The Vulnerability Treadmill
The reactive nature of vulnerability administration, mixed with delays from coverage and course of, strains safety groups. Capability is restricted and patching the whole lot instantly is a wrestle. Our Vulnerability Operation Heart (VOC) dataset evaluation recognized 1,337,797 distinctive findings (safety points) throughout 68,500 distinctive buyer belongings. 32,585 of them have been distinct CVEs, with 10,014 having a CVSS rating of 8 or larger. Amongst these, exterior belongings have 11,605 distinct CVEs, whereas inside belongings have 31,966. With this quantity of CVEs, it is no shock that some go unpatched and result in compromises.
Why are we caught on this scenario, what could be executed, and is there a greater strategy on the market?
We’ll discover the state of vulnerability reporting, tips on how to prioritize vulnerabilities by risk and exploitation, study statistical chances, and briefly focus on threat. Lastly, we’ll think about options to reduce vulnerability influence whereas giving administration groups flexibility in disaster response. This could give an excellent impression, however if you would like the total story yow will discover it in our annual report, the Safety Navigator.
Can You CVE What I CVE?
Western nations and organizations use the Frequent Vulnerability Enumeration (CVE) and Frequent Vulnerability Scoring System (CVSS) to trace and fee vulnerabilities, overseen by US government-funded packages like MITRE and NIST. By September 2024, the CVE program, lively for 25 years, had printed over 264,000 CVEs, and by 15 April 2025, the variety of complete CVEs elevated to roughly 290,000 CVEs together with “Rejected” or “Deferred”.
NIST’s Nationwide Vulnerability Database (NVD) depends on CVE Numbering Authorities (CNAs) to document CVEs with preliminary CVSS assessments, which helps scale the method but additionally introduces biases. The disclosure of great vulnerabilities is difficult by disagreements between researchers and distributors over influence, relevance, and accuracy, affecting the broader group [1, 2].
By April 2025, a backlog of greater than 24,000 unenriched CVEs gathered on the NVD [3, 4] as a consequence of bureaucratic delays that occurred in March 2024. Quickly halting CVE enrichment regardless of ongoing vulnerability experiences, and dramatically illustrating the fragility of this method. The short-term pause resulted on this backlog that’s but to be cleared.
On 15 April 2025, MITRE introduced that the US Division of Homeland Safety is not going to be renewing its contract with MITRE, impacting the CVE program immediately[15]. This created plenty of uncertainty about the way forward for CVEs and the way it will influence cybersecurity practitioners. Happily, funding for the CVE program was prolonged because of the sturdy group and trade response[16].
CVE and the NVD should not the only sources of vulnerability intelligence. Many organizations, together with ours, develop impartial merchandise that monitor way more vulnerabilities than the MITRE’s CVE program and NIST NVD.
Since 2009, China has operated its personal vulnerability database, CNNVD [5], which could possibly be a helpful technical useful resource [6, 7], although political boundaries make collaboration unlikely. Furthermore, not all vulnerabilities are disclosed instantly, creating blind spots, whereas some are exploited with out detection—so-called 0-days.
In 2023, Google’s Risk Evaluation Group (TAG) and Mandiant recognized 97 zero-day exploits, primarily affecting cell gadgets, working methods, browsers, and different purposes. In the meantime, solely about 6% of vulnerabilities within the CVE dictionary have ever been exploited [8], and research from 2022 present that half of organizations patch simply 15.5% or fewer vulnerabilities month-to-month [9].
Whereas CVE is essential for safety managers, it is an imperfect, voluntary system, neither globally regulated nor universally adopted.
This weblog additionally goals to discover how we would scale back reliance on it in our each day operations.
Risk Knowledgeable
Regardless of its shortcomings, the CVE system nonetheless gives helpful intelligence on vulnerabilities that might influence safety. Nevertheless, with so many CVEs to handle, we should prioritize these almost certainly to be exploited by risk actors.
The Exploit Prediction Scoring System (EPSS), developed by the Discussion board of Incident Response and Safety Groups (FIRST) SIG [10], helps predict the chance of a vulnerability being exploited within the wild. With EPSS intelligence, safety managers can both prioritize patching as many CVEs as doable for broad protection or give attention to important vulnerabilities to maximise effectivity and forestall exploitation. Each approaches have professionals and cons.
To show the tradeoff between protection and effectivity, we want two datasets: one representing potential patches (VOC dataset) and one other representing actively exploited vulnerabilities, which incorporates CISA KEV [10], moral hacking findings, and information from our CERT Vulnerability Intelligence Watch service [12].
Safety Navigator 2025 is Right here – Obtain Now
The newly launched Safety Navigator 2025 affords important insights into present digital threats, documenting 135,225 incidents and 20,706 confirmed breaches. Greater than only a report, it serves as a information to navigating a safer digital panorama.
What’s Inside?#
- 📈 In-Depth Evaluation: Statistics from CyberSOC, Vulnerabilitiy scanning, Pentesting, CERT, Cy-X and Ransomware observations from Darkish Internet surveillance.
- 🔮 Future-Prepared: Equip your self with safety predictions and tales from the sphere.
