Beyond Severity: Rethinking Vulnerability Prioritization
Dec 29, 2024
ENTRYZERO
In this blog, we reflect on vulnerability data from 2024 to argue that effective vulnerability prioritization cannot rely solely on severity ratings - organizations patching critical vulnerabilities immediately, while scheduling others for the next patch cycle. We contend that an effective prioritization strategy must incorporate additional factors, such as threat intelligence on exploitation status, the availability of proof-of-concept (PoC) exploits, and more.
Why Effective Prioritization Requires More Than Severity Ratings?
In 2024, 32,958 vulnerabilities were published, with 3,082 of them rated as critical — an average of approximately 9 critical vulnerabilities per day. An organization relying solely on severity ratings to immediately patch its systems would be rebooting its systems continuously, making it impossible to focus on business goals. Moreover, while the volume of critical vulnerabilities is high and trending upward, these account for only 37.4% of exploited vulnerabilities, according to the EPSS Study. Additionally, as shown in our previous comparison between the U.S. and Chinese national vulnerability databases, severity ratings for the same vulnerability could differ significantly. This discrepancy highlights the limitations of relying solely on severity ratings for patch prioritization. So how can resource allocation be optimized to effectively minimize risks associated with vulnerabilities? To address this, we must first analyze the challenges through a data-driven lens.
CISA’s KEV: Top 50 Exploited Vulnerabilities of 2024 Analyzed by Exploitation Speed
The table below highlights the top 50 vulnerabilities from 2024 listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog. These are vulnerabilities for which CISA has evidence of active exploitation. The last column of the table shows how many days elapsed between the publication of the CVE and CISA adding the vulnerability to its KEV list. As the data reveals, evidence of exploitation for these top 50 vulnerabilities was available within one day at most, necessitating immediate patching or mitigation. However, as shown in the table, the majority of these vulnerabilities are not rated as critical. Instead, many are rated as high, and a significant number are even rated as medium. This underscores the limitations of relying solely on severity ratings for prioritization, as exploitation often does not align with traditional severity classifications.
| CVE ID | Vendor/Project | Severity | Days Until KEV Listing |
|---|---|---|---|
| CVE-2024-43093 | Android | HIGH | -6 |
| CVE-2024-49138 | Microsoft | HIGH | -2 |
| CVE-2024-21887 | Ivanti | CRITICAL | -2 |
| CVE-2024-29745 | Android | MEDIUM | -1 |
| CVE-2024-4671 | CRITICAL | -1 | |
| CVE-2024-29748 | Android | HIGH | -1 |
| CVE-2024-32896 | Android | HIGH | 0 |
| CVE-2024-3400 | Palo Alto Networks | CRITICAL | 0 |
| CVE-2024-38080 | Microsoft | HIGH | 0 |
| CVE-2024-38112 | Microsoft | HIGH | 0 |
| CVE-2024-20353 | Cisco | HIGH | 0 |
| CVE-2024-30051 | Microsoft | HIGH | 0 |
| CVE-2024-5274 | CRITICAL | 0 | |
| CVE-2024-30040 | Microsoft | HIGH | 0 |
| CVE-2024-23222 | Apple | HIGH | 0 |
| CVE-2024-21893 | Ivanti | HIGH | 0 |
| CVE-2024-21762 | Fortinet | CRITICAL | 0 |
| CVE-2024-21351 | Microsoft | HIGH | 0 |
