Most security bugs in the wild are years old

Most vulnerabilities exploited in the wild are years old and some could be remedied easily with a readily available patch.

This is one of the findings of a new report from security firm Edgescan, which states that two thirds (65 percent) of CVEs found in 2020 were more than three years old, while a third of those (32 percent) were originally identified in 2015 or earlier.

The oldest vulnerability in circulation last year was CVE-1999-0517, which was first identified at the turn of the millennium.

The most common malware-related vulnerabilities, the report further states, are between one and three years old, and many of them could be fixed with an already available patch. Despite this, it takes businesses 84 days on average to patch high-risk vulnerabilities.

According to the report, PHP is “by far” the most insecure framework, accounting for almost a quarter (22.7 percent) of all critical risks found last year. Further, more than a tenth (13.4 percent) of all critical risks were linked to either unsupported, unpatched or outdated systems.

“We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation states and cyber-criminal groups. So yes, patching and maintenance are still challenges, demonstrating that it is not trivial to patch production systems”, said Eoin Keary, CEO and founder of Edgescan.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.