Old Vulnerabilities Still Popular Targets for Hackers: HP

What is old may not always be new, but when it comes to hacking, it’s still effective.

According to the latest edition of Hewlett-Packard’s Cyber Risk Report, 44 percent of known breaches in 2014 came from vulnerabilities that were between two and four years old. While HP spotted more than 30 exploits for 2014 CVEs being used by malware, the majority of the exploits found by its security team targeted older vulnerabilities.

By far the most common exploits targeted CVE-2010-2568, which accounted for roughly a third of all discovered exploit samples. The Microsoft Windows vulnerability was one of the infection vectors for Stuxnet and quickly became a popular weapon for malware writers.

Other popular vulnerabilities included CVE-2010-0188 in Adobe Reader and Acrobat (11 percent) and CVE-2013-0422 in Oracle Java (9 percent). Rounding out the top five are CVE-2012-1723 and CVE-2012-0507, which both impact Oracle Java and accounted for seven and four percent of the exploit samples found by HP, respectively. Of the top 10, three were Microsoft vulnerabilities and six were tied to Oracle Java.

“Many vulnerabilities exploited in 2014 took advantage of code written many years ago—some are even decades old,” the report noted. “Adversaries continue to leverage these classic avenues for attack. Exploitation of widely deployed client-side and server-side applications are still commonplace. These attacks are even more prevalent in poorly coded middleware applications, such as software as a service (SaaS). While newer exploits may have garnered more attention in the press, attacks from years gone by still pose a significant threat to enterprise security.”

The most targeted 2014 CVE was CVE-2014-0322, a vulnerability in Microsoft Internet Explorer.

HP cited web server misconfiguration as a major challenge for organizations during 2014 as well. For mobile applications, web server misconfiguration leading to information disclosure was linked to 33 percent of mobile app vulnerabilities. For Web applications, misconfigurations leading to unprotected files and unprotected directories were the second and fourth most common vulnerabilities, respectively.

“Our findings show that access to unnecessary files and directories seems to dominate the misconfiguration related issues,” according to the report. “The information disclosed to attackers through these misconfigurations provides additional avenues of attack and allows attackers the knowledge needed to ensure their other methods of attack succeed. Regular penetration testing and verification of configurations by internal and external entities can identify configuration errors before attackers exploit them.”

“Many of the biggest security risks are issues we’ve known about for decades, leaving organizations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager of Enterprise Security Products at HP, in a statement. “We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk.”

Download the full 2015 HP Cyber Risk Report