| CVE-2024-21412 | Microsoft | HIGH | 0 |
| CVE-2024-20359 | Cisco | MEDIUM | 0 |
| CVE-2024-38014 | Microsoft | HIGH | 0 |
| CVE-2024-38217 | Microsoft | MEDIUM | 0 |
| CVE-2024-8963 | Ivanti | CRITICAL | 0 |
| CVE-2024-43572 | Microsoft | HIGH | 0 |
| CVE-2024-43573 | Microsoft | MEDIUM | 0 |
| CVE-2024-47575 | Fortinet | CRITICAL | 0 |
| CVE-2024-49039 | Microsoft | HIGH | 0 |
| CVE-2024-38107 | Microsoft | HIGH | 0 |
| CVE-2024-38226 | Microsoft | HIGH | 0 |
| CVE-2024-38106 | Microsoft | HIGH | 0 |
| CVE-2024-38193 | Microsoft | HIGH | 0 |
| CVE-2024-38213 | Microsoft | MEDIUM | 0 |
| CVE-2024-43451 | Microsoft | MEDIUM | 0 |
| CVE-2024-38178 | Microsoft | HIGH | 0 |
| CVE-2024-0012 | Palo Alto Networks | CRITICAL | 0 |
| CVE-2024-38189 | Microsoft | HIGH | 0 |
| CVE-2024-9474 | Palo Alto Networks | HIGH | 0 |
| CVE-2024-1709 | ConnectWise | CRITICAL | 1 |
| CVE-2024-0519 | HIGH | 1 | |
| CVE-2024-44309 | Apple | MEDIUM | 1 |
| CVE-2024-45519 | Synacor | CRITICAL | 1 |
| CVE-2024-43047 | Qualcomm | HIGH | 1 |
| CVE-2024-44308 | Apple | HIGH | 1 |
| CVE-2024-20481 | Cisco | MEDIUM | 1 |
| CVE-2024-9379 | Ivanti | MEDIUM | 1 |
| CVE-2024-23296 | Apple | HIGH | 1 |
| CVE-2024-9380 | Ivanti | HIGH | 1 |
| CVE-2024-20399 | Cisco | MEDIUM | 1 |
| CVE-2024-23225 | Apple | HIGH | 1 |
| CVE-2024-39717 | Versa | HIGH | 1 |
PoCs in GitHub: Top 50 Vulnerabilities of 2024 Analyzed by Number of PoCs
A Proof of Concept (PoC) provides ready-made code that simplifies the exploitation of a vulnerability. By demonstrating how the vulnerability can be exploited, a PoC removes much of the guesswork and technical barriers for attackers. Once a PoC is publicly available, it significantly reduces the time, effort, and expertise required to weaponize the vulnerability. This lowers the threshold for exploitation, making it accessible even to less sophisticated threat actors. The following table highlights the top 50 vulnerabilities from 2024 based on the number of published PoCs available on GitHub. In other words, those that garnered the most attention from ’ethical’ hackers. This table shows a stronger correlation with severity ratings. However, it also shows that vulnerabilities rated as high were nearly as compelling as those rated critical. Additionally, it is worth noting that fewer than half of the vulnerabilities in this table overlap with those in the first table. This emphasizes the importance of a model that accounts for multiple factors.
| CVE ID | Vendor/Project | Severity | Days Difference |
|---|---|---|---|
| CVE-2024-6387 | OpenBSD OpenSSH | HIGH | 90 |
| CVE-2024-32002 | Git | CRITICAL | 64 |
| CVE-2024-3094 | Tukaani XZ | CRITICAL | 58 |
| CVE-2024-24919 | Check Point | HIGH | 55 |
| CVE-2024-4577 | PHP-CGI | CRITICAL | 54 |
| CVE-2024-3400 | Palo Alto Networks | CRITICAL | 37 |
| CVE-2024-23897 | Jenkins | CRITICAL | 34 |
| CVE-2024-38063 | Microsoft Windows 10 1507 | CRITICAL | 29 |
| CVE-2024-34102 | Adobe Commerce and Magento | CRITICAL | 21 |
| CVE-2024-4956 | Sonatype Nexus Repository Manager | HIGH | 17 |
| CVE-2024-21413 | Microsoft 365 Apps | CRITICAL | 16 |
| CVE-2024-36401 | OSGeo GeoServer | CRITICAL | 16 |
| CVE-2024-4040 | CrushFTP | CRITICAL | 16 |
| CVE-2024-27956 | ValvePress WordPress Automatic Plugin | CRITICAL | 14 |
| CVE-2024-21626 | LinuxFoundation runc | HIGH | 14 |
| CVE-2024-23334 | Aiohttp | HIGH | 13 |
