Threat Watch

Attackers Scan for Vulnerabilities Within 15 Minutes of Disclosure

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. According to Palo Alto’s 2022 Unit 42 Incident Response Report, attackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution. However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited. “The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced,” reads a companion blog post. Since scanning isn’t particularly demanding, even low-skilled attackers can scan the internet for vulnerable endpoints and sell their findings on dark web markets where more capable hackers know how to exploit them. Then, within hours, the first active exploitation attempts are observed, often hitting systems that never had the chance to patch. Unit 42 presents CVE-2022-1388 as an example, a critical unauthenticated remote command execution vulnerability impacting F5 BIG-IP products. The flaw was disclosed on May 4, 2022, and according to Unit 42, by the time ten hours had passed since the announcement of the CVE, they had recorded 2,552 scanning and exploitation attempts. This is a race between defenders and malicious actors, and the margins for delays on either side are dwindling with every year that passes. Based on the data collected by Palo Alto, the most exploited vulnerabilities for network access in H1 2022 are the ProxyShell exploit chain, accounting for 55% of the total recorded exploitation incidents. ProxyShell is an attack exploited by chaining together three vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Log4Shell follows at second place with 14%, various SonicWall CVEs accounted for 7%, ProxyLogon had 5%, while the RCE in Zoho ManageEngine ADSelfService Plus was exploited in 3% of the cases. As it becomes evident from these stats, the lion’s share of the exploitation volume is captured by semi-old flaws and not the most recent ones. This happens for various reasons, including the attack surface size, exploitation complexity, and practical impact. More valuable and better-protected systems whose admins are quick to apply security updates are targeted with zero-days or attacks that unfold immediately after the disclosure of flaws. It is also worth noting that according to Unit 42, exploiting software vulnerabilities for initial network breaches accounts for roughly one-third of the methods used. In 37% of the cases, phishing was the preferable means for achieving initial access. Brute-forcing or using compromised credentials is how attackers penetrated networks in 15% of the cases. Finally, using social engineering tricks against privileged employees or bribing a rogue insider to aid in network access corresponds to 10% of the incidents. With system administrators, network administrators, and security professionals already under significant stress as they try to keep up with the latest security threats and OS issues, the speed at which threat actors target their devices only adds additional pressure.


Understanding the attack surface is key for all organizations. Regular vulnerability scans and port scanning should be conducted against the network from an outside perspective in order to determine what is accessible from the public Internet. Any instance of a public IP address that allows connections from outside of the organization should be evaluated for necessity, patch application, sanitized inputs, etc. VPNs or other security gateways are great options for devices that must be exposed. By restricting access to servers, admins not only reduce the risk of exploits, but provide additional time to apply security updates before the vulnerabilities could be targeted. Unfortunately, some services must be publicly exposed, requiring admins to tighten security as much as possible through access lists, exposing only the necessary ports and services, and applying updates as quickly as possible. While quickly applying a critical update may lead to downtime, this is much better than the ramifications of a full-blown cyberattack.