Choosing Which Vulnerabilities to Patch


A lot has been written about how security teams struggle to prioritize and patch common vulnerabilities and exposures (CVEs). With limited resources, vulnerability management teams must choose to remediate some CVEs over others – at their peril.

In the Blue Report 2023, our analysis of 14 million attack simulations found that organizations are making four “impossible” tradeoffs when it comes to managing their threat exposure. One trade-off is choosing which vulnerabilities to patch.

The Blue Report 2023 identified a list of vulnerabilities – including high severity vulnerabilities and vulnerabilities over 3 years old – for which over 80% of organizations remain exposed.

Spotlight on Vulnerabilities

Software vulnerabilities, often referred to as common vulnerabilities and exposures (CVEs), are frequently targeted by attackers. And for good reason. 

As part of the analysis of attack simulations done for this report, we identified the ten least prevented vulnerability exploits. Organizations are only able to prevent them 11-16% of the time. Moreover, organizations are clearly not very effective at prioritizing vulnerability patching: many of these vulnerabilities are either high severity or remain exposed despite having been known for years.

Figure: The 10 least prevented vulnerability exploits

Several of the vulnerabilities in this list have drawn substantial media attention due to their high severity and widespread impact, including CVE-2021-30588 (affecting Chrome's JavaScript Engine), CVE-2021-33564 (affecting Linux distributions), and CVE-2021-22885 (impacting Ruby on Rails). Their continued exploitability underscores the ongoing need for vulnerability managers to prioritize patching them.

The presence of CVE-2019-9947 and CVE-2019-14234, both now 4 years old, highlights the fact that vulnerabilities can pose long-term security risks. Timely identification and remediation of vulnerabilities is essential, even in older systems.

Another finding is that these vulnerabilities affect a broad array of systems – from web browsers to operating systems. Organizations’ vulnerability management programs should span their entire IT ecosystem, but they are clearly having to make trade-offs about what to protect. With that in mind, organizations may need to go beyond vulnerability management to reduce their threat exposure.

Overcoming the Trade-Off

What are security teams to do? Threat exposure management, sometimes referred to as continuous threat exposure management (CTEM), is one approach to cybersecurity that organizations can use to overcome this trade-off. Implementing a CTEM program can allow you to effectively prioritize potential risks and the corresponding remediation efforts.

Picus Security’s CTEM solution helps you discover and prioritize these at-risk assets, along with other exposures such as high-risk attack paths that attackers could use to reach critical systems and users.

With Picus, you can quickly mature your security posture and move beyond basic vulnerability management. Instead of spending your days making impossible trade-offs that leave gaps in your defenses, you can consistently and successfully defend against sophisticated multi-pronged attacks. On average, our customers prevent twice as many attacks, within just three months.

Picus customers prevent twice as many attacks, within just 3 months

To learn more about other trade-offs organizations face managing their threat exposure, download the Blue Report 2023, or read our other blogs in this series.