Vulnerability Management, Threat Management, Incident Response

Half of 10.0 CVSS vulnerabilities reported so far in 2022 scored incorrectly

Laptops, cords, Wi-Fi and power cords are seen on a tabletop. The vulnerability disclosure landscape is highly volatile, says an expert at threat intelligence firm Flashpoint. (Tech. Sgt. R.J. Biermann/Air Force)

Flashpoint on Thursday released its mid-year vulnerability intelligence report, which found that while Flashpoint collected 11,860 vulnerabilities in the first six months of 2022, the CVE/NVD services failed to report and detail some 27.3% of them.

Brian Martin, vice president of vulnerability intelligence at Flashpoint, said organizations need to understand that the vulnerability disclosure landscape is highly volatile, with “standard” days potentially introducing volumes traditionally seen only on Patch Tuesdays and other similar industry events.

The report also found that security teams using CVSSv2 scores as the basis for prioritization may be misguided: Flashpoint found that 52% of all 10.0-scored vulnerabilities reported in 2022 thus far are likely scored incorrectly.

“When there’s a lack of details about a vulnerability, you 'score for the worst,' which gives artificially high numbers for many vulnerabilities,” Flashpoint’s Martin explains.

Bud Broomhead, CEO at Viakoo, said vulnerability scoring under CVSSv2 has never been fully accurate, as it will not take into account factors that evolve over time. CVSSv2 was launched in 2007, and later versions (specifically CVSS v3.1, released in 2019) take into account more real-life implications of a vulnerability. “In future versions of CVSS better refinement, especially for IoT/OT vulnerabilities, will help security professionals prioritize risk to their organizations more accurately,” Broomhead said.

Flashpoint’s Martin said its researchers have also observed an 85% discrepancy concerning “discovered-in-the-wild” vulnerabilities reported in the first half of 2022, compared with resources such as Google’s Project Zero, which shows exploitation more often occurs outside of advanced persistent threat (APT) attacks.

Jerrod Piker, product marketing manager at Deep Instinct, said this means that there’s a large gap between what the CVSS model identifies as critical vulnerabilities that require immediate attention and which vulnerabilities are most likely to actually cause problems in the real world. Piker said a new model, the Exploit Prediction Scoring System (EPSS), aims to address the CVSS model’s inaccuracy, which can both leave an organization exposed and waste a lot of time in the patch management process.

“Utilizing this new scoring system, the EPSS model has been able to increase the efficiency of patch management from 5% to 42.5% by much more effectively identifying which reported vulnerabilities hackers are most likely to exploit in the wild,” Piker said. “This saves a lot of time by avoiding needless patching of vulnerabilities that attackers are highly unlikely to ever exploit. It also can help organizations more quickly and efficiently address those vulnerabilities that are the most critical and the ones attackers are likely to exploit.”
