Why Chasing the Wrong Vulnerabilities Can Leave You Wide Open
Ever feel like the world of cyber threats is a bit of a moving target? You’re not alone. There’s always talk about “critical” vulnerabilities, but sometimes the ones everyone’s watching aren’t the ones actually causing the most trouble. Let’s dig into why that happens and what really matters when it comes to staying safe.
Spotting Patterns in Vulnerabilities
Looking at the top vulnerabilities, some patterns start to show up. It’s interesting how the biggest “critical” threats are often tied to Oracle and Apache, while the ones actually getting exploited at scale are mostly Microsoft. So, what’s going on here?
If you’re just chasing after criticality—meaning only patching what’s labeled “critical”—you might be missing the real threats. Sometimes, the vulnerabilities that attackers are actually targeting aren’t even on the “most critical” list. That’s a bit of a wake-up call, right?
Why Popularity Matters
Some vulnerabilities, like those in Oracle and Log4j, pop up everywhere. This usually comes down to how widely these programs are installed. The more common the software, the more likely attackers are to go after it. But here’s the twist: when you look at who’s targeting these vulnerabilities, especially from a ransomware angle, Microsoft suddenly jumps to the top. Turns out, just being popular makes you a bigger target.
Not All Criticals Are Truly Critical
There’s a saying that not all criticals are actually critical, and not every source of information is a good one. Comparing different sources—like GitHub, NVD, CISA, and EPSS—shows some big differences. If you only look at what’s rated as critical, you’ll see Oracle, Apache, and Microsoft leading the pack. But when you check which vulnerabilities are actually being exploited at scale, Microsoft, Adobe, and Apple shoot up the list.
So, just picking vulnerabilities based on their “critical” label can lead you to focus on the wrong things. It’s more important to look at what’s actually being exploited out in the wild.
| Source/Approach | Top Vendors (Critical Label) | Top Vendors (Exploited at Scale) |
|---|---|---|
| Severity/Criticality Lists (e.g., NVD, GitHub) | Oracle, Apache, Microsoft | Microsoft, Adobe, Apple |
| Exploitation Data (e.g., CISA, EPSS) | Microsoft, Adobe, Apple | Microsoft, Adobe, Apple |
EPSS Score Distribution (Real Data)
The chart below uses real EPSS data from 2024, showing the percentage of vulnerabilities in each score range (source: FIRST EPSS Data Stats, 2024).
Chart: Over 90% of vulnerabilities have an EPSS score below 0.2; only a tiny fraction are highly likely to be exploited.
How Exploitation Really Works
Only a small fraction of vulnerabilities with public exploits are actually being used by attackers. That’s why some experts use an EPSS score above 0.6 or 0.7 as the cut-off for what gets patched first. Most vulnerabilities—over 90%—score so low that the chance of real-world exploitation is almost zero.
Who’s Getting Targeted?
CISA’s exploitation data shows Microsoft at the top of the chart. With such a massive installed base, it has the biggest attack surface, which makes it a frequent target for ransomware groups.
Focusing on What Matters
- Probability of exploitation (EPSS helps)
- Threat intel showing active ransomware targets
- Asset exposure on your network
- Availability of exploits in public tools
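To show how these factors change the order of a patch queue, here is an added example (not code from the original post): a small scoring function that weights exploitation evidence, exposure and public-exploit availability ahead of the severity label. The weights, the EPSS cut-off of 0.6 (one of the thresholds the post mentions), the `Vuln` fields and the CVE ids are all constructed assumptions, not real data.

```python
from dataclasses import dataclass

EPSS_THRESHOLD = 0.6  # assumed cut-off; the post cites 0.6 or 0.7 as common choices

@dataclass
class Vuln:
    cve: str              # constructed placeholder ids below, not real CVEs
    cvss_severity: str    # "critical", "high", "medium" or "low" label
    epss: float           # EPSS probability of exploitation, 0..1
    in_kev: bool          # appears in CISA's exploited-vulnerabilities data
    exposed: bool         # asset reachable from outside the network
    public_exploit: bool  # working exploit available in public tooling

def priority(v: Vuln) -> int:
    """Higher score = fix sooner. Exploitation evidence dominates the label."""
    score = 0
    if v.in_kev:                      # confirmed exploitation weighs most
        score += 40
    if v.epss >= EPSS_THRESHOLD:      # likely to be exploited soon
        score += 30
    elif v.epss >= 0.2:               # above the long tail the chart shows
        score += 10
    if v.public_exploit:
        score += 15
    if v.exposed:
        score += 10
    # the severity label is only a tie-breaker in this scheme (assumed weights)
    score += {"critical": 5, "high": 3, "medium": 1, "low": 0}.get(v.cvss_severity, 0)
    return score

def rank(vulns):
    """Return the inventory ordered from most to least urgent."""
    return sorted(vulns, key=priority, reverse=True)

# Constructed sample inventory (placeholder ids and values).
SAMPLE = [
    Vuln("CVE-0000-0001", "critical", 0.03, False, False, False),
    Vuln("CVE-0000-0002", "high",     0.85, True,  True,  True),
    Vuln("CVE-0000-0003", "critical", 0.45, False, True,  True),
    Vuln("CVE-0000-0004", "medium",   0.70, True,  False, False),
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(f"{v.cve}: priority={priority(v):3d} cvss={v.cvss_severity:8s} "
              f"epss={v.epss:.2f} kev={v.in_kev}")
```

In the sample, the "critical"-labelled CVE with an EPSS of 0.03 lands at the bottom of the queue, while a "medium" that CISA reports as exploited ranks second.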
Wrapping Up
Don’t chase every “critical” label. Instead, focus on what’s being actively exploited. Use EPSS, CTI, and business context to fix what truly matters.