- 👁️ Safety deep-dives: Get briefed on rising tendencies associated to hacktivist actions and LLMs/Generative AI.
Keep one step forward in cybersecurity. Your important information awaits!
The EPSS threshold is used to pick out a set of CVEs to patch, primarily based on how probably they’re to be exploited within the wild. The overlap between the remediation set and the exploited vulnerability set can be utilized to calculate the Effectivity, Protection, and Effort of a particular technique.
EPSS predicts the chance of a vulnerability being exploited someplace within the wild, not on any particular system. Nevertheless, chances can “scale.” For instance, flipping one coin provides a 50% likelihood of heads, however flipping 10 cash raises the possibility of a minimum of one head to 99.9%. This scaling is calculated utilizing the complement rule [13], which finds the likelihood of the specified end result by subtracting the possibility of failure from 1.
As FIRST explains, “EPSS predicts the likelihood of a particular vulnerability being exploited and could be scaled to estimate threats throughout servers, subnets, or complete enterprises by calculating the likelihood of a minimum of one occasion occurring.”[14, 15]
With EPSS, we are able to equally calculate the chance of a minimum of one vulnerability being exploited from an inventory through the use of the complement rule.
To show, we analyzed 397 vulnerabilities from the VOC scan information of a Public Administration sector consumer. Because the chart under illustrates, most vulnerabilities had low EPSS scores till a pointy rise at place 276. Additionally proven on the chart is the scaled likelihood of exploitation utilizing the complement rule, which successfully reaches 100% when solely the primary 264 vulnerabilities are thought-about.
Because the scaled EPSS curve (left) on the chart signifies, as extra CVEs are thought-about, the scaled likelihood that one among them can be exploited within the wild will increase very quickly. By the point there are 265 distinct CVEs into consideration, the likelihood that one among them can be exploited within the wild is greater than 99%. This stage is reached earlier than any particular person vulnerabilities with excessive EPSS come into consideration. When the scaled EPSS worth crosses 99% (Place 260) the utmost EPSS continues to be underneath 11% (0.11).
This instance, primarily based on precise consumer information on vulnerabilities uncovered to the Web, exhibits how tough prioritizing vulnerabilities turns into because the variety of methods will increase.
EPSS provides a likelihood {that a} vulnerability can be exploited within the wild, which is useful for defenders, however we have proven how shortly this likelihood scales when a number of vulnerabilities are concerned. With sufficient vulnerabilities, there’s a actual likelihood that one will get exploited, even when the person EPSS scores are low.
Like a climate forecast predicting a “likelihood of rain,” the bigger the realm, the larger the chance of rain someplace. Likewise, it’s probably unimaginable to cut back the likelihood of exploitation even nearer right down to zero.
Attacker Odds
We have recognized three important truths that have to be built-in into our examination of the vulnerability administration course of:
- Attackers aren’t targeted on particular vulnerabilities; they goal to compromise methods.
- Exploiting vulnerabilities is not the one path to compromise.
- Attackers’ ability and persistence ranges differ.
These components permit us to increase our evaluation of EPSS and chances to think about the chance of an attacker compromising some arbitrary system, then scaling that to find out the likelihood of compromising some system inside a community that grants entry to the remaining.
We are able to assume every hacker has a sure “likelihood” of compromising a system, with this likelihood growing primarily based on their ability, expertise, instruments, and time. We are able to then proceed making use of likelihood scaling to evaluate attacker success towards a broader laptop surroundings.
Given a affected person, undetected hacker, what number of makes an attempt are statistically required to breach a system granting entry to the graph? Answering this requires making use of a reworked binomial distribution within the type of this equation [16, 17]:
Utilizing this equation, we are able to estimate what number of makes an attempt an attacker of a sure ability stage would wish. As an example, if attacker A1 has a 5% success fee (1 in 20) per system, they would wish to focus on as much as 180 methods to be 99.99% certain of success.
One other attacker, A2, with a ten% success fee (1 in 10), would wish about 88 targets to make sure a minimum of one success, whereas a extra expert attacker, A3, with a 20% success fee (1 in 5), would solely want round 42 targets for a similar likelihood.
These are chances—an attacker would possibly succeed on the primary attempt or require a number of makes an attempt to succeed in the anticipated success fee. To evaluate real-world influence, we surveyed senior penetration testers in our enterprise, who estimated their success fee towards arbitrary internet-connected targets to be round 30%.
Assuming a talented attacker has a 5% to 40% likelihood of compromising a single machine, we are able to now estimate what number of targets could be wanted to almost assure one profitable compromise.
The implications are placing: with simply 100 potential targets, even a reasonably expert attacker is nearly sure to succeed a minimum of as soon as. In a typical enterprise, this single compromise typically gives entry to the broader community, and enterprises usually have 1000’s of computer systems to think about.
Reimagining Vulnerability Administration
For the longer term, we have to conceive an surroundings and structure that’s resistant to compromise from a person system. Within the brief time period, we argue that our strategy to vulnerability administration wants to alter.
