Recent findings from Orange Cyberdefense’s Security Navigator reveal a worrying trend in cybersecurity. Vulnerabilities that were first identified as far back as 1999 continue to be present in networks today, underscoring a persistently high-risk landscape.

Analyzing Vulnerability Lifespan

The ongoing vulnerability scans conducted by Orange Cyberdefense make it possible to assess the “age” of each finding by comparing the time of the scan with the date of reporting for each vulnerability on an asset. A vulnerability that remains unresolved keeps appearing in later scans, so its age keeps growing. Over time, the collected data indicates that many of these vulnerabilities are retained without effective remediation.

The data visualization from the analysis shows that the majority of existing vulnerabilities are between 75 and 225 days old, with a further rise in findings averaging 300 days, likely due to legacy data rather than active vulnerabilities. Notably, a smaller yet striking grouping at the 1,000-day mark indicates a “long tail” of unresolved issues, of which 75% are categorized as Medium Severity and a concerning 16% as High or Critical Severity.

Tracking the average age of findings in the dataset reveals significant fluctuation correlating with both the onboarding of new clients and changes in asset management. Over a 24-month period, findings have shown a dramatic increase in average age, escalating by 241%, from 63 to 215 days. The analytics indicate that resolution efforts are lagging significantly, with only 20% of vulnerabilities being addressed in under 30 days, and 57% requiring 90 days or longer.
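As an added example (not Orange Cyberdefense's code or data), the sketch below derives finding age and time-to-resolve from repeated scans in the way this section describes. The scan rows, asset names and finding IDs are constructed, and it assumes the reporting date is the first scan that reported a finding on an asset.

```python
from collections import defaultdict
from datetime import date

# Constructed scan rows: (scan_date, asset, finding_id, severity). A row means
# the finding was reported on that asset in that scan. Assumption: "date of
# reporting" is the first scan that reported the finding on the asset.
SCANS = [
    (date(2023, 1, 1), "web01", "F-1", "Critical"),
    (date(2023, 1, 1), "web01", "F-5", "Low"),
    (date(2023, 1, 1), "db01", "F-3", "High"),
    (date(2023, 1, 21), "web01", "F-1", "Critical"),
    (date(2023, 1, 21), "web01", "F-2", "Medium"),
    (date(2023, 1, 21), "web01", "F-6", "Medium"),
    (date(2023, 4, 11), "web01", "F-2", "Medium"),
    (date(2023, 4, 11), "db01", "F-3", "High"),
    (date(2023, 8, 9), "web01", "F-4", "Low"),
    (date(2023, 8, 9), "db01", "F-3", "High"),
]

def finding_timelines(scans):
    """Return {(asset, finding): (severity, age_days, resolved)}."""
    asset_scans = defaultdict(set)   # every date each asset was scanned
    seen = defaultdict(list)         # dates each finding was reported
    severity = {}
    for scan_date, asset, finding, sev in scans:
        asset_scans[asset].add(scan_date)
        seen[(asset, finding)].append(scan_date)
        severity[(asset, finding)] = sev
    out = {}
    for key, dates in seen.items():
        first, last = min(dates), max(dates)
        later = sorted(d for d in asset_scans[key[0]] if d > last)
        # Missing from the asset's next scan: count it as resolved on that
        # scan date. This is an upper bound; the fix landed between scans.
        end = later[0] if later else last
        out[key] = (severity[key], (end - first).days, bool(later))
    return out

def resolution_buckets(timelines):
    """Share of resolved findings closed in <30, 30-89 and >=90 days."""
    days = [age for _, age, resolved in timelines.values() if resolved]
    if not days:
        return {}
    share = lambda lo, hi: sum(lo <= d < hi for d in days) / len(days)
    return {"<30": share(0, 30), "30-89": share(30, 90), ">=90": share(90, float("inf"))}

def open_ages(timelines):
    """Age in days of findings still present at the asset's latest scan."""
    return {k: v[1] for k, v in timelines.items() if not v[2]}
```

Because a fix is only observed at the next scan, measured resolution times depend on scan frequency; infrequent scans inflate both the age and the time-to-resolve figures.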

Severity and Resolution Timeline

Additionally, the data indicates that, on average, even Critical Vulnerabilities take approximately six months to resolve—36% quicker than lower-severity issues. While this aspect of vulnerability management showcases some progress, the maximum times recorded highlight ongoing systemic weaknesses, as they remain consistently high across all severity levels.

Sector Performance Review

When comparing industries, maximum and average ages of findings can indicate the effectiveness of vulnerability management across sectors. A high maximum age paired with a low average suggests strong remediation practices, whereas both being high raises red flags regarding the industry’s overall cyber hygiene. Low maximum ages generally indicate newer participants in the dataset, who may not be entirely comparable against more seasoned industries.

The concerning trend remains clear. The age of vulnerabilities indicates significant ongoing security debt that organizations are failing to mitigate effectively. A deeper analysis of common publicly reported vulnerabilities shows that some have been unaddressed for decades—0.5% being over 20 years old, and nearly half being at least five years old. This points to apathy or systemic issues in patch management protocols across the board.

Final Thoughts

With an average of over 22 vulnerabilities published daily, many carrying a CVSS score above 7, businesses face a growing imperative to manage these risks proactively. Both vulnerability scanning and penetration testing provide frameworks for identifying and addressing potential security gaps. However, the current extended timelines for addressing known vulnerabilities, averaging 215 days and significantly longer for medium to low severity, indicate a need for improved practices in vulnerability management.

Orange Cyberdefense’s findings emphasize the critical state of vulnerability management within organizations today. Through informed strategies and immediate actions based on the vulnerabilities identified, businesses can work to mitigate risk more effectively. For a comprehensive analysis of this data, including additional insights related to vulnerability criticality and evolving trends, the Security Navigator presents a valuable resource available to all stakeholders without charge.

Note: This article has been carefully prepared by Charl van der Walt, Head of Security Research at Orange Cyberdefense.

This article is a contributed piece from one of our valued partners.