NCC Group Q1 Threat Report Update: Exploits publicly available for 29% of critical vulnerabilities discovered
Research from NCC Group’s Research and Intelligence Fusion Team (RIFT) has revealed that, of the more than 4,400 vulnerabilities that were disclosed* between January and March 2021, 72% had no patches available.
Of these vulnerabilities, 13% were classed as critical, and a proof-of-concept exploit was publicly available for 29%.
For around 50% of the vulnerabilities for which exploit code was accessible, no remediation patch was available – meaning that cyber criminals would be able to successfully target hardware or software by exploiting the vulnerabilities.
Our threat intelligence also identified a trend of cyber criminals targeting a single vulnerability to exploit multiple issues within a system. One example is the Microsoft Exchange zero-day (CVE-2021-26855), which led to a range of threat actors attempting to exploit this and other vulnerabilities to target email servers.
The total number of critical vulnerabilities, calculated using vulnerability database figures*, was 4% lower than the same period in 2020, which could indicate a slight positive trend towards built-in security as part of the software design life cycle.
Ollie Whitehouse, global CTO at NCC Group, said: “While there has been a slight decrease in the number of high-risk vulnerabilities publicly reported, the true scale is much larger. Leadership and engineering teams must prioritise security as part of the development process and have effective and rapid vulnerability root cause analysis, remediation and disclosure processes in place in order to quickly and comprehensively resolve, release and communicate any issues to customers.
“It is important for organisations to have a performance culture around asset management and patch deployment. Without such an ethos and approach the likelihood that organisations are resilient to current and future vulnerabilities is greatly diminished.”
Notes to editors
*Figures calculated using available data from the National Vulnerability Database, MITRE and NIST vulnerability databases, as well as Google Project Zero.