Security leaders work hard to securing potential data vulnerabilities within their organizations. Edgescan released its 2023 Vulnerability Statistics report analyzing data collected of security assessments and penetration tests performed on assets.

The report provides a model of the most common weaknesses faced by enterprises and provides insight into how quickly vulnerabilities are being fixed based on risk. Unfortunately, high rates of known types of risk are still being found (i.e., patchable) exploitable vulnerabilities, with working exploits in the wild being used by nation states and cyber-criminal groups against organizations who are slow to patch. Additional findings include:

  • Non-internet facing systems have a significant risk density resulting in an easy time for criminals once the network perimeter is breached.
  • Mean time to remediation (MTTR) for critical severity vulnerabilities is 65 days.
  • 33% of all vulnerabilities across the full stack discovered in 2022 were either high or critical severity.
  • The most common application layer and API vulnerabilities are still Injection related.
  • 13.5% of vulnerabilities in an enterprise's backlog are either high or critical severity.
  • 12% of all risk accepted vulnerabilities in 2022 were considered (in isolation) critical severity.