| CVE-2024-47176 | OpenPrinting CUPS | MEDIUM | 13 |
| CVE-2024-38077 | Microsoft Windows Server 2008 | CRITICAL | 13 |
| CVE-2024-27198 | JetBrains TeamCity | CRITICAL | 13 |
| CVE-2024-25600 | BricksBuilder Bricks | CRITICAL | 12 |
| CVE-2024-23692 | Rejetto HTTP File Server | CRITICAL | 12 |
| CVE-2024-50379 | Apache Tomcat | CRITICAL | 11 |
| CVE-2024-0044 | Google Android | HIGH | 11 |
| CVE-2024-10914 | D-Link DNS-320 Firmware | CRITICAL | 10 |
| CVE-2024-4367 | PDF.js | HIGH | 10 |
| CVE-2024-4879 | ServiceNow | CRITICAL | 9 |
| CVE-2024-0012 | Palo Alto Networks | CRITICAL | 9 |
| CVE-2024-24576 | Rust-Lang Rust | CRITICAL | 9 |
| CVE-2024-10924 | Really Simple Plugins | CRITICAL | 9 |
| CVE-2024-28995 | SolarWinds Serv-U | HIGH | 9 |
| CVE-2024-48990 | NeedRestart Project NeedRestart | HIGH | 9 |
| CVE-2024-3273 | D-Link Multiple NAS Devices | HIGH | 9 |
| CVE-2024-53677 | Apache Struts | HIGH | 8 |
| CVE-2024-7954 | SPIP | CRITICAL | 8 |
| CVE-2024-38856 | Apache OFBiz | CRITICAL | 7 |
| CVE-2024-29269 | Telesquare TLR-2005KSH Firmware | HIGH | 7 |
| CVE-2024-24590 | Clear ClearML | HIGH | 7 |
| CVE-2024-21887 | Ivanti Connect Secure and Policy Secure | CRITICAL | 7 |
| CVE-2024-1071 | Ultimate Member Plugin for WordPress | CRITICAL | 7 |
| CVE-2024-21762 | Fortinet FortiOS | CRITICAL | 7 |
| CVE-2024-23113 | Fortinet Multiple Products | CRITICAL | 7 |
| CVE-2024-1086 | Linux Kernel | HIGH | 7 |
| CVE-2024-2961 | GNU Glibc | HIGH | 7 |
| CVE-2024-21338 | Microsoft Windows Kernel | HIGH | 6 |
| CVE-2024-5084 | Hash Form Plugin for WordPress | CRITICAL | 6 |
| CVE-2024-30088 | Microsoft Windows Kernel | HIGH | 6 |
| CVE-2024-26229 | Microsoft Windows 10 1507 | HIGH | 6 |
| CVE-2024-42327 | Zabbix | CRITICAL | 6 |
| CVE-2024-1709 | ConnectWise ScreenConnect | CRITICAL | 6 |
| CVE-2024-29973 | Zyxel NAS326 Firmware | CRITICAL | 6 |
How To Effectively Prioritize?
We recommend adopting more nuanced, context-sensitive approaches like the Stakeholder-Specific Vulnerability Categorization (SSVC) introduced by CISA. SSVC proposes a decision tree model that allows for customized prioritization based on threat landscape and organization’s specific needs.
To help organizations allocate resources effectively and address the most risky vulnerabilities, we have been publishing weekly blog posts since Week 32 of 2024 (end of July), highlighting the top 5 vulnerabilities each week. This prioritization is based on such a decision-tree model trained on over 150,000 vulnerabilities. During this period, approximately 14,915 vulnerabilities were published, of which 119 were shortlisted. Below are some statistics about them:
Severity Distribution:
Included in CISA KEV: 28 - When comparing the timelines, on average, the series was 9 days ahead of CISA KEV in identifying risky vulnerabilities. That is, our prioritization process shortlisted those vulnerabilities earlier before industry bodies formally recognize them.
Availability of PoCs:
- Shortlisted vulnerabilities with PoC-in-GitHub repositories: 63
- Shortlisted vulnerabilities with Nuclei Templates: 35
- Shortlisted vulnerabilities with Nessus Plugins: 41
- Number of active Nessus Plugins: 8
In a nutshell, adopting a flexible and risk-aware approach to vulnerability patch prioritization is the way forward. Thank you for following our Top 5 series. Stay tuned for more insights in the coming year!
