Top three vulnerabilities of 2023 not covered by CVEs

As we approach the end of the year, a new report from Detectify shows that none of the top three vulnerabilities found across all industries in 2023 were covered by a CVE.

What's more, 75 percent of the vulnerabilities Detectify regularly scans for, most of them crowdsourced from its community of ethical hackers, have no CVE assigned. This suggests that relying too heavily on frameworks like the CVE program can weaken an organization's security posture and give it a false sense of security.

Nor were there any critical-severity findings, as rated by CVSS (the public Common Vulnerability Scoring System), among the top 30 vulnerabilities for the internet software (SaaS) industry.

"Our research evidences the flaws of established systems like CVE or CVSS. Security teams spend valuable time on vulnerabilities that often don't even have an exploit available while significant threats are overlooked," says Rickard Carlsson, CEO of Detectify.

Among other findings, the banking and financial services industry and public sector have experienced the largest share of critical-severity vulnerabilities due to their aggressive modernization efforts. SQL Injection is the most common critical threat for these industries, which could be attributed to the sensitivity of the data they store and how it's frequently targeted by attackers.

The overall most common vulnerabilities found across organizations' attack surfaces in 2023 include SSL/TLS hostname mismatch, expired certificates, path-based XSS, CVE-2021-40438 (Apache mod_proxy SSRF), and HTTPS/HTTP mixed content. Only the Apache issue in that list carries a CVE; the rest are configuration and application-level weaknesses that no CVE feed will surface.
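To make the first two findings concrete, here is an added example (not Detectify's code or part of the original article) showing how a scanner can flag an SSL/TLS hostname mismatch and an expired certificate. It works on a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, so the sample certificate below is constructed to mimic that format rather than fetched from a live host; the finding names `ssl-tls-hostname-mismatch` and `expired-certificate` are labels chosen for this example.

```python
"""Flag TLS hostname mismatch and certificate expiry, two of the most common
findings in the report. Added example, not Detectify's code; it operates on the
dict shape that ssl.SSLSocket.getpeercert() returns."""
from datetime import datetime, timezone
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost wildcard label.
    '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # '.example.com'
    if not hostname.endswith(suffix):
        return False
    # Wildcard covers exactly one label, so label counts must agree.
    return len(hostname.split(".")) == len(pattern.split("."))


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS subjectAltName entry.
    The subject CN is deliberately ignored, as modern clients do."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(san, hostname) for san in sans)


def is_expired(cert: dict, now: datetime) -> bool:
    """True if 'now' falls outside the notBefore..notAfter validity window.
    ssl.cert_time_to_seconds parses the 'Jan  1 00:00:00 2024 GMT' format."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    return not (not_before <= ts <= not_after)


def audit(cert: dict, hostname: str, now: datetime) -> list:
    """Return the list of finding labels for this certificate/hostname pair."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("ssl-tls-hostname-mismatch")
    if is_expired(cert, now):
        findings.append("expired-certificate")
    return findings


# Constructed sample certificate, shaped like getpeercert() output (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}

# Two constructed scan times: one inside the validity window, one after it.
NOW_VALID = datetime(2023, 6, 1, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "example.com", "evil.test"):
        print(host, audit(SAMPLE_CERT, host, NOW_EXPIRED))
```

In a real scan the dict would come from `ssl.create_default_context()` with `check_hostname` disabled and `verify_mode` set to `CERT_NONE` so that a mismatched or expired certificate is returned for inspection rather than rejected during the handshake; the point of running the check yourself is that neither finding ever appears in a CVE feed.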

"Effective prioritization will be key in 2024; organizations must reduce their vulnerability backlog by leveraging solutions that offer highly accurate findings and integrate their unique business context into the equation. One-size-fits-all strategies don't fit the bill," adds Carlsson.

The full State of EASM 2023 report is available from the Detectify site.
