Skip to main content

Exploitation of Cyber Vulnerabilities Has Surged, Says New S&P Report

S&P Global Ratings champions the Common Vulnerability Scoring System (CVSS) and Exploit Prediction Security Score (EPSS) in assessing risk.

As digital infrastructures become more complex, organizations are grappling with an ever-expanding attack surface, making them susceptible to breaches that can have far-reaching consequences. With this growing concern in mind, a recent report from S&P Global Ratings, a provider of credit ratings and risk research, explained the critical role of governance and risk assessment in managing cyber vulnerabilities.

Analyzing data from more than 7,000 entities, the Oct. 28 report found that exploitation of cyber vulnerabilities has surged, nearly tripling in 2023. This trend is largely driven by an increase in the number of identified vulnerabilities, with 29,000 new vulnerabilities discovered last year alone, up by about 4,000 from the previous year.

At the heart of the report is an urgent call for organizations to prioritize vulnerability management by taking a systematic approach to remediation, focusing on the probability of a breach and the potential severity of its impact. While management of cyber vulnerabilities may appear to be a technical issue on the surface, there is a deeper governance challenge that could adversely affect an organization’s overall risk management evaluation.

Common Vulnerability Scoring System and Exploit Prediction Security Score

The report highlights the role of two crucial tools in vulnerability assessment: the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Security Score (EPSS). 

CVSS scores provide a standardized method for categorizing the severity of vulnerabilities, providing a clear picture of which flaws could be most damaging. Meanwhile, EPSS estimates the likelihood that a vulnerability will be exploited, helping organizations prioritize remediation efforts.

Combining CVSS and EPSS scores provides a more comprehensive and nuanced understanding of the risks posed by different vulnerabilities. This dual approach allows for more strategic allocation of resources, ensuring that high-risk vulnerabilities are addressed promptly, thereby minimizing exposure to potential attacks.

Old Vulnerabilities Pose Ongoing Threats

The report also warns about the threat of older vulnerabilities. These vulnerabilities present a continual risk because they are often well known to hackers. Alarmingly, a substantial portion of the vulnerabilities analyzed in the report were over seven years old, with some dating back more than two decades.

Despite the clear risks, the report finds that many organizations are sluggish in their remediation efforts. This delay increases the likelihood of exploitation, particularly for vulnerabilities on the attack surface. Such negligence can lead to dire consequences, including operational disruptions, theft of intellectual property, significant financial losses and damage to an organization’s reputation.

Ultimately, the report sends a clear message: Poor vulnerability management is a material risk factor that can reflect broader issues in an organization’s cybersecurity strategy. Effective vulnerability management, the report emphasizes, is not merely a technical necessity but a crucial component of corporate governance.