Despite the fast-changing nature of cybersecurity, it seems that when it comes to vulnerabilities there is still a place for the golden oldies.
New research by Rezilion finds that more than 4.5 million internet-facing devices remain vulnerable to flaws disclosed between 2010 and 2020. What's more, for most of these vulnerabilities, active scanning or exploitation attempts have been observed within the past 30 days.
The report focuses on some of the most critical vulnerabilities that already have a fix available but remain exploitable wherever the patch has not been applied. While the research counts only internet-facing servers, it is safe to assume that many more vulnerable servers sit behind the perimeter and are simply not visible to this kind of scan.
"The research highlights the fact that the timespan between the moment a vendor/maintainer issues a patch for a vulnerability and the moment in which the patch is actually deployed remains an Achilles heel in the vulnerability management lifecycle. What should ideally be the easy part, applying an existing patch to a known vulnerability that is known to be exploited in the wild, is apparently still out of reach for many organizations," says Yotam Perkal, head of vulnerability research at Rezilion, writing on the company's blog.
Significant examples highlighted by the report include CVE-2012-1823, a PHP CGI remote code execution vulnerability that has been public for 10 years and to which over half a million web-facing applications could still be vulnerable.
CVE-2014-0160, our old friend Heartbleed, has been in the wild for eight years, yet over 228,000 internet-facing systems could still be vulnerable; and CVE-2015-1635, a Microsoft HTTP.sys remote code execution vulnerability, has been in the wild for 7.5 years but still has more than 164,000 vulnerable applications facing the internet.
The moral is that keeping up to date with patches for known vulnerabilities matters, or you risk leaving your systems open to attack. The report also emphasizes the need for continuous monitoring and assessment, since it cites examples of vulnerable code that had already been patched being reintroduced into production environments by the CI/CD process.
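The CI/CD regression point above is the kind of thing a pipeline gate can catch before the build reaches production. The script below is an added example written for this page; it is not Rezilion's tooling and not from the report. It compares a build's pinned component versions against the inclusive affected ranges published for two of the CVEs named above (OpenSSL 1.0.1 through 1.0.1f for CVE-2014-0160; PHP before 5.3.12 and 5.4.x before 5.4.2 for CVE-2012-1823; pre-release builds are deliberately not modelled), and separately reports regressions, meaning a component that was clean in the last approved deployment but whose version has slipped back into a vulnerable range. The component names, the baseline and candidate inventories, and the `gate`/`regressions` helpers are all constructed for the example.

```python
"""Hypothetical CI/CD gate: block a build whose pinned component versions fall
inside a known-vulnerable range, and call out regressions against the last
approved baseline. Example code added for this page, not from the report."""
import re
from typing import Dict, List, Tuple

# Inclusive affected ranges, from the public CVE descriptions (simplified: the
# affected OpenSSL 1.0.2 pre-release builds are not modelled here).
ADVISORIES = [
    # Heartbleed: OpenSSL 1.0.1 through 1.0.1f; fixed in 1.0.1g.
    ("CVE-2014-0160", "openssl", [("1.0.1", "1.0.1f")]),
    # php-cgi argument injection: PHP before 5.3.12, and 5.4.x before 5.4.2.
    ("CVE-2012-1823", "php", [("0.0.0", "5.3.11"), ("5.4.0", "5.4.1")]),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def parse_version(v: str) -> Tuple[int, int, int, str]:
    """'1.0.1f' -> (1, 0, 1, 'f'); '5.4' -> (5, 4, 0, '').

    A letter suffix sorts after the bare release, matching how OpenSSL 1.0.x
    lettered patch releases are ordered. Up to three numeric fields are accepted."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    if len(nums) > 3:
        raise ValueError(f"too many version fields: {v!r}")
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2], m.group(2))


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive range check on parsed versions."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def scan_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, version, cve) for every pin inside an affected range."""
    findings = []
    for cve, component, ranges in ADVISORIES:
        version = inventory.get(component)
        if version is None:
            continue
        if any(in_range(version, lo, hi) for lo, hi in ranges):
            findings.append((component, version, cve))
    return sorted(findings)


def regressions(baseline: Dict[str, str], candidate: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Findings present in the candidate build that the approved baseline did not
    have: a component that was patched, then rolled back into the vulnerable range."""
    before = set(scan_inventory(baseline))
    return [f for f in scan_inventory(candidate) if f not in before]


def gate(baseline: Dict[str, str], candidate: Dict[str, str]) -> bool:
    """True if the candidate may ship: nothing in the candidate is known-vulnerable."""
    return not scan_inventory(candidate)


# Constructed sample data: the last approved deployment, and a new build whose
# pipeline re-pinned OpenSSL to an older image layer.
BASELINE = {"openssl": "1.0.1g", "php": "5.4.2", "nginx": "1.4.0"}
CANDIDATE = {"openssl": "1.0.1e", "php": "5.4.2", "nginx": "1.4.0"}

if __name__ == "__main__":
    for component, version, cve in scan_inventory(CANDIDATE):
        print(f"BLOCK: {component} {version} is affected by {cve}")
    for component, version, cve in regressions(BASELINE, CANDIDATE):
        print(f"REGRESSION: {component} rolled back from {BASELINE[component]} to {version}")
    print("ship" if gate(BASELINE, CANDIDATE) else "do not ship")
```

Run it as a step after the build produces its component inventory (an SBOM or package manifest, in practice) and fail the job when `gate` returns `False`. The `regressions` output is the signal the report describes: it is not enough to know a fix was applied once, because a stale base image, a reverted lockfile or a branch merged out of order can undo it, so the check has to run on every build rather than on a periodic scan.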
You can get the full report from the Rezilion site.
Image Credit: maxkabakov / depositphotos.com