
Action1 Releases Inaugural Software Vulnerability Ratings Report 2024

June 2024 by Action1 Corporation

Action1 Corporation announced today the release of its “Software Vulnerability Ratings Report 2024.” As the National Vulnerability Database (NVD) continues to experience significant delays in vulnerability data enrichment, Action1’s latest report provides security teams with timely insights into vulnerability trends within commonly used enterprise software categories, focusing on exploitation rate and Remote Code Execution (RCE) vulnerabilities.

“With the NVD’s delay in associating Common Vulnerabilities and Exposures (CVE) identifiers with CPE (Common Platform Enumeration) data, our report comes at a critical moment, providing much-needed insights into the ever-evolving vulnerability landscape for enterprise software,” said Mike Walters, President and co-founder of Action1. “Our goal is to arm key decision makers with essential knowledge so that they can prioritize their efforts in vulnerability monitoring using alternative approaches while the traditional reliance on NVDs is challenged. In light of the NVD crisis, the cybersecurity community needs to share information and build stronger relationships amongst private cybersecurity firms, academic institutions, and other threat intelligence platforms to facilitate holistic and timely data sharing so that all organizations can enhance their security posture.”

Action1 researchers found an alarming increase in the total number of vulnerabilities across all enterprise software categories. The report delves into five key trends based on exploitability rates and the dynamics of RCE vulnerabilities within enterprise software categories and specific applications.

Key trends and findings include:
1. Attackers target load balancers with record exploitation rate: Action1 researchers discovered a high exploitation rate for NGINX (100%) and Citrix (57%). Vulnerabilities in load balancers pose significant risks, as just one exploit can provide attackers with broad access or disruption capabilities against targeted networks.
2. Threat actors target Apple operating systems: MacOS and iOS showed an increased exploitation rate of 7% and 8%, respectively. Additionally, although MacOS reduced its total vulnerability count by 29% between 2022 and 2023, exploited vulnerabilities increased by over 30%. These findings underscore the targeted nature of attacks on iOS devices.
3. MSSQL RCE vulnerabilities surge, highlighting the risk of new exploits: In 2023, Microsoft SQL Server (MSSQL) experienced a 1600% surge in critical vulnerabilities, each being an RCE. This spike signals a potential risk that attackers are quickly discovering and exploiting the next unknown RCE.
4. Increased exploitability of MS Office as attackers take advantage of human error: MS Office’s critical vulnerabilities account for nearly 80% of the overall annual vulnerability count, up to 50% being RCEs. In 2023, Microsoft saw its exploitation rate rise to 7%, compared to 2% in 2022. These findings underscore threat actors’ exploitation of user-facing software prone to human error.
5. Spike in RCEs and exploited vulnerabilities raises concerns about Edge security: Over the three years analyzed, Edge experienced a record number of RCE vulnerabilities, spiking at 17% in 2023, following a 500% growth in 2022. Additionally, in 2023, Edge reported a 7% exploitation rate, representing a 2% increase from 2022.

The Software Vulnerability Ratings Report 2024 analyzed 2021, 2022, and 2023 data and drew insights from the NVD. Based on this data, the report quantifies vulnerabilities and provides a comprehensive view of how the threat landscape changes over time.

Additionally, the report utilized exploitation rate, a metric developed by the Action1 research team, to express the ratio of exploited vulnerabilities to the total number of vulnerabilities. This metric helps enterprises assess the risk associated with a vendor’s software by indicating its susceptibility to exploitation and the comprehensiveness of the vendor’s vulnerability management program. Action1 also counted RCE vulnerabilities, a dangerous class that allows attackers to execute arbitrary code remotely and potentially compromise critical systems. An application with an increased RCE count may have more potential entry points for attackers to exploit.
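The two measures described above, exploitation rate (exploited CVEs divided by all CVEs for a product and year) and RCE count, can be reproduced by any security team from its own enrichment data. The following is an added example, not code from the Action1 report and not its methodology: it assumes each CVE record has already been tagged with the affected product, its publication year, an `exploited` flag (as a known-exploited catalogue such as CISA KEV would supply) and an `rce` flag; the records, the product names and the `MIN_SAMPLE` threshold are constructed for illustration. It also flags rates computed over very few CVEs, since a ratio with a tiny denominator swings between 0% and 100% on a single entry and should not be compared directly with a rate computed over hundreds.

```python
from collections import defaultdict


# Constructed sample data (not from the Action1 report): each entry mimics a
# CVE record after enrichment, tagged with the product it affects, the year it
# was published, whether it appears in a known-exploited list (as CISA KEV
# would indicate) and whether it is a remote code execution (RCE) flaw.
def _cve(product, year, exploited, rce):
    return {"product": product, "year": year, "exploited": exploited, "rce": rce}


SAMPLE_CVES = [
    # nginx 2023: two CVEs, both exploited -> a 100% rate on a tiny base
    _cve("nginx", 2023, True, True),
    _cve("nginx", 2023, True, False),
    # mssql 2022: one RCE, not exploited
    _cve("mssql", 2022, False, True),
    # mssql 2023: four RCEs, one exploited
    _cve("mssql", 2023, True, True),
    _cve("mssql", 2023, False, True),
    _cve("mssql", 2023, False, True),
    _cve("mssql", 2023, False, True),
    # office 2022: five CVEs, one exploited, two RCEs
    _cve("office", 2022, True, True),
    _cve("office", 2022, False, True),
    _cve("office", 2022, False, False),
    _cve("office", 2022, False, False),
    _cve("office", 2022, False, False),
    # office 2023: five CVEs, two exploited, three RCEs
    _cve("office", 2023, True, True),
    _cve("office", 2023, True, False),
    _cve("office", 2023, False, True),
    _cve("office", 2023, False, True),
    _cve("office", 2023, False, False),
]

MIN_SAMPLE = 10  # assumed threshold below which a rate is flagged as noisy


def exploitation_rate(records):
    """Ratio of exploited CVEs to all CVEs in `records` (0.0 for an empty list)."""
    total = len(records)
    if total == 0:
        return 0.0
    return sum(1 for r in records if r["exploited"]) / total


def summarize(records):
    """Per (product, year): total, exploited and RCE counts, exploitation rate,
    and a small-sample flag so noisy rates are visible to the reader."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["product"], r["year"])].append(r)
    summary = {}
    for key, recs in groups.items():
        summary[key] = {
            "total": len(recs),
            "exploited": sum(1 for r in recs if r["exploited"]),
            "rce": sum(1 for r in recs if r["rce"]),
            "rate": exploitation_rate(recs),
            "low_sample": len(recs) < MIN_SAMPLE,
        }
    return summary


def pct_change(summary, product, prev_year, cur_year, field):
    """Percent change of `field` between two years; None when the base is zero
    or the earlier year is missing, so a rise from 0 is not reported as infinite."""
    prev = summary.get((product, prev_year), {}).get(field, 0)
    cur = summary.get((product, cur_year), {}).get(field, 0)
    if prev == 0:
        return None
    return (cur - prev) / prev * 100.0


if __name__ == "__main__":
    s = summarize(SAMPLE_CVES)
    for (product, year), row in sorted(s.items()):
        flag = " (small sample)" if row["low_sample"] else ""
        print(f"{product:7} {year}: total={row['total']} exploited={row['exploited']} "
              f"rce={row['rce']} rate={row['rate']:.0%}{flag}")
    print("mssql RCE change 2022->2023:", pct_change(s, "mssql", 2022, 2023, "rce"), "%")
```

Running it prints one line per product and year; the constructed nginx row shows a 100% rate marked as a small sample, and the mssql RCE count grows from 1 to 4, which `pct_change` reports as a 300% increase. When feeding real enrichment data, the `exploited` flag is only as good as the known-exploited source it came from, so a low rate means "not observed exploited in that catalogue", not "safe".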

These findings underscore the continuing evolution of threats and the need for proactive security strategies, including timely OS and third-party application patching. To stay abreast of the changing vulnerability landscape, Action1 experts advise enterprises to review their technology stack (potentially eliminating certain vulnerable technologies), anticipate future vulnerabilities based on trends, and continuously improve their security posture to adapt to new threats quickly.
