Organizations cannot rely on a single source of data on which to base their entire cybersecurity strategy – particularly their vulnerability management programs.

Case in point: The National Vulnerability Database, or NVD.

This publicly available database of known vulnerabilities covers an enormous array of the vulnerabilities that currently affect applications, software and hardware.

However, based on Ivanti’s research and products ingesting potential vulnerabilities from well over 100 different vulnerability sources – including databases, human penetration tests, CVE Numbering Authorities (CNAs) and even online communities – we know that the NVD currently misses over 20% of all common vulnerabilities and exposures:

|                                          | The National Vulnerability Database | Total Vulnerability Count | Difference        |
|------------------------------------------|-------------------------------------|---------------------------|-------------------|
| True Total CVEs                          | 188,001                             | 236,286                   | 48,285 (20.43%)   |
| Estimated Weaponized CVEs                | 13,856                              | 29,313                    | 15,457 (52.73%)   |
| Estimated Vulnerabilities with RCE or PE | 4,387                               | 9,636                     | 5,249 (54.48%)    |
| Estimated Malware-related CVEs           | 411                                 | 1,336                     | 925 (69.27%)      |
| Estimated CISA KEVs                      | 187                                 | 660                       | 473 (71.64%)      |
| Date Retrieved                           | June 6, 2022                        | May 31, 2022              |                   |

It’s not just the NVD that’s missing critical pieces of the vulnerability puzzle, either.

Previous research released in the Ransomware Spotlight Report 2022 found that three of the most popular vulnerability scanners – Nessus, Qualys and Nexpose – detected just 77% of all exploitable vulnerabilities in 2021 between them.

Now, we’re not saying that every vulnerability should be patched or remediated as critical! Proper prioritization of resources and patch rollouts is key to every cybersecurity strategy.

An organization’s vulnerability management program should be contextualized for its unique risk environment, accounting for everything from exact devices and network accessibility to workflow analysis and application interactions.

However, to assess whether a specific vulnerability matters to your organization, you need to know it exists in the first place.

And, if your sole source of information is a single database – even one as comprehensive and authoritative as the NVD – then you’re likely missing out on tens of thousands of potential vulnerabilities.

Methods

Estimates of NVD subset vulnerabilities were calculated based on the Q1 2022 Ransomware Index Report – released in conjunction with Cyber Security Works (CSW), Securin, Cyware and Ivanti – which listed:

  • 142,133 total NVD vulnerabilities at time of publication.
  • 10,463 weaponized vulnerabilities (approximately 7.37% of all NVD vulnerabilities).
  • 3,312 vulnerabilities with remote code execution or privilege escalation exploits (approximately 31.66% of all weaponized vulnerabilities).
  • 310 malware-related CVEs (approximately 9.36% of all RCE / PE vulnerabilities).
  • 141 CISA KEVs (approximately 45.58% of all malware-related CVEs).

The above percentages were used to calculate vulnerability subset estimates from the total number of NVD CVEs retrieved on June 6, 2022, to better reflect the current state of the database, as it has been updated since the 2022 Q1 Ransomware report’s release.
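The calculation described above, as an added example that is not Ivanti’s code: it chains the Q1 2022 ratios onto the June 6, 2022 NVD count and reproduces the table’s NVD-column estimates and gap percentages. The chaining order and the choice to compute each gap against the unrounded estimate (which is what makes the percentages match) are assumptions about the method, not statements from the report.

```python
NVD_TOTAL = 188_001  # NVD CVE count retrieved June 6, 2022 (from the table above)

# Ratios quoted in the Methods section from the Q1 2022 Ransomware Index Report,
# each relative to the previous subset (weaponized / all NVD, RCE-or-PE /
# weaponized, malware-related / RCE-or-PE, CISA KEV / malware-related).
SUBSET_RATIOS = [
    ("Estimated Weaponized CVEs", 0.0737),
    ("Estimated Vulnerabilities with RCE or PE", 0.3166),
    ("Estimated Malware-related CVEs", 0.0936),
    ("Estimated CISA KEVs", 0.4558),
]

# Counts from Ivanti's aggregated multi-source data set (retrieved May 31, 2022).
AGGREGATED_TOTALS = {
    "True Total CVEs": 236_286,
    "Estimated Weaponized CVEs": 29_313,
    "Estimated Vulnerabilities with RCE or PE": 9_636,
    "Estimated Malware-related CVEs": 1_336,
    "Estimated CISA KEVs": 660,
}


def estimate_nvd_subsets(nvd_total=NVD_TOTAL, ratios=SUBSET_RATIOS):
    """Chain the ratios: each subset estimate is the previous one times its ratio.

    Estimates are kept unrounded (assumption): the table's gap percentages only
    reproduce when the gap is computed against the unrounded estimate.
    """
    estimates = {"True Total CVEs": float(nvd_total)}
    running = float(nvd_total)
    for label, ratio in ratios:
        running *= ratio
        estimates[label] = running
    return estimates


def gap_table(nvd_total=NVD_TOTAL, totals=AGGREGATED_TOTALS):
    """Return {label: (nvd_estimate, aggregated_total, gap, gap_percent)}."""
    rows = {}
    for label, nvd_value in estimate_nvd_subsets(nvd_total).items():
        total = totals[label]
        gap = total - nvd_value
        rows[label] = (round(nvd_value), total, round(gap), round(100 * gap / total, 2))
    return rows


if __name__ == "__main__":
    for label, (nvd, total, gap, pct) in gap_table().items():
        print(f"{label:<42} {nvd:>8,} {total:>8,} {gap:>7,} ({pct:.2f}%)")
```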

Updated versions of this research will be published in tandem with future ransomware reports, to better demonstrate the difference between publicly reported vulnerabilities in the NVD and other databases versus the true state of the vulnerability landscape.

To determine the true number of vulnerabilities which exist beyond the NVD and other public databases, Ivanti researchers and products – including Ivanti Neurons for Risk-based Vulnerability Management (RBVM) – aggregated data from hundreds of sources, including:

  • Various vulnerability sources, including but not limited to the NVD, CISA, MITRE, Exploit Database and Packet Storm.
  • CVE Numbering Authorities (CNAs) – including but not limited to Microsoft, Cisco, Qualcomm and Google.
  • 100+ online sources and communities publicly posting vulnerability findings across Reddit, Twitter and other niche resources, including but not limited to Threatmeter, LinInfosec, TheHackerNews and Your AnonRiots.
  • Human penetration testing and other manual initiatives.

The exact list of vulnerability sources is proprietary in nature and cannot be fully disclosed due to security concerns of current clients.