Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Management & Strategy

Many Media Industry Vendors Slow to Patch Critical Vulnerabilities: Study

A cybersecurity analysis of hundreds of media industry vendors showed that many companies are slow to patch critical vulnerabilities, according to MDR and third-party risk management provider BlueVoyant.

A cybersecurity analysis of hundreds of media industry vendors showed that many companies are slow to patch critical vulnerabilities, according to MDR and third-party risk management provider BlueVoyant.

The media industry faces various types of cybersecurity incidents, including content leaks on torrent sites and dark web forums, disruptions to the channels used to deliver content to consumers, and other disruptive attacks, such as ransomware and denial of service (DoS).

BlueVoyant has analyzed nearly 500 vendors. This includes 49 companies that supply content management, production, monetization and distribution services to most media companies, and 436 firms that represent suppliers whose products and services are widely used but not common across the entire industry.

Of all these companies, 143 had what the security firm calls ‘zero tolerance findings’, which are critical vulnerabilities in internet-facing systems that are commonly targeted by threat actors.

One or more such vulnerabilities were identified at roughly 30% of media vendors, which BlueVoyant says is nearly double compared to the multi-industry average it has observed across more than one million companies.

Looking at the distribution of these vulnerabilities, content management providers seem to be the most impacted, with half of these vendors hosting vulnerable systems. The monetization segment is the best when it comes to securing systems, with less than 15% exposing their systems to attacks.

Vulnerabilities across the media industry

As a specific example, BlueVoyant provided the Confluence vulnerability tracked as CVE-2022-26134. Atlassian released a patch in early June, but malicious exploitation started at least one week prior.

Advertisement. Scroll to continue reading.

While this is a serious vulnerability that can be exploited remotely to take complete control of the targeted system and cause serious problems for affected organizations, BlueVoyant found that eight of the monitored media industry vendors had still not applied the patch six weeks after its release.

“Media companies need to take strong action with their vendors and suppliers, particularly in Content Management. Supply chain attacks are a common attack vector, and protecting against ecosystem vulnerabilities is critical to preventing leaks, downtime, and disruptions to the production process,” BlueVoyant said in its report (direct PDF download).

Earlier this summer, the cybersecurity firm analyzed 300 SMB subcontractors for the defense industrial base sector and found that many were vulnerable to attacks and some had likely already been compromised.

Related: Over 28,000 Vulnerabilities Disclosed in 2021

Related: Ransomware-Related Data Leaks Nearly Doubled in 2021

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.