Hackers scan for vulnerabilities within 15 minutes of disclosure


System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed.

According to Palo Alto’s 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.

However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited.

“The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced,” reads a companion blog post.

Since scanning isn’t particularly demanding, even low-skilled attackers can scan the internet for vulnerable endpoints and sell their findings on dark web markets where more capable hackers know how to exploit them.

Then, within hours, the first active exploitation attempts are observed, often hitting systems that never had the chance to patch.

Unit 42 presents CVE-2022-1388 as an example, a critical unauthenticated remote command execution vulnerability impacting F5 BIG-IP products.

The flaw was disclosed on May 4, 2022, and according to Unit 42, by the time ten hours had passed since the announcement of the CVE, they had recorded 2,552 scanning and exploitation attempts.

This is a race between defenders and malicious actors, and the margins for delays on either side are dwindling with every year that passes.

Most exploited flaws in 2022

Based on the data collected by Palo Alto, the most exploited vulnerabilities for network access in H1 2022 are the “ProxyShell” exploit chain, accounting for 55% of the total recorded exploitation incidents. ProxyShell is an attack exploited by chaining together three vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

Log4Shell follows at second place with 14%, various SonicWall CVEs accounted for 7%, ProxyLogon had 5%, while the RCE in Zoho ManageEngine ADSelfService Plus was exploited in 3% of the cases.

Most exploited flaws in H1 2022Most exploited flaws in H1 2022 (Unit 42)

As it becomes evident from these stats, the lion’s share in the exploitation volume is captured by semi-old flaws and not the most recent ones.

This happens for various reasons, including the attack surface size, exploitation complexity, and practical impact.

More valuable and better-protected systems whose admins are quick to apply security updates are targeted with zero-days or attacks that unfold immediately after the disclosure of flaws.

It is also worth noting that according to Unit 42, exploiting software vulnerabilities for initial network breaches accounts for roughly one-third of the method used.

In 37% of the cases, phishing was the preferable means for achieving initial access. Brute-forcing or using compromised credentials is how hackers penetrated networks in 15% of the cases.

How attackers achieved initial access in H1 2022How attackers achieved initial access in H1 2022 (Unit 42)

Finally, using social engineering tricks against privileged employees or bribing a rogue insider to aid in network access corresponds to 10% of the incidents.

A race against the clock

With system administrators, network admins, and security professionals already under significant stress as they try to keep up with the latest security threats and OS issues, the speed at which threat actors target their devices only adds additional pressure.

Therefore, it is extremely important to keep devices off the Internet if possible, and only expose them through VPNs or other security gateways. By restricting access to servers, admins not only reduce the risk of exploits, but provide additional time to apply security updates before the vulnerabilities could be targeted internally.

Unfortunately, some servives must be publicly exposed, requiring admins to tighten security as much as possible through access lists, exposing only the necessary ports and services, and applying updates as quickly as possible.

While quickly applying a critical update may lead to downtime, this is much better than the ramifications of a full-blown cyberattack.


  • safesploit Photo safesploit – 2 days ago

    This is a further reason for automation, but updates to production servers risks causing downtime if not properly tested first.
    ‘A race against the clock’ is not a joke, possibly as the article implied that segregation of critical systems should be used to mitigate the fallout of a breach, until updates can be issued without breaking functionality.

  • skedddggge Photo skedddggge – 1 day ago

    virtual servers are the only way forward

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.11 4M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 21,002 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 50,778 Downloads

  • Zemana AntiMalware Logo

    Zemana AntiMalware

    Version: NA 302,025 Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.0 2M+ Downloads


Related posts

New Buhti ransomware gang uses leaked Windows, Linux encryptors

Sarah Henriquez

FBI: Iranian hackers lurked in Albania’s govt network for 14 months

Sarah Henriquez

Over 1,800 Android phishing forms for sale on cybercrime market

Sarah Henriquez

Leave a Comment