Critical vulnerabilities take 4.5 months on average to remediate
Over a third of organizations had at least one known vulnerability in 2023, with nearly a quarter of those facing five or more, and 60% of vulnerabilities remained unaddressed past CISA's deadlines, according to Bitsight.
Organizations struggle to remediate critical vulnerabilities.
"Even critical severity vulnerabilities take 4.5 months to remediate on average. The situation creates significant risk and speaks to the need for business leaders on the board and in the C-suite to recognize these vulnerabilities as the serious threats they are and demand a security posture that prioritizes deep insight and swift action. From there, organizations have an opportunity to grow," added Vadala.
Vulnerabilities included in the Known Exploited Vulnerabilities catalog are highly prevalent and over a third of organizations had at least one in 2023.
"CISA's KEV catalog is a major step forward in the identification of high-risk vulnerabilities. Unfortunately, we still have a major problem with management of those vulnerabilities as security leaders often lack clear responsibility and authority for remediation, visibility across their environment, and metrics to measure their effectiveness," said Roland Cloutier, former Fortune 100 CSO and Bitsight advisor.
"While we are pleased to see that inclusion of a vulnerability in our Known Exploited Vulnerabilities catalog is associated with faster remediation, we know that the current model of 'patch faster' is unsustainable and every software company must reduce the prevalence of vulnerabilities by design."
News URL: https://www.helpnetsecurity.com/2024/05/13/kev-catalog-prevalent-vulnerabilities/