Action1 Releases Inaugural Software Vulnerability Ratings Report 2024

New research equips CISOs and CIOs with strategic insights into their software ecosystems, evaluating software vendors based on their security track record for more informed procurement decision-making.

Houston, Texas, June 18, 2024 (GLOBE NEWSWIRE) — Action1 Corporation, a provider of an integrated real-time vulnerability discovery and automated patch management solution, announced today the release of its “Software Vulnerability Ratings Report 2024.” As the National Vulnerability Database (NVD) continues to experience significant delays in vulnerability data enrichment, Action1’s latest report provides security teams with timely insights into vulnerability trends within commonly used enterprise software categories, focusing on exploitation rate and Remote Code Execution (RCE) vulnerabilities. 

“With the NVD’s delay in associating Common Vulnerabilities and Exposures (CVE) identifiers with CPE (Common Platform Enumeration) data, our report comes at a critical moment, providing much-needed insights into the ever-evolving vulnerability landscape for enterprise software,” said Mike Walters, President and co-founder of Action1. “Our goal is to arm key decision makers with essential knowledge so that they can prioritize their efforts in vulnerability monitoring using alternative approaches while the traditional reliance on NVDs is challenged. In light of the NVD crisis, the cybersecurity community needs to share information and build stronger relationships amongst private cybersecurity firms, academic institutions, and other threat intelligence platforms to facilitate holistic and timely data sharing so that all organizations can enhance their security posture.” 

Action1 researchers found an alarming increase in the total number of vulnerabilities across all enterprise software categories. The report delves into five key trends based on exploitability rates and the dynamics of RCE vulnerabilities within enterprise software categories and specific applications. 

Key trends and findings include: 

1. • Attackers target load balancers with record exploitation rate:

   Action1 researchers discovered a high exploitation rate for NGINX (100%) and Citrix (57%). Vulnerabilities in load balancers pose significant risks, as just one exploit can provide attackers with broad access or disruption capabilities against targeted networks.

• • Threat actors target Apple operating systems:

  MacOS and iOS showed an increased exploitation rate of 7% and 8%, respectively. Additionally, although MacOS reduced its total vulnerability by 29% from 2023 to 2022, exploited vulnerabilities increased by over 30%. These findings underscore the targeted nature of attacks on iOS devices.

• • MSSQL RCE vulnerabilities surge, highlighting the risk of new exploits:

  In 2023, Microsoft SQL Server (MSSQL) experienced a 1600% surge in critical vulnerabilities, each being an RCE. This spike signals a potential risk that attackers are quickly discovering and exploiting the next unknown RCE.

• • Increased exploitability of MS Office as attackers take advantage of human error:

  MS Office’s critical vulnerabilities account for nearly 80% of the overall annual vulnerability count, up to 50% being RCEs. In 2023, Microsoft saw its exploitation rate rise to 7%, compared to 2% in 2022. These findings underscore threat actors’ exploitation of user-facing software prone to human error.

• • Spike in RCEs and exploited vulnerabilities raises concerns about Edge security:

  Over the three years analyzed, Edge experienced a record number of RCE vulnerabilities, spiking at 17% in 2023, following a 500% growth in 2022. Additionally, in 2023, Edge reported a 7% exploitation rate, representing a 2% increase from 2022.

The Software Vulnerability Ratings Report 2024 analyzed 2021, 2022, and 2023 data and drew insights from the NVD and cvedetails.com. Based on this data, the report quantifies vulnerabilities and provides a comprehensive view of how the threat landscape changes over time.   

Additionally, the report utilized exploitation rate, a metric developed by the Action1 research team, to demonstrate the ratio of exploited vulnerabilities to the total number of vulnerabilities. This metric helps enterprises assess risks associated with a vendor’s software by indicating susceptibility to exploitation and the comprehensiveness of their vulnerability management programs. Action1 also counted RCE, a dangerous vulnerability that allows attackers to execute arbitrary code remotely and potentially compromise critical systems. An application with an increased RCE count may have more potential entry points for attackers to exploit. 

These findings underscore the continuing evolution of threats and the need for proactive security strategies, including timely OS and third-party application patching. To stay abreast of the changing vulnerability landscape, Action1 experts advise enterprises to review their technology stack (potentially eliminating certain vulnerable technologies), anticipate future vulnerabilities based on trends, and continuously improve their security posture to adapt to new threats quickly. 

To download the full report, visit www.action1.com/software-vulnerability-ratings-report-2024/. 

Methodology 
Action1 obtained data from NVD and cvedetails.com, with the criticality of the vulnerabilities described as follows: Critical vulnerabilities have CVSS scores greater than 7.0; Moderate vulnerabilities have CVSS scores less than 7.0 but greater than 4.0; and Low severity vulnerabilities have CVSS scores less than 4.0. Enterprise software categories were defined based on popularity criteria, criticality in use by organizations, and the total number of vulnerabilities found. Some categories, such as text editors, database management clients, cloud storage apps, and archivers, were excluded due to a lack of a representative number of vulnerabilities in apps within the category, rendering them not relevant to this study.The criteria used are based on the CISA KEV catalog. Action1 tracked RCE vulnerabilities and utilized the exploitation rate to demonstrate the ratio of exploited vulnerabilities to the total number of vulnerabilities.  

About Action1 Corporation  
Action1 reinvents patch management with an infinitely scalable and highly secure platform configurable in 5 minutes that just works. With integrated real-time vulnerability assessment and automated remediation for third-party software and OS, peer-to-peer patch distribution, and IT ecosystem integrations, it ensures continuous patch compliance and reduces ransomware and security risks – all while lowering costs. Action1 is certified for SOC 2/ISO 27001 and is trusted by thousands of enterprises managing millions of endpoints globally. The company was founded by cybersecurity veterans Alex Vovk and Mike Walters, who previously founded Netwrix, which was acquired by TA Associates. Learn more: www.action1.com.  

CONTACT: press@action1.com