The present strategy to vulnerability administration is rooted in its identify: specializing in “vulnerabilities” (as outlined by CVE, CVSS, EPSS, misconfiguration, errors, and so forth) and their “administration.” Nevertheless, we’ve got no management over the amount, velocity, or significance of CVEs, main us to continually react to chaotic new intelligence.
EPSS helps us prioritize vulnerabilities more likely to be exploited within the wild, representing actual threats, which forces us right into a reactive mode. Whereas mitigation addresses vulnerabilities, our response is actually about countering threats—therefore, this course of must be referred to as Risk Mitigation.
As mentioned earlier, it is statistically unimaginable to successfully counter threats in giant enterprises by merely reacting to vulnerability intelligence. Danger Discount is about one of the best we are able to do. Cyber threat outcomes from a risk focusing on a system’s belongings, leveraging vulnerabilities, and the potential influence of such an assault. By addressing threat, we open up extra areas underneath our management to handle and mitigate.
Risk Mitigation
Risk Mitigation is a dynamic, ongoing course of that includes figuring out threats, assessing their relevance, and taking motion to mitigate them. This response can embody patching, reconfiguring, filtering, including compensating controls, and even eradicating susceptible methods. EPSS is a helpful instrument that enhances different sources of risk and vulnerability intelligence.
Nevertheless, the scaling nature of chances makes EPSS much less helpful in giant inside environments. Since EPSS focuses on vulnerabilities more likely to be exploited “within the wild,” it’s most relevant to methods immediately uncovered to the web. Subsequently, Risk Mitigation efforts ought to primarily goal these externally uncovered methods.
Danger Discount
Cyber threat is a product of Risk, Vulnerability, and Influence. Whereas the “Risk” is essentially past our management, patching particular vulnerabilities in giant environments does not considerably decrease the danger of compromise. Subsequently, threat discount ought to give attention to three key efforts:
- Lowering the assault floor: Because the likelihood of compromise will increase with scale, it may be diminished by shrinking the assault floor. A key precedence is figuring out and eradicating unmanaged or pointless internet-facing methods.
- Limiting the influence: Lambert’s regulation advises limiting attackers’ capacity to entry and traverse the “graph.” That is achieved by means of segmentation in any respect ranges—community, permissions, purposes, and information. The Zero Belief structure gives a sensible reference mannequin for this purpose.
- Bettering the baseline: As an alternative of specializing in particular vulnerabilities as they’re reported or found, systematically lowering the general quantity and severity of vulnerabilities lowers the danger of compromise. This strategy prioritizes effectivity and Return on Funding, ignoring present acute threats in favor of long-term threat discount.
By separating Risk Mitigation from Danger Discount, we are able to break away from the fixed cycle of reacting to particular threats and give attention to extra environment friendly, strategic approaches, releasing up sources for different priorities.
An Environment friendly Strategy
This strategy could be pursued systematically to optimize sources. The main target shifts from “managing vulnerabilities” to designing, implementing, and validating resilient architectures and baseline configurations. As soon as these baselines are set by safety, IT can take over their implementation and upkeep.
The important thing right here is that the “set off” for patching inside methods is a predefined plan, agreed with system homeowners, to improve to a brand new, authorised baseline. This strategy is for certain to be a lot much less disruptive and extra environment friendly than continually chasing the newest vulnerabilities.
Vulnerability Scanning stays vital for creating an correct asset stock and figuring out non-compliant methods. It might probably assist present standardized processes, as an alternative of triggering them.
Shaping the Future
The overwhelming barrage of randomly found and reported vulnerabilities as represented by CVE, CVSS and EPSS are stressing our folks, processes and expertise. We have successfully been approaching vulnerability administration the identical manner for over twenty years, with average success.
It is time to reimagine how we design, construct, and preserve methods.
A Template for a New Technique
Key components to think about for safety methods towards 2030 and past:
- Beginning on the supply
- Human Issue
- Leverage human strengths and anticipate their weaknesses.
- Acquire assist from senior administration and executives.
- Be an enabler, not a blocker.
Risk-Knowledgeable Choice Making
- Study from incidents and give attention to what’s being exploited.
- Use methods to reinforce remediation primarily based in your capabilities.
Risk Modeling and Simulation
- Use risk fashions to grasp potential assault paths.
- Conduct Moral Hacking to check your surroundings towards actual threats.
System Structure and Design
- Apply risk fashions and simulations to validate assumptions in new methods.
- Cut back the assault floor systematically.
- Strengthen protection in depth by reviewing present methods.
- Deal with SASE and Zero-Belief as methods, not simply expertise.
Safe by Demand / Default
- Implement formal insurance policies to embed safety into company tradition.
- Guarantee distributors and suppliers have lively safety enchancment packages.
There may be extra to this. That is simply an excerpt of our protection of vulnerabilities within the Safety Navigator 2025. To search out out extra on how we are able to take again management, how completely different industries examine in our vulnerability screening operations and the way components like Generative AI influence cyber safety I warmly advocate heading over to the obtain web page and getting the total report!
Be aware: This text was expertly written and contributed by Wicus Ross, Senior Safety Researcher at Orange Cyberdefense.
