
Most security bugs in the wild are years old

(Image credit: ESB Professional / Shutterstock)

Most vulnerabilities exploited in the wild are years old and some could be remedied easily with a readily available patch.

This is one of the findings of a new report from security firm Edgescan, which states that two thirds (65 percent) of CVEs found in 2020 were more than three years old, while a third of those (32 percent) were originally identified in 2015 or earlier.

The oldest vulnerability in circulation last year was CVE-1999-0517, which was first identified at the turn of the millennium.

The most common malware-related vulnerabilities, the report further states, are between one and three years old, and many of them could be fixed with a patch that is already available. Despite this, it takes businesses 84 days on average to patch high-risk vulnerabilities.

According to the report, PHP is “by far” the most insecure framework, accounting for almost a quarter (22.7 percent) of all critical risks found last year. Further, more than a tenth (13.4 percent) of all critical risks were linked to either unsupported, unpatched or outdated systems.
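The figures above (share of findings older than three years, share dating from 2015 or earlier, mean days to patch high-risk issues) are the kind of vulnerability-age metrics a security team can compute from its own scan results. The following is an added example, not code from the article or from Edgescan: it derives the year of a finding from its CVE identifier, buckets findings by age relative to the report year, and computes the mean time to patch for high-risk findings that have been closed. The input is a small constructed list of findings; only CVE-1999-0517 is taken from the article, the other identifiers are placeholders whose year is the only part that matters. It assumes the year in a CVE id is a reasonable proxy for when the vulnerability became known (strictly it is the year the id was reserved, which can precede publication).

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    cve: str
    severity: str            # "high", "medium" or "low"
    first_seen: date         # date the scanner first reported it
    patched: Optional[date]  # None while the finding is still open


def cve_year(cve_id: str) -> int:
    """Extract the year from an id of the form CVE-YYYY-NNNN.

    Assumption: the year part approximates when the vulnerability was
    disclosed. Malformed ids raise ValueError rather than being guessed at.
    """
    parts = cve_id.strip().upper().split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(parts[1])


def age_report(findings, report_year: int) -> dict:
    """Summarise how old the findings are and how fast high-risk ones get fixed."""
    total = len(findings)
    older_than_3y = sum(1 for f in findings if report_year - cve_year(f.cve) > 3)
    from_2015_or_earlier = sum(1 for f in findings if cve_year(f.cve) <= 2015)

    high = [f for f in findings if f.severity == "high"]
    closed_high = [f for f in high if f.patched is not None]
    days_to_patch = [(f.patched - f.first_seen).days for f in closed_high]

    return {
        "total": total,
        "older_than_3y_pct": round(100.0 * older_than_3y / total, 1),
        "from_2015_or_earlier_pct": round(100.0 * from_2015_or_earlier / total, 1),
        "mean_days_to_patch_high": round(mean(days_to_patch), 1) if days_to_patch else None,
        "open_high": len(high) - len(closed_high),
    }


# Constructed sample findings for a 2020 report. Only the first id is real
# (it appears in the article); the others are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-1999-0517", "high",   date(2020, 1, 10), date(2020, 4, 19)),
    Finding("CVE-2014-9999", "high",   date(2020, 3, 1),  date(2020, 5, 8)),
    Finding("CVE-2018-1234", "medium", date(2020, 2, 2),  date(2020, 2, 20)),
    Finding("CVE-2019-5678", "high",   date(2020, 7, 1),  None),
    Finding("CVE-2020-0042", "low",    date(2020, 8, 3),  None),
    Finding("CVE-2016-7777", "high",   date(2020, 6, 15), date(2020, 9, 7)),
]


def sample_report() -> dict:
    return age_report(SAMPLE_FINDINGS, report_year=2020)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the constructed data the report shows half the findings older than three years, a third from 2015 or earlier, and a mean of 84 days to close high-risk findings, with one high-risk finding still open. Replace `SAMPLE_FINDINGS` with rows exported from a scanner or ticketing system to get the same metrics for a real estate; the mean time to patch should be read together with the open count, since findings that never get closed do not enter the mean.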

“We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation states and cyber-criminal groups. So yes, patching and maintenance are still challenges, demonstrating that it is not trivial to patch production systems”, said Eoin Keary, CEO and founder of Edgescan.