Summary of  Monthly Vulnerability Insights: The Log4j vulnerability is still being detected/reported by vendors after almost 9 months mostly by IBM: IBM Security Identity Manager IBM Infosphere Master Data Management IBM Data Risk Manager CommVault This month, the trend that we’ve seen for the last few months with hackers focusing on the Low and Medium Vulnerabilities has lowered again.  We are seeing more focus this month on Highly Critical Vulnerabilities being exploited, but Moderately and Less Critical Vulnerabilities are still a target for hackers to create exploits. Please make sure you include Threat Intelligence in your Software Vulnerability Management Process to improve your prioritization.  Important conclusions from this month's report are: No extremely critical advisories were reported by the Secunia Research Team. 6 Zero-Day Advisory reported ( 4x Apple (iOS, Safari,macOS)   , 1x Google Chrome, 1x Microsoft Edge) Over 1,982 CVEs were covered in the 591 Advisories Threat Intelligence indicates that more Medium and Highly Critical Vulnerabilities are targeted by hackers. More than half of all advisories are disclosed by IBM, SUSE, Ubuntu (Canonical), RedHat, and Gentoo. Last month we reported that 64.23% of all Secunia Advisories had a Threat ( exploits, malware, ransomware, etc.) associated with them, this month the number has been slightly higher to 68.70%, with an increase in the lower and medium criticality range. Using Threat Intelligence is going to help you with prioritizing what needs to be patched immediately. Software Vulnerability – and Patch Management is becoming more and more important. Due to the ongoing Russia-Ukraine conflict, attacks on critical infrastructures in many countries are increasing. Back in 2019 (just before Covid) patching was recommended within 30 days (or 14 days for a CVSS score of 7 or higher) Right now, hackers are able to deploy exploits within 1 week and even within 24 hours. This means that organizations need to prioritize even better to quickly patch vulnerabilities (especially the ones with threats associated with them) ... View more

Summary of  Monthly Vulnerability Insights: July reported more advisories than June’s sudden dip. (the first half year was a continued monthly increase until June) The Log4j vulnerability is still being detected/reported by vendors after almost 8 months: IBM Operations Analytics IBM Tivoli Network IP Edition IBM Enterprise Content Management System Monitor The trend that we’ve seen for the last few months with hackers focusing on the Low and Medium Vulnerabilities has increased again ( with May being an exception). These Moderate and Less Critical Vulnerabilities are normally not a priority for many organizations, but please make sure you include Threat Intelligence in your Software Vulnerability Management Process to improve your prioritization.  Important conclusions from this month's report are: 2 extreme critical advisories were reported ( Google Chrome and  Microsoft Edge are both also Zero-day) 8 Zero-Day Advisory reported ( 6x Microsoft OS, 1x Google Chrome, 1x Microsoft Edge) Over 2,645 CVEs were covered in the 548 Advisories which is more than double from last month. (1,281) Threat Intelligence indicates that more Medium and Low Vulnerabilities are targeted by hackers. Most vulnerabilities  (57.34%) are disclosed by IBM, SUSE, Ubuntu (Canonical), Oracle, and Amazon. (Red Hat this month outside the top 5 /  top +50%)   Last month we reported that 62.60% of all Secunia Advisories had a Threat ( exploits, malware, ransomware, etc.) associated with them, this month the number has been slightly lower to 64.23%↓ , with an increase in the lower and medium criticality range. Using Threat Intelligence is going to help you with prioritizing what needs to be patched immediately. Software Vulnerability – and Patch Management is becoming more and more important. Due to the ongoing Russia-Ukraine conflict, attacks on critical infrastructures in many countries are increasing. Back in 2019 (just before Covid) patching was recommended within 30 days (or 14 days for a CVSS score of 7 or higher) Right now, hackers are able to deploy exploits within 1 week and even within 24 hours. This means that organizations need to prioritize even better to quickly patch vulnerabilities (especially the ones with threats associated with them) ... View more

Summary of  Monthly Vulnerability Insights: Total advisories:  517 ↓ (last month: 688). June reported fewer advisories after we have seen an increase each month since the beginning of this year. The Log4j vulnerability is still being reported by vendors  after almost  7 months: Atlassian Confluence Atlassian Jira TRAVIS – Corporate IBM PureData System for Operational Analytics Amazon Linux The trend that we’ve seen for the last few months with hackers focusing on the Low and Medium Vulnerabilities has increased again ( with May being an exception). These Moderate and Less Critical Vulnerabilities are normally not a priority for many organizations, but please make sure you include Threat Intelligence in your Software Vulnerability Management Process to improve your prioritization.  Important conclusions from this month's report are: No Extremely Critical Advisory reported Only 1 Zero-Day Advisory was reported ( Atlassian) No Browser Zero-Day Advisories were reported, which is still very rare. Threat Intelligence indicates that more Medium and Low Vulnerabilities are targeted by hackers. Most vulnerabilities  (54.5%) are disclosed by IBM, SUSE, Ubuntu (Canonical), and Redhat  Last month we reported that 62.65% of all Secunia Advisories had a Threat ( exploits, malware, ransomware, etc.) associated with them, this month the number has been higher to 64.60%↑ , with an increase in the lower and medium criticality range.   ... View more

