Upfort's SMB Vulnerability & Exposure Report
A three-year survey of CVEs in small business domains illustrates a persistently (and needlessly) risky cyber landscape
Tick, tick tick…
Cybercriminals don’t need to be creative, ambitious, or well-resourced to cause mayhem. Research has consistently found that one of the most common attack vectors is the exploitation of documented but unpatched vulnerabilities in business networks.
These virtual backdoors are often first discovered by “ethical” security researchers and/or penetration testers, who report them to the affected vendor so a fix can be distributed to users and the wider IT community. In a perfect world, every user installs the resulting patch before it can be exploited.
Unfortunately, we don’t live in a perfect world.
Few people have the time and resources to keep up with all the latest digital threats, so many of these backdoors remain open. Unpatched vulnerabilities are more prevalent in small organizations than in large enterprises with dedicated security resources, which is one big reason why criminals have shifted their focus to small businesses.
While a successful cyberattack against a Wal-Mart may be more lucrative than one against a “Wally’s Shoe Store,” there are far more “Wally’s” out there. This opens a world of opportunities for cybercriminals, since attacks can be launched easily from anywhere in the world and ill-gotten funds can be rapidly laundered through cryptocurrency with just a few keystrokes.
82% of ransomware attacks were against companies with fewer than 1,000 employees—and 37% were against organizations with fewer than 100
Consider a recent report that found 82% of ransomware attacks were against companies with fewer than 1,000 employees—and 37% were against organizations with fewer than 100. (The true extent of the damage will probably never be known, as most companies hide the fact that they were infiltrated, but preliminary data shows that 2024 will be a record year for ransomware payouts.) The good news? There are tools companies can use to surface vulnerabilities and take proactive action.
Upfort’s proprietary AI-powered vulnerability scans help businesses of all sizes identify and address known vulnerabilities in their networks. Over time, our data—culled from thousands of business domain scans—has illustrated the grander SMB risk & vulnerability landscape. The findings are eye-opening.
The following report details Upfort scan data collected between 2020 and 2023. We found a wide variety of exploitable vulnerabilities hiding in business networks, some of which have been around for years (and an outsized number of which fall into the “severe” category). While most issues can easily be fixed with a simple patch or update, few small businesses are aware of how truly vulnerable their systems are.
What’s a CVE?
As the internet became more ubiquitous in the run-up to the millennium, so did the threat posed by hackers and other malevolent actors.
To help businesses secure their digital networks, the MITRE Corporation, with US government sponsorship, launched the Common Vulnerabilities and Exposures (CVE) program in 1999 to give each publicly known security flaw a single identifier that vendors, researchers and scanning tools can all reference.
Each CVE ID is assigned by a CVE Numbering Authority and listed in the CVE catalog maintained by MITRE. NIST’s National Vulnerability Database (NVD), a continuously updated US government repository, then enriches each entry with the affected products, the type of weakness (i.e., which component of a digital network is impacted) and a score under the Common Vulnerability Scoring System (CVSS). A CVSS base score combines several metrics, which essentially boil down to:
- How easy is the CVE to exploit? (attack vector, attack complexity, privileges required, user interaction)
- How damaging would the CVE be if exploited? (loss of confidentiality, integrity and availability)
- Has the CVE already been exploited? (This is not part of the base score; CVSS temporal metrics and CISA’s Known Exploited Vulnerabilities catalog track it, and it is a stronger patch-priority signal than the score alone.)
The higher the score, the more potentially impactful the CVE. NVD maps CVSS v3 scores to qualitative ratings as follows:
- None: 0.0
- Low: 0.1–3.9
- Medium: 4.0–6.9
- High: 7.0–8.9
- Critical: 9.0–10.0
CVEs are numbered by year, and the year in the ID is the year the ID was assigned (normally the year of disclosure), not necessarily the year the flaw was introduced or discovered. For example, “CVE-2011-1939,” a critical SQL injection vulnerability, was disclosed in 2011, whereas “CVE-2014-4078,” a medium-risk Microsoft Internet Information Services vulnerability, was disclosed in 2014. Additionally, each CVE entry in the NVD links to vendor advisories and patches describing how the issue can be addressed and fixed.
Like most North American cybersecurity vendors, Upfort incorporates the CVE framework into its services and technology. Upfort’s AI-powered scans automatically search through public-facing domains and email servers to identify and surface any known CVEs.
Our report window goes through 2023, with at least one instance of a vulnerability whose CVE ID dates back to 2006 (for the record, CVE-2006-20001, a high-severity Apache HTTP Server issue). The ID year is misleading in this case: the CVE was published in January 2023 for a mod_dav flaw affecting httpd 2.4.54 and earlier, and is fixed in 2.4.55, so an “18-year-old” identifier does not mean an 18-year-old exposure.
Age of vulnerabilities
2016 was a banner year for unpatched vulnerabilities.
One might expect to find fewer CVEs from older years, as they would inherently have had more opportunities to be resolved. Yet that’s not reflected in our dataset of the 500 most common CVEs.
As you can see in the graph above, far and away the largest year-pool of CVEs comes from 2016, accounting for 18% of all CVEs within our list of top-500 most common vulnerabilities. This was followed by 2015-based CVEs, which accounted for 14.8% of scanned vulnerabilities.
All together, our data finds that 52% of vulnerabilities are at least eight years old. This jibes with the conclusions of independent security researchers, who found that 61% of vulnerabilities in corporate networks were disclosed in or before 2016.
There are potentially a few factors at play here:
- Most SMBs are unaware of lingering vulnerabilities in their system. Many companies may be surfacing these issues for the first time and not know they have been sitting in their systems for years.
- The mid-teens saw a boom in CVEs. According to NIST, the total number of CVEs published each year, at every severity level, began climbing sharply in the mid-2010s and kept climbing through the pandemic, as shown in the visualization below.
An outsized number of CVEs from a specific period would naturally lead to a greater number left unresolved. While this may contribute to the pandemic-era bump, it doesn’t explain the earlier (and larger) bump in our data from 2014 to 2016.
- Older technologies may no longer be supported. Sometimes vendors stop supporting older technologies, leaving them frozen in time with no fixes coming. Similarly, the software in question may have been superseded by another product from the same company (perhaps during the transition from on-prem to cloud), so there is no direct upgrade path.
- Some older vulnerabilities may have been “backported” and fixed without a version bump: Automated scans identify outdated software from the version strings it advertises. However, Linux distributions and some vendors routinely backport a security fix into the version they ship without changing the upstream version number, because a fix needed to be applied quickly, later versions had stability issues, or the newer component is not supported on that platform. A banner-based scan then reports the CVE even though the fix is present, so such findings should be confirmed against the package’s changelog before being counted as open.
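The version-banner check that produces this kind of finding, together with the backport caveat, as an added example (this is not Upfort’s scanner code): it parses Apache HTTP Server and OpenSSH banners, compares the advertised version against the first fixed version, and flags distribution builds whose version string may understate the patch level. The sample banners are constructed for the example; the Apache fixed-in version (2.4.55 for CVE-2006-20001, the CVE named in this report) is real, while the OpenSSH threshold and the list of backporting distributions are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample banners, shaped like what a scanner sees in an HTTP
# "Server" header or an SSH identification string. Not report data.
SAMPLE_BANNERS = [
    "Apache/2.4.38 (Debian)",
    "Apache/2.4.52 (Unix)",
    "Apache/2.4.57 (Ubuntu)",
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-OpenSSH_9.6",
]

# First upstream version that closes the finding. The Apache entry is real:
# CVE-2006-20001 is fixed in httpd 2.4.55. The OpenSSH threshold is a
# hypothetical placeholder for this example and is not tied to any real CVE.
FIXED_IN = {
    "apache-httpd": (2, 4, 55),  # CVE-2006-20001
    "openssh": (9, 3),           # hypothetical threshold
}

# Distribution tags that routinely ship backported security fixes while keeping
# the upstream version number (assumed list). A match means "verify against the
# package changelog", not "fixed".
BACKPORTING_TAGS = ("debian", "ubuntu", "red hat", "centos", "rocky", "alma", "suse", "freebsd")

APACHE_RE = re.compile(r"Apache/(\d+(?:\.\d+)*)(?:\s*\(([^)]*)\))?")
OPENSSH_RE = re.compile(r"OpenSSH_(\d+(?:\.\d+)*)(?:p\d+)?\s*(\S.*)?$")


@dataclass
class Finding:
    product: str
    version: Version
    vendor_tag: str
    verdict: str  # "fixed", "vulnerable" or "possible-backport"


def parse_version(text: str) -> Version:
    """'2.4.38' -> (2, 4, 38); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner: str) -> Optional[Tuple[str, Version, str]]:
    """Return (product, version, vendor_tag), or None for an unrecognised banner."""
    m = APACHE_RE.search(banner)
    if m:
        return "apache-httpd", parse_version(m.group(1)), (m.group(2) or "").strip()
    m = OPENSSH_RE.search(banner)
    if m:
        return "openssh", parse_version(m.group(1)), (m.group(2) or "").strip()
    return None


def assess(banner: str) -> Optional[Finding]:
    """Compare the advertised version with the fixed-in version. A version below
    the fix on a distribution known to backport is flagged for manual
    confirmation instead of being reported as definitely vulnerable."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    product, version, tag = parsed
    if version >= FIXED_IN[product]:
        verdict = "fixed"
    elif any(d in tag.lower() for d in BACKPORTING_TAGS):
        verdict = "possible-backport"
    else:
        verdict = "vulnerable"
    return Finding(product, version, tag, verdict)


def assess_all(banners=SAMPLE_BANNERS):
    return [(b, assess(b)) for b in banners]


if __name__ == "__main__":
    for banner, finding in assess_all():
        print(f"{banner!r:45} -> {finding.verdict if finding else 'unrecognised'}")
```

A possible-backport verdict is a prompt to check the installed package, not a pass: on Debian or Ubuntu, `apt changelog apache2` and on RHEL-family systems `rpm -q --changelog httpd` list the CVE IDs each packaged version addresses, which is the evidence needed to close the finding.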
It should be noted that a CVE neglected by businesses for years is no less dangerous for its age. Cybercriminals don’t need to take advantage of the latest CVE and will happily exploit older, unaddressed vulnerabilities.
Severity breakdown
More than half of all surfaced CVEs are categorized as "high" severity.
When it comes to the severity of the unresolved CVEs, 32.8% of the top-500 CVEs were rated medium severity, while a full 65% were rated high.
This data shows that many small businesses carry CVEs in their domains that could easily be exploited by hackers, ransomware gangs, and other malevolent players.
This information dovetails with our year-by-year breakdown above, which shows that high-severity CVEs made up the majority of issues in each surveyed year. The reasons detailed above likely explain their prevalence as well.
CVE type
Apache HTTP Server & OpenSSH account for 94% of the CVEs in our top-50 most common findings.
The above graphic illustrates the affected technologies among the 50 most common scanned vulnerabilities. Most are in widely used open-source software that can be fixed with a patch or update.
- Apache HTTP Server (64%): Open-source, cross-platform web server software.
- OpenSSH (30%): The open-source implementation of the SSH protocol used for remote login, remote command execution and file transfer between networked computers.
- NGINX resolver (2%): NGINX is open-source software that functions as a web server, reverse proxy, load balancer and caching tool; the resolver is its built-in DNS client.
- ALPACA (2%): Application Layer Protocol Content Confusion Attack (ALPACA) targets TLS servers that run different application protocols behind compatible certificates, such as multi-domain or wildcard certificates. Unlike the other entries, this is a configuration weakness rather than an outdated software version.
- Microsoft IIS (2%): Microsoft’s extensible web server for the Windows NT family of operating systems.
As you can see, 94% of these CVEs come from just two technologies: Apache HTTP Server and OpenSSH. They are heavily overrepresented in our top 50 because they are very common open-source technologies woven into the fabric of the Internet. Outside of the top 50 they are still represented, but at a lower rate.
94% of our top-50 CVEs come from just two technologies: Apache HTTP Server and OpenSSH.
There is good news in this data set: 1) because these are actively supported technologies, a simple upgrade or patch will likely address these known issues, and 2) the prevalence of these CVEs may mean that businesses are seeing multiple findings from a single outdated installation, so upgrading and reconfiguring just these two products may close multiple issues simultaneously.
You can protect yourself
A separate survey of CVE resolution times showed that even when companies are presented with findings, many are slow to act: within four weeks, only 44.28% of reported CVEs were resolved; by eight weeks the figure was 64.27%, and within a year it reached 78.48%.
While it’s certainly positive that the majority of issues are eventually addressed, more than a fifth of these often easily resolved issues remain open for extended periods and can be exploited in the interim.
The longer CVEs remain unmitigated, the greater the risk you’re exposed to.
The good news is that there are ways to protect yourself. The first move is always to identify and quantify the problem. Upfort’s AI-powered scans empower businesses to find known vulnerabilities in their systems and recommend actions to address them. Because many of the CVEs (especially new ones) are in actively supported technologies, a simple version upgrade or patch is likely to address these findings. Furthermore, because many CVEs affect the same component, a single upgrade often fixes many issues at once.
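How a list of per-CVE findings collapses into a short remediation list, as an added example that is not Upfort’s code: the findings, host names and fixed-in versions below are constructed for illustration, and the finding IDs stand in for the CVE identifiers a scan would report. It also handles the case from the “Age of vulnerabilities” section where a component is no longer supported and has no fixed version to upgrade to.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample findings for this example (not report data). "finding_id"
# stands in for the CVE identifier a scan would report; "fixed_in" is the first
# upstream version that closes it, or None when the vendor ships no fix.
SAMPLE_FINDINGS = [
    {"host": "www.example.com",    "component": "apache-httpd", "finding_id": "F-101", "fixed_in": (2, 4, 41)},
    {"host": "www.example.com",    "component": "apache-httpd", "finding_id": "F-102", "fixed_in": (2, 4, 49)},
    {"host": "www.example.com",    "component": "apache-httpd", "finding_id": "F-103", "fixed_in": (2, 4, 55)},
    {"host": "www.example.com",    "component": "openssh",      "finding_id": "F-201", "fixed_in": (8, 5)},
    {"host": "mail.example.com",   "component": "openssh",      "finding_id": "F-201", "fixed_in": (8, 5)},
    {"host": "mail.example.com",   "component": "openssh",      "finding_id": "F-202", "fixed_in": (9, 3)},
    {"host": "legacy.example.com", "component": "apache-httpd", "finding_id": "F-301", "fixed_in": None},
]


def plan_remediation(findings: List[Dict]) -> List[Dict]:
    """Collapse per-CVE findings into one action per (host, component).

    For a supported component the target is the highest fixed_in version among
    its findings, so one upgrade closes all of them. A component with any
    finding that has no fix is marked for replacement or isolation instead.
    Actions are ordered so the upgrades that close the most findings come first."""
    groups: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for f in findings:
        groups[(f["host"], f["component"])].append(f)

    plan = []
    for (host, component), group in groups.items():
        closes = sorted({f["finding_id"] for f in group})
        unfixable = [f["finding_id"] for f in group if f["fixed_in"] is None]
        if unfixable:
            action, target = "replace-or-isolate", None
        else:
            action, target = "upgrade", max(f["fixed_in"] for f in group)
        plan.append({"host": host, "component": component, "action": action,
                     "target": target, "closes": closes})
    plan.sort(key=lambda p: (-len(p["closes"]), p["host"], p["component"]))
    return plan


def version_str(v: Optional[Version]) -> str:
    return ".".join(map(str, v)) if v else "n/a"


if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_FINDINGS)
    print(f"{len(SAMPLE_FINDINGS)} findings -> {len(plan)} actions")
    for p in plan:
        print(f"{p['host']:20} {p['component']:13} {p['action']:19} "
              f"{version_str(p['target']):8} closes {', '.join(p['closes'])}")
```

Seven findings become four actions, and the single Apache upgrade on the web host closes three of them. The unsupported host gets no version target at all, which is the signal to retire or firewall it rather than wait for a patch that will not come.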
Our scans often reveal other information as well: open ports, forgotten domains, staging instances, unrelated IP addresses, emails and personal information exposed on the dark web, and so on. A scan is therefore a great starting point for digging deeper and making your company ever more secure.
If you haven’t yet, you can sign up for a free Upfort scan, by filling out your business information here.