In pursuit of more secure systems


Authors: Charl van der Walt, Head of security research & Wicus Ross, Senior security researcher


One of the challenges faced by security teams is determining the relative urgency and importance of different patches and mitigations. An average of approximately 18,000 new vulnerabilities per year were recorded from 2016 up to and including 2022[1]. Combined with the enormous backlog of legacy vulnerabilities and the multitude of vulnerabilities that emerge from misconfiguration and other factors, these issues represent an overwhelming burden on IT and Security teams. 

Yet not all vulnerabilities are born equal. Some are more serious than others. Vulnerabilities have different impacts. Some have been weaponized with reliable exploits while others have not. Some require an existing level of access to be exploited while others do not. The assets potentially impacted by missing patches and other vulnerabilities are also not all of equal value or importance. 

Does this mean that security teams have a myriad of factors to consider when prioritizing vulnerabilities, or is that overthinking the approach? Should priorities be assigned based on the severity rating of the vulnerability, or should we assign higher priority to vulnerabilities that attackers value more? Bear in mind that crafty attackers can, given the opportunity, leverage a mundane vulnerability on an endpoint and then develop their position further, ultimately exploiting other systems through lateral movement across the network.  

We will compare several proprietary datasets with known exploited vulnerabilities to determine potential exposure, thus making a case to prioritize exploited vulnerabilities, especially older vulnerabilities over newer vulnerabilities.  

Patching intelligently 

The notion of ‘Vulnerability Intelligence’ promises to enrich vulnerability reports with this additional information to assist security teams in determining what vulnerabilities need to be patched, and how urgently. 

One valuable source of Vulnerability Intelligence is provided by the U.S. Cybersecurity and Infrastructure Security Agency or CISA, which keeps a catalog of vulnerabilities that are known to be exploited. It is officially referred to as the Known Exploited Vulnerabilities (KEV) Catalog. All U.S. Federal Civilian Executive Branch (FCEB) agencies must track the KEV Catalog and any vulnerability in the catalog must be patched by the required date. The KEV Catalog is freely available for download, indexed using the CVE ID, and at the time of writing contained more than 860 vulnerability entries. But one should note that it is primarily intended for US government agencies, and therefore might not perfectly reflect the priorities of civilian operations or organizations in other countries.  

Similarly, a commercial group consisting of CSW, Securin, Cyware, and Ivanti published an analysis of vulnerabilities that are used by attackers to deploy ransomware. The report is titled ‘Ransomware Through the Lens of Threat and Vulnerability Management Index Update Q2 – Q3 2022’. Included in the report is a “Ransomware Index” that shows that the number of vulnerabilities exploited by operators and Initial Access Brokers grew from 310 in Q1 2022 to 323 in Q3 2022. The table listed below from Appendix B of that report will form part of this discussion as it contains their assessment of the Top 10 most exploited vulnerabilities: 





Ransomware Index Top 10 most exploited vulnerabilities, Q2-Q3 2022[4]

[Table: columns Exploit Type and Probable Attack Vector; legend: Remote Code Execution, Path Traversal, Elevation of Privilege. The CVE identifiers and exploit types did not survive extraction; the Probable Attack Vector entries are: 175 products; 3 products; Exchange Server; Exchange Server; Exchange Server; 16 products; 10 products; 13 products.]

An examination of these vulnerabilities reveals a variety of different attack scenarios: 

  1. The Ransomware Index Top 10 has three vulnerabilities - namely CVE-2018-8174 (VBScript), CVE-2017-0199 (Word Rich Text Format), and CVE-2017-11882 (Microsoft Equation Editor) - that lend themselves to use as part of a phishing attack. All three could be exploited via malicious email attachments, and one, CVE-2018-8174, could also be exploited through a malicious web site or malicious HTML attachment.  
  2. The Microsoft Exchange vulnerabilities (ProxyShell) can be exploited from the Internet and could potentially lead to code execution on the vulnerable server. This offers a springboard for other potential attacks into the network or using the Exchange Server for further phishing attacks or data theft. 
  3. The FortiNet vulnerability, CVE-2018-13379, is a path traversal vulnerability that could possibly lead to exposure of sensitive data such as plaintext SSL VPN session credentials located at a known location on the impacted FortiNet device. This vulnerability can be exploited remotely over the Internet. 
  4. The F5 BIG-IP Traffic Management User Interface (TMUI) vulnerability, CVE-2020-5902, could possibly be exploited remotely over the Internet and could possibly result in either sensitive data disclosure, such as password hashes, or result in remote code execution. 
  5. The Atlassian vulnerability CVE-2022-26134 affects certain versions of Confluence Server and Data Center and could possibly result in arbitrary code execution on the impacted host if exploited remotely. 
  6. The Log4J vulnerability, CVE-2021-44228, impacted several products and libraries because Log4J is a very popular Java logging library. The vulnerability could possibly lead to remote code execution and can be triggered in many ways even indirectly.  

It is not clear how the Ransomware Index Top 10 was calculated, but we assume it is based on collected telemetry and information obtained from incident response teams.  

We took our own vulnerability datasets extracted from the World Watch Advisories, Vulnerability Operations Center (VOC) scanning data, and Penetration Testing reports to determine the extent to which the Ransomware Index Top 10 and the KEV Catalog features in what we observe and report on our client’s estates. 

If these are the most serious and urgent vulnerabilities we know about, how often are we warning our clients about them, and encountering them on our clients’ systems? 

Exploited vulnerabilities in our World Watch Vulnerability Intelligence

Our World Watch service works on behalf of the customer to collect, analyze, prioritize, contextualize and summarize the essential threat and vulnerability data customers need to make informed decisions. The Orange Cyberdefense Computer Emergency Response Team (CERT) analyses information from public and partner sources that is enriched with our proprietary threat intelligence. The information is triaged to determine accuracy, significance, relevance, and risk level before being shared to our clients. 

Our World Watch Advisories covered 8 of the 10 Ransomware Index Top 10 CVEs during the period October 2021 to September 2022.  

The Log4J vulnerability, CVE-2021-44228, was mentioned in 6 World Watch Advisories or updates. At the time, the flaw was considered extremely serious. Security professionals were convinced that this flaw, if left unpatched, could result in devastating breaches. 

World Watch Advisories

The vulnerabilities not covered by our World Watch Advisories are CVE-2020-5902 - a remote code execution vulnerability in the Traffic Management User Interface (TMUI) of F5 BIG-IP - and a remote code execution vulnerability in the Microsoft VBScript Engine, tracked as CVE-2018-8174. We opted not to publish advisories containing explicit references to these CVEs. 

When comparing vulnerabilities mentioned in the World Watch Advisories with the full KEV Catalog we see a slightly different story, but with familiar elements. Bear in mind that the KEV Catalog has over 860 entries at the time of writing, so we are sampling across a much larger set.  

World Watch Advisories

Our CERT team warned customers of 95 of the 860+ vulnerabilities that appear in the KEV Catalog, the first ten of which are shown above. Log4J was discussed the most, as already mentioned.  

The second highest number of mentions is a tie between a remote code execution vulnerability impacting Microsoft MSHTML (CVE-2021-40444), a vulnerability in Atlassian Confluence (CVE-2022-26134), and a vulnerability impacting the Microsoft Windows Support Diagnostics Tool (CVE-2022-30190). 

Six of the 10 vulnerabilities mentioned here overlap with the Ransomware Index Top 10. These are CVE-2021-44228, CVE-2022-26134, CVE-2017-11882, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.

Ransomware top-10 vulnerabilities discovered by scanning

Now let’s consider the occurrence of the Ransomware Index Top 10 CVEs in the findings recorded in our VOC scanning data for October 2021 to September 2022.  

On the assumption that our vulnerability scanners have a reasonable chance of detecting these vulnerabilities, we’re asking whether we ever identify these issues on client estates. 

We only see half of the potential Ransomware Index Top 10 vulnerabilities reported in the sample of client assets we examined.  

Ransomware Index Top 10 Vulns reported on client assets in a subset of OCD VOC Scanning Data 

  • The one vulnerability that was absent in our World Watch Advisories (CVE-2018-8174) was in fact reported on client estates (but never exploited by our penetration testing teams). 
  • The three most prominent CVEs here all relate to Microsoft desktop application products and are thus not directly exploitable over the network: CVE-2017-0199 and CVE-2017-11882 impact Microsoft Office 2007-2016, and CVE-2018-8174 impacts the VBScript Engine. We assume that these three vulnerabilities are exploited through phishing emails with malicious attachments or links to malicious Office documents.  
  • The Log4J vulnerability, CVE-2021-44228, is unsurprisingly present and was discovered at 17% of sampled clients.  
  • Our VOC team also identified vulnerable Atlassian Confluence servers, CVE-2022-26134. 

Percentage of Assets impacted by vulnerabilities listed in Ransomware Index Top 10 

Looking at the number of impacted assets, we see that the Microsoft vulnerabilities CVE-2017-11882, CVE-2018-8174, and CVE-2017-0199 impact the most assets of all the vulnerabilities listed in the Ransomware Top 10. The Log4J vulnerability, CVE-2021-44228, still looms close to the forefront. By comparison, the Atlassian Confluence Server vulnerability impacts only a handful of assets next to the first four.  

KEV vulnerabilities discovered by scanning

When cross-referencing the VOC scanning data with the 860+ entries in the full KEV Catalog, we see a rather different picture: Microsoft vulnerabilities dominate the first 20 records, as pictured below. We also observe a large chunk of Cisco IOS vulnerabilities relating to an SNMP flaw in the assets we scanned.  

Relevant vulnerabilities related to the VOC/KEV Catalog chart

The table lists the descriptions of the relevant vulnerabilities related to the VOC/KEV Catalog chart. 




First 20 Vulns found when comparing vulns in VOC with the KEV Catalog

[Table: columns Exploit Type and Probable Attack Vector; legend: Remote Code Execution, Path Traversal, Elevation of Privilege, Authentication Bypass, Denial of Service. The CVE identifiers and exploit types did not survive extraction; the Probable Attack Vector entries are:]

  • Windows Common Log File System Driver
  • Microsoft Windows Support Diagnostic Tool (MSDT)
  • Simple Network Management Protocol (SNMP) subsystem of Cisco IOS (seven entries)
  • Cisco IOS and Cisco IOS XE
  • Windows CSRSS
  • Active Directory Domain Services
  • Windows LSA
  • Windows Common Log File System
  • Windows User Profile
  • .NET Framework, SharePoint Server, and Visual Studio
  • Windows COM+ Event System
  • Windows Print Spooler Elevation of Privilege Vulnerability
  • Windows Print Spooler


As we can see, the top 20 vulnerabilities discovered by the VOC that appear in the KEV are dominated by two enterprise vendors, namely Microsoft and Cisco. Microsoft products are very popular, and any vulnerability in a core Microsoft product will quickly result in many reported findings.  

The chart below also includes the Log4J vulnerability, CVE-2021-44228, tacked on to show its relative impact. There are at least 10 other KEV vulnerabilities we reported at VOC clients more often than Log4J. 

Top 10 KEV CVEs with Log4J Vuln impacting percentage of VOC clients

A more useful perspective, perhaps, is to ask: at how many clients did we see vulnerabilities in the KEV catalog reported? We can search a sample of vulnerability scan reports for a significant subset of our clients to determine how frequently vulnerabilities in the KEV are reported on client assets. We note that this is a limited sample, biased by the obvious fact that these clients have implemented robust, professional vulnerability management programs, and would thus not be fully representative of the entire cyberspace. 

This perspective is reflected below: 

Distribution of KEV CVE across our scanning client base


The chart above depicts what proportion of the KEV catalog has been reported across our client base between October 2021 and September 2022. The Y-axis reflects a proportion of KEV, while the X-axis reflects the proportion of the clients we sampled. 

The resulting distribution is illustrated above. An examination of this data reveals the following: 

  1. An astonishing 52% (450 CVEs) of the vulnerabilities listed in the KEV were not reported at any of the clients sampled. It is hard to explain this, other than that these vulnerabilities exist in technologies that are not very widely deployed and are very specific to U.S. Government FCEB agencies. 
  2. Not a single vulnerability in the KEV impacted more than 44% of the clients sampled. 
  3. One CVE, CVE-2021-40438, impacted assets associated with 44% of clients. The vulnerability is found in Apache HTTP Server. 
  4. Seven CVEs of the KEV list were reported at 17% of clients - 6 of these 7 CVEs are sequential (CVE-2017-0143 to CVE-2017-0148) and are related to SMBv1 within Windows operating systems, including ‘EternalBlue’ (CVE-2017-0144). The final CVE follows a similar pattern, in that it is another Windows vulnerability which received significant attention from the community – CVE-2019-0708 ‘BlueKeep’. These are vulnerabilities dating back to 2017 and 2019 respectively. Many of the affected hosts would eventually have been patched by our clients, of course, but on average these 7 CVEs persisted on hosts for 451 days! In our 2023 ‘Security Navigator’ report we note that the average age of a vulnerability on our client estates is ‘only’ about 215 days. Considering the ubiquity and severity of these issues, this is a very concerning figure indeed. 
  5. Interestingly, 14% (121 CVEs) were reported at 15% of clients, depicted by the ‘bump’ in the graph featured above. These 121 vulnerabilities mostly impact common Windows components, which accounts for the large proportion of our clients that are impacted by them. The oldest vulnerabilities in this set were in Oracle Java, dating back to 2011! Several browser vulnerabilities were also present, spread between Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer. 
  6. A total of 159 vulnerabilities from the KEV each impacted less than 10% of our client base. This seems like an important observation, as it suggests that businesses can be severely impacted by an exploitable vulnerability in a technology that is not widely deployed, or an uncommon vulnerability that has not been patched. This serves as a reminder that security managers need to take the severity and exploitability of a vulnerability into account, not just the frequency with which it occurs. 
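As an added illustration (not the authors' own tooling or CISA code), the following Python performs the join described in this section: KEV records indexed by their `cveID`, scan findings grouped per client, the per-client share behind the distribution chart, persistence in days, and a KEV-first patch ordering. The KEV excerpt and the findings are constructed; the KEV field names match the public JSON feed, so the same functions run on the real download.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed excerpt in the shape of the KEV feed's "vulnerabilities" array
# (field names as in the public JSON; the CVE IDs are ones discussed in the
# article, the dates are made up for this example).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-0144", "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
    {"cveID": "CVE-2019-0708", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2021-44228", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2021-40438", "dateAdded": "2021-12-15", "dueDate": "2022-06-15"},
    {"cveID": "CVE-2022-26134", "dateAdded": "2022-06-02", "dueDate": "2022-06-06"},
    {"cveID": "CVE-2020-5902", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]})

# Constructed scan findings: (client, asset, cve, first_seen, last_seen).
# "CVE-0000-0000" is a placeholder for a finding that is not in the KEV.
FINDINGS = [
    ("A", "host1", "CVE-2017-0144", "2021-10-01", "2022-09-30"),
    ("B", "host2", "CVE-2017-0144", "2021-12-01", "2022-06-01"),
    ("A", "host3", "CVE-2019-0708", "2022-01-10", "2022-03-10"),
    ("C", "host4", "CVE-2021-44228", "2021-12-12", "2022-01-05"),
    ("A", "host5", "CVE-2021-40438", "2022-02-01", "2022-02-15"),
    ("B", "host6", "CVE-2021-40438", "2022-02-01", "2022-02-20"),
    ("D", "host7", "CVE-2021-40438", "2022-03-01", "2022-03-03"),
    ("D", "host8", "CVE-2022-26134", "2022-06-03", "2022-06-10"),
    ("A", "host9", "CVE-0000-0000", "2022-04-01", "2022-04-02"),
]
CLIENTS_SAMPLED = 5  # client E was scanned but had no findings at all


def load_kev(raw):
    """Index the KEV feed by CVE ID so findings can be joined by a dict lookup."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def client_share(findings, kev, clients_total):
    """Fraction of sampled clients at which each KEV CVE was reported (0.0 if never)."""
    seen = defaultdict(set)
    for client, _asset, cve, _first, _last in findings:
        if cve in kev:
            seen[cve].add(client)
    return {cve: len(seen[cve]) / clients_total for cve in kev}

def kev_distribution(shares):
    """Histogram behind the 'proportion of KEV vs proportion of clients' chart."""
    hist = defaultdict(int)
    for share in shares.values():
        hist[round(share, 2)] += 1
    return dict(hist)

def mean_persistence_days(findings, cve):
    """Average days a CVE stayed reported on an asset (first_seen to last_seen)."""
    spans = [(date.fromisoformat(last) - date.fromisoformat(first)).days
             for _c, _a, c, first, last in findings if c == cve]
    return sum(spans) / len(spans) if spans else 0.0

def prioritize(findings, kev):
    """KEV-listed CVEs first, earliest CISA due date first; non-KEV CVEs after."""
    observed = {cve for _c, _a, cve, _f, _l in findings}
    def key(cve):
        return (cve not in kev, kev.get(cve, {}).get("dueDate", "9999-12-31"), cve)
    return sorted(observed, key=key)
```

On this constructed data one KEV entry (CVE-2020-5902) is never seen at any client, mirroring the 52% of unseen entries reported above, and the two SMBv1 findings persist for 273 days on average.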

Ransomware top-10 vulnerabilities exploited during penetration tests

Are our penetration testing teams exploiting these vulnerabilities?

When we compare the Top 10 vulnerabilities from the Ransomware Index with the vulnerabilities reported by our Penetration Testing teams (represented by a sample of 1,400 test reports we analyzed), the only vulnerability in common between the two is the Log4J vulnerability (CVE-2021-44228), and that was only reported once.

The three Microsoft vulnerabilities (CVE-2018-8174, CVE-2017-0199, and CVE-2017-11882), for example, are potentially suited to phishing attacks, which are often considered out of scope for ‘traditional’ penetration testing engagements.

KEV vulnerabilities exploited during penetration tests

Comparing the vulnerabilities in the penetration testing dataset with the much larger KEV Catalog, we observe a small number of vulnerabilities shared across the datasets:

CVE found when comparing vulnerabilities in sample Penetration Test Data

[Table: columns Exploit Type and Probable Attack Vector; legend: Remote Code Execution, Elevation of Privilege. The CVE identifiers and exploit types did not survive extraction; the Probable Attack Vector entries are:]

  • Microsoft Remote Desktop Protocol
  • Microsoft Windows SMB (two entries)
  • Microsoft Server Active Directory (two entries)

These vulnerabilities are therefore both listed in the KEV catalogue and exploited by our analysts during penetration tests. Here’s what we see:

  • The Remote Desktop Protocol flaw, CVE-2019-0708 aka BlueKeep, in Microsoft Terminal Services is a serious vulnerability for which reliable proof-of-concept exploits are readily available. Our penetration testing teams found that this flaw is sometimes accompanied by Eternal Blue and Eternal Synergy (CVE-2017-0144/CVE-2017-0143), as well as the two Microsoft Active Directory vulnerabilities CVE-2021-42278 and CVE-2021-42287. 
  • The presence of the Microsoft Windows SMB protocol flaw in the form of Eternal Blue and Eternal Synergy highlights the very real risk posed by these wide-reaching flaws with reliable exploits.

Once again, we can determine how frequently vulnerabilities in the KEV are reported at our clients, this time in penetration testing reports. We note again that, because these clients have robust, professional vulnerability management programs, our sample is biased and not necessarily representative of the entire Internet.

Distribution of KEV CVE across our penetration test client base

The chart above is based on an examination of the sample of 1,400 Penetration Test reports that we analyzed. Each colored series in the legend represents a proportion of our sample client base, while the size of each pie segment represents the proportion of the KEV observed.

The following very small numbers emerge:

  • 99.2% of the CVEs in the KEV did not feature in even one of the Penetration Test reports we examined. This is not entirely surprising, due to the observer bias we emphasized above, but also because of the way we expect our testers to work; in other words, they do not focus purely on finding CVEs.
  • The 0.8% of the KEV that we did reference in our Penetration Test reports amounts to just 7 CVEs.
  • One of these CVEs, CVE-2019-0708 (a remote code execution vulnerability in Remote Desktop Services, ‘BlueKeep’), was referenced at about 2% of the sampled clients and was also listed under the vulnerability scanning section earlier. CVE-2017-0144 (Windows SMB Remote Code Execution Vulnerability, ‘EternalBlue’) was referenced at about 1% of sampled clients, and the other 5 CVEs from the KEV were each referenced at only about 0.4% of sampled clients.

This is rather surprising, as one would think the list presents prime vulnerability candidates for penetration testing teams to exploit. Exposed services such as Atlassian Confluence Server, Microsoft Exchange, Fortinet FortiOS devices, and F5 TMUI would be easy pickings for our testers. It appears that we are simply not encountering vulnerable versions of these platforms within the scope of the tests we sampled, or that exploiting these vulnerabilities is being precluded by the test scope.

Pentesting considered harmful to your health

At the 44Con security conference in London in 2011, a security researcher called Haroon Meer delivered a presentation titled ‘Penetration Testing considered harmful’.