Summary of May Vulnerability Insights : May was the month with the highest number of vulnerabilities in the last 18 months. 7  Zero-day Vulnerabilities are reported by Microsoft and Cisco and it was 9 last month. The Log4j vulnerability is still being reported by vendors ( Oracle Linux 6 and IBM PureData) after 6 months. The trend that we’ve seen for the last few months with hackers focusing on the Low and Medium Vulnerabilities has been slowed down. This month we have seen more Moderately and Highly Critical Vulnerabilities being exploited. Important conclusions from this month's report are: Only 1 extreme (and Zero-Day) critical Vulnerability was reported affecting all Windows operating systems. No Browser Zero-Day Advisories were reported, which is very rare. Threat Intelligence indicates that hackers target more Medium and Highly Vulnerabilities. Most vulnerabilities are disclosed by Red Hat, Suse, and Ubuntu 11.77% (last month: 15.36% ) of all advisories are linked to recent cyber exploits which are significantly lower. Last month, we reported that 56% of all Secunia Advisories had a Threat ( exploits, malware, ransomware, etc.) associated with them. This month, the number has been higher to 62.65%↑ , with an increase in the lower and medium criticality range. Flexera SVM Threat Intelligence is going to help you with prioritizing what needs to be patched immediately. Monthly Vulnerability Insights   ... View more

Summary of April  Vulnerability Insights : April was the month with the highest number of vulnerabilities in the last 18 months. 9 Zero-day Vulnerabilities were reported including Google Chrome, Microsoft Edge, and VMWare Cloud Foundation. The Log4j vulnerability is still being reported by (new) vendors and products for the 5 th month in a row. The trend that we’ve seen for the last few months is continuing with hackers focusing on the Low and Medium Vulnerabilities. Exploits for these vulnerabilities are more complex but have a longer lifespan due to the lack of Threat Intelligence in many organizations. Besides financial gain, many attacks are state-sponsored with the goal to disrupt companies and infrastructures. Important conclusions from this month's report are: Threat Intelligence indicates that more Low and Medium Vulnerabilities are targeted by hackers. Most vulnerabilities are within the Linux families  15.36% (last month: 37% ) of all advisories are linked to recent cyber exploits which are significantly lower. Last month we reported that 69% of all Secunia Advisories had a Threat ( exploits, malware, ransomware, etc.) associated with them, this month the number has been lower to 56%↓ , however an increase in the lower and medium criticality range The added article from CISA (the US Gov.  Cybersecurity & Infrastructure Security Agency) Known Exploited Vulnerabilities Catalog. They presented their key findings based on the top 2021 vulnerabilities including some interesting remediation tips that are 100% matching the remediation capabilities that Flexera Software Vulnerability Manager (SVM) offers. Monthly Vulnerability Insights   ... View more

Summary of March Vulnerability Insights : March was the month with the second-highest number of vulnerabilities in the last 12 months. Most Browsers disclosed zero-day vulnerabilities that also had high threats associated with them. The Log4j vulnerability is still being reported by (new) vendors and products for the 4 th month in a row. Important conclusions from this month's report are: Threat Intelligence indicates that more Low and Medium Vulnerabilities are targeted by hackers. Most vulnerabilities are within the Linux families  (SUSE, Ubuntu, RHEL, Debian, Linux) 37% of all advisories are linked to recent cyber exploits Last month we reported that 62% of all Secunia Advisories had a Threat ( exploits, malware, ransomware, etc.) associated with them, unfortunately, this month the number has risen to almost 69%↑ This means that these vulnerabilities are actively being exploited or attacked. Using Threat Intelligence is going to help you with prioritizing what needs to be patched immediately. Software Vulnerability – and Patch Management is becoming more and more important. Due to the ongoing Russia-Ukraine conflict, attacks on critical infrastructures in many countries are increasing. Back in 2019 (just before Covid) patching was recommended within 30 days (or 14 days for a CVSS score of 7 or higher) Right now, hackers are able to deploy exploits within 1 week and even within 24 hours. This means that organizations need to prioritize even better to quickly patch vulnerabilities (especially the ones with threats associated with them) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this month 226 more security flaws to its Known Exploited Vulnerabilities Catalog, taking the total number of actively exploited vulnerabilities to 613. It is strongly recommended to immediately mitigate these risks. (CISA requires federal agencies to mitigate critical vulnerabilities within 15 days and high-risk vulnerabilities within 30 days). Monthly Vulnerability Insights   ... View more

Check our summary of vulnerability data from February 2022! You'll see the total number of vulnerabilities reported this month are 502. And there have been threats associated with these vulnerabilities.  Vulnerability Insights   ... View more

Check our summary of vulnerability data from January 2022! You'll see an increase in the number of vulnerabilities reported compared to last month. And there's been an increase in the number of threats associated with these vulnerabilities. The total advisories published was 620 (an increase from 572 last month).  Vulnerability Insights  ... View more

Check our summary of vulnerability data from December 2021! You'll see an increase in the number of vulnerabilities reported compared to last month. However, there's been an increase in the number of threats associated with these vulnerabilities. In December, Apache Log4j, vulnerability caught widespread public attention. Secunia Research published a whopping 572 advisories in December, 147 of which were around the recent activity regarding Log4j.  Vulnerability Insights  ... View more