Measuring the Exploitation of Weaknesses in the Wild
Peter Mell, Irena Bojanova, Carlos Galhardo

TL;DR
This paper introduces a metric to measure the exploitation of software weaknesses in real-world attacks using public data feeds, revealing most weaknesses are not persistently exploited.
Contribution
It proposes a simple, data-driven metric to estimate the likelihood of weaknesses being exploited in the wild over a 30-day period.
Findings
92% of weaknesses are not constantly exploited
The metric effectively identifies frequently exploited weaknesses
Analysis covers 130 weaknesses commonly found in vulnerabilities from April 2021 to March 2024
Abstract
Identifying the software weaknesses exploited by attacks supports efforts to reduce developer introduction of vulnerabilities and to guide security code review efforts. A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error. Ideally, the security community would measure the prevalence of the software weaknesses used in actual exploitation. This work advances that goal by introducing a simple metric that utilizes public data feeds to determine the probability of a weakness being exploited in the wild for any 30-day window. The metric is evaluated on a set of 130 weaknesses that were commonly found in vulnerabilities between April 2021 and March 2024. Our analysis reveals that 92% of the weaknesses are not being constantly exploited.
Taxonomy
Topics: Web Application Security Vulnerabilities · Information and Cyber Security · Software Engineering Research
