses.
Gain support from senior management and executives.
Be an enabler, not a blocker.

Threat-Informed Decision Making
Learn from incidents and focus on what's being exploited.
Use strategies to enhance remediation based on your capabilities.

Threat Modeling and Simulation
Use threat models to understand potential attack paths.
Conduct ethical hacking to test your environment against real threats.

System Architecture and Design
Apply threat models and simulations to validate assumptions in new systems.
Reduce the attack surface systematically.
Strengthen defense in depth by reviewing existing systems.
Treat SASE and Zero Trust as strategies, not just technology.

Secure by Demand / Default
Implement formal policies to embed security into corporate culture.
Ensure vendors and suppliers have active security improvement programs.

There is more to this. This is just an excerpt of our coverage of vulnerabilities in the Security Navigator 2025. To find out more about how we can take back control, how different industries compare in our vulnerability screening operations, and how factors like Generative AI impact cyber security, I warmly recommend heading over to the download page and getting the full report!

Note: This article was expertly written and contributed by Wicus Ross, Senior Security Researcher at Orange Cyberdefense.
