
Software Vulnerability Ratings Report 2024

June 2024
Contents

Introduction
Executive Summary
Methodology
Enterprise Software Categories
Software Vulnerability Ratings
Vulnerability Analysis and Year-Over-Year Comparison
  Vulnerability Summary Overview
  Desktop Operating Systems
  Mobile Operating Systems
  Office Apps
  Remote Management Software
  Document Viewers
  Password Managers
  Antiviruses
  Image Editors
  Web Browsers
  VPN Clients
  Load Balancers
  Databases
Recommendations
Appendix

Introduction

This report analyzes the security landscape of enterprise software. Its primary objective is to identify vulnerability trends within commonly used enterprise software categories, with a particular focus on exploitation rate and remote code execution (RCE) vulnerabilities.

Exploitation rate is a metric developed by the Action1 research team to help enterprises assess the risks associated with certain vendors' software and the comprehensiveness of those vendors' vulnerability management programs.

RCE is a dangerous type of vulnerability because it allows attackers to execute arbitrary code remotely, potentially compromising critical systems. When an application has an increased count of RCE vulnerabilities, there are more potential entry points for attackers into the organization's IT environment.

To facilitate trend identification within a representative timeframe, the Action1 research team considered data from the years 2023, 2022, and 2021.

The report draws on two sources: the National Vulnerability Database (NVD) and cvedetails.com. By combining NVD data with CVE details, the report quantifies the vulnerabilities and provides a view of how the threat landscape changes over time.

Armed with this report, CISOs and CIOs gain strategic insights into their software ecosystem. They can make informed decisions about risk management, resource allocation, and technology investments.

Moreover, CISOs and CIOs can use the report to evaluate software vendors based on their security track record. This informs procurement decisions and strengthens partnerships with security-conscious vendors.

Finally, the report can help organizations be more proactive in risk mitigation, as it enables them to focus on critical vulnerabilities, reducing the attack surface and enhancing overall security posture.

Executive Summary
The report provides essential insight into the evolving vulnerability landscape for enterprise software. In light of the current crisis at the National Vulnerability Database (NVD), where new vulnerability uploads were suspended on May 9, 2024*, this information is invaluable to cybersecurity professionals: it shows the vulnerability trends for popular software, which can help prioritize software for vulnerability monitoring using alternative tools and approaches while the traditional reliance on the NVD is challenged, and allocate resources accordingly.

The report highlights a troubling increase in the total number of vulnerabilities across all categories of enterprise
software, particularly in the number of exploited vulnerabilities, which increased by 22% in 2023.

The key trends, based on exploitability rates and the dynamics of RCE vulnerabilities within enterprise software
categories as well as specific applications, are outlined below.

TREND 1. Load Balancers Are Becoming an Attractive Target with a Record Exploitation Rate.

The trend that catches the eye first is the astonishingly high exploitation rate for NGINX (100%) and Citrix (57%). Vulnerabilities in load balancers pose significant risks, as a single exploit in these systems can provide broad access to, or disruption of, the targeted network. While the vulnerabilities reported for load balancers over the three-year period account for only 0.2% of all vulnerabilities analyzed, the impact of these severe vulnerabilities, exemplified by the infamous CitrixBleed, shows that a high exploitation rate can be a more significant indicator than the raw number of vulnerabilities.

For organizations, this means paying close attention to regular updates for Citrix load balancers, or evaluating alternatives in light of the company's needs.

TREND 2. Apple Operating Systems Are Increasingly Under Attackers' Radar.

Apple operating systems, MacOS and iOS, showed increased exploitation rates in 2023, 7% and 8% respectively, suggesting that attackers are increasingly exploiting these OS.

Even though MacOS reduced its total vulnerability count by 29%, it reported 50% more exploited vulnerabilities in 2023 than in 2022 (18 versus 12; see Table 5). While Windows desktop operating systems have the highest number of vulnerabilities, including critical and RCE, their exploitation rate remains stable at 4%, which indicates that Microsoft has a stable vulnerability management process with low fluctuation.

MS Windows Server 2016 is the absolute leader in terms of the total number of vulnerabilities. It also reported a record 177 RCEs in 2023. Although Linux reported fewer RCE vulnerabilities in 2023 than the other operating systems analyzed, totaling 13, their 63% surge is concerning, especially as it follows the 60% increase that brought the count to 8 RCEs in 2022. The growth in dangerous RCEs underscores the need for both Windows and Linux researchers to prioritize the discovery and mitigation of this type of vulnerability. For organizations, it highlights the need for proper patching. Nevertheless, our research shows that Linux is the OS least exposed to attacks on known vulnerabilities, owing to its small and further decreasing number of exploited vulnerabilities.

In the segment of mobile operating systems, the disparity between the total number of vulnerabilities and their exploitation is even greater between Google's and Apple's OS. Android reported an absolute record of 1421 vulnerabilities in 2023, with only 3 exploited, resulting in a low exploitation rate of 0.2%. In contrast, iOS reported 268 vulnerabilities last year, of which 20 were exploited, resulting in a significant exploitation rate of 8%. iOS is also the leader in RCE counts over the three years analyzed. These findings underscore the targeted nature of attacks on iOS devices, possibly due to the perception of the valuable data they store.

The increase in exploited vulnerabilities for MacOS and iOS is a concerning trend for Apple: the company is not managing to fix vulnerabilities before attackers exploit them. For organizations, this means not only ensuring regular updates for Apple OS but also implementing additional security measures for Mac devices.

Overall, vulnerabilities in operating systems account for around 75% of the vulnerabilities analyzed in this research.

The growth in critical RCEs calls for immediate attention from OS vendors, researchers, and organizations.

TREND 3. MSSQL RCE Vulnerabilities Surge 1600%, Highlighting Increased Risk of New Exploits.

In 2023, Microsoft SQL Server (MSSQL) experienced an astonishing 1600% surge in critical vulnerabilities, totaling 17, all of which are RCEs, raising immediate concerns for database administrators and cybersecurity teams. This spike, contrasting with previous years, signals a risk that attackers might one day be faster than researchers in discovering and exploiting the next unknown RCE. The current increase in known RCEs also suggests to attackers that other undiscovered RCE vulnerabilities may exist in this product.

MSSQL is a lucrative target for hackers due to its widespread use in enterprise environments, housing valuable data such as customer information and financial records. Wherever its listener is reachable over the network, it can be attacked from anywhere. Consequently, organizations must prioritize robust security measures to safeguard their MSSQL servers and prevent potential data breaches.

MySQL, despite having the highest total number of vulnerabilities over three years, shows promising progress with a 64% decrease in total vulnerabilities in 2023.

MSSQL experienced an astonishing 1600% surge in critical vulnerabilities, totaling 17, all RCEs.

TREND 4. Increased Exploitability of MS Office, Highlighting Attackers' Preference for Exploiting Human Error.

Microsoft Office has, as expected, the highest total number of vulnerabilities among the office apps analyzed and a worrying exploitation rate of 7%, up from 2% in 2022, illustrating threat actors' growing preference for exploiting user-facing software where human error can be leveraged. Additionally, its numerous critical vulnerabilities, accounting for around 80% of its overall vulnerability count annually, with 40%-50% of them being RCEs, raise significant concerns. This trend suggests we can expect more phishing attacks aimed at exploiting MS Office vulnerabilities.

This underscores the need for CISOs to enforce security awareness among employees and to enhance endpoint monitoring with endpoint protection systems, in addition to robust patching.

TREND 5. Spike in RCEs and Exploited Vulnerabilities Raises Concerns about Edge Security.

While Chrome has the highest number of total vulnerabilities over the three-year period analyzed, Edge's record 14 RCE vulnerabilities over the same timeframe, a number that continues to grow, is an alarming finding. Specifically, Edge's RCE count grew 17% in 2023, following a staggering 500% growth in 2022. This trend is concerning for the vendor, even though Edge has a relatively low total number of vulnerabilities. Overall, RCEs account for 1% of all vulnerabilities for Chrome and Firefox and 10% for Edge. Additionally, Edge reported 4 exploited vulnerabilities in 2023, resulting in a 7% exploitation rate for this web browser, an increase from 5% in 2022.

The fact that Edge faces an increase in RCE and exploited vulnerabilities, despite having a relatively low number of total vulnerabilities, suggests that Microsoft does not yet enforce a vulnerability management program for this web browser as rigorously as Google does for Chrome or Mozilla does for Firefox. This implies that it might not be a good idea to use Edge as the main corporate web browser.

Overall, vulnerabilities in web browsers account for around 13% of the vulnerabilities analyzed in this research.

* NOTE:

Security experts noted a significant drop in enrichment data uploads to the NVD starting February 12, 2024; the note above was written after enrichment was completely suspended on May 9, 2024. Within the next five days the vulnerability upload process resumed, albeit slowly, with a backlog of several months remaining.

Methodology

Data for this research was obtained from NVD and cvedetails.com. The criticality of vulnerabilities was classified as follows:

- Critical vulnerabilities have CVSS scores greater than 7.0.
- Moderate vulnerabilities have CVSS scores less than 7.0 but greater than 4.0.
- Low severity vulnerabilities have CVSS scores less than 4.0.

Note that "critical" in this report therefore covers both the High (7.0-8.9) and Critical (9.0-10.0) bands of the standard CVSS qualitative scale, and that scores of exactly 4.0 and 7.0 are not assigned to a band by the definitions above.

Enterprise software categories were defined based on popularity, criticality in use by organizations, and the total number of vulnerabilities found. Some categories, such as text editors, database management clients, cloud storage apps, and archivers, were excluded because the apps within them lacked a representative number of vulnerabilities, rendering them not relevant to this study.

The criteria for counting a vulnerability as exploited are based on the CISA KEV catalog.

We also kept track of RCE vulnerabilities, which are the most dangerous because they enable remote code execution on a target system via the vulnerable software.

Additionally, the report uses the exploitation rate as a metric for the ratio of exploited vulnerabilities to the total number of vulnerabilities. The exploitation rate formula** is as follows:

Exploitation rate = (number of exploited vulnerabilities / total number of vulnerabilities) * 100

This metric is valuable because it indicates the software's susceptibility to exploitation, highlighting the diligence of developers in preventing vulnerabilities rather than merely addressing them after they have been exploited by hackers. For example, if the metric is high, meaning that most known vulnerabilities were exploited despite a low total number of vulnerabilities, it can signify a lack of an efficient vulnerability management process in the vendor's organization. Conversely, if the metric is low, even with a high number of exploited vulnerabilities but a significantly larger total number of vulnerabilities, it can suggest a working vulnerability management process on the vendor's side. The latter scenario could also indicate that the product's code is either lacking in security or highly attractive to threat actors due to its popularity, as seen with Microsoft or Google. If the software has zero exploited vulnerabilities and a large number of total vulnerabilities, it is a sign of a proper patch management process at the vendor.

Although the exploitation rate formula alone is not sufficient to evaluate the risks associated with certain
software, it can be part of a broader set of metrics to measure a vendor’s security performance, especially if
combined with other qualitative and quantitative data points.

The data on vulnerabilities for 2021, including their types and exploitation rates, and the data on total vulnerabilities
over the three-year period analyzed, are presented in the Appendix.

In the tables with vulnerability data per category year over year, exclamation marks were added to highlight
dominating values of vulnerabilities in specific apps, whether by total number or by a specific type of vulnerability.

** DISCLAIMER:

- The formula only considers the number of exploited vulnerabilities in relation to the total number of known vulnerabilities. It does not take into account the severity of the vulnerabilities, the potential impact of exploitation, the number of exploitation attempts, or the ease of exploitation, criteria that should also be considered when evaluating the risks associated with a particular piece of software.

- Not all exploited vulnerabilities are reported, so the numerator in the formula may be underestimated. Similarly, not all vulnerabilities in software may have been discovered or disclosed.

- The timing of the patch release and of vulnerability exploitation are other important criteria that are not considered within the formula.
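As a worked example of the methodology above (an added illustration, not Action1's own code or data), the following Python computes one row of the report's tables from a list of CVE records: the severity bands, the RCE and exploited counts, the exploitation rate formula, and the year-over-year change with the tables' "N/A" convention for a prior-year count of zero. Two things it assumes because the report does not state them: a vulnerability counts as exploited when its CVE ID appears in a CISA KEV snapshot (here a constructed set), and, since the bands above leave scores of exactly 4.0 and 7.0 unassigned, the lower bound of each band is treated as inclusive, as in the CVSS qualitative scale. The CVE records are constructed sample data with made-up IDs and scores.

```python
"""Worked example of the report's methodology (added illustration, not Action1's code).

Assumptions not stated in the report:
  * a vulnerability counts as "exploited" when its CVE ID appears in the CISA KEV catalog;
  * the report's severity bands leave exactly 4.0 and 7.0 unassigned, so the lower bound of
    each band is treated as inclusive here (CVSS 7.0 -> critical, CVSS 4.0 -> medium);
  * RCE is a boolean attribute of the record (the report does not say how it derived it).
All CVE records and the KEV snapshot below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str
    product: str
    year: int      # year the CVE was published
    cvss: float    # CVSS base score as listed by NVD
    rce: bool      # True if the CVE allows remote code execution


# Constructed sample data: IDs, products and scores are made up for illustration.
SAMPLE_VULNS = [
    Vuln("CVE-2022-0001", "ExampleLB", 2022, 9.8, True),
    Vuln("CVE-2022-0002", "ExampleLB", 2022, 5.3, False),
    Vuln("CVE-2023-0003", "ExampleLB", 2023, 9.4, False),
    Vuln("CVE-2023-0004", "ExampleOS", 2023, 7.0, True),
    Vuln("CVE-2023-0005", "ExampleOS", 2023, 4.0, False),
    Vuln("CVE-2023-0006", "ExampleOS", 2023, 3.1, False),
    Vuln("CVE-2023-0007", "ExampleOS", 2023, 8.8, True),
]

# Constructed stand-in for the CISA KEV catalog (a set of CVE IDs).
SAMPLE_KEV = {"CVE-2023-0003", "CVE-2023-0007"}


def severity(cvss: float) -> str:
    """Map a CVSS score to the report's bands (lower bounds inclusive by assumption)."""
    if cvss >= 7.0:
        return "critical"
    if cvss >= 4.0:
        return "medium"
    return "low"


def summarize(vulns, kev, product, year):
    """Return the per-product counts one row of the report's tables is built from."""
    rows = [v for v in vulns if v.product == product and v.year == year]
    counts = Counter(severity(v.cvss) for v in rows)
    exploited = sum(1 for v in rows if v.cve_id in kev)
    total = len(rows)
    return {
        "all": total,
        "critical": counts["critical"],
        "medium": counts["medium"],
        "low": counts["low"],
        "rce": sum(1 for v in rows if v.rce),
        "exploited": exploited,
        # Exploitation rate per the report's formula; None when there is nothing to divide by.
        "exploitation_rate": round(100.0 * exploited / total, 1) if total else None,
    }


def yoy(current: int, previous: int):
    """Year-over-year change in percent, or 'N/A' when the previous year was zero,
    mirroring the convention used in the report's tables."""
    if previous == 0:
        return "N/A"
    return round(100.0 * (current - previous) / previous)


def report_row(vulns, kev, product, year):
    """One table row: this year's counts plus YoY change against the prior year."""
    cur = summarize(vulns, kev, product, year)
    prev = summarize(vulns, kev, product, year - 1)
    row = {"name": product, "year": year}
    for key in ("all", "critical", "medium", "low", "rce", "exploited"):
        row[key] = cur[key]
        row[f"{key}_yoy"] = yoy(cur[key], prev[key])
    row["exploitation_rate"] = cur["exploitation_rate"]
    # A tiny denominator makes the rate swing wildly; flag it rather than hide it.
    row["small_sample"] = cur["all"] < 10
    return row


if __name__ == "__main__":
    for product in ("ExampleLB", "ExampleOS"):
        print(report_row(SAMPLE_VULNS, SAMPLE_KEV, product, 2023))
```

The `small_sample` flag is the check a practitioner wants before reading a rate like NGINX's 100%: with a denominator of one, the rate is arithmetically correct but carries no information on its own, so the absolute counts should always be reported next to it.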

Enterprise Software Categories

Desktop Operating Systems: MS Windows 10, MS Windows Server 2016, MacOS, Linux
Mobile Operating Systems: iOS, Android, HarmonyOS
Office Apps: Microsoft Office, LibreOffice, OpenOffice
Remote Management Software: TeamViewer, DameWare, Splashtop, AnyDesk, RealVNC
Document Viewers: Adobe Reader, Foxit Reader, Nitro PDF
Password Manager Clients: KeePass, KeePassXC, 1Password, Bitwarden, LastPass
Antiviruses: Avast, Bitdefender, Malwarebytes, ESET, Kaspersky, McAfee
Image Editors: Adobe Photoshop, GIMP, Paint.NET, Adobe Illustrator
VPN Clients: Cisco AnyConnect, FortiClient, OpenVPN, WireGuard
Web Browsers: Chrome, Firefox, Edge
Load Balancers: HAProxy, Citrix, NGINX
Databases: MSSQL, MySQL, Oracle, PostgreSQL



Software Vulnerability Ratings

TABLE 1. TOP EXPLOITED SOFTWARE IN 2023 VS. 2022

Name                   | Exploitation Rate 2023 | Exploitation Rate 2022
NGINX                  | 100% (new)             | 0
Citrix                 | 57% (new)              | 0
iOS                    | 8%                     | 4%
Microsoft Office       | 7%                     | 2%
MacOS                  | 7%                     | 3%
Edge                   | 7%                     | 5%
MS Windows Server 2016 | 4%                     | 4%
MS Windows 10          | 4%                     | 4%
Firefox                | 3%                     | 4%
Adobe Reader           | 2%                     | 0

In 2023, the software analyzed in this research exhibited the highest exploitation rates of the three years under review, indicating an intensified threat landscape. The table above lists the applications with the highest exploitation rates in 2023 alongside their 2022 rates, so that changes can be observed where applicable. Software marked 'new' reported exploited vulnerabilities for the first time within the three-year period analyzed, that is, in 2023 only. This highlights an emerging trend among attackers of exploiting perimeter software, specifically load balancers.



What immediately draws attention is NGINX's 100% exploitation rate. Notably, this percentage comes from a single reported vulnerability that was exploited, so the rate rests on a denominator of one and should be read together with the absolute counts given in the Appendix. This scenario is exceptional; we did not observe it with any other of the 47 software applications presented in this report.*** These findings suggest that NGINX may lack sufficient vulnerability management and remediation processes and might even be prone to other vulnerabilities that have not been disclosed. Overall, NGINX should pay attention to its vulnerability management program.

Another significant finding is Citrix, with an exploitation rate of 57%, which experienced several exploited vulnerabilities, including the one known as CitrixBleed.

Additionally, there are unusually high exploitation rates for iOS, Microsoft Office, MacOS, and Microsoft Edge in
2023, all showing a significant increase from 2022.

A concerning trend of the growth in exploitation rates may continue in 2024.

Note: The exploitation rate values here and in the main part of the report have been rounded for ease of visual
perception and clarity. Detailed values with decimal places are provided in the Appendix.

*** No other application among the 62 analyzed had a single reported vulnerability that was also exploited. (15 of the 62 applications were excluded from detailed analysis in this report due to the low significance of the findings, leaving the 47 presented here.)



Vulnerability Analysis and Year-Over-
Year Comparison

Vulnerability Summary Overview

The report reveals a concerning trend for cybersecurity specialists: the overall number of vulnerabilities has
increased from 2021 to 2023 across software categories analyzed, as well as the number of exploited and RCE
vulnerabilities.

TABLE 2. TOTAL VULNERABILITIES, EXPLOITED, RCE, BY YEAR

                    | 2021 | 2022 | 2023
All Vulnerabilities | 3942 | 4449 | 4359
RCE                 | 519  | 536  | 540
Exploited           | 74   | 88   | 107



For many categories, the number of critical vulnerabilities remains high or has increased since 2021, underscoring the constant intensity of the threat landscape and the need for prioritized patch management. Critical vulnerabilities outnumber medium vulnerabilities in 10 of the 13 groups in Table 3.

TABLE 3. TOTAL CRITICAL VS. TOTAL MEDIUM BY CATEGORY

Category Name              | Total Critical 2021-2023 | Total Medium 2021-2023
Desktop Operating Systems  | 3393                     | 1435
Mobile Operating Systems   | 2188                     | 2390
Office Apps                | 226                      | 51
Remote Management Software | 12                       | 4
Document Viewers           | 270                      | 148
Password Manager Clients   | 4                        | 8
Antivirus                  | 61                       | 25
Image Editors              | 86                       | 44
Video Editors              | 39                       | 16
Web Browsers               | 1024                     | 624
VPN Clients                | 42                       | 17
Load Balancers             | 25                       | 5
Databases                  | 37                       | 263



Desktop operating systems and mobile operating systems have a significantly higher number of reported
vulnerabilities compared to other groups, accounting for 75% of all vulnerabilities examined in our research. This
proportion underscores that operating systems are a consistent target area for attackers due to their widespread
use and critical role in IT infrastructures.

TABLE 4. TOTAL VULNERABILITIES BY CATEGORY

Category Name              | Total Vulnerabilities 2021-2023 | Percentage
Desktop Operating Systems  | 4885                            | 38.4%
Mobile Operating Systems   | 4760                            | 37.4%
Office Apps                | 279                             | 2.2%
Remote Management Software | 17                              | 0.1%
Document Viewers           | 418                             | 3.3%
Password Manager Clients   | 12                              | 0.1%
Antivirus                  | 86                              | 0.7%
Image Editors              | 130                             | 1.0%
Video Editors              | 57                              | 0.4%
Web Browsers               | 1655                            | 13.0%
VPN Clients                | 60                              | 0.5%
Load Balancers             | 30                              | 0.2%
Databases                  | 322                             | 2.5%
Total                      | 12711                           |



Desktop Operating Systems

TABLE 5. DESKTOP OS VULNERABILITIES 2023 ANALYSIS (YoY = change vs. 2022)

Name                      | All  | YoY  | Critical | YoY  | Medium | YoY | Low | YoY   | RCE | YoY  | Exploited | YoY
Desktop Operating Systems | 1562 | -9%  | 1033     | -15% | 504    | 5%  | 25  | 47%   | 396 | 1%   | 56        | 0%
MS Windows 10             | 489  | -6%  | 388      | -8%  | 101    | 1%  | 0   | -100% | 156 | 8%   | 17        | -15%
MS Windows Server 2016    | 501  | -3%  | 390      | -6%  | 111    | 12% | 0   | -100% | 177 | 13%  | 18        | 0%
MacOS                     | 260  | -29% | 113      | -53% | 126    | 6%  | 21  | 200%  | 50  | -39% | 18        | 50%
Linux                     | 312  | 1%   | 142      | 1%   | 166    | 2%  | 4   | -50%  | 13  | 63%  | 3         | -50%

TABLE 6. DESKTOP OS VULNERABILITIES 2022 ANALYSIS (YoY = change vs. 2021)

Name                      | All  | YoY  | Critical | YoY  | Medium | YoY  | Low | YoY | RCE | YoY | Exploited | YoY
Desktop Operating Systems | 1709 | 6%   | 1212     | 6%   | 480    | 6%   | 17  | 13% | 391 | 27% | 56        | 30%
MS Windows 10             | 521  | 7%   | 420      | 11%  | 100    | -7%  | 1   | 0%  | 144 | 25% | 20        | 33%
MS Windows Server 2016    | 514  | 2%   | 414      | 6%   | 99     | -12% | 1   | 0%  | 157 | 25% | 18        | 13%
MacOS                     | 364  | -21% | 238      | -20% | 119    | -25% | 7   | 40% | 82  | 30% | 12        | 0%
Linux                     | 310  | 91%  | 140      | 75%  | 162    | 119% | 8   | 0%  | 8   | 60% | 6         | 0%



Key Takeaways:

The number of RCE vulnerabilities has been increasing for Windows and Linux for two years in a row. In Windows Server 2016, the number of RCE vulnerabilities increased by 13% in 2023, totaling 177, and by 25% in 2022, totaling 157. In Windows 10, it increased by 8% in 2023, totaling 156, and by 25% in 2022, totaling 144. Linux reports a smaller number of RCE vulnerabilities in 2023, totaling 13, but its 63% surge is concerning, especially as it follows the 60% increase that brought the count to 8 RCEs in 2022. This negative trend suggests a need to closely monitor developments in Linux operating systems in 2024.

Apple has reduced its total number of vulnerabilities steadily, by 29% in 2023 and by 21% in 2022. Additionally, it reduced the number of critical vulnerabilities in MacOS by an astonishing 62% over 2021-2023. However, it reported a significant number of exploited vulnerabilities in 2023, resulting in an exploitation rate of 7%, which suggests that MacOS may be increasingly exposed to attacks that exploit known vulnerabilities.

From 2021 to 2023, MS Windows Server 2016 reported the highest total number of vulnerabilities, totaling 1518. It also recorded the highest number of critical vulnerabilities over the same period, with 1194 reported. In contrast, Linux reported the smallest number of vulnerabilities over the same period, with only 784.

While Windows operating systems have many vulnerabilities, including critical and RCE, their exploitation rates have not deteriorated, suggesting improved security responses. Every year there is a stable 3-4% exploitation rate, which shows that Microsoft has a stable vulnerability management process with low fluctuation.

Linux is the OS least exposed to attacks on known vulnerabilities, owing to its small number of exploited vulnerabilities, which is decreasing further.

OTHER TAKEAWAYS:

The total number of vulnerabilities reported for desktop operating systems in 2023 was 1562, a downward trend from the 1709 reported in 2022 and even from the 1614 reported in 2021. Microsoft's trend is stable: it reports around 500 vulnerabilities per product per year.

Another notable finding is that the numbers of vulnerabilities reported for MS Windows 10 and MS Windows Server 2016 are very similar, even though they are two different versions of the same operating system. This is expected, since the two share a code base: the same CVE typically affects both products and therefore appears in both rows.

While MacOS may not have as many critical vulnerabilities as some other operating systems, it still has a significant number of vulnerabilities that could harm the system; specifically, it has a high number of medium-severity vulnerabilities, with 403 reported in 2021-2023.

It is also notable that the number of exploited vulnerabilities reported for the Windows systems and for MacOS is very similar: in 2023, Windows Server 2016 and MacOS each reported 18, and MS Windows 10 reported 17, which challenges common perceptions about their relative security.

In 2022 and 2023, Linux leads in the number of medium-severity vulnerabilities. Additionally, while its number of critical vulnerabilities is generally lower than in the other operating systems analyzed, it increases every year. Although its RCE count and exploitation rate remain significantly lower, underscoring its strength in certain aspects of security, the overall trend of growing vulnerabilities could affect its reputation if it continues.

Our analysis underscores the continuing evolution of threats and the need for proactive security strategies across all operating systems.
Mobile Operating Systems

TABLE 7. MOBILE OS VULNERABILITIES 2023 ANALYSIS (YoY = change vs. 2022)

Name                     | All  | YoY  | Critical | YoY  | Medium | YoY  | Low | YoY  | RCE | YoY  | Exploited | YoY
Mobile Operating Systems | 1883 | 9%   | 685      | -21% | 1152   | 51%  | 46  | -54% | 67  | -25% | 23        | 109%
iOS                      | 268  | 10%  | 121      | -22% | 122    | 54%  | 25  | 178% | 43  | -40% | 20        | 100%
Android                  | 1421 | 16%  | 401      | -19% | 1001   | 54%  | 19  | -77% | 24  | 41%  | 3         | 200%
HarmonyOS                | 194  | -25% | 163      | -23% | 29     | -15% | 2   | -80% | 0   | N/A  | 0         | N/A

TABLE 8. MOBILE OS VULNERABILITIES 2022 ANALYSIS (YoY = change vs. 2021)

Name                     | All  | YoY  | Critical | YoY  | Medium | YoY  | Low | YoY  | RCE | YoY   | Exploited | YoY
Mobile Operating Systems | 1723 | 49%  | 862      | 34%  | 761    | 60%  | 100 | 178% | 89  | 31%   | 11        | -21%
iOS                      | 243  | -36% | 155      | -35% | 79     | -40% | 9   | -18% | 72  | 85%   | 10        | -29%
Android                  | 1223 | 86%  | 494      | 55%  | 648    | 104% | 81  | 286% | 17  | -39%  | 1         | N/A
HarmonyOS                | 257  | 118% | 213      | 148% | 34     | 21%  | 10  | 150% | 0   | -100% | 0         | N/A



Although iOS shows a decrease in total vulnerabilities from 2021 to 2023, it is the leader in total RCE count over the three years analyzed. Additionally, its number of exploited vulnerabilities doubled in 2023, to 20, giving an exploitation rate of 8% and highlighting the growing targeted nature of attacks, possibly due to the perception of valuable data stored on iOS devices.

The top RCE count and high exploitation rate highlight the growing targeted nature of attacks against iOS devices.

Despite a negative trend of steady growth in vulnerabilities, totaling an absolute record of 3,300 over the three years, Android reported only 69 RCE vulnerabilities and 4 instances of exploitation over that period within our research, resulting in a low exploitation rate of 0.2% in 2023, 0.1% in 2022, and 0% in 2021. A low rate of exploitation and a low number of RCE vulnerabilities suggest potential resilience against sophisticated threats. This finding also challenges the prevailing perception of Android's susceptibility to attacks. Despite its expansive attack surface, potentially attributable to its open-source nature and higher market share, the low number of exploited vulnerabilities suggests either effective mitigation strategies or reduced interest from attackers in exploiting these vulnerabilities.

Android's low exploitation rate and RCE vulnerability count suggest potential resilience against high-level threats.

HarmonyOS, with its high share of critical vulnerabilities but minimal RCE and exploitation instances, presents a unique security profile that warrants close observation as it continues to grow. At the same time, HarmonyOS's high percentage of critical vulnerabilities, despite its lower total number, suggests that the vulnerabilities affecting it may be more severe on average, a critical insight for users and developers.

Overall, mobile operating systems saw an increase from 1154 vulnerabilities in 2021 to 1883 in 2023, highlighting the growing importance of mobile security.



Office Apps

TABLE 9. OFFICE APPS 2023 VULNERABILITIES ANALYSIS (YoY = change vs. 2022)

Name             | All | YoY | Critical | YoY  | Medium | YoY  | Low | YoY | RCE | YoY   | Exploited | YoY
Office Apps      | 93  | 31% | 78       | 59%  | 14     | -33% | 1   | 0%  | 32  | 14%   | 6         | 500%
Microsoft Office | 85  | 33% | 72       | 67%  | 12     | -40% | 1   | 0%  | 32  | 19%   | 6         | 500%
LibreOffice      | 5   | 0%  | 3        | -25% | 2      | 100% | 0   | N/A | 0   | -100% | 0         | N/A
OpenOffice       | 3   | 50% | 3        | 50%  | 0      | N/A  | 0   | N/A | 0   | N/A   | 0         | N/A

TABLE 10. OFFICE APPS 2022 VULNERABILITIES ANALYSIS (YoY = change vs. 2021)

Name             | All | YoY  | Critical | YoY  | Medium | YoY                 | Low | YoY | RCE | YoY  | Exploited | YoY
Office Apps      | 71  | -38% | 49       | -51% | 21     | 31%                 | 1   | N/A | 28  | -44% | 1         | -86%
Microsoft Office | 64  | -38% | 43       | -53% | 20     | 54%                 | 1   | N/A | 27  | -46% | 1         | -86%
LibreOffice      | 5   | 25%  | 4        | 33%  | 1      | 0%                  | 0   | N/A | 1   | N/A  | 0         | N/A
OpenOffice       | 2   | -71% | 2        | -60% | 0      | (missing in source) | 0   | N/A | 0   | N/A  | 0         | N/A



In 2023, Microsoft Office showed a significant exploitation rate of 7%, up from 2% in 2022 (in 2021 it was 7%, too). This illustrates its attractiveness to threat actors and reflects attackers' preference for exploiting user-facing software where human error can often be leveraged. Microsoft Office's numerous critical vulnerabilities, accounting for around 80% of its overall vulnerability count annually, with roughly 40%-50% of them being RCEs, along with its numerous exploited vulnerabilities, raise growing concerns.

MS Office's growing number of critical, RCE, and exploited vulnerabilities illustrates its increased attractiveness to threat actors.

Specifically, in 2023 the total number of vulnerabilities in Microsoft Office increased by 33%, critical vulnerabilities by an astonishing 67%, RCE vulnerabilities by 19%, and exploited vulnerabilities by 500%. Of the 85 vulnerabilities detected, 72 were critical and 32 were RCEs. Microsoft Office is the only one of the three applications with exploited vulnerabilities: 6 in 2023 and 14 over the period analyzed. This illustrates that Microsoft Office, with its large user base and integral role in organizations' operations, is a preferred tool for attackers in phishing campaigns. They lure users with "important" documents carrying malicious content that gives them control over the victim's system.

OpenOffice has the lowest total number of vulnerabilities among the three, which could be interpreted as it being the safer option or as it being a less audited and tested product. OpenOffice saw a decrease in the total number of reported vulnerabilities from 2021 to 2023.

Neither LibreOffice nor OpenOffice had any vulnerabilities exploited over the analyzed period. The low vulnerability numbers for LibreOffice and OpenOffice suggest less focus from attackers and security researchers. We do not believe that they benefit from their open-source nature in terms of faster vulnerability identification and remediation.

Software Vulnerability Ratings Report 2024 20
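The phishing pattern described above, a document that carries a macro or pulls code from outside, is something a mail gateway or a triage script can check for before the file reaches a user. The following Python is an added example written for this page; it is not Action1's tooling and not part of the report. It opens an Office Open XML package (.docx, .docm, .xlsm and similar files are zip archives) and flags an embedded VBA project part, a macro content-type declaration, and relationships that point outside the package (remote templates, external OLE objects, UNC or file: targets). The sample documents are constructed in memory for the test, and the relationship types it flags are a short list chosen for the example, not the complete set of abusable ones.

```python
"""Triage check for Office Open XML documents (added example, not from the report).

A .docx/.docm/.xlsx/.xlsm/.pptx file is a zip package. Three things inside it
are worth flagging before a user opens the file:
  1. an embedded VBA project part (word/vbaProject.bin, xl/vbaProject.bin, ...)
  2. a [Content_Types].xml override declaring the VBA project content type
  3. relationships with TargetMode="External" of a type that lets the document
     pull content or code from elsewhere (remote template, OLE link, frame) or
     whose target is a UNC path or file: URL
The sample packages built below are constructed test data, not real documents.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
OFFICE_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Relationship types flagged when external. A short list chosen for this example;
# ordinary https hyperlinks are deliberately not on it because they are too common.
EXTERNAL_REL_TYPES = ("attachedTemplate", "oleObject", "frame")
LOCAL_TARGET_PREFIXES = ("\\\\", "file:")


def scan_ooxml(package: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()

        # 1. VBA project part anywhere in the package
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"vba-project:{name}")

        # 2. macro content-type declaration
        if "[Content_Types].xml" in names:
            types = ET.fromstring(z.read("[Content_Types].xml"))
            for override in types.iter(f"{{{CT_NS}}}Override"):
                if override.get("ContentType") == VBA_CONTENT_TYPE:
                    findings.append(f"macro-content-type:{override.get('PartName')}")

        # 3. external relationships in every .rels part
        for name in names:
            if not name.endswith(".rels"):
                continue
            rels = ET.fromstring(z.read(name))
            for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel_type in EXTERNAL_REL_TYPES or target.lower().startswith(LOCAL_TARGET_PREFIXES):
                    findings.append(f"external-{rel_type}:{target}")
    return findings


def build_sample_docx(with_macro: bool, remote_template: Optional[str]) -> bytes:
    """Construct a minimal Word package in memory (constructed test data)."""
    main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    settings_rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL_BASE}styles" Target="styles.xml"/>']
    if remote_template:
        settings_rels.append(
            f'<Relationship Id="rId2" Type="{OFFICE_REL_BASE}attachedTemplate" '
            f'Target="{remote_template}" TargetMode="External"/>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if with_macro:
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
        overrides_xml = "".join(overrides)
        rels_xml = "".join(settings_rels)
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}">{overrides_xml}</Types>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{OFFICE_REL_BASE}officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", f'<Relationships xmlns="{REL_NS}">{rels_xml}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("clean", build_sample_docx(False, None)),
        ("macro", build_sample_docx(True, None)),
        ("remote-template", build_sample_docx(False, "http://203.0.113.5/invoice.dotm")),
    )
    for label, pkg in samples:
        print(label, scan_ooxml(pkg) or "no findings")
```

A finding is a reason to quarantine or sandbox the file, not proof of malice: macro-enabled workbooks and linked OLE objects are legitimate in many organizations, so the practical deployment is to route flagged attachments to a detonation sandbox and to log the external targets, which are often the first visible indicator of a campaign.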


Remote Management Software

TABLE 11. REMOTE MANAGEMENT SOFTWARE 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Remote Management Software      2   -67%      1   -75%      1     0%      0  -100%      0  -100%      0    N/A
TeamViewer                      1   -67%      0  -100%      1     0%      0  -100%      0  -100%      0    N/A
DameWare                        0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
Splashtop                       0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
AnyDesk                         1     0%      1     0%      0    N/A      0    N/A      0    N/A      0    N/A
RealVNC                         0  -100%      0  -100%      0    N/A      0    N/A      0    N/A      0    N/A

TABLE 12. REMOTE MANAGEMENT SOFTWARE 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Remote Management Software      6   -33%      4   -43%      1   -50%      1    N/A      2   100%      0    N/A
TeamViewer                      3    50%      1   -50%      1    N/A      1    N/A      2   100%      0    N/A
DameWare                        0  -100%      0  -100%      0    N/A      0    N/A      0    N/A      0    N/A
Splashtop                       0  -100%      0  -100%      0    N/A      0    N/A      0    N/A      0    N/A
AnyDesk                         1   -67%      1   -50%      0    N/A      0    N/A      0    N/A      0    N/A
RealVNC                         2   100%      2    N/A      0    N/A      0    N/A      0    N/A      0    N/A


The data indicates a positive trend in the decreasing number of vulnerabilities in remote management software over the analyzed period, particularly in the reduction of RCE and total vulnerabilities. This is significant, considering that such software has always been targeted by hackers. Specifically, the five products analyzed reported only 2 vulnerabilities in 2023, 6 in 2022, and 9 in 2021. Although TeamViewer reported 2 RCEs in 2022 and 1 in 2021, it reversed this trend to 0 in 2023. No other vendor reported RCEs during the analyzed period.

No exploited vulnerabilities were recorded for this category. That is a good sign, but it should not be read as proof that these products are not abused: remote management tools are routinely misused by attackers through stolen, weak or default credentials, or by installing a legitimate client on an already compromised host, and neither of those shows up as a CVE. Treat the zero as "no known exploited software flaws" and keep monitoring installations and logins of these tools regardless.

The trend of critical vulnerabilities is also decreasing, which is promising. The highest number of critical vulnerabilities over the three years was found in AnyDesk (4), followed by TeamViewer (3), with RealVNC and Splashtop sharing third place (2 each).

AnyDesk's single 2023 vulnerability was critical, as were 4 of its 5 vulnerabilities over the three years, highlighting the need for continued vigilance even in years when fewer vulnerabilities are reported overall.


Document Viewers

TABLE 13. DOCUMENT VIEWERS 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Document Viewers               98   -23%     64   -14%     34   -36%      0    N/A      4   -60%      2    N/A
Adobe Reader                   92   -27%     58   -21%     34   -36%      0    N/A      3   -70%      2    N/A
Foxit Reader                    6   500%      6   500%      0    N/A      0    N/A      1    N/A      0    N/A
Nitro PDF                       0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A

TABLE 14. DOCUMENT VIEWERS 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; - = not given in the source; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Document Viewers              127   -34%     74   -44%     53   -13%      0    N/A     10   -84%      0  -100%
Adobe Reader                  126    37%     73    26%     53    56%      0    N/A     10   900%      0  -100%
Foxit Reader                    1   -99%      1   -99%      0      -      0    N/A      0  -100%      0    N/A
Nitro PDF                       0  -100%      0  -100%      0    N/A      0    N/A      0    N/A      0    N/A


The number of RCE vulnerabilities reported for PDF viewers is generally decreasing over the period analyzed, suggesting improved security measures. In 2021, Foxit Reader reported an astonishing 63 RCE vulnerabilities and Adobe Reader 1; in 2022, Foxit Reader disclosed 0 RCEs and Adobe Reader 10; in 2023, Foxit Reader showed 1 RCE and Adobe Reader 3.

Adobe Reader is the most targeted PDF viewer analyzed, accounting for 74% of all vulnerabilities in the category, stressing the need for proactive vulnerability management and updates. Notably, it is also the only PDF viewer with exploited vulnerabilities: 2 in 2023 and 1 in 2021. Adobe Reader has consistently reported a high number of vulnerabilities over the years, with a total of 310, a significant portion of which are critical (58 of 92 in 2023 and 73 of 126 in 2022).

The number of RCE vulnerabilities reported for PDF viewers is decreasing.

An unusual trend is observed in Foxit PDF Reader, which went from 98 vulnerabilities in 2021 to 1 in 2022 and 6 in 2023, a decrease of more than 90% that deserves scrutiny rather than celebration. Additionally, 71 of its 98 vulnerabilities disclosed in 2021 were rated as critical, and 63 as RCEs. The sharp drop in subsequent years may indicate an aggressive response to this issue or serious changes in their vulnerability management program; it may also simply reflect how many CVE identifiers were assigned per advisory in each year, since a batch of similar parser bugs reported together can produce dozens of CVEs at once. Either way, a spike in 2024 is possible, so it is something to keep an eye on.

Nitro PDF had the fewest vulnerabilities among the three, with only 3 reported in 2021 and none in the subsequent two years. This could indicate a smaller user base, making it a less attractive target, or less thorough vulnerability detection and reporting mechanisms.


Password Managers

TABLE 15. PASSWORD MANAGERS 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Password Manager Clients        6   100%      3   200%      3    50%      0    N/A      0    N/A      0    N/A
Keepass                         2   100%      1     0%      1    N/A      0    N/A      0    N/A      0    N/A
Keepass XC                      1    N/A      0    N/A      1    N/A      0    N/A      0    N/A      0    N/A
1Password                       0  -100%      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
Bitwarden                       3    N/A      2    N/A      1    N/A      0    N/A      0    N/A      0    N/A
LastPass                        0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A

TABLE 16. PASSWORD MANAGERS 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Password Manager Clients        3     0%      1    N/A      2   -33%      0    N/A      0  -100%      0    N/A
Keepass                         1    N/A      1    N/A      0    N/A      0    N/A      0    N/A      0    N/A
Keepass XC                      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
1Password                       2   -33%      0    N/A      2   -33%      0    N/A      0  -100%      0    N/A
Bitwarden                       0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
LastPass                        0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A


Password manager vendors are seeing a growing number of vulnerabilities reported in their products, likely a result of the increasing popularity of password managers among regular users. The total number of vulnerabilities reported for password managers in 2023 was 6, double the 3 reported in 2022 and the 3 reported in 2021, although the absolute numbers remain small.

Keepass XC has the fewest vulnerabilities among the products with any reported, with its sole vulnerability appearing in 2023.

Keepass reports only 3 vulnerabilities over three years, with a slight increase noted in 2023.

While LastPass reported no vulnerabilities across the years analyzed, its 2022 breach suggests that its security is not impervious, and it may be susceptible to older vulnerabilities.

1Password has encountered 5 vulnerabilities over the three-year period, with a downward trend observed in 2023.

Bitwarden reported only 3 vulnerabilities in 2023. The sudden increase in Bitwarden's vulnerabilities in 2023, following years with none reported, may prompt questions regarding newly introduced features, heightened scrutiny due to growing popularity, or changes in their vulnerability assessment processes.

LastPass stands out for having no reported vulnerabilities across all years, which could indicate either an excellent security posture or potentially underreported/undiscovered vulnerabilities. However, the 2022 breach, in which attackers compromised LastPass's own infrastructure and copied backups of customer vaults, shows that the CVE count for the client does not capture the whole risk for a service that stores vaults centrally: that compromise happened without any flaw in the software installed on the endpoint. Although the incident falls outside the CVE data this research covers, its consequences persist for users whose vault data was taken, so it is advisable to track vendor incident disclosures as well as CVEs for this software.


Antiviruses

TABLE 17. ANTIVIRUSES 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Antivirus                      21     5%     14   -13%      7    75%      0    N/A      0  -100%      0    N/A
Avast                           6    50%      4    33%      2   100%      0    N/A      0  -100%      0    N/A
Bitdefender                     2   -67%      2   -60%      0    N/A      0    N/A      0    N/A      0    N/A
Malwarebytes                    6   500%      5   400%      1    N/A      0    N/A      0    N/A      0    N/A
Eset                            3   -40%      3   -25%      0    N/A      0    N/A      0    N/A      0    N/A
Kaspersky                       0  -100%      0  -100%      0    N/A      0    N/A      0  -100%      0    N/A
McAfee                          4   300%      0  -100%      4    N/A      0    N/A      0  -100%      0    N/A

TABLE 18. ANTIVIRUSES 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Antivirus                      20   -56%     16   -48%      4   -71%      0    N/A      3   -25%      0  -100%
Avast                           4   -43%      3   -50%      1     0%      0    N/A      1    N/A      0    N/A
Bitdefender                     6   -57%      5   -50%      1   -75%      0    N/A      0  -100%      0    N/A
Malwarebytes                    1     0%      1     0%      0    N/A      0    N/A      0    N/A      0    N/A
Eset                            5   150%      4    N/A      1   -50%      0    N/A      0    N/A      0    N/A
Kaspersky                       3   -63%      2   -60%      1   -67%      0    N/A      1    N/A      0    N/A
McAfee                          1   -92%      1   -89%      0    N/A      0    N/A      1     0%      0  -100%


Bitdefender and Kaspersky show a steadily decreasing trend in vulnerabilities over the three-year period, while the others fluctuate. Bitdefender cut its total vulnerabilities by 57% in 2022 and by a further 67% in 2023, and its critical vulnerabilities by 50% and 60% respectively. This steady decrease suggests that the potential impact of these vulnerabilities was significant enough for the company to improve its critical vulnerability remediation strategies. Avast and Malwarebytes stand out with 6 total vulnerabilities each in 2023, a 50% and a 500% YoY increase respectively.

RCE vulnerabilities have been identified in Avast, Bitdefender, Kaspersky, and McAfee over the three-year period, with Bitdefender having the most (3, all in 2021). Since RCEs can allow attackers to run arbitrary code on victim machines, their presence is concerning despite the low numbers, and more so in this category than in most others: an antivirus engine runs with the highest privileges on the endpoint, so code execution in it is code execution as SYSTEM or root. The lack of widespread exploitation of these vulnerabilities may indicate that antivirus vendors are generally quick to patch them, or that these vulnerabilities are not easily exploitable. At the same time, the single exploited vulnerability in McAfee back in 2021 demonstrates that risks to end users can materialize.

While there are variations in the number and severity of vulnerabilities across antivirus vendors, the overall trend suggests security improvements.


Image Editors

TABLE 19. IMAGE EDITORS 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Image Editors                  32   -52%     23   -36%      9   -71%      0    N/A      1   -80%      0    N/A
Adobe Photoshop                14   -52%      6   -76%      8   100%      0    N/A      0  -100%      0    N/A
Gimp                            0  -100%      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
Paint.Net                       0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
Adobe Illustrator              18   -50%     17    55%      1   -96%      0    N/A      1     0%      0    N/A

TABLE 20. IMAGE EDITORS 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Image Editors                  67   116%     36    33%     31   675%      0    N/A      5   150%      0    N/A
Adobe Photoshop                29    93%     25    79%      4   300%      0    N/A      4    N/A      0    N/A
Gimp                            2   100%      0  -100%      2    N/A      0    N/A      0    N/A      0    N/A
Paint.Net                       0    N/A      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A
Adobe Illustrator              36   140%     11    -8%     25   733%      0    N/A      1   -50%      0    N/A


The analysis reveals a stark contrast in the vulnerability landscape between Adobe and non-Adobe image editors, with Adobe products having more vulnerabilities.

A smaller number of vulnerabilities in non-Adobe software can indicate better inherent security, less scrutiny by researchers, a smaller user base, or simply that these free tools (GIMP is open source) are not direct competitors to Adobe.

Both Adobe Photoshop and Illustrator have a high number of vulnerabilities, with critical vulnerabilities making up a significant portion. Notably, although there is a 50%-52% decrease in the overall vulnerability number for both Adobe image editors, Illustrator reported 55% more critical vulnerabilities in 2023 than in 2022, indicating increased security risks for this specific editor.

Both Illustrator and Photoshop reported RCE vulnerabilities over 2021-2023, 4 each, but none of those were actively exploited. This is a positive sign, indicating either a quick response time by the vendor to patch vulnerabilities or a lack of interest by attackers in exploiting these vulnerabilities.

Both Illustrator and Photoshop reported RCE vulnerabilities over 2021-2023, but none of those were actively exploited.

At the same time, the trend toward fewer vulnerabilities in Adobe products in 2023 may indicate improved security measures.

Paint.Net stands out with zero reported vulnerabilities over the three years. This could reflect exceptional security measures, low reporting/disclosure rates, or possibly a lower detection rate due to a smaller user base or other factors. The absolute lack of reported vulnerabilities makes Paint.Net noteworthy.


Web Browsers

TABLE 21. WEB BROWSERS 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Web Browsers                  536    -3%    294   -19%    238    29%      4   100%     14   133%     14   -22%
Chrome                        296   -17%    180   -30%    115    15%      1    N/A      5    N/A      5   -50%
Firefox                       180    15%     87     6%     91    23%      2   100%      2    N/A      5   -17%
Edge                           60    62%     27     8%     32   191%      1     0%      7    17%      4   100%

TABLE 22. WEB BROWSERS 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Web Browsers                  551    -3%    364    -1%    185    -8%      2   100%      6     0%     18   157%
Chrome                        357     1%    257     3%    100    -3%      0    N/A      0  -100%     10    67%
Firefox                       157    17%     82    28%     74     7%      1     0%      0    N/A      6    N/A
Edge                           37   -54%     25   -52%     11   -62%      1    N/A      6   500%      2   100%


Unsurprisingly, Chrome has the highest total number of vulnerabilities reported over the three years, with 1,006 vulnerabilities. It leads significantly over Firefox (471 vulnerabilities) and Edge (178 vulnerabilities). This suggests that Chrome's massive codebase and extensive feature set may contribute to a larger attack surface. Additionally, Edge shares the same engine as Chrome, and most Chrome vulnerabilities affect Edge as well, so the much lower Edge counts in the tables reflect Edge-specific advisories rather than its full exposure, which is closer to Chrome's.

While Chrome has the highest number of total vulnerabilities over the three-year period analyzed, Edge's record number of 14 RCE vulnerabilities over the same timeframe, which continues to grow, is an alarming insight for us. Specifically, Edge's RCEs rose by 17% in 2023, following a staggering 500% growth in 2022. This trend is concerning for the vendor, despite Edge having a relatively lower total number of vulnerabilities. Overall, RCEs account for about 1% of all vulnerabilities for Chrome and Firefox and about 8% for Edge (14 of 178).

Edge's record number of 14 RCE vulnerabilities over three years, which continues to grow, is alarming.

Firefox shows a steady increase in critical vulnerabilities, surging by 28% in 2022 and by 6% in 2023, which may necessitate the vendor to strengthen security. The overall number of vulnerabilities is also growing.

While Chrome leads in the number of critical vulnerabilities reported each year, reflecting both its widespread use and possibly its greater emphasis on reporting and patching vulnerabilities, it's worth noting that Chrome's critical vulnerabilities dropped by 30% in 2023, suggesting improvements. Another explanation for this could be a change in classification or reporting mechanisms, as the number of medium vulnerabilities increased by 15%.

Notably, Chrome reduced its exploited vulnerabilities by 50% in 2023, totaling 5 and bringing it to the same number as Firefox, indicating security improvements. However, its tally of exploited vulnerabilities over three years, 21, is the highest among the web browsers analyzed, suggesting Chrome may be a more targeted browser for attackers, likely due to its massive user base.

The trends and facts underscore the continued need for aggressive vulnerability management, timely patching, and the importance of security research to uncover and mitigate potential threats across all browsers.


VPN Clients

TABLE 23. VPN CLIENTS 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
VPN Clients                    16    33%     10     0%      5   150%      1    N/A      1     0%      0    N/A
Cisco                           3    N/A      1    N/A      2    N/A      0    N/A      1    N/A      0    N/A
FortiClient                     9    13%      7    17%      1   -50%      1    N/A      0  -100%      0    N/A
OpenVPN                         3   -25%      2   -50%      1    N/A      0    N/A      0    N/A      0    N/A
WireGuard                       1    N/A      0    N/A      1    N/A      0    N/A      0    N/A      0    N/A

TABLE 24. VPN CLIENTS 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
VPN Clients                    12   -63%     10   -55%      2   -80%      0    N/A      1   -91%      0    N/A
Cisco                           0  -100%      0  -100%      0    N/A      0    N/A      0  -100%      0    N/A
FortiClient                     8    14%      6    50%      2   -33%      0    N/A      1    N/A      0    N/A
OpenVPN                         4   -56%      4   -43%      0    N/A      0    N/A      0    N/A      0    N/A
WireGuard                       0  -100%      0    N/A      0    N/A      0    N/A      0    N/A      0    N/A


The data reveals that Fortinet is the only VPN client vendor experiencing a consistent rise in total vulnerabilities within its FortiClient software. In 2023, vulnerabilities increased by 13%, following a 14% increase in 2022, a worrisome trend. Notably, FortiClient holds the highest vulnerability count, totaling 24 from 2021 to 2023. Furthermore, its critical vulnerabilities have seen a rapid surge, rising by 50% in 2022 and by 17% in 2023, highlighting further cause for concern.

FortiClient is the only VPN client experiencing a consistent rise in total vulnerabilities over the years.

OpenVPN's vulnerabilities show a steady decrease over the years, suggesting efforts to improve security. Specifically, vulnerabilities dropped by 56% in 2022 and by 25% in 2023. Data from 2021-2023 reveals a consistent presence of critical vulnerabilities, 13 out of 16 in total. Concurrently, their number decreases each year, from 7 in 2021 to 2 in 2023, indicating a positive trend. Interestingly, no RCE vulnerabilities have been reported for OpenVPN during this period.

Cisco AnyConnect shows a significant decrease in vulnerability numbers after 2021. It is the only VPN client which reported a significant number of RCEs, 12, mainly in 2021. However, none of the VPN client vulnerabilities were exploited, which is positive. Note that this category covers the client software installed on endpoints only; the gateway and appliance side of these VPN products, where in-the-wild exploitation of VPN flaws has been concentrated, is outside this dataset, so a clean exploitation record here says nothing about the corresponding servers.

WireGuard has the lowest number of reported vulnerabilities compared to the other products analyzed, with only two reported, neither critical nor RCE, nor exploited. This suggests that it is either more secure (its codebase is deliberately small) or less targeted.

The number of vulnerabilities reported not only reflects the security of a certain VPN client but could also indicate its popularity, the attention of its community, and possibly its transparency in reporting vulnerabilities. While WireGuard presents itself as the client with the fewest disclosed vulnerabilities, caution should be exercised in interpreting this as greater security without considering other factors such as market penetration and the extent of third-party security auditing. For Cisco AnyConnect and FortiClient, the higher numbers, especially for critical vulnerabilities, highlight the importance of constant vigilance, rapid patching protocols, and perhaps more in-depth security auditing.


Load Balancers

TABLE 25. LOAD BALANCERS 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Load Balancers                 14   100%     13   225%      1   -67%      0    N/A      1    N/A      5    N/A
HaProxy                         6   500%      5   400%      1    N/A      0    N/A      0    N/A      0    N/A
Citrix                          7    N/A      7    N/A      0    N/A      0    N/A      1    N/A      4    N/A
NGINX                           1   -83%      1   -67%      0    N/A      0    N/A      0    N/A      1    N/A

TABLE 26. LOAD BALANCERS 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Load Balancers                  7   -22%      4   -50%      3   200%      0    N/A      0    N/A      0    N/A
HaProxy                         1   -75%      1   -67%      0    N/A      0    N/A      0    N/A      0    N/A
Citrix                          0  -100%      0  -100%      0    N/A      0    N/A      0    N/A      0    N/A
NGINX                           6   100%      3     0%      3    N/A      0    N/A      0    N/A      0    N/A


Despite the relatively low total number of vulnerabilities, load balancers saw a significant number of vulnerabilities exploited in 2023 (5 exploited out of 14 total), with CitrixBleed (CVE-2023-4966) as the most notable one. The total vulnerabilities for load balancers increased by 100% in 2023, rising from 7 in 2022 to 14 in 2023. Interestingly, all 7 of Citrix's 2023 vulnerabilities and 5 of HaProxy's 6 were rated critical, indicating their severity.

Despite having fewer critical vulnerabilities compared to operating systems, load balancers have a record exploitation rate in our research of 17%, which marks a new trend of the increased attractiveness of this group as a target for threat actors, likely due to the critical position of load balancers in network architectures. A single exploit in these systems can provide broad access or disruption capabilities against targeted networks.

Citrix shows 9 vulnerabilities over the three-year period analyzed, with a notable spike in 2023. Citrix experienced a significant security challenge last year: all 7 of its reported vulnerabilities were critical and 4 of them were exploited in the wild, most notably CitrixBleed, which was used in massive cyberattacks on organizations and whose exploit is still in the arsenal of many APTs. Note that CitrixBleed itself is a memory-disclosure flaw that leaks session tokens and lets attackers bypass authentication; it is distinct from the single RCE recorded for Citrix in 2023 (CVE-2023-3519, also exploited in the wild). Citrix is the only load balancer of the three to have an RCE vulnerability in the period, which is particularly concerning given that RCE vulnerabilities allow attackers to execute arbitrary commands on the affected system. HaProxy and NGINX did not have any RCE vulnerabilities over the three years, indicating either a robust design against such vulnerabilities or effective mitigation strategies. Finally, Citrix's vulnerabilities in 2023 were not only critical but also exploited, making it the most vulnerable load balancer in terms of actual attacks and breaches of the three in that year.

NGINX shows variability over the years, with a drop to only one vulnerability in 2023 after an increase in 2022. The single vulnerability in 2023 was critical and exploited, indicating that while the number may be low, the impact is significant.

The statistics present an interesting contrast: Citrix had fewer total vulnerabilities than HaProxy over three years (9 versus 11), but had one year (2023) in which all of its vulnerabilities were rated critical and most were exploited. This contrast highlights how the severity and exploitation of vulnerabilities can be more telling than their number.

Over three years, Citrix had fewer vulnerabilities than HaProxy, but in 2023 all of them were critical and most were exploited, showing severity matters more than quantity.

The analysis suggests that while load balancers are generally secure with a low number of reported vulnerabilities, the severity and exploitation of these vulnerabilities can vary widely.


Databases

TABLE 27. DATABASES 2023 VULNERABILITIES ANALYSIS
(2023 counts; YoY = change versus 2022; N/A = zero in 2022, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Databases                      68   -44%     21   163%     44   -55%      3   -82%     20  1900%      0  -100%
MySQL                          41   -64%      1   -67%     38   -60%      2   -88%      0    N/A      0  -100%
PostgreSQL                      9    50%      3     0%      5    67%      1    N/A      3    N/A      0    N/A
MSSQL                          18   800%     17   750%      1    N/A      0    N/A     17  1600%      0    N/A
Oracle DB                      10   233%      1    N/A      5    67%      4    N/A      0    N/A      0    N/A

TABLE 28. DATABASES 2022 VULNERABILITIES ANALYSIS
(2022 counts; YoY = change versus 2021; N/A = zero in 2021, so no baseline; Crit = Critical, Med = Medium, Expl = Exploited)

Name                          All    YoY   Crit    YoY    Med    YoY    Low    YoY    RCE    YoY   Expl    YoY
Databases                     122    -8%      8     0%     97   -20%     17   750%      1   -50%      2    N/A
MySQL                         114    -8%      3   -25%     94   -20%     17   750%      0    N/A      2    N/A
PostgreSQL                      6   -14%      3     0%      3   -25%      0    N/A      0  -100%      0    N/A
MSSQL                           2   100%      2   100%      0    N/A      0    N/A      1    N/A      0    N/A
Oracle DB                       3   -57%      0    N/A      3   -50%      0  -100%      0    N/A      0    N/A


MSSQL reports an astonishing 17 critical vulnerabilities out of a total of 18 in 2023, marking a 750% spike in critical vulnerability numbers. All reported critical vulnerabilities were RCEs, raising significant concerns. This pattern is in stark contrast to previous years, requiring immediate attention from database administrators and cybersecurity teams. It indicates not only the discovery of more serious vulnerabilities but also a potential increase in the attractiveness of MSSQL as a target for attackers. A practitioner triaging such a batch should check, CVE by CVE, whether the flaw sits in the server engine or in client-side components such as the ODBC and OLE DB drivers, since the exposed population, the direction of attack and the patch path differ between the two.

MSSQL reports an astonishing 17 RCE vulnerabilities out of a total of 18 in 2023, indicating increased attractiveness for attackers.

Although MySQL stands out with the highest total number of reported vulnerabilities over the three years (279) compared to other databases, its 64% decrease in total vulnerabilities in 2023 is promising. MySQL's higher number of vulnerabilities may reflect its popularity and extensive reporting mechanisms. An interesting comparison: in 2023 MySQL reported more than twice as many vulnerabilities as MSSQL (41 versus 18) but 17 times fewer critical ones (1 versus 17).

However, MySQL is the only database in this analysis that has reported exploited vulnerabilities, albeit only 2 over the entire period. This suggests that while vulnerabilities are prevalent, the exploitation rate may not be as high, or at least not as widely reported.

PostgreSQL reported a consistent number of 3 critical vulnerabilities each year. Notably, PostgreSQL has a moderate but notable presence of RCE vulnerabilities, with 5 over the period analyzed, which is proportionally significant given its 22 total vulnerabilities reported over three years. This indicates that while its vulnerability count might not be high, their severity and potential impact are serious.

Oracle DB shows a consistently low to moderate number of vulnerabilities, between 3 and 10 a year. Just like MySQL, it reported a low number of critical vulnerabilities compared to its total number of vulnerabilities, indicating a wider distribution of vulnerability severity.

The relative stability of PostgreSQL and Oracle DB in terms of vulnerability numbers underscores a potentially effective security management approach.

This comparison illustrates the dynamic nature of database security, highlighting the importance of proactive vulnerability detection, timely patching, and adapting security measures to evolving threats. It also underscores the critical role of the security community in identifying and reporting vulnerabilities, thereby supporting the collective defense against potential database exploits.


Recommendations
The changing vulnerability landscape highlighted in analysis that should be applied to all categories
the research requires organizations to constantly of software used within the organization. This
monitor emerging threats and adjust their security is particularly important for systems exposed
strategies to address these evolving risks. Here are the to the Internet, as well as those integral to
recommendations we derived based on the research: business operations or containing sensitive
data. Specifically, such an analysis should cover
1. The data shows that operating systems and not only critical software groups like operating
web browsers have the highest total number of systems but also lesser-known software groups
vulnerabilities, including critical and exploited (e.g., image editors, password managers) in
vulnerabilities, which is indicative of their their vulnerability management framework,
widespread use and complex functionality. especially as the research has recognized that
any software can be an attack vector.
2. Given the high number of critical vulnerabilities in
desktop operating systems and mobile operating 6. When choosing third-party software, conduct a
systems, organizations should prioritize these comprehensive risk assessment that covers not
systems in their patch management programs only the number of vulnerabilities but also their
and allocate resources and time to ensure that severity and the software vendor’s response time
these systems are updated in a timely manner. to patch those vulnerabilities. While software
The significant presence of RCE, especially in with fewer vulnerabilities may appear to be
desktop operating systems, requires robust more secure, the severity of those vulnerabilities
monitoring and rapid action to mitigate potential might be critical. Software with fewer exploited
threats before they are exploited. vulnerabilities may indicate better security;
however, it’s important to consider the criticality
3. The exploited vulnerabilities in web browsers of the software to the organization’s operations.
highlight the importance of educating end- In fact, the extent to which a certain software
users on safe browsing practices, timely can be called vulnerable depends more on how
patching, and the need to deploy additional the vendor manages its existing vulnerabilities
security solutions to monitor and control web (e.g., timely patching, mitigation strategies)
traffic. than on the total number of vulnerabilities.
Additionally, the functionality of software with
4. Most vulnerabilities require specific actions low vulnerabilities may be poorer than that of
by employees to be exploited. So, educate software with higher vulnerabilities and might
employees about the potential risks associated not meet the organization’s needs.
with using corporate applications, especially
Microsoft Office, and the importance of In summary, a CISO should ensure that their
following security best practices, such as organization has robust security measures in place,
avoiding suspicious attachments or links, even including regular updates, employee awareness
in seemingly safe documents. training, and advanced threat detection and response
mechanisms. A CISO’s role is not only to address
5. While the report does not analyze all available current vulnerabilities but also to anticipate potential
application groups, it offers an actionable future vulnerabilities based on trends and improve
example for CIOs and CISOs, illustrating a similar their organization’s security posture to quickly adapt
to new threats.
Appendix

TABLE 29. TOTAL VULNERABILITIES 2023

| Name | All Vulnerabilities 2023 | YoY 2023-2022 | Critical 2023 | YoY 2023-2022 | Medium 2023 | YoY 2023-2022 | Low 2023 | YoY 2023-2022 | RCE 2023 | YoY 2023-2022 | Exploited 2023 | YoY 2023-2022 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Total | 4359 | -2% | 2254 | -15% | 2023 | 22% | 82 | -41% | 540 | 1% | 107 | 22% |

TABLE 30. TOTAL VULNERABILITIES 2022

| Name | All Vulnerabilities 2022 | YoY 2022-2021 | Critical 2022 | YoY 2022-2021 | Medium 2022 | YoY 2022-2021 | Low 2022 | YoY 2022-2021 | RCE 2022 | YoY 2022-2021 | Exploited 2022 | YoY 2022-2021 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Total | 4449 | 13% | 2658 | 6% | 1653 | 20% | 138 | 156% | 536 | 3% | 88 | 19% |

TABLE 31. TOTAL VULNERABILITIES 2021

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Total | 3942 | 2515 | 1373 | 54 | 519 | 74 |

TABLE 32. OVERALL VULNERABILITIES 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Total | 12750 | 1595 | 269 | 2 |



TABLE 33. DESKTOP OS VULNERABILITIES 2021

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Desktop Operating Systems | 1614 | 1148 | 451 | 15 | 309 | 43 |
| MS Windows 10 | 487 | 379 | 107 | 1 | 115 | 15 |
| MS Windows Server 2016 | 503 | 390 | 112 | 1 | 126 | 16 |
| MacOS | 462 | 299 | 158 | 5 | 63 | 12 |
| Linux | 162 | 80 | 74 | 8 | 5 | 0 |

TABLE 34. DESKTOP OS VULNERABILITIES 2021-2023 SUMMARY

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Desktop Operating Systems | 4885 | 1096 | 155 | 3 |
| MS Windows 10 | 1497 | 415 | 52 | 3 |
| MS Windows Server 2016 | 1518 | 460 | 52 | 3 |
| MacOS | 1086 | 195 | 42 | 4 |
| Linux | 784 | 26 | 9 | 1 |



TABLE 35. MOBILE OS VULNERABILITIES 2021 ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Mobile Operating Systems | 1154 | 641 | 477 | 36 | 68 | 14 |
| iOS | 380 | 237 | 132 | 11 | 39 | 14 |
| Android | 656 | 318 | 317 | 21 | 28 | 0 |
| HarmonyOS | 118 | 86 | 28 | 4 | 1 | 0 |

TABLE 36. MOBILE OS VULNERABILITIES SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Mobile Operating Systems | 4760 | 224 | 48 | 1 |
| iOS | 891 | 154 | 44 | 5 |
| Android | 3300 | 69 | 4 | 0.12 |
| HarmonyOS | 569 | 1 | 0 | 0 |

TABLE 37. OFFICE APPS 2021 VULNERABILITIES ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Office Apps | 115 | 99 | 16 | 0 | 50 | 7 |
| Microsoft Office | 104 | 91 | 13 | 0 | 50 | 7 |
| LibreOffice | 4 | 3 | 1 | 0 | 0 | 0 |
| OpenOffice | 7 | 5 | 2 | 0 | 0 | 0 |



TABLE 38. OFFICE APPS VULNERABILITIES SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Office Apps | 279 | 110 | 14 | 5 |
| Microsoft Office | 253 | 109 | 14 | 6 |
| LibreOffice | 14 | 1 | 0 | 0 |
| OpenOffice | 12 | 0 | 0 | 0 |

TABLE 39. REMOTE MANAGEMENT SOFTWARE 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Remote Management Software | 9 | 7 | 2 | 0 | 1 | 0 |
| TeamViewer | 2 | 2 | 0 | 0 | 1 | 0 |
| DameWare | 1 | 1 | 0 | 0 | 0 | 0 |
| Splashtop | 2 | 2 | 0 | 0 | 0 | 0 |
| AnyDesk | 3 | 2 | 1 | 0 | 0 | 0 |
| RealVNC | 1 | 0 | 1 | 0 | 0 | 0 |

TABLE 40. REMOTE MANAGEMENT SOFTWARE VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Remote Management Software | 17 | 3 | 0 | 0 |
| TeamViewer | 6 | 3 | 0 | 0 |
| DameWare | 1 | 0 | 0 | 0 |
| Splashtop | 2 | 0 | 0 | 0 |
| AnyDesk | 5 | 0 | 0 | 0 |
| RealVNC | 3 | 0 | 0 | 0 |
TABLE 41. DOCUMENT VIEWERS 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Document Viewers | 193 | 132 | 61 | 0 | 64 | 2 |
| Adobe Reader | 92 | 58 | 34 | 0 | 1 | 2 |
| Foxit Reader | 98 | 71 | 27 | 0 | 63 | 0 |
| Nitro PDF | 3 | 3 | 0 | 0 | 0 | 0 |

TABLE 42. DOCUMENT VIEWERS VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Document Viewers | 418 | 78 | 4 | 1 |
| Adobe Reader | 310 | 14 | 4 | 1 |
| Foxit Reader | 105 | 64 | 0 | 0 |
| Nitro PDF | 3 | 0 | 0 | 0 |

TABLE 43. PASSWORD MANAGERS 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Password Manager Clients | 3 | 0 | 3 | 0 | 1 | 0 |
| KeePass | 0 | 0 | 0 | 0 | 0 | 0 |
| KeePassXC | 0 | 0 | 0 | 0 | 0 | 0 |
| 1Password | 3 | 0 | 3 | 0 | 1 | 0 |
| Bitwarden | 0 | 0 | 0 | 0 | 0 | 0 |
| LastPass | 0 | 0 | 0 | 0 | 0 | 0 |



TABLE 44. PASSWORD MANAGERS VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Password Manager Clients | 12 | 1 | 0 | 0 |
| KeePass | 3 | 0 | 0 | 0 |
| KeePassXC | 1 | 0 | 0 | 0 |
| 1Password | 5 | 1 | 0 | 0 |
| Bitwarden | 3 | 0 | 0 | 0 |
| LastPass | 0 | 0 | 0 | 0 |

TABLE 45. ANTIVIRUSES 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Antivirus | 45 | 31 | 14 | 0 | 4 | 1 |
| Avast | 7 | 6 | 1 | 0 | 0 | 0 |
| Bitdefender | 14 | 10 | 4 | 0 | 3 | 0 |
| Malwarebytes | 1 | 1 | 0 | 0 | 0 | 0 |
| ESET | 2 | 0 | 2 | 0 | 0 | 0 |
| Kaspersky | 8 | 5 | 3 | 0 | 0 | 0 |
| McAfee | 13 | 9 | 4 | 0 | 1 | 1 |



TABLE 46. ANTIVIRUSES VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Antivirus | 86 | 7 | 1 | 1 |
| Avast | 17 | 1 | 0 | 0 |
| Bitdefender | 22 | 3 | 0 | 0 |
| Malwarebytes | 8 | 0 | 0 | 0 |
| ESET | 10 | 0 | 0 | 0 |
| Kaspersky | 11 | 1 | 0 | 0 |
| McAfee | 18 | 2 | 1 | 6 |

TABLE 47. IMAGE EDITORS 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Image Editors | 31 | 27 | 4 | 0 | 2 | 0 |
| Adobe Photoshop | 15 | 14 | 1 | 0 | 0 | 0 |
| GIMP | 1 | 1 | 0 | 0 | 0 | 0 |
| Paint.NET | 0 | 0 | 0 | 0 | 0 | 0 |
| Adobe Illustrator | 15 | 12 | 3 | 0 | 2 | 0 |



TABLE 48. IMAGE EDITORS VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Image Editors | 130 | 8 | 0 | 0 |
| Adobe Photoshop | 58 | 4 | 0 | 0 |
| GIMP | 3 | 0 | 0 | 0 |
| Paint.NET | 0 | 0 | 0 | 0 |
| Adobe Illustrator | 69 | 4 | 0 | 0 |

TABLE 49. WEB BROWSERS 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Web Browsers | 568 | 366 | 201 | 1 | 6 | 7 |
| Chrome | 353 | 250 | 103 | 0 | 5 | 6 |
| Firefox | 134 | 64 | 69 | 1 | 0 | 0 |
| Edge | 81 | 52 | 29 | 0 | 1 | 1 |

TABLE 50. WEB BROWSERS VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Web Browsers | 1655 | 26 | 39 | 2 |
| Chrome | 1006 | 10 | 21 | 2 |
| Firefox | 471 | 2 | 11 | 2 |
| Edge | 178 | 14 | 7 | 4 |



TABLE 51. VPN CLIENTS 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| VPN Clients | 32 | 22 | 10 | 0 | 11 | 0 |
| Cisco AnyConnect | 15 | 11 | 4 | 0 | 11 | 0 |
| FortiClient | 7 | 4 | 3 | 0 | 0 | 0 |
| OpenVPN | 9 | 7 | 2 | 0 | 0 | 0 |
| WireGuard | 1 | 0 | 1 | 0 | 0 | 0 |

TABLE 52. VPN CLIENTS VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| VPN Clients | 60 | 13 | 0 | 0 |
| Cisco AnyConnect | 18 | 12 | 0 | 0 |
| FortiClient | 24 | 1 | 0 | 0 |
| OpenVPN | 16 | 0 | 0 | 0 |
| WireGuard | 2 | 0 | 0 | 0 |

TABLE 53. LOAD BALANCERS 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Load Balancers | 9 | 8 | 1 | 0 | 0 | 0 |
| HAProxy | 4 | 3 | 1 | 0 | 0 | 0 |
| Citrix | 2 | 2 | 0 | 0 | 0 | 0 |
| NGINX | 3 | 3 | 0 | 0 | 0 | 0 |



TABLE 54. LOAD BALANCERS VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Load Balancers | 30 | 1 | 5 | 17 |
| HAProxy | 11 | 0 | 0 | 0 |
| Citrix | 9 | 1 | 4 | 44 |
| NGINX | 10 | 0 | 1 | 10 |

TABLE 55. DATABASES 2021 VULNERABILITY ANALYSIS

| Name | All Vulnerabilities 2021 | Critical 2021 | Medium 2021 | Low 2021 | RCE 2021 | Exploited 2021 |
|---|---|---|---|---|---|---|
| Databases | 132 | 8 | 122 | 2 | 2 | 0 |
| MySQL | 124 | 4 | 118 | 2 | 0 | 0 |
| PostgreSQL | 7 | 3 | 4 | 0 | 2 | 0 |
| MSSQL | 1 | 1 | 0 | 0 | 0 | 0 |
| Oracle DB | 7 | 0 | 6 | 1 | 0 | 0 |

Note: the Databases row above is the sum of the MySQL, PostgreSQL and MSSQL rows only (124 + 7 + 1 = 132); the Oracle DB row is not included in the category totals.

TABLE 56. DATABASES VULNERABILITY SUMMARY 2021-2023

| Name | Total Vulnerabilities | Total RCE | Total Exploited | Exploitation Rate, % |
|---|---|---|---|---|
| Databases | 322 | 23 | 2 | 1 |
| MySQL | 279 | 0 | 2 | 1 |
| PostgreSQL | 22 | 5 | 0 | 0 |
| MSSQL | 21 | 18 | 0 | 0 |
| Oracle DB | 20 | 0 | 0 | 0 |

Note: as in Table 55, the Databases row is the sum of the MySQL, PostgreSQL and MSSQL rows only (279 + 22 + 21 = 322); the Oracle DB row is not included in the category totals, and the 1% category rate (2 / 322) reflects that.
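The exploitation rate in these tables is the number of exploited vulnerabilities divided by all vulnerabilities, expressed as a percentage (Table 32: 269 / 12750, printed as 2%). When reusing appendix figures in a risk model it is worth recomputing the rates and checking that each category row equals the sum of its product rows, because the Databases category does not add up. The script below is an added example, not part of the Action1 report: the `Row` type and the check functions are ours, and the embedded figures are copied from Tables 32, 54 and 56 as constructed input.

```python
"""Recompute exploitation rates and check category totals from the appendix.

Added example, not part of the Action1 report. Figures are copied from
Tables 32, 54 and 56; the rate formula (exploited / total * 100, rounded
as the report prints it) is inferred from those tables.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    name: str
    total: int      # all vulnerabilities, 2021-2023
    rce: int        # remote code execution vulnerabilities
    exploited: int  # vulnerabilities with known exploitation


def exploitation_rate(row: Row, digits: int = 0) -> float:
    """Exploited / total * 100, rounded to `digits` decimals.

    A product with no vulnerabilities has no meaningful rate; the report
    prints 0 in that case (e.g. Paint.NET), so we return 0.0 as well.
    """
    if row.total == 0:
        return 0.0
    return round(100 * row.exploited / row.total, digits)


def check_category(category: Row, products: list[Row]) -> list[str]:
    """Return one message per column where the category row differs
    from the sum of its product rows (empty list means consistent)."""
    problems = []
    for field in ("total", "rce", "exploited"):
        summed = sum(getattr(p, field) for p in products)
        stated = getattr(category, field)
        if summed != stated:
            problems.append(
                f"{category.name}.{field}: products sum to {summed}, "
                f"table states {stated}"
            )
    return problems


# Table 32 (all categories, 2021-2023)
OVERALL = Row("Total", 12750, 1595, 269)

# Table 54, load balancers 2021-2023
LOAD_BALANCERS = Row("Load Balancers", 30, 1, 5)
LOAD_BALANCER_PRODUCTS = [
    Row("HAProxy", 11, 0, 0),
    Row("Citrix", 9, 1, 4),
    Row("NGINX", 10, 0, 1),
]

# Table 56, databases 2021-2023
DATABASES = Row("Databases", 322, 23, 2)
DATABASE_PRODUCTS = [
    Row("MySQL", 279, 0, 2),
    Row("PostgreSQL", 22, 5, 0),
    Row("MSSQL", 21, 18, 0),
    Row("Oracle DB", 20, 0, 0),
]


def main() -> None:
    print(f"overall exploitation rate: {exploitation_rate(OVERALL)}%")
    for p in LOAD_BALANCER_PRODUCTS:
        print(f"{p.name}: {exploitation_rate(p)}%")
    for label, cat, prods in (
        ("load balancers", LOAD_BALANCERS, LOAD_BALANCER_PRODUCTS),
        ("databases", DATABASES, DATABASE_PRODUCTS),
    ):
        problems = check_category(cat, prods)
        print(f"{label}: {'consistent' if not problems else problems}")


if __name__ == "__main__":
    main()
```

Run as-is and the load balancer rows reproduce Table 54 (Citrix 44%, NGINX 10%), while the Databases check reports that the four product rows sum to 342 against a stated 322, i.e. the Oracle DB row is missing from the category total. Pass `digits=2` to reproduce the two-decimal rate the report prints for Android (0.12%).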
TABLE 57. TOP EXPLOITED SOFTWARE SUMMARY 2021-2023

| Name | Total Exploitation Rate, % |
|---|---|
| Citrix | 44 |
| NGINX | 10 |
| McAfee | 6 |
| Microsoft Office | 6 |
| iOS | 5 |
| Edge | 4 |
| MacOS | 4 |
| MS Windows 10 | 3 |
| MS Windows Server 2016 | 3 |
| Firefox | 2 |

TABLE 58. TOP EXPLOITED SOFTWARE 2022

| Name | Exploitation Rate 2022, % |
|---|---|
| Edge | 5 |
| iOS | 4 |
| MS Windows 10 | 4 |
| Firefox | 4 |
| MS Windows Server 2016 | 4 |
| MacOS | 3 |
| Chrome | 3 |
| Linux | 2 |
| MySQL | 2 |
| Microsoft Office | 2 |

TABLE 59. TOP EXPLOITED SOFTWARE 2021

| Name | Exploitation Rate 2021, % |
|---|---|
| McAfee | 8 |
| Microsoft Office | 7 |
| iOS | 4 |
| MS Windows Server 2016 | 3 |
| MS Windows 10 | 3 |
| MacOS | 3 |
| Adobe Reader | 2 |
| Chrome | 2 |
| Edge | 1 |
TABLE 60. EXPLOITATION RATES OF SOFTWARE PER CATEGORY 2021-2023

| Software Category | Name | Exploitation Rate 2021 | Exploitation Rate 2022 | Exploitation Rate 2023 |
|---|---|---|---|---|
| Desktop Operating Systems | MS Windows 10 | 3.1% | 3.8% | 3.5% |
| Desktop Operating Systems | MS Windows Server 2016 | 3.2% | 3.5% | 3.6% |
| Desktop Operating Systems | MacOS | 2.6% | 3.3% | 6.9% |
| Desktop Operating Systems | Linux | 0.0% | 1.9% | 1.0% |
| Mobile Operating Systems | iOS | 3.7% | 4.1% | 7.5% |
| Mobile Operating Systems | Android | 0.0% | 0.1% | 0.2% |
| Mobile Operating Systems | HarmonyOS | 0.0% | 0.0% | 0.0% |
| Office Apps | Microsoft Office | 6.7% | 1.6% | 7.1% |
| Office Apps | LibreOffice | 0.0% | 0.0% | 0.0% |
| Office Apps | OpenOffice | 0.0% | 0.0% | 0.0% |
| Remote Management Software | TeamViewer | 0.0% | 0.0% | 0.0% |
| Remote Management Software | DameWare | 0.0% | 0.0% | 0.0% |
| Remote Management Software | Splashtop | 0.0% | 0.0% | 0.0% |
| Remote Management Software | AnyDesk | 0.0% | 0.0% | 0.0% |
| Remote Management Software | RealVNC | 0.0% | 0.0% | 0.0% |
| Document Viewers | Adobe Reader | 2.2% | 0.0% | 2.2% |
| Document Viewers | Foxit Reader | 0.0% | 0.0% | 0.0% |
| Document Viewers | Nitro PDF | 0.0% | 0.0% | 0.0% |
| Password Manager Clients | KeePass | 0.0% | 0.0% | 0.0% |
| Password Manager Clients | KeePassXC | 0.0% | 0.0% | 0.0% |
| Password Manager Clients | 1Password | 0.0% | 0.0% | 0.0% |
| Password Manager Clients | Bitwarden | 0.0% | 0.0% | 0.0% |
| Password Manager Clients | LastPass | 0.0% | 0.0% | 0.0% |
| Antiviruses | Avast | 0.0% | 0.0% | 0.0% |
| Antiviruses | Bitdefender | 0.0% | 0.0% | 0.0% |
| Antiviruses | Malwarebytes | 0.0% | 0.0% | 0.0% |
| Antiviruses | ESET | 0.0% | 0.0% | 0.0% |
| Antiviruses | Kaspersky | 0.0% | 0.0% | 0.0% |
| Antiviruses | McAfee | 7.7% | 0.0% | 0.0% |
| Image Editors | Adobe Photoshop | 0.0% | 0.0% | 0.0% |
| Image Editors | GIMP | 0.0% | 0.0% | 0.0% |
| Image Editors | Paint.NET | 0.0% | 0.0% | 0.0% |
| Image Editors | Adobe Illustrator | 0.0% | 0.0% | 0.0% |
| Web Browsers | Chrome | 1.7% | 2.8% | 1.7% |
| Web Browsers | Firefox | 0.0% | 3.8% | 2.8% |
| Web Browsers | Edge | 1.2% | 5.4% | 6.7% |
| VPN Clients | Cisco AnyConnect | 0.0% | 0.0% | 0.0% |
| VPN Clients | FortiClient | 0.0% | 0.0% | 0.0% |
| VPN Clients | OpenVPN | 0.0% | 0.0% | 0.0% |
| VPN Clients | WireGuard | 0.0% | 0.0% | 0.0% |
| Load Balancers | HAProxy | 0.0% | 0.0% | 0.0% |
| Load Balancers | Citrix | 0.0% | 0.0% | 57.1% |
| Load Balancers | NGINX | 0.0% | 0.0% | 100.0% |
| Databases | MySQL | 0.0% | 1.8% | 0.0% |
| Databases | PostgreSQL | 0.0% | 0.0% | 0.0% |
| Databases | MSSQL | 0.0% | 0.0% | 0.0% |
| Databases | Oracle DB | 0.0% | 0.0% | 0.0% |

Note: the per-year rates are computed on small denominators for some products. The 100.0% for NGINX in 2023 corresponds to a single exploited vulnerability out of one recorded that year (Table 54 lists 10 NGINX vulnerabilities and 1 exploited over the whole 2021-2023 period), so a single-year rate should be read together with the totals in the summary tables.



About Action1 Research
The report is brought to you by Action1 Research, which conducts industry surveys among cybersecurity
practitioners worldwide to discover trends in cybersecurity. For more information, please visit:

www.action1.com/resources/research/

About Action1 Corporation


Action1 reinvents patch management with an infinitely scalable and highly secure platform configurable in 5
minutes that just works. With integrated real-time vulnerability assessment and automated remediation for third-
party software and OS, peer-to-peer patch distribution, and IT ecosystem integrations, it ensures continuous
patch compliance and reduces ransomware and security risks – all while lowering costs. Action1 is certified for
SOC 2/ISO 27001 and is trusted by thousands of enterprises managing millions of endpoints globally.

Action1 was founded by cybersecurity veterans Alex Vovk and Mike Walters, who previously founded Netwrix,
which was acquired by TA Associates. Learn more at: www.action1.com.

2929 Allen Parkway Suite 200, Houston, TX 77019
