Full Report
Almost nine in 10 major companies exposed to actively exploited cyber vulnerabilities remain at risk for six months or more, despite available fixes, according to a new study by cyber risk analytics provider KYND. The analysis examined more than 2,000 organizations, including companies from the FTSE 350 and S&P 500. Researchers found that 11% were…
Analysis Summary
This article summary focuses on the high-level findings of a study regarding vulnerability remediation delays, rather than detailing specific, named vulnerabilities (CVEs). Therefore, most fields requiring specific CVE data will be generalized or marked as "Not specified in context."
# Vulnerability: Widespread Delays in Patching Actively Exploited Vulnerabilities
## CVE Details
- CVE ID: Not specified in context (Study examined many vulnerabilities)
- CVSS Score: Not specified in context
- CWE: Not specified in context
## Affected Systems
- Products: Enterprise software and infrastructure including **Oracle, WordPress, Apache**, networking hardware, and secure communication protocols.
- Versions: Unspecified, but the finding relates to organizations exposed to *any* actively exploited vulnerability.
- Configurations: Organizations running the specified software/hardware that have not applied available fixes.
## Vulnerability Description
The study by KYND analyzed over 2,000 major organizations (including FTSE 350 and S&P 500) and found that 11% were exposed to vulnerabilities currently being exploited in real-world attacks. The key technical finding relates to the **delay in applying fixes** for known, exploited flaws.
## Exploitation
- Status: Actively exploited in the wild (by definition of the subset the study reports on).
- Complexity: Not specified, but the implication is that these are accessible enough to be leveraged by threat actors.
- Attack Vector: Broadly related to web applications, enterprise software, and network devices, suggesting varied vectors (Network, Application Layer).
## Impact
- Confidentiality: High (Implied, as exploited vulnerabilities often lead to data breaches)
- Integrity: High (Implied, as exploitation allows unauthorized modification)
- Availability: Medium/High (Implied, depending on the nature of the exploited flaw)
## Remediation
### Patches
- **General Finding:** Patches are available for the identified vulnerabilities, but 88% of exposed organizations failed to apply them for six months or more.
- Available patches: Specific patch versions are not mentioned in the summary; the study focuses on whether a fix exists versus whether it has been applied.
### Workarounds
- Not specified in context. The focus is on the organizational failure to implement permanent remediation.
## Detection
- **General Finding:** The detection of the flaw itself must have occurred, as KYND identified the exposure. The failure lies in the transition from detection to remediation.
- Indicators of Compromise: Not specified; detection would rely on monitoring for exploitation attempts targeting known vulnerabilities in Oracle, WordPress, Apache, etc.
- Detection methods and tools: Organizations must rely on vulnerability scanning tools and exploit monitoring to determine if they are part of the exposed 11%.
## References
- Vendor advisories: N/A (References would be specific to the individual CVEs discovered, not the study itself).
- Relevant links (defanged):
  - Source Article: hxxps://threatbeat.com/firms-leave-cyber-vulnerabilities-unpatched-for-months-study-shows/