2022 Vulnerability Statistics Report

Table of Contents

Introduction (page 3)

2021 Year in Review (pages 4-6)

Organisation
  Edgescan Metrics (7)
  Risk Density – Across the Full Stack (9)
  Risk Density – Web Application & Network Layer (10)
  Mean Time to Remediate Vulnerabilities – Across the Full Stack (11)
  Mean Time to Remediate Vulnerabilities – Web App/API & Device/Host (12)
  MTTR by Industry (13)
  MTTR by Region (14)
  MTTR by Company Size (15)

Vulnerabilities (16)
  Vulnerability Age – Full Stack (17)
  Most Common High & Critical Risk – API Vulnerabilities (18)
  Most Common Critical & High Risk – Full Stack (19)
  Most Common High Risk – Web Application (20)
  Most Common Critical Risk – Web Application (21)

CVE & CWE (22)
  Most Common CVE Discovered in 2021 (23)
  Most Common CWE Discovered in 2021 (24)
  Most Common Device/Framework Network Vulnerabilities – Critical Risk (25)
  Most Common Device/Framework Network Vulnerabilities – High Risk (26)
  Most Common Risk-Accepted Vulnerability (27)
  CVE Dispersion and Clustering (28)

Attack Surface
  Exposed Ports (30-31)
  Exposed Services and Systems (32)

Edgescan
  What is Edgescan (34-35)
  Whitepaper Links (36)
  Edgescan Awards (37)
  Edgescan Platform (38-39)
  Customer Anecdotes (40-41)
  Glossary (42)

Introduction
For the 7th year running, welcome to the Edgescan Vulnerability Stats Report 2022. This report aims to
demonstrate the state of full stack security based on thousands of security assessments and penetration tests
performed globally, as delivered by the Edgescan SaaS during 2021.
Compiling this report and delving into the underlying data is still a joy, as it lets us understand the true state of
cyber posture based on thousands of assessments and penetration tests. It gives unique insight into what is
going on from a trends and statistics perspective, and a snapshot of the overall state of cyber security.
The Edgescan report has become a reliable source for representing the global state of cyber security
vulnerability management. This is becoming more evident as our dataset is now also part of other annual
security analysis reports, such as the Verizon DBIR (we have been contributors for many years now).
This year we examined vulnerability metrics from a known vulnerability (CVE), malware, ransomware and
visibility (exposed services) standpoint, covering both internal and public Internet-facing systems. We also look
at how quickly vulnerabilities are being fixed, broken down by risk.
We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild and are
used by known nation state and cyber criminal groups.
We also decided to look at the state of cyber posture from an ASM (Attack Surface Management) standpoint.
Exposed services are a real risk: statistically, some of the exposures occur at a very low percentage, but many of
them would result in a breach if found by an attacker.
Remote access exposures across the attack surface are a worrying trend and accounted for 5% of total
exposures in 2021.
So yes, patching and maintenance is still a challenge, demonstrating that it is not trivial to patch production
systems. The MTTR (Mean Time to Remediate) statistics also reflect this. Detection on a continuous basis
needs improvement and, as I have always said, visibility is paramount. The web application layer is where the
majority of risk still resides, but some lower layer (host/operating system/protocol) issues, if discovered, could
also present headaches if exploited. CVEs as old as 2015 are being used by ransomware and malware toolkits
to exploit systems within "the perimeter".
Attack Surface Management (visibility) is a key driver of cyber security. Based on our continuous asset
profiling, we discuss how commonly sensitive and critical systems are exposed to the public Internet. The
assumption here is that the enterprises simply did not have the visibility or systems in place to make them aware
of, or inform them of, the exposure.
This report provides a glimpse of a global snapshot across dozens of industry verticals and how to prioritise
what is important, as not all vulnerabilities are equal. We call out which threat actors are leveraging discovered
vulnerabilities, which should be food for thought.
This year we included a section on API security based on the assessment of thousands of APIs in 2021. We list
the top API vulnerabilities and their frequency.
Best Regards


2021 Year in Review
Breaches of note and root causes of 2021

Log4j:

(CVE-2021-44228 – CVSS Score: 10) A zero-day vulnerability in the Log4j Java
logging library, a remote code execution (RCE) flaw, has been actively exploited in the
wild since December 2021. The vulnerability is known as Log4Shell and is being
weaponised by botnets and ransomware operators, including Mirai, Conti, Khonsari and
TellYouThePass, which are leveraging it in their campaigns. See
https://www.edgescan.com/log4shellquick-script/ for technical guidance. – Root cause: Remote Code Injection

Bitmart:

In December, Bitmart said a security breach permitted attackers to steal circa
$150 million in cryptocurrency, with total losses including damages expected to reach $200
million. Criminals stole various crypto tokens on December 4 after using a stolen
private key to gain access to one of BitMart's hot wallets. – Root cause: Stolen
authentication credentials

Robinhood:

Number of individuals impacted: 7 million. Robinhood disclosed a data breach in
which email addresses, names, phone numbers and more were accessed via a customer
support system. For the vast majority of affected customers (around five million), the only
information obtained was an email address; for around two million more it was a full
name. For 310 people, the information taken included their name, date of birth and
ZIP code. Of those, 10 customers had "more extensive account details revealed,"
Robinhood said in a statement. – Root cause: customer-service reps were socially
engineered into sharing information

UC San Diego Health:

UC San Diego Health said employee email accounts were compromised by
criminals, leading to an exposure of data. Patient, student and employee data,
potentially including medical records, claims information, prescriptions,
treatments and Social Security numbers, was exposed. – Root cause: Phishing attack

Kaseya:

A vulnerability in a platform developed by IT services provider Kaseya was
exploited to hit an estimated 800–1,500 organisations, including MSPs. It is
believed that attackers carried out a supply chain ransomware attack by leveraging
a vulnerability in Kaseya's VSA software against multiple managed service providers
(MSPs) and their customers. – Root cause: Supply chain attack


“Many attacks in 2021 were attributed to weaknesses such
as exposed remote login or exposed data stores.”


Breaches of note and root causes of 2021 (continued)

Volkswagen, Audi:

The car manufacturers disclosed a data breach impacting over 3.3 million
customers, the majority of whom were based in the United States. It
occurred between August 2019 and May 2021. Audi and Volkswagen
customer data was being sold on a hacking forum after being stolen from
an exposed Azure Blob storage container. – Root cause: Exposed data store

Colonial Pipeline:

The fuel pipeline operator was struck by ransomware from the DarkSide
cyber criminal collective. This resulted in fuel delivery disruption and panic
buying across the United States. The company paid a ransom. The
weakness was an exposed legacy VPN service with only single-factor
authentication. – Root cause: Exposed Remote Access Service

Facebook:

A data dump of information belonging to over 550 million Facebook users
was published online. Facebook IDs, names, dates of birth, genders,
locations and relationship statuses were included in the dump, which
Facebook (now known as Meta) said was collected via scraping in 2019. –
Root cause: Unprotected personal data

CNA Financial:

75,000 individuals impacted. CNA Financial employees were locked out of
corporate systems following a ransomware attack which also involved the
theft of internal data. The company paid a $40 million ransom. They were
attacked with the Phoenix CryptoLocker ransomware. – Root cause: Exposed Remote
Access Service

Microsoft Exchange Server:

Over 30,000 organisations across the United States impacted. Widespread
compromise of Microsoft Exchange servers was caused by a set of zero-day
vulnerabilities known as ProxyLogon, chained from CVE-2021-26855 (a server-side
request forgery that bypasses authentication). Microsoft became aware of the flaws in
January and released emergency patches in March. – Root cause: Remote Code
Execution / Server Side Request Forgery

OneMoreLead:

Number of individuals impacted: 63 million. OneMoreLead used an exposed
database to store the personal and professional information of at least
63 million people. – Root cause: Exposed Database


Some metrics
How we get the numbers
The statistics below are based on the full stack assessment of tens of thousands of individual assets during
2021.
This included over 40,000 web application and API assessments, 3 million network endpoint assessments and
circa 1,000 penetration tests delivered in 2021 by the Edgescan team.
40% of Edgescan clients leverage on-demand Penetration Testing as a Service (PTaaS).
65% of clients regularly request "Retest on-demand" to rapidly validate and close code, configuration and
patching fixes.
Clients save an average of 4 hours per application per month with this approach, resulting in
more rapid mitigation.

Headline figures:
  40,000 web application and API assessments
  3,000,000 network endpoint assessments
  1,000 penetration tests
  4 hours* saved on average per application per month

*Based on an average enterprise customer

“We have observed that the convergence of Attack Surface
Management (ASM), Full stack vulnerability management and
Penetration Testing as a Service (PTaaS) into a singular platform,
has resulted in better visibility and increased response rates to
discovered vulnerabilities.” – Ciaran Byrne, Head of Operations.


Organisations

Risks & Remediations

“Continuous improvement is better than delayed perfection”
Mark Twain


Risk Density
Risks Across the Full Stack
The following is a breakdown of the risks discovered across the full stack, web applications and network/hosts. It
also depicts the risks associated with potential PCI (Payment Card Industry) failures – not every vulnerability
results in a PCI fail. Across the full stack, 20.4% of all discovered vulnerabilities in 2021 were either High or Critical
risk weaknesses. 9% of all web application vulnerabilities were either High or Critical, and
16.8% of all network/host vulnerabilities were either High or Critical risk.

[Chart: Full Stack Vulnerability Risk – Critical 5.5%, High 14.9%, Medium 64.1%, Low 15.4%; PCI failures 86.3%]

The "full stack" includes web application, API and
network vulnerabilities discovered. We don't believe
in silos of risk, given cyber criminals don't either.

Out of all vulnerabilities found on the full stack,
86.3% resulted in PCI failures.

How we measure Risk
Definition of a Critical Risk Vulnerability: "Exploitation of the vulnerability likely results in complete compromise
of services or data. Exploitation is relatively trivial in the sense that the attacker does not need any special
authentication credentials or knowledge about the system to initially exploit a system. Likelihood of exploitation
is generally very high."
Definition of a High Risk Vulnerability: "Exploitation of the vulnerability likely results in significant compromise
of services or data. Exploitation takes expertise in the sense that the attacker may need to be experienced.
Likelihood of exploitation is generally high."
Edgescan depicts risk via the typical "Info/Low/Medium/High/Critical" risk nomenclature (similar to the OWASP Risk
Rating Methodology) and also via CVSS score. A CVSS base score on its own may not reflect the real risk, because it
does not take the context in which the vulnerability was found (exposure, data involved, compensating controls) into account.


Risk Density
Risks Across the Web Application and Network Layer
Looking at both the web application and network layers, we can see that web applications have more critical
vulnerabilities but also more lower risk vulnerabilities. On the network layer, High and Medium risk
vulnerabilities are the more common ones.

[Chart: Web Application Vulnerability Risk – Critical 4.6%, High 4.4%, with the remaining 91% split between Medium and Low
(53.7% and 37.4%); PCI failures 59%]

Web application layer risks cover web applications,
APIs, mobile apps and systems developed by bespoke
development teams. The risks are primarily due to
coding bugs. They generally have a CWE but not a CVE,
as the systems are not commodity items.

Out of all vulnerabilities found on the web
application layer, 59% resulted in PCI failures.

[Chart: Network Vulnerability Risk – Critical 4.3%, High 12.5%; PCI failures 68%]

When we talk about "network" risks we really mean
devices, servers and systems which require patching
or configuration. Most issues raised have an
associated CVE or known configuration fix and are
not "developer" code related issues (even though
ultimately everything is just software!).

Out of all vulnerabilities found on the network layer,
68% resulted in PCI failures.


Mean Time to Remediate (MTTR) Vulnerabilities
Time it takes to fix Vulnerabilities across the Full Stack
The measurements below include remediation and verification that the fixes are robust (including reassessments
and retesting). Mean time to remediate (i.e. a code fix) a critical risk on the web application/API layer is 47.6 days.
Mean time to remediate (i.e. patch or reconfigure) a device/host layer critical risk is 61.4 days. The quickest
remediation of any vulnerability found was 0.5 days.

[Chart: Full Stack MTTR in days by risk rating (Info, Low, Medium, High, Critical); average MTTR 57.5 days. Bar values as
extracted, in no recoverable order: 63.2, 59.8, 51.4, 56.2 and 60 days; Info is 51.4 days per the text below.]

Informational risks are commonly risk accepted, resulting in an MTTR of 51.4 days. As an industry we need to
improve the MTTR for high and critical risks.
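The MTTR figures in this report are means over findings whose fix was verified by retest. The Python below is an added example, not code from the report or from the Edgescan platform, showing how such a metric is computed from finding records and the two decisions a practitioner has to make on the way: still-open findings and risk-accepted findings are excluded (the first has no remediation time yet, the second was never remediated), and a median is reported beside the mean because a handful of very old findings can drag an average. The finding records are constructed sample data, not Edgescan data, and the field names are an assumption for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

RISKS = ("Info", "Low", "Medium", "High", "Critical")


@dataclass
class Finding:
    id: str
    layer: str              # "web" (web app/API) or "host" (device/host)
    risk: str               # one of RISKS
    opened: date            # date the finding was first reported
    closed: Optional[date]  # date the fix was verified by retest; None if still open
    risk_accepted: bool = False


# Constructed sample findings (not Edgescan data).
FINDINGS = [
    Finding("w1", "web",  "Critical", date(2021, 3, 1),  date(2021, 4, 10)),   # 40 days
    Finding("w2", "web",  "Critical", date(2021, 6, 1),  date(2021, 7, 26)),   # 55 days
    Finding("w3", "web",  "High",     date(2021, 1, 10), date(2021, 3, 11)),   # 60 days
    Finding("w4", "web",  "Medium",   date(2021, 2, 1),  date(2021, 4, 12)),   # 70 days
    Finding("w5", "web",  "Info",     date(2021, 5, 1),  None, risk_accepted=True),
    Finding("h1", "host", "Critical", date(2021, 2, 15), date(2021, 4, 21)),   # 65 days
    Finding("h2", "host", "High",     date(2021, 7, 1),  date(2021, 8, 15)),   # 45 days
    Finding("h3", "host", "Low",      date(2021, 1, 1),  date(2021, 3, 22)),   # 80 days
    Finding("h4", "host", "Critical", date(2021, 9, 1),  None),                # still open
]


def days_to_fix(findings, layer=None, risk=None):
    """Open-to-verified-fix durations for closed, non-risk-accepted findings.

    Open findings have no remediation time yet and risk-accepted findings were
    never fixed, so neither belongs in an MTTR: counting open ones as "0 days"
    or as "age so far" would bias the metric in opposite directions.
    """
    return [
        (f.closed - f.opened).days
        for f in findings
        if f.closed is not None
        and not f.risk_accepted
        and (layer is None or f.layer == layer)
        and (risk is None or f.risk == risk)
    ]


def mttr(findings, layer=None, risk=None):
    """Mean time to remediate in days (rounded to 0.1), or None if nothing qualifies."""
    d = days_to_fix(findings, layer, risk)
    return round(mean(d), 1) if d else None


def mdtr(findings, layer=None, risk=None):
    """Median time to remediate; robust against a few very long-lived findings."""
    d = days_to_fix(findings, layer, risk)
    return median(d) if d else None


def mttr_table(findings):
    """Per-risk MTTR for each layer and for the full stack, as in the report's charts."""
    return {
        risk: {"web": mttr(findings, "web", risk),
               "host": mttr(findings, "host", risk),
               "full_stack": mttr(findings, None, risk)}
        for risk in RISKS
    }


if __name__ == "__main__":
    print("full stack MTTR:", mttr(FINDINGS), "days; median:", mdtr(FINDINGS))
    for risk, row in mttr_table(FINDINGS).items():
        print(f"{risk:9s}", row)
```

On this sample the full-stack mean (59.3 days) and median (60 days) are close; on a real backlog with a few findings open for a year or more they diverge, which is why both are worth reporting.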


Mean Time to Remediate (MTTR) Vulnerabilities
Looking at Web App/API & Device/Host Layer
Looking now at both the web app/API and device/host layers, we can see a big difference between the two.
In particular, the average time to remediate on the web app/API layer
is 63.8 days, compared to an average of 57 days on the device/host layer.

[Chart: Web App/API layer MTTR in days by risk rating; average MTTR 63.8 days. Critical 47.6, High 61.4 and Medium 68.4 days
per the text below; the remaining bar values as extracted are 79.4 and 58.3 days (Low and Info, order not recoverable).]

The average time to fix a critical risk issue comes in at only 47.6 days, which shows that organisations are
prioritising the fixing of critical vulnerabilities in the application layer. This is overshadowed, however, by both the
Medium and High risks, which come in at 68.4 days and 61.4 days respectively.

[Chart: Device/Host layer MTTR in days by risk rating; average MTTR 57 days. Critical 61.4 days per the text below; the
remaining bar values as extracted are 65.4, 59.4, 50.7 and 56 days (Info/Low/Medium/High, order not recoverable).]

The device/host layer has the lowest average MTTR of 57 days, but it also has the highest MTTR for critical
risks, at 61.4 days.


MTTR by Industry
Industry Mean Time to Remediate Vulnerabilities

[Chart: average MTTR in days for ten NAICS* industries. Values the text confirms: Public Administration (NAICS 92) 92 days,
Manufacturing (NAICS 31-33) 78 days, Information (NAICS 51) 61 days, Healthcare (NAICS 62) 44 days. The remaining values
(68, 64, 58, 51, 48 and 47 days) belong to Professional, Scientific & Technical Services (NAICS 54), Accommodation & Food
Services (NAICS 72), Arts, Entertainment and Recreation (NAICS 71), Education Services (NAICS 61), Financial & Insurance
(NAICS 52) and Retail (NAICS 44-45), in an order not recoverable from the extraction.]

Through the Edgescan platform, we examined ten different industries to report on the average MTTR
within each industry. The shortest MTTR is seen in Healthcare (NAICS 62),
while the longest is in Public Administration (NAICS 92). The second longest MTTR is in
Manufacturing (NAICS 31-33), with an average of 78 days. This means that both Public Administration
and Manufacturing take approximately double the time of the Healthcare industry
to fix vulnerabilities.

*The North American Industry Classification System (NAICS) is the standard used by Federal statistical agencies in classifying business establishments for
the purpose of collecting, analyzing, and publishing statistical data related to the U.S. business economy. – https://www.naics.com/


MTTR by Region
Region Mean Time to Remediate Vulnerabilities

[Chart: MTTR by region – North America 59 days, Europe (EMEA) 56 days, Asia-Pacific 58 days]

As we can see from the above figures, the North America region has the highest MTTR, with an
average of 59 days, while Europe (EMEA) has the lowest at 56 days.
This gives us a global MTTR average of 57.5 days for companies to fix their vulnerabilities.


MTTR Based on Company Size
Company Mean Time to Remediate Vulnerabilities
We believe the size of an organisation does not impact the speed of security.
It appears that company size generally has little or no impact on the time it takes to fix
vulnerabilities, similar to the 2021 report. We measured time-to-fix for critical risk vulnerabilities for a number
of company sizes and the average is much the same across these organisations.
IT and information security staffing generally does not grow linearly with the size of a business.
Larger organisations have more to secure, more data and systems, but generally not relatively more security
staff!

Time to fix critical risk vulnerabilities by staff count:
  11-100 staff: 68 days
  101-1,000 staff: 61 days
  1,001-10,000 staff: 75 days
  10,000+ staff: 84 days


Vulnerabilities

Growing threats to orgs

“If you always do what you’ve always done, you’ll always get what you’ve always got”
Henry Ford


Vulnerability Age
Full Stack

One common theme we find each year is the prevalence of 'older' known vulnerabilities.
This section highlights the age of the known vulnerabilities (CVEs) found in systems during 2021. All of these
issues already have patches available to address them. We can see that 57% of such issues could be considered old
– issues first disclosed anywhere from 1999 right up to a couple of years ago.

[Chart: % of all discovered CVEs by CVE year, 1999-2021. Bar values as read from the chart: 2021 18.2%, 2020 26.2%,
2019 9.9%, 2017 and 2018 6.7% and 7.4% (in one order or the other), 2016 16.2%, 2015 7.8%, 2014 2.7%, 2011 1.4%,
1999 0.1%; every other year between 1999 and 2013 is below 2%. Callouts: 57%, 17%, 16%.]

Over 16% of discovered vulnerabilities are from 2016. Circa 17% of vulnerabilities are older than 5 years, and
57% of discovered vulnerabilities are more than 2 years old. The most common CVE in 2021 was CVE-2015-4000
("Logjam") at 8.25%, while the most common CWE in 2021 was CWE-310 ("Cryptographic Issues") at 21.31%.
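The age breakdown above is derived from the year embedded in each CVE identifier. The Python below is an added example, not the report's own tooling, that reproduces that analysis over a constructed list of CVE IDs: it parses the year out of the identifier, builds the per-year distribution behind the bar chart, computes the "older than N years" shares the report quotes, and ranks the most common CVEs. The caveat sits in the comments: the year in a CVE ID is the year the ID was reserved, which is usually but not always the year of public disclosure, so it is an approximation. The CVE list is constructed sample input (real identifiers, but not Edgescan's findings), with repeats standing for one finding per host.

```python
import re
from collections import Counter

CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample of CVE identifiers found across a fleet of hosts
# (not Edgescan data). Repeats are deliberate: one entry per host affected.
SAMPLE_CVES = [
    "CVE-2021-44228", "CVE-2021-34527", "CVE-2021-26855",
    "CVE-2020-1472", "CVE-2020-0601", "CVE-2020-5902", "CVE-2020-1350",
    "CVE-2019-0708", "CVE-2019-19781",
    "CVE-2016-2183", "CVE-2016-2183", "CVE-2016-0800",
    "CVE-2015-4000", "CVE-2015-4000", "CVE-2015-4000", "CVE-2015-2808",
    "CVE-2014-3566", "CVE-2013-2566", "CVE-2003-0661", "CVE-1999-0524",
]


def cve_year(cve_id):
    """Year embedded in a CVE ID.

    This is the year the ID was reserved, which is usually but not always the
    year of public disclosure, so treat it as an approximation of age.
    Accepts lower-case input; rejects anything that is not a CVE ID.
    """
    m = CVE_ID.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def year_distribution(cve_ids):
    """{year: % of findings}, sorted by year: the data behind the bar chart."""
    counts = Counter(cve_year(c) for c in cve_ids)
    total = sum(counts.values())
    return {y: round(100.0 * n / total, 1) for y, n in sorted(counts.items())}


def share_older_than(cve_ids, years, as_of_year):
    """% of findings whose CVE is more than `years` years old in `as_of_year`.

    A 2019 CVE is exactly 2 years old in 2021 and is not 'more than 2 years old'.
    """
    ages = [as_of_year - cve_year(c) for c in cve_ids]
    return round(100.0 * sum(a > years for a in ages) / len(ages), 1)


def most_common(cve_ids, n=3):
    """Top-n CVEs with their % of findings, as in the report's most common CVE table."""
    counts = Counter(c.strip().upper() for c in cve_ids)
    return [(c, round(100.0 * k / len(cve_ids), 2)) for c, k in counts.most_common(n)]


if __name__ == "__main__":
    print(year_distribution(SAMPLE_CVES))
    print("older than 2 years:", share_older_than(SAMPLE_CVES, 2, 2021), "%")
    print("older than 5 years:", share_older_than(SAMPLE_CVES, 5, 2021), "%")
    print(most_common(SAMPLE_CVES, 2))
```

The same functions work on any exported finding list; the only field needed is the CVE identifier, which is why this is the cheapest ageing metric a vulnerability management programme can track.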


Most Common Critical & High Risk API Vulnerabilities
This examines the most common high and critical
risk API issues discovered in 2021 – those with
a CVSS score of 7.0 and above. The percentage
stated is the rate of occurrence compared to all
high and critical risk API vulnerabilities discovered in 2021.
Edgescan validates vulnerabilities based on the
context of the unique issue, so the rating does not
always tally with the CVSS score.

Many API vulnerabilities are similar to web
application vulnerabilities, but the devil is in the
detail: it appears to be more common to have
issues regarding rate limiting of requests, direct
object access (IDOR) and authorisation.
When developing APIs it is assumed the "client" is
not a person directly but another piece of
software (e.g. a website or app). This may give
rise to a false sense of security because users do
not directly interact with the API and the exposed
features are hidden, yet anyone who finds the
endpoint can call it directly.

Name – % of discovered vulnerabilities – CWE/OWASP
  Vulnerability references & notes

Injection attacks – 19.3% – CWE-79, CWE-725 / API8:2019
  SQL, NoSQL, LDAP and OS injection, code injection, ORM-based vulnerabilities, and attacks on parsers such as
  XML traversal.
Lack of resources and rate limiting – 17.0% – CWE-770 / API4:2019
  The API does not restrict the number or frequency of requests from a particular API client. This can be abused to
  make thousands of API calls per second, or to request hundreds or thousands of data records at once, resulting in a
  denial of service condition. This weakness also enables arbitrary scraping of other parties' APIs in violation of
  fair usage agreements.
Broken authentication – 15.3% – CWE-287 / API2:2019
  Weak authentication allowing compromise of authentication tokens, or exploitation of common implementation flaws
  to assume other users' identities or bypass authentication completely. Compromising a system's ability to identify
  the client/user compromises API security overall.
Broken object level authorisation (BOLA) – 15.0% – CWE-639 / API1:2019
  AKA Insecure Direct Object Reference (IDOR). As its name implies, the ability to directly access resources without
  privileges or authorisation.
Excessive data exposure (information disclosure) – 12.9% – CWE-22, CWE-23, CWE-200, CWE-269, CWE-250 / API3:2019
  Exposure of all object properties of an API endpoint without consideration for use case or requirement. Results in
  reliance on API clients to perform the data filtering before displaying it to the user.
Mass assignment – 10.6% – CWE-915 / API6:2019
  The API does not control which object attributes can be modified, providing the potential for access to opaque
  data, outcomes or functions. This can be used to supply parameters that were never intended, which in turn creates
  or overwrites variables or objects in program code.
Broken function level authorisation – 9.9% – CWE-285 / API5:2019
  Admin or sensitive functions exposed in error to unauthorised clients, resulting in data disclosure or privileged
  execution for unauthorised API clients. In effect this results in an overly large attack surface and unintended
  exposure risk.
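Three of the categories above (BOLA, mass assignment and lack of rate limiting) come from the same habit: trusting whatever the client sends. The following Python is an added example, not code from the report or from any Edgescan product, that models a PUT /users/{id} handler against an in-memory store. `update_user_vulnerable` is the shape of handler that produces BOLA (CWE-639) and mass assignment (CWE-915) findings; `update_user_hardened` checks object ownership and allow-lists writable fields; `RateLimiter` is a minimal fixed-window limiter keyed per API client for API4:2019. The store, the field names and the attacking request are constructed for the example.

```python
from copy import deepcopy

# Constructed in-memory user table standing in for the API's database.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "display_name": "Alice", "role": "user"},
    2: {"id": 2, "email": "bob@example.com",   "display_name": "Bob",   "role": "user"},
}
# Fields a user may change on their own record. "id" and "role" are deliberately absent.
WRITABLE = frozenset({"display_name", "email"})


class Forbidden(Exception):
    """Caller may not touch this object (HTTP 403)."""


class BadRequest(Exception):
    """Body contains fields the endpoint does not accept (HTTP 400)."""


def update_user_vulnerable(store, caller_id, target_id, body):
    """PUT /users/{target_id} as often shipped: the id comes from the URL and is
    never compared with the authenticated caller (BOLA, CWE-639), and every JSON
    key is copied into the record (mass assignment, CWE-915)."""
    record = store[target_id]
    record.update(body)
    return record


def update_user_hardened(store, caller_id, target_id, body):
    """Same endpoint with object-level authorisation and a field allow-list.
    A missing object and someone else's object get the same 403, so the endpoint
    cannot be used to enumerate which ids exist."""
    record = store.get(target_id)
    if record is None or record["id"] != caller_id:
        raise Forbidden("not the owner of this object")
    unexpected = set(body) - WRITABLE
    if unexpected:
        # Reject rather than silently drop: a client sending "role" is a bug or an attack.
        raise BadRequest(f"fields not writable: {sorted(unexpected)}")
    record.update({k: body[k] for k in WRITABLE if k in body})
    return record


class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per `window_seconds` per client
    (API4:2019 / CWE-770). Keyed by API client identity rather than source IP, so a
    single key cannot spread a scrape across many addresses."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self._windows = {}  # client -> (window_start, count)

    def allow(self, client, now):
        start, count = self._windows.get(client, (now, 0))
        if now - start >= self.window:       # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            self._windows[client] = (start, count)
            return False
        self._windows[client] = (start, count + 1)
        return True


def try_update(handler, caller_id, target_id, body):
    """Run `handler` against a fresh copy of USERS; return (outcome, target record)."""
    store = deepcopy(USERS)
    try:
        handler(store, caller_id, target_id, body)
        outcome = "accepted"
    except (Forbidden, BadRequest) as exc:
        outcome = type(exc).__name__
    return outcome, store.get(target_id)


# Bob (id 2) tries to rename Alice (id 1) and promote the record to admin.
ATTACK = {"display_name": "Mallory", "role": "admin"}

if __name__ == "__main__":
    print("vulnerable:", try_update(update_user_vulnerable, 2, 1, ATTACK))
    print("hardened:  ", try_update(update_user_hardened, 2, 1, ATTACK))
    limiter = RateLimiter(limit=3, window_seconds=60)
    print("rate limit:", [limiter.allow("bob-api-key", t) for t in (0, 1, 2, 3, 61)])
```

The allow-list is the half of the fix teams most often skip: an ownership check alone still lets Alice set her own `role` to `admin`. The vulnerable handler also answers a non-existent id with a KeyError (an HTTP 500 in a real framework), which is itself an id-enumeration oracle.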


Most Common Critical and High Risk Vulnerabilities
Full Stack View
The twenty most frequently discovered critical and high risk issues across the full stack in 2021, each shown as a
percentage of all discovered vulnerabilities. Every entry on this list is a network (device/host) layer finding; the
web application lists follow on the next pages.

Vulnerability name – Risk – Layer (Web/Network) – % of discovered vulnerabilities
SSL 64-bit Block Size Cipher Suites Supported (SWEET32) – High – Network – 3.09%
SNMP Agent Default Community Names – High – Network – 0.79%
OpenStage SIP Web Interface Default Password – High – Network – 0.36%
Deprecated SSH-1 Protocol Detection – High – Network – 0.31%
Microsoft OneDrive Multiple Vulnerabilities – Sep 2020 – High – Network – 0.25%
Microsoft OneDrive Privilege Escalation Vulnerability – July 2020 – High – Network – 0.25%
Windows IExpress Untrusted Search Path Vulnerability – High – Network – 0.24%
Dropbear < 2020.79 Mishandling Filenames Vulnerability – High – Network – 0.23%
Microsoft Windows Unquoted Path Vulnerability (SMB Login) – High – Network – 0.23%
SAP Internet Graphics Server Multiple XXE Vulnerabilities – High – Network – 0.21%
OpenSSL 'ChangeCipherSpec' MiTM Vulnerability – High – Network – 0.21%
Microsoft Windows Print Spooler RCE Vulnerability (KB5005010, PrintNightmare) – High – Network – 0.19%
jQuery End of Life (EOL) Detection – Critical – Network – 0.19%
Microsoft Windows 7 / Server 2008 End of Life Detection – Critical – Network – 0.14%
OS End of Life Detection – Critical – Network – 0.13%
Microsoft Windows MS-NRPC Zerologon Vulnerability (CVE-2020-1472) – Active Check – Critical – Network – 0.11%
OpenBSD OpenSSH <= 7.9 Multiple Vulnerabilities – High – Network – 0.11%
Server Message Block (SMB) Protocol Version 1 Enabled – High – Network – 0.10%
SAP Message Server acl_info Configuration Vulnerability – Critical – Network – 0.10%
SAP Gateway ACL Misconfiguration Vulnerability – Critical – Network – 0.08%


Most Common Critical Risk Vulnerabilities
Web Applications
The Application Security Critical Risk Top
10 depicts the most common critical risk
issues discovered by Edgescan in 2021.

SQL injection is still the main
contender, which is interesting to note, as
we can easily develop code which is not
vulnerable to such attacks.

Something which is overlooked quite
frequently is malicious file upload. This
can give rise to ransomware, malware and
internal network breach pivot points for
attackers.
Executable code injection is commonly
used by exploit kits to get access to data
and the source code of a system. The root
cause is a system interpreting data
as code and executing it.
Authorisation issues cover privilege
escalation or access to restricted
functionality which would result in a data
breach.

Name – % of discovered vulnerabilities – CWE
  Vulnerability references & notes

SQL Injection – 33.0% – CWE-89
  Data extraction, manipulation and database access via injection attack.
Cross Site Scripting – 26.7% – CWE-79, CWE-725
  (Reflected & stored.) The XSS risk is based on the context in which the vulnerability was discovered.
XML external entity injection (XXE) – 8.1% – CWE-611, CWE-1030
  XML injection which resulted in application compromise or forced the application to perform functions not intended.
Malicious File Upload – 7.0% – CWE-434
  Potential for malware, Trojan or DoS (large) upload via upload functionality.
Authorisation Issue – 7.0% – CWE-285
  Bypassing controls to access data and functions without authorisation. Horizontal and vertical privilege
  escalation are included in this category.
Server-Side Request Forgery – 5.3% – CWE-918
  Induce the back-end application to make HTTP requests to an arbitrary domain of the attacker's choosing.
Server-side template injection – 4.6% – CWE-1336
  Injection of malicious input into a template to execute commands on the back-end system.
OS Command Injection – 3.9% – CWE-78
  Ability to execute arbitrary system commands on the attacked party's host operating system (OS).
File path traversal / Information disclosure – 2.5% – CWE-22, CWE-23, CWE-200
  Vulnerability that allows one to read arbitrary files on the server and disclose potentially sensitive information.
Executable Code Injection – 2.1% – CWE-94, CWE-96, CWE-78
  Malicious injection or introduction of code into an application which can be executed in the context of the
  system being breached.
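The remark above that code free of SQL injection is easy to write deserves a concrete form. The Python below is an added example, not from the report, run against an in-memory SQLite database with constructed rows: `find_user_vulnerable` builds the query by string formatting, which is what a 33% share of critical findings looks like in code, and `find_user_safe` binds the value as a parameter so the same payloads return nothing. `list_users_sorted` covers the case parameters cannot solve, a client-chosen identifier (a column name), where an allow-list is the fix. Table, rows and payloads are all constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory SQLite database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "$2b$12$hash-of-alice", 1), (2, "bob", "$2b$12$hash-of-bob", 0)],
    )
    return conn


def find_user_vulnerable(conn, username):
    """CWE-89: the value is spliced into the SQL text, so a quote inside `username`
    changes the structure of the query. Escaping quotes is not the fix either:
    numeric contexts and encoding tricks get around it."""
    sql = f"SELECT id, username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The value travels separately from the SQL text (parameter binding), so the
    database only ever compares it and never parses it as SQL."""
    sql = "SELECT id, username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Identifiers cannot be bound as parameters, so a client-chosen sort column is
# mapped through an allow-list; anything not in the map is rejected outright.
SORTABLE = {"username": "username", "id": "id"}


def list_users_sorted(conn, sort_key):
    column = SORTABLE.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    return conn.execute(f"SELECT id, username FROM users ORDER BY {column}").fetchall()


# Classic payloads: a tautology that matches every row, and a UNION that pulls the
# password hashes out through the same result set (the trailing -- comments out
# the closing quote the vulnerable query appends).
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT id, password_hash, 0 FROM users --"

if __name__ == "__main__":
    db = make_db()
    for payload in ("alice", TAUTOLOGY, UNION_DUMP):
        print(repr(payload))
        print("  vulnerable:", find_user_vulnerable(db, payload))
        print("  safe:      ", find_user_safe(db, payload))
    print(list_users_sorted(db, "username"))
```

The safe variant is no longer than the vulnerable one, which is the point of the remark in the text: the fix costs nothing at the time of writing and is a matter of habit, helped along by a query-building layer that refuses string concatenation.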


Most Common High Risk Vulnerabilities
Web Applications
As in previous years, Cross-Site Scripting
(XSS) (49.8%) is still king of the hill for high
risk issues. It can be used for phishing
attacks, redirection to malicious sites and
malware proliferation, to name but a few.
Think of XSS as a payload delivery
vulnerability.

Broken Authentication (22.1%) is high on the
list for 2021. This relates to misconfiguration,
broken logic, username enumeration or
insecure authentication functionality.

XML external entity injection (2.3%) (also
known as XXE) is lower than last year (4.7%).
It is a vulnerability that allows an attacker
to manipulate an application's processing of
XML data. By injecting specific
payloads, an attacker can
gain unauthorised access to
files on the application server filesystem or
interact with downstream back-end/external
systems that the application itself can
access. In the case of these high risks, the
XXE in question would result in system
compromise and data exfiltration.

Name – % of discovered vulnerabilities – CWE
  Vulnerability references & notes

Cross-Site Scripting – XSS (reflected) – 49.8% – CWE-79, CWE-725
  The context in which the XSS was discovered deemed the risk to be high. In many cases XSS is a medium risk due to
  evolving built-in web browser controls.
Broken Authentication / Poor Session Management / Brute Forcing Possible – 22.1% – CWE-287
  Broken CAPTCHA, bypass, insecure authentication, weak passwords, username enumeration, unencrypted
  authentication, lack of MFA, no lockout controls or alerting.
File path traversal / Information disclosure / Source code disclosure – 6.9% – CWE-22, CWE-23, CWE-200, CWE-269, CWE-250
  Vulnerability that allows one to read arbitrary files on the server and disclose potentially sensitive information.
Authorisation Issue – Privilege Escalation – 6.0% – CWE-285
  Business logic and authorisation access escalation.
File path traversal / Direct Object Access – 5.1% – CWE-22, CWE-23, CWE-200
  Direct access to assets without requirement for authorisation or authentication.
Malicious File Upload – 3.2% – CWE-434
  Potential for malware, Trojan or DoS (large) upload via upload functionality.
Deserialization Attacks – 3.2% – CWE-502
  Insecure deserialisation is when user-controllable data is deserialised by a website, allowing manipulation of
  serialised objects in order to pass harmful data into the application.
Executable Code Injection – 2.8% – CWE-94, CWE-96, CWE-78
  Malicious injection or introduction of code into an application which can be executed in the context of the
  system being breached.
XML External Entity Injection (XXE) – 2.3% – CWE-611, CWE-1030
  XML injection which resulted in application compromise or forced the application to perform functions not intended.
Server-Side Request Forgery (SSRF) – 1.8% – CWE-918
  Induce the back-end application to make HTTP requests to an arbitrary domain of the attacker's choosing.


CVE & CWE

The Evolving Landscape

“Weak Crypto is king of the hill.”
Eoin Keary


Most Common CVE discovered in 2021
The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program.

The CVE age landscape is an interesting one each year. This list represents the most common known vulnerabilities found in 2021 and includes one high risk and 3 medium risk issues. The most concerning trend here is the actual age of these issues: most were first reported six or seven years ago, and one goes right back to 2003! It is also no surprise that the majority of these issues relate to some kind of crypto weakness.

CVE-2015-4000: TLS man-in-the-middle. An attacker can conduct a cipher-downgrade, aka the “Logjam” attack.

CVE-2015-2808: The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks, aka the “Bar Mitzvah” issue.

CVE-2013-2566: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPsec protocols and other protocols and products, have a weakness which makes it easier for remote attackers to obtain cleartext data via a birthday attack, aka a “Sweet32” attack.

CVE-2003-0661: The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information.

CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, has a weakness that makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.

CVE Name | Percentage of Occurrence | Risk (CVSS Score)
CVE-2015-4000 | 8.25% | Low
CVE-2015-2808 | 4.59% | Medium
CVE-2013-2566 | 4.59% | Medium
CVE-2016-2183 | 3.95% | High
CVE-2003-0661 | 1.67% | Medium
CVE-2014-3566 | 1.14% | Low

Most Common CWE discovered in 2021
Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware
weakness types that have security ramifications. “Weaknesses” are flaws, faults, bugs, or other errors in
software or hardware implementation, code, design, or architecture, that if left unaddressed could result in
systems, networks, or hardware being vulnerable to attack. The CWE List and associated classification taxonomy
serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.

“Cryptographic issues top the board. Probably due to the prevalence of crypto across the full stack”

CWE Code | Percentage of Occurrence | Description
CWE-310 | 21.31% | Cryptographic Issues
CWE-200 | 13.15% | Exposure of Sensitive Information to an Unauthorized Actor
CWE-326 | 10.09% | Inadequate Encryption Strength
CWE-327 | 9.42% | Use of a Broken or Risky Cryptographic Algorithm
CWE-20 | 4.21% | Improper Input Validation
CWE-269 | 3.64% | Improper Privilege Management
CWE-264 | 3.61% | Permissions, Privileges, and Access Controls
CWE-119 | 3.16% | Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-79 | 2.13% | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-125 | 1.74% | Out-of-bounds Read

Most Common Device/Framework/Network Layer Vulnerabilities
Critical Risk
When we refer to Device/Network/Framework vulnerabilities, as opposed to API/Web Application vulnerabilities, they are generally components or products and not systems written by development teams. They normally have an associated CVE and require a patch or upgrade. The Top 20 Critical risks discovered in 2021 account for 80% of all critical risks discovered. PHP (as per 2020) is still the most prevalent. Many of the issues discovered are used by ransomware and crypto-miner malware. The associated CVEs (where applicable) range from 2011 to 2021.
PHP Multiple Vulnerabilities: EOL, DoS, Use-After-Free, RCE, Buffer Overflow: 23.1%
  CVE: extensive list (2011 to 2020), not reproduced here
  CWE: CWE-125, CWE-119, CWE-264, CWE-310, CWE-399, CWE-787, CWE-416, CWE-22

Microsoft Windows Multiple Vulnerabilities (KB4519998): Bypass, RCE, Information Disclosure: 8.7%
  CVE: extensive list (2019), not reproduced here
  CWE: CWE-125, CWE-200, CWE-290, CWE-354, CWE-59, CWE-611, CWE-755, CWE-787, CWE-863

jQuery End of Life (EOL) Detection: 5.0%

SAP Gateway ACL Misconfiguration Vulnerability: Unauthorized Access risk: 5.0%

Microsoft Windows Server 2008 End Of Life Detection: Unsupported OS, Ransomware Exposure: 4.0%

OS End Of Life Detection: Unsupported OS, Ransomware Exposure: 3.7%

Apache HTTP Server Multiple Vulnerabilities (Linux): 3.7%
  CVE: CVE-2020-13938, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691
  CWE: CWE-476, CWE-787, CWE-862

Microsoft Windows MS-NRPC Zerologon Vulnerability: 3.2%
  CVE: CVE-2020-1472
  CWE: CWE-269

QNAP NAS / QTS Devices: Command Injection Vulnerability, Zerologon, Arbitrary Command Execution: 2.5%
  CVE: CVE-2018-0719, CVE-2018-0721, CVE-2018-14746, CVE-2018-14747, CVE-2018-14748, CVE-2018-14749
  CWE: CWE-119, CWE-476, CWE-77, CWE-863, CWE-200, CWE-78

Microsoft Exchange Server 2013 / 2016 / 2019 Multiple RCE Vulnerabilities: Unpatched: 2.4%
  CVE: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483, CVE-2021-33766, CVE-2021-34473, CVE-2021-34523, CVE-2021-26855, CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142, CVE-2020-17143
  CWE: CWE-269, CWE-287

VMware vCenter Server Multiple Vulnerabilities (VMSA-2021-0020): Unpatched, file upload, privilege escalation, bypass, information disclosure, path traversal, reflected XSS, RCE, DoS, SSRF: 2.4%
  CVE: CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020
  CWE: CWE-269, CWE-400, CWE-434, CWE-668, CWE-79, CWE-918, CWE-434, CWE-863, CWE-20, CWE-415

Oracle MySQL: Multiple Vulnerabilities: Security Bypass, Unpatched: 2.1%
  CVE: extensive list (2016 to 2021), not reproduced here
  CWE: CWE-189, CWE-200, CWE-264, CWE-310, CWE-120, CWE-125, CWE-295, CWE-319, CWE-345, CWE-354, CWE-415, CWE-522, CWE-706, CWE-908

Microsoft Windows RDP ‘CVE-2019-0708’ RCE Vulnerability (BlueKeep): 2.1%
  CVE: CVE-2019-0708
  CWE: CWE-416

Oracle WebLogic Server Multiple Vulnerabilities: RCE, Unpatched, bypass: 2.1%
  CVE: extensive list (2015 to 2021), not reproduced here
  CWE: CWE-200, CWE-284, CWE-295, CWE-502, CWE-74, CWE-77, CWE-79

Samba: Information Disclosure Vulnerability, Zerologon: 2.0%
  CVE: CVE-2020-14318, CVE-2020-1472
  CWE: CWE-269

Dell iDRAC: Multiple Vulnerabilities: Buffer Overflow: 1.7%
  CVE: CVE-2018-1000116, CVE-2018-1207, CVE-2018-1211, CVE-2020-5344, CVE-2018-15774, CVE-2018-15776, CVE-2019-3705
  CWE: CWE-22, CWE-787, CWE-94, CWE-863, CWE-200, CWE-79

Adobe Flash Player: EOL Detection, Patching: 1.6%
  CVE: CVE-2020-9633
  CWE: CWE-416

SAP NetWeaver AS Java Multiple Vulnerabilities: Bypass, Execution: 1.5%
  CVE: CVE-2020-6286, CVE-2020-6287
  CWE: CWE-22, CWE-287

Aerohive Networks HiveOS: LFI Vulnerability, PHP Code Execution: 1.5%
  CVE: CVE-2020-16152
  CWE: CWE-829

Intel Active Management Technology: Multiple Vulnerabilities: 1.4%
  CVE: CVE-2020-12356, CVE-2020-8746, CVE-2020-8747, CVE-2020-8749, CVE-2020-8752, CVE-2020-8753, CVE-2020-8754, CVE-2020-8757, CVE-2020-8760, CVE-2017-5689, CVE-2020-8758
  CWE: CWE-125, CWE-190, CWE-787, CWE-119

Most Common Device/Framework/Network Layer Vulnerabilities
High Risk
The Top 20 High risks discovered in 2021 account for 88% of all Critical risks discovered. The cryptographic vulnerability CVE-2016-2183 is the most prevalent. Since 2018, cryptographic issues have been in the top 3 due to the proliferation of cryptographic technology (it's everywhere!). PHP vulnerabilities are also prevalent, at #2 in the Top 10 High Risk. Many of the vulnerabilities listed are actively used in ransomware, malware and cyber-criminal attacks.
SSL 64-bit Block Size Cipher Suites Supported (SWEET32): 29.5%
  CVE: CVE-2016-2183
  CWE: CWE-200

PHP Multiple Vulnerabilities: 10.1%
  CVE: extensive list (2006 to 2021), not reproduced here
  CWE: CWE-1236, CWE-79, CWE-89, CWE-77, CWE-416, CWE-502, CWE-20, CWE-125, CWE-189, CWE-119, CWE-476, CWE-79, CWE-835, CWE-200, CWE-264, CWE-88, CWE-119, CWE-200, CWE-754, CWE-502, CWE-190, CWE-399, CWE-94

SNMP Agent Default Community Names: 7.6%
  CVE: CVE-1999-0517

OpenBSD OpenSSH / OpenSSL Multiple Vulnerabilities: 6.6%
  CVE: extensive list (2008 to 2021), not reproduced here
  CWE: CWE-119, CWE-264, CWE-320, CWE-426, CWE-78, CWE-190

Microsoft OneDrive Multiple Vulnerabilities: 5.3%
  CVE: CVE-2020-1465, CVE-2020-16851, CVE-2020-16852, CVE-2020-16853
  CWE: CWE-269, CWE-59

Apache Tomcat: 4.6%
  CVE: CVE-2020-9484, CVE-2019-0232, CVE-2019-12418, CVE-2017-5647, CVE-2021-25329, CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, CVE-2016-0706, CVE-2016-0714, CVE-2019-17563, CVE-2018-1336, CVE-2009-3548
  CWE: CWE-20, CWE-918, CWE-352, CWE-399, CWE-667, CWE-400, CWE-772, CWE-295, CWE-200, CWE-22, CWE-119, CWE-835, CWE-78, CWE-502

Oracle MySQL: Multiple Vulnerabilities: Security Bypass, Unpatched: 4.4%
  CVE: extensive list (2020 to 2021), not reproduced here
  CWE: CWE-327, CWE-476, CWE-189, CWE-125, CWE-200, CWE-674, CWE-787, CWE-416, CWE-190, CWE-125, CWE-787, CWE-399, CWE-125, CWE-674, CWE-327, CWE-20, CWE-416, CWE-668, CWE-787, CWE-909, CWE-399

System Default Passwords (OpenStage SIP, APC Network Management, Apache Guacamole, IPMI, Zebra, WebSphere, MySQL): 3.9%
  CWE: CWE-521

SAP Internet Graphics Server, SAP NetWeaver AS: 3.1%
  CVE: CVE-2018-2492, CVE-2018-2503, CVE-2018-2392, CVE-2018-2393
  CWE: CWE-611, CWE-862, CWE-20, CWE-611

Deprecated SSH-1 Protocol Detection: 2.9%
  CVE: CVE-2001-0361, CVE-2001-0572, CVE-2001-1473
  CWE: CWE-310

Dropbear: 2.9%
  CVE: CVE-2020-36254

Windows IExpress Untrusted Search Path Vulnerability: 2.3%
  CVE: CVE-2018-0598
  CWE: CWE-426

Apache HTTP Server Multiple Vulnerabilities: 2.2%
  CVE: CVE-2018-17199, CVE-2019-0217, CVE-2021-31618, CVE-2021-33193, CVE-2019-10081, CVE-2019-9517, CVE-2020-11993, CVE-2020-9490, CVE-2021-36160, CVE-2020-13950, CVE-2011-3192, CVE-2016-5387, CVE-2016-2161, CVE-2018-8011, CVE-2017-9798, CVE-2019-10097
  CWE: CWE-384, CWE-476, CWE-770, CWE-787, CWE-444, CWE-125, CWE-284, CWE-20, CWE-399

Microsoft Windows Unquoted Path Vulnerability: 2.2%
  CVE: extensive list (2009 to 2018), not reproduced here
  CWE: CWE-22, CWE-254, CWE-264, CWE-284, CWE-399, CWE-426, CWE-428, CWE-77

Microsoft Windows Print Spooler RCE Vulnerability (KB5005010, PrintNightmare): 2.0%
  CVE: CVE-2021-34527
  CWE: CWE-269

QNAP NAS & QTS: 1.5%
  CVE: extensive list (2017 to 2021), not reproduced here
  CWE: CWE-79, CWE-1286, CWE-77, CWE-78, CWE-125, CWE-284, CWE-59, CWE-610, CWE-1021, CWE-23, CWE-284, CWE-200

IBM WebSphere Application Server: 1.3%
  CVE: CVE-2018-1683, CVE-2019-17566, CVE-2021-20354, CVE-2020-5258, CVE-2020-4449, CVE-2020-4576, CVE-2020-4643, CVE-2018-1840, CVE-2021-29754, CVE-2021-29736, CVE-2020-4276, CVE-2020-4464, CVE-2021-20353, CVE-2020-4643, CVE-2021-20492, CVE-2020-4949
  CWE: CWE-311, CWE-20, CWE-918, CWE-22, CWE-94, CWE-200, CWE-611, CWE-668, CWE-269, CWE-502

Server Message Block (SMB) Protocol Version 1 Enabled: 1.0%
  US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate, as it is used by criminal groups to breach systems.

Microsoft Windows Multiple Vulnerabilities (KB4516044): 1.0%
  CVE: extensive list (2018 to 2021), not reproduced here
  CWE: CWE-20, CWE-200, CWE-22, CWE-269, CWE-346, CWE-416, CWE-425, CWE-59, CWE-665, CWE-787, CWE-863, CWE-908, CWE-125, CWE-20, CWE-200, CWE-787

Brocade Fabric OS: 0.9%
  CVE: CVE-2020-15387, CVE-2016-8202, CVE-2020-15383, CVE-2021-27792, CVE-2021-27790, CVE-2021-27794, CVE-2018-6448, CVE-2018-6449, CVE-2019-16204
  CWE: CWE-532, CWE-79, CWE-532, CWE-287, CWE-20, CWE-400, CWE-264, CWE-326

Most Common Risk-Accepted Vulnerability
What Organizations sometimes accept

Most organizations maintain the concept of accepting known risks. There are many reasons why this is done; common ones include the presence of some other compensating control, acknowledgement that the risk is impractically low, or the fact that an upcoming change might remove the risk completely.
Edgescan clients with appropriate privileges can risk-accept vulnerabilities in the platform. A risk-accepted issue puts a discovered vulnerability in a “non-closed” state so it can be tracked, but it is not deemed a risk by the organization. The table below lists the most common vulnerability types for which our clients tend to accept the risk.
Vulnerability Name | Percentage of Total | Average Risk
Oracle Mysql Security Multiple Vulnerabilities | 31.79% | Medium
SSL cookie without secure flag set | 22.14% | Low
Cookie without HttpOnly flag set | 12.50% | Low
HPE Integrated Lights-Out (iLO) 4 and 5 Information Disclosure Vulnerability | 6.07% | Medium
Apache HTTP Server < 2.4.6 Multiple Vulnerabilities | 5.71% | High
SSL 64-bit Block Size Cipher Suites Supported (SWEET32) | 2.14% | High
TLS Version 1.0 Protocol Detection | 2.14% | Medium
HTML5 cross-origin resource sharing | 1.43% | Medium
Vulnerable Javascript library | 1.43% | Low
Dell iDRAC8 Multiple Vulnerabilities | 0.71% | Medium
PHP ‘CVE-2017-7189’ Improper Input Validation Vulnerability (Windows) | 0.71% | High
Username Enumeration | 0.71% | Medium
Web Server robots.txt Information Disclosure | 0.71% | Informational
Brute Forcing Possible | 0.36% | High
Concurrent Logins Permitted | 0.36% | Low
SSH Brute Force Logins With Default Credentials | 0.36% | High

CVE Dispersion and Clustering
This provides a snapshot view of the health of assets in general, public internet-facing and internal hosts combined. The % of assets with more than ten CVEs has increased significantly from the 2021 report (up from 4%). There is a marked increase in systems with at least one CVE (43% in the 2021 report).

Systems with at least one CVE: 51%
Systems with at least two CVEs: 30%
Systems with at least ten CVEs: 5%

The density of known vulnerabilities within a single system can really say something about an organisation. For the 5% of systems with more than ten CVEs, their presence can often signal to an attacker that an organisation does not have adequate security resources, or perhaps that it runs a large number of legacy systems. Legacy systems, those which cannot be patched for various reasons, should be further protected. Organisations that hold a large number of systems in this 5% are susceptible to malware proliferation, should a malware attack take hold.
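The three dispersion figures above are a per-asset count of distinct CVEs compared against thresholds, with the whole estate as the denominator. The script below, an added example rather than Edgescan's own code, computes them and the underlying clustering histogram from a constructed findings export; the (asset, cve) row format and the placeholder CVE ids on the legacy host are assumptions for the example.

```python
"""CVE dispersion and clustering from per-asset scan findings.

Added example, not Edgescan code. Reproduces the report's three headline
metrics (share of assets with at least 1, 2 and 10 distinct CVEs) and the
clustering histogram behind them, from a constructed findings export.
"""
from collections import Counter

# Constructed findings: (asset, cve) rows as a scanner export might give.
# Two plugins reporting the same CVE on one host must count once.
SAMPLE_FINDINGS = [
    ("10.0.0.1", "CVE-2016-2183"),
    ("10.0.0.1", "CVE-2016-2183"),  # duplicate row
    ("10.0.0.2", "CVE-2015-4000"),
    ("10.0.0.2", "CVE-2013-2566"),
    ("10.0.0.4", "CVE-2014-3566"),
    ("10.0.0.4", "CVE-2003-0661"),
    ("10.0.0.4", "CVE-2016-2183"),
]
# A legacy host carrying a dozen issues; placeholder ids, not real CVEs.
SAMPLE_FINDINGS += [("10.0.0.9", f"CVE-0000-{n:04d}") for n in range(12)]

# Assets in scope, including the ones with no findings at all: the
# denominator is the whole estate, not only hosts with findings.
SAMPLE_ASSET_COUNT = 10


def distinct_cves_per_asset(findings):
    """Map asset -> number of distinct CVEs (duplicate rows collapsed)."""
    per_asset = {}
    for asset, cve in findings:
        per_asset.setdefault(asset, set()).add(cve)
    return {asset: len(cves) for asset, cves in per_asset.items()}


def dispersion(findings, asset_count, thresholds=(1, 2, 10)):
    """Percentage of assets with at least N distinct CVEs, for each N."""
    counts = distinct_cves_per_asset(findings)
    if asset_count < len(counts):
        raise ValueError("asset_count is smaller than the number of assets with findings")
    return {
        n: round(100.0 * sum(1 for c in counts.values() if c >= n) / asset_count, 1)
        for n in thresholds
    }


def clustering(findings, asset_count):
    """Histogram: distinct-CVE count -> number of assets (0 bucket included)."""
    counts = distinct_cves_per_asset(findings)
    hist = Counter(counts.values())
    hist[0] = asset_count - len(counts)
    return dict(sorted(hist.items()))


def heavy_assets(findings, threshold=10):
    """Assets at or above the threshold the report singles out (ten CVEs)."""
    return sorted(a for a, c in distinct_cves_per_asset(findings).items() if c >= threshold)


if __name__ == "__main__":
    print(dispersion(SAMPLE_FINDINGS, SAMPLE_ASSET_COUNT))
    print(clustering(SAMPLE_FINDINGS, SAMPLE_ASSET_COUNT))
    print(heavy_assets(SAMPLE_FINDINGS))
```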

Attack Surface
Unseen Threat Within

“You cannot protect what you cannot see”
Eoin Keary


Attack Surface
Exposed Ports
Based on a sample of 2 million IPs, the table below depicts the most common ports and ports of note. The highlighted rows, with the exception of the common web ports, would be considered by most cyber security professionals as ones which may pose a risk and generally should not be open to the public Internet.
In particular, Remote Access, Database and Network Management protocols should not be exposed; they are also commonly used by ransomware gangs to breach an organization.
Remote Desktop Protocol (RDP) credentials can be found on the dark web, with some selling as cheaply as $20 each.

Protocol | Port | % of all devices | Description
tcp | 443 | 14.34% | HTTPS
tcp | 80 | 11.54% | HTTP
tcp | 22 | 3.33% | Secure Shell (SSH)
tcp | 8443 | 2.17% | HTTPS
tcp | 25 | 1.22% | Simple Mail Transfer Protocol (SMTP)
udp | 123 | 1.19% | Network Time Protocol
tcp | 3389 | 1.11% | RDP (Windows)
tcp | 8080 | 0.99% | HTTP
udp | 161 | 0.84% | Simple Network Management Protocol (SNMP)
tcp | 1720 | 0.77% | H.323 (Microsoft NetMeeting) call setup protocol
tcp | 53 | 0.75% | DNS
tcp | 111 | 0.61% | Portmapper/RPC
tcp | 445 | 0.57% | Windows AD/SMB
tcp | 135 | 0.56% | RPC/Database
tcp | 179 | 0.51% | BGP
tcp | 444 | 0.50% | SNPP
tcp | 222 | 0.50% | Berkeley rshd
tcp | 21 | 0.50% | FTP
udp | 500 | 0.46% | IPSEC
udp | 53 | 0.43% | DNS
tcp | 139 | 0.37% | NetBIOS
tcp | 110 | 0.31% | POP (Mail)
tcp | 3306 | 0.28% | MySQL
tcp | 5060 | 0.23% | SIP (IoT)
tcp | 5432 | 0.12% | PostgreSQL
tcp | 1723 | 0.09% | Microsoft PPTP VPN
tcp | 1433 | 0.09% | MS SQL
tcp | 23 | 0.08% | Telnet
tcp | 514 | 0.04% | Syslog
tcp | 513 | 0.03% | rlogin, rsh, rexec
tcp | 1434 | 0.02% | MS SQL
tcp | 512 | 0.02% | rlogin, rsh, rexec
tcp | 3351 | 0.01% | Pervasive SQL
tcp | 1583 | 0.01% | Pervasive SQL
tcp | 3050 | 0.01% | Interbase DB

Attack Surface ​
Exposed Ports Continued
“Remote access exposures across the attack surface are a worrying trend and
accounted for 5% of total attack surface exposures in 2021. ”

Description

Secure Shell (SSH)

Notes

With SSH providing long term privileged access, this is not only a top targeted service for entry, but a larger
priority of REENTRY, SSH versions may be secure but the credential attacks are always a top priority, if this
fails and secure keys are in place it does not remove the risk of being a long term re-entry to the system, as
well as pivoting to additional systems with static SSH keys been a common issue.

Simple Mail Transfer Protocol SMTP being internet facing exposed leads to a serious issue – there may be no mechanisms implemented to
(SMTP)
stop unauthorized access, or protection such as a SPF in place to prevent Open Relay attacks leading to both
spam and phishing, or malware. This can also be used as a form of DoS attack by flooding servers.

RDP (Windows) [Remote Access]
RDP is greatly misunderstood as not being a significant risk if exposed to the internet. This could not be
more incorrect: RDP servers can suffer from poorly implemented security, such as not having rate limiting
or failed-login limits. This exposes the server to become an entry point into private networks. RDP should be
protected further by implementing an additional layer of security, such as a VPN.

Simple Network Management Protocol (SNMP)
SNMP should also have a firewall rule to block UDP:161 and UDP:162. SNMP can be misunderstood as secure
because no vulnerability may exist, but this overlooks the fact that SNMP is an inherently insecure protocol
that was designed predating what we know as security today. It is unencrypted and provides very useful
management advantages; however, these can also be abused by a malicious user.

H.323 (Microsoft NetMeeting) call setup protocol
This is common when VOIP is being used. Misconfigured H.323 can result in VOIP system breach and access
to internal numbers, resulting in potential eavesdropping.

Windows AD/SMB
There is no practical reason for SMB to be exposed to the internet, and inbound traffic should be blocked.
Unlike other less complicated, limited or sandboxed protocols, SMB is deeply integrated into the OS and will
continue to be a top 5 attack vector, as experienced with EternalBlue, WannaCry and NotPetya.

Berkeley rshd [Remote Access]

FTP
FTP is one of the big 5, being an unencrypted protocol. It is one of the top 5 ports checked for by bots,
along with SFTP. An exposed FTP service often tells hackers “they can’t even set up SFTP and so must have
little security experience”.

SIP (IoT) [VOIP]

Telnet; rlogin, rsh, rexec [Remote Access]
With telnet being one of the earliest remote login protocols, it is also important to note that in the early days
these protocols were built with the purpose of performing high-privilege tasks. Cleartext packet sniffing and
credential attacks are still widely used against this protocol.

Microsoft PPTP VPN [Remote Access]

Exposed Database: PostgreSQL, MS SQL, Pervasive SQL, Interbase DB, MySQL
These may, and usually do, contain data, which is a big priority to organisations and their clients,
and therefore to attackers. Databases are invaluable assets to attack and will always be a high-priority target
if found. Exposed databases are often misunderstood to be secure due to password protection or being
fully patched. However, this is often not the case, and databases are highly susceptible to credential brute-force
attacks and other authentication-based attacks.
Attack Surface
Exposed Services and Systems
Struggling With Visibility:
In general we see that organizations struggle with visibility of their own IT estates, knowing what is running and
where, at any given time. This can, and likely has, led to many security breaches, some of which were hot topics
during the year.
Attack Surface Management (ASM) is a trending solution, something Edgescan has delivered since 2016. It
provides continuous visibility across an enterprise estate, helping to detect exposures and vulnerabilities as they
occur. ASM scanning can be run from multiple geographic locations so that assets which only respond to
particular source IP regions (geo-locked) are still covered.
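As an added example (not Edgescan’s code or output), the following Python script turns a list of externally reachable services, as an attack-surface scan would report them, into the exposure categories used in this report and attaches the control the report recommends for each (block inbound SMB, firewall UDP 161/162, put RDP behind a VPN, replace cleartext protocols, keep databases off the internet). The port-to-service map uses well-known default ports and is an assumption, as are the record format, the “Exposed Infrastructure Protocols” bucket for SMB/SNMP/FTP, and the constructed sample scan lines.

```python
"""Exposed-service inventory check.

Added example, not Edgescan's code. Classifies externally observed open
services into the report's exposure categories and attaches the control the
report recommends. Port numbers are default (well-known) ports and are an
assumption: services can be bound elsewhere, so a real inventory should also
rely on service fingerprinting rather than port number alone.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Category names follow the report's groupings; INFRA is a bucket added here
# for SMB, SNMP and FTP, which the report discusses but does not group.
REMOTE_ACCESS = "Exposed Remote Access"
DATA_SYSTEMS = "Exposed Data Systems"
COMMS = "Exposed IoT/Communication Systems"
INFRA = "Exposed Infrastructure Protocols"
UNCLASSIFIED = "Unclassified"

# (protocol, default port) -> (service, category, recommended control)
POLICY = {
    ("tcp", 3389): ("RDP", REMOTE_ACCESS, "reach only via VPN; enforce rate and failed-login limits"),
    ("tcp", 22): ("SSH", REMOTE_ACCESS, "restrict to VPN or allow-listed sources"),
    ("tcp", 23): ("Telnet", REMOTE_ACCESS, "cleartext; disable and replace with SSH"),
    ("tcp", 512): ("rexec", REMOTE_ACCESS, "cleartext; disable"),
    ("tcp", 513): ("rlogin", REMOTE_ACCESS, "cleartext; disable"),
    ("tcp", 514): ("rsh", REMOTE_ACCESS, "cleartext; disable"),
    ("tcp", 1723): ("Microsoft PPTP VPN", REMOTE_ACCESS, "legacy VPN; migrate to a current VPN"),
    ("tcp", 21): ("FTP", INFRA, "unencrypted; replace with SFTP"),
    ("tcp", 139): ("SMB (NetBIOS)", INFRA, "block all inbound from the internet"),
    ("tcp", 445): ("SMB", INFRA, "block all inbound from the internet"),
    ("udp", 161): ("SNMP", INFRA, "firewall UDP 161/162 from the internet"),
    ("udp", 162): ("SNMP trap", INFRA, "firewall UDP 161/162 from the internet"),
    ("tcp", 1720): ("H.323 call setup", COMMS, "restrict to known VoIP peers; review configuration"),
    ("tcp", 5060): ("SIP", COMMS, "restrict to known VoIP peers; review configuration"),
    ("udp", 5060): ("SIP", COMMS, "restrict to known VoIP peers; review configuration"),
    ("tcp", 1433): ("MS SQL", DATA_SYSTEMS, "should not be internet-facing; move to a private network"),
    ("tcp", 3306): ("MySQL", DATA_SYSTEMS, "should not be internet-facing; move to a private network"),
    ("tcp", 5432): ("PostgreSQL", DATA_SYSTEMS, "should not be internet-facing; move to a private network"),
    ("tcp", 1521): ("Oracle", DATA_SYSTEMS, "should not be internet-facing; move to a private network"),
    ("tcp", 3050): ("InterBase", DATA_SYSTEMS, "should not be internet-facing; move to a private network"),
}

# Constructed sample, not real scan output; 203.0.113.0/24 is a documentation range.
SAMPLE_SCAN = """\
# host          proto port
203.0.113.10    tcp   3389
203.0.113.10    tcp   22
203.0.113.11    tcp   23
203.0.113.12    tcp   445
203.0.113.12    udp   161
203.0.113.13    tcp   3306
203.0.113.14    tcp   1720
203.0.113.15    tcp   8443
"""

RECORD = re.compile(r"^(\S+)\s+(tcp|udp)\s+(\d{1,5})$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    proto: str
    port: int
    service: str
    category: str
    control: str


def parse_records(text):
    """Parse 'host proto port' lines; blank lines and '#' comments are skipped."""
    observations = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RECORD.match(line)
        if not match:
            raise ValueError(f"unrecognised record: {raw!r}")
        host, proto, port = match.groups()
        observations.append((host, proto.lower(), int(port)))
    return observations


def classify(observations):
    """Map each observation to a Finding; unknown ports stay in the inventory for review."""
    findings = []
    for host, proto, port in observations:
        service, category, control = POLICY.get(
            (proto, port),
            (f"{proto}/{port}", UNCLASSIFIED, "identify the service and decide whether it belongs on the internet"),
        )
        findings.append(Finding(host, proto, port, service, category, control))
    return findings


def summarize(findings):
    """Count findings per category, in the shape of the report's exposure figures."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = classify(parse_records(SAMPLE_SCAN))
    for f in results:
        print(f"{f.host:<14} {f.proto}/{f.port:<5} {f.service:<18} {f.category:<36} {f.control}")
    print(summarize(results))
```

Unknown ports are deliberately kept as findings rather than dropped, so that anything the policy table does not recognise still shows up in the inventory; losing track of such services is exactly the visibility problem described above.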

Exposed services found on a sample of 2,000,000 IPs during 2021

Exposed Remote Access
  RDP                               22,109
  SSH                               66,506
  rlogin & rsh/rexec                10,932
  Telnet                             1,679
  Microsoft PPTP VPN                 1,815

Exposed Administration Consoles
  Administrative Access Portals      3,469

Exposed IoT/Communication Systems
  H.323 – Call setup protocol       15,436
  SIP                                4,627

Exposed Data Systems
  MS SQL Databases                   2,129
  Pervasive SQL                       4,78
  MySQL Databases                    5,609
  Oracle Databases                     983

Exposed Data
  Exposed Backup Directories/Files     135

Edgescan

What makes us tick

“I fear not the man who has practiced 10,000 kicks once, but I fear the man who has
practiced one kick 10,000 times”
Bruce Lee


What is Edgescan?

Application Security
• Continuous Application/API vulnerability assessment
• Pentesting as a Service (PTaaS)
• API Security assessment and Pentesting
• Alerting and integration

Host Security
• Continuous External/Internal Vulnerability Assessment
• Fullstack coverage
• Pentesting as a Service (PTaaS)
• Alerting and integration

Continuous Monitoring
• Live system and service 24/7 discovery
• Alerting and integration
• Exposed service alerting

• Validated by experts
• Mitigation Support
• On-demand

API Discovery
• Continuous API discovery and enumeration
• Eliminate blind spots

What does Edgescan do?

Simply, we detect & validate cyber vulnerabilities
in your IT systems: Web, Network, API, CI/CD,
IoT, Internal, External – fullstack! We provide
continuous visibility to help you maintain security,
and we provide on-demand Pen Testing as a Service
(PTaaS).

Why should I use Edgescan?

We deliver a dedicated vulnerability detection
solution (SaaS). We’re extremely accurate and
provide support to guide you through your journey.
We deliver a comprehensive and cost-effective
solution. We’re a PCI Approved Scanning Vendor.

40%

Reduce Mean Time To
Remediation (MTTR) by 40%

2.1+

Save on average the equivalent
of 2.1 full time staff members
per month using Edgescan

What is Edgescan?

What’s different?
• All vulnerabilities are validated for accuracy and risk.
• We’re a fullstack cyber SaaS (Web applications and Network security).
• We support our clients to help them understand and fix issues with our certified penetration testing team.
• We can scale to thousands of assessments.
• Unlimited assessments.

Does this help me?
The Edgescan Team are experts at vulnerability detection. We save you time and money by helping
you focus on items that matter.

How?
We deliver a cyber assessment service from our cloud which provides continuous and on-demand
detection.

Why?
Finding weaknesses in IT Systems helps prevent a data breach or cyber attack.

What are the main features?
• Continuous fullstack security testing
• Automatic assessments of new endpoints as they are discovered
• Validation and support for all issues discovered
• Continuous asset and API monitoring and detection
• Internal and External Assessments
• On-demand assessments and penetration testing
• Alerting and Integration customizable for you

If you think Edgescan can help your organisation increase its security posture,
get in touch with our sales team for a trial at sales@edgescan.com

100%
Full OWASP Application Security Coverage

24/7/365
Continuous asset profiling and discovery

Edgescan Whitepapers
Links to Whitepapers hosted on Edgescan
Want to find out more? Click on any of the links below to get an in-depth look at popular subjects such as the
Evolving Attack Surface, Security Tool and Vendor Consolidation and more. Learn more about how you can
protect your organization.

Award-winning Platform

Check out our Gartner Reviews

Edgescan Platform

Centralized Dashboard

Get all your information in one location with an
interactive & exportable risk metrics dashboard

Assets

Keep track of all assets and perform
assessments on-demand for a holistic
management of assets across your organization

Vulnerabilities

Receive actionable risk intelligence with the
ability to rescan on-demand to ensure that
your hosts and asset vulnerabilities are fixed


Edgescan Platform

Hosts

Always know what’s going on, at any given time, with
our 24/7/365 visibility of the external exposures
that have been added to the platform

Reporting

The Edgescan platform has an extensive
reporting system that allows you to
generate a report on any page that you are on

Events & Integrations

Edgescan has introduced a new vital service
which is called Events. Using integrations with
events allows users and organizations to create
live alerts for any changes and to connect the
platform into many other services, allowing you
to extend the capabilities of your security team


Customer Anecdotes

Skills for Care
The main return on investment that Skills for Care noticed following the commencement of the Edgescan SaaS,
was the time resource saved.
“Any time the security team had to onboard a new penetration testing provider, it would typically take two
members of staff an entire week to collate all the necessary information. With Edgescan, this can be done in
seconds. Being a charity with a small security team, this is a huge advantage for the business as whole! The
scalability of Edgescan’s solution is another advantage – should the Department of Health assign more systems
to Skills for Care to use, Edgescan can integrate them immediately and seamlessly into their platform.”

Immedis
After following a robust procurement process, the Edgescan bid came out on top for its simplicity of use and
broad coverage as well as the willingness to provide a proof of value. The exercise confirmed that Edgescan’s
claims on having a solution that is virtually free of false positives were not just a sales pitch. The human validation component of the Edgescan SaaS guaranteed Immedis that every single alert was an issue worth investigation.
“It wouldn’t be a hyperbole to call them unsung heroes. What they do is excellent, and their product deserves
all the praise it receives.” – David Quirke, CISO, Immedis.


Customer Anecdotes
EMEA

CX Index
Continuous vulnerability assessments have made it a lot easier for us to identify gaps or concerns in the
security posture of our product offering. The amount of detail provided when a vulnerability is detected makes
it easy for us to address them quickly. Plus, we can sleep more easily in the knowledge that we are doing our
utmost to ensure the data of our customers and their customers is protected!
“Seamless deployment and unparalleled customer service: how Edgescan helped CX Index up their vulnerability
management game” – David Heneghan, CEO and Co-founder of CX Index

Archroma
Edgescan gives us the peace of mind that comes with knowing that our vulnerability management solution is
virtually false-positive free. The accuracy that comes with human validation, paired with the efficiency of
automatic continuous scanning, means that my team now knows that whenever a vulnerability is flagged, the
vulnerability is there, and they can continue working until they find it and fix it.