Remote code execution. Nearly all of the vulnerabilities allowed remote code execution. This isn’t destructive, it’s information gathering or access to internal systems that the attackers are looking for.
Established exploits. For nearly all of the vulnerabilities on the list, exploits are publicly-available. In most cases, exploits for these vulnerabilities were developed and released more than six months ago. The list even includes an Oracle Weblogic vulnerability from 2015.
Available on the internet. The vulnerabilities target applications or services that are publicly-available on the internet from anywhere in the world.
Patches are available for all of them. Of the 25 vulnerabilities, all of them have patches available and many of them have had patches for years.
54.7% of surveyed managers said at least one of their corporate subsidiaries were involved in a cyberattack chain launched against their company. SC Media spoke with experts from the research firm and cyber company that launched the study.