CyberSecurity SEE

Defenders must adjust to shorter exploitation deadlines

A recent report by Mandiant has brought to light the alarming trend of vulnerabilities being exploited mere days after patches are released or even before. The average time-to-exploit vulnerabilities has drastically decreased from 32 days in 2021 to just five days in 2023.

This rapid exploitation can be attributed to attackers' increasing preference for zero-day vulnerabilities, bugs unknown to the vendor for which no patch yet exists. In fact, Mandiant’s analysis revealed that 70% of the vulnerabilities exploited in 2023 were zero-days, while only 30% were n-days (publicly disclosed bugs for which a patch is available).

The speed at which n-day vulnerabilities are exploited after patch release is concerning, with most vulnerabilities being exploited within a month and almost all within six months. This highlights the critical importance of prompt patching to mitigate the risk of exploitation.

Interestingly, the analysis also showed that there is no consistent correlation between the public release of an exploit and its use in the wild. Media coverage of vulnerabilities was also found to be an unreliable predictor of exploitation timelines. Factors such as the complexity of exploitation and the value of the vulnerability to attackers play a larger role in determining how quickly a vulnerability will be exploited.

For instance, the report highlighted the contrasting cases of CVE-2023-28121, an authentication vulnerability in the WooCommerce Payments plugin for WordPress, and CVE-2023-27997, a buffer overflow in the SSL/VPN component of Fortinet FortiOS. The former was quickly exploited due to its simplicity, while the latter, despite immediate public attention, required navigating complex protections and mechanisms, resulting in slower exploitation.

The importance of quick patching cannot be overstated in the face of a growing number of vulnerabilities and increasingly rapid exploitation by threat actors. Cybercriminals are leveraging known vulnerabilities across a wide range of products, emphasizing the crucial need for prioritized and swift patching.

In conclusion, Mandiant analysts emphasized the importance of segmented architectures and access control implementations to limit the impact of exploitation. As technology continues to advance, organizations must prioritize security measures to safeguard their systems and data against opportunistic adversaries.
