Earlier this year a joint cybersecurity advisory from U.S. and allied cybersecurity authorities identified the top routinely exploited Common Vulnerabilities and Exposures (CVEs) of 2021. We noted in a blog post about the advisory that 25% of the vulnerabilities on the list were identified in 2020 or earlier and continue to be routinely exploited.
This indicates poor patch management.
To make matters worse, according to new research by Google Project Zero, half of the zero-day vulnerabilities discovered in the first half of 2022 were a variant of an existing vulnerability – all of which had patches available.
Weak vulnerability management lets previously reported vulnerabilities resurface as new ones.
“Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched,” wrote Google Project Zero security researcher Maddie Stone. “In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path.”
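The pattern Stone describes is easy to reproduce in miniature. The following is an added, constructed illustration (not the win32k or Chromium code, and not part of the original post): a shared helper with a missing bounds check is reachable from two entry points. A "path patch" adds the check only at the entry point a proof of concept used, so the second path still reaches the original bug; the root-cause fix moves the check into the helper itself. The `RECORDS` data, the function names and the `variant_still_reachable` regression check are all hypothetical.

```python
"""Constructed illustration of a path patch versus a root-cause fix.

The data and function names are hypothetical; the point is that a fix
applied at one caller leaves the underlying bug reachable from others.
"""

# Constructed sample data standing in for something a caller should not
# be able to read outside the intended range.
RECORDS = ["alpha", "bravo", "charlie"]


def lookup_raw(index):
    """Root cause: trusts its caller and indexes with no bounds check.

    In Python a negative index silently wraps around, so -1 returns the
    last record instead of failing. That wrap-around is the 'bug' here.
    """
    return RECORDS[index]


# --- Path patch: only the entry point the proof of concept used is fixed ---

def api_get_path_patched(index):
    """The entry point that was reported; validation was bolted on here."""
    if index < 0 or index >= len(RECORDS):
        raise ValueError("index out of range")
    return lookup_raw(index)


def export_get_path_patched(index):
    """A second caller of the same helper, untouched by the path patch."""
    return lookup_raw(index)


# --- Root-cause fix: validation lives in the shared helper itself ---

def lookup_fixed(index):
    """Every caller now inherits the check, whichever path reaches it."""
    if not isinstance(index, int) or index < 0 or index >= len(RECORDS):
        raise ValueError("index out of range")
    return RECORDS[index]


def api_get_fixed(index):
    return lookup_fixed(index)


def export_get_fixed(index):
    return lookup_fixed(index)


def variant_still_reachable(entry_point, bad_index=-1):
    """Regression check a reviewer can run per entry point.

    Returns True if the original bug (the wrap-around read) still triggers
    through the given entry point, False if the input is rejected.
    """
    try:
        entry_point(bad_index)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, fn in [
        ("api_get_path_patched", api_get_path_patched),
        ("export_get_path_patched", export_get_path_patched),
        ("api_get_fixed", api_get_fixed),
        ("export_get_fixed", export_get_fixed),
    ]:
        print(f"{name:26s} bug reachable: {variant_still_reachable(fn)}")
```

The useful habit this encodes is the last function: when a fix lands, enumerate every caller of the affected code and check each one against the original trigger, not just the path in the proof of concept. With the path patch, `export_get_path_patched` still returns the wrapped-around record; with the root-cause fix, both entry points reject it.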
Investing in vulnerability management is imperative for organizations to minimize the risk from vulnerabilities. Here are a few things that security teams should do.