Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Many Media Industry Vendors Slow to Patch Critical Vulnerabilities: Study

A cybersecurity analysis of hundreds of media industry vendors showed that many companies are slow to patch critical vulnerabilities, according to MDR and third-party risk management provider BlueVoyant.

A cybersecurity analysis of hundreds of media industry vendors showed that many companies are slow to patch critical vulnerabilities, according to MDR and third-party risk management provider BlueVoyant.

The media industry faces various types of cybersecurity incidents, including content leaks on torrent sites and dark web forums, disruptions to the channels used to deliver content to consumers, and other disruptive attacks, such as ransomware and denial of service (DoS).

BlueVoyant has analyzed nearly 500 vendors. This includes 49 companies that supply content management, production, monetization and distribution services to most media companies, and 436 firms that represent suppliers whose products and services are widely used but not common across the entire industry.

Of all these companies, 143 had what the security firm calls ‘zero tolerance findings’, which are critical vulnerabilities in internet-facing systems that are commonly targeted by threat actors.

One or more such vulnerabilities were identified at roughly 30% of media vendors, which BlueVoyant says is nearly double compared to the multi-industry average it has observed across more than one million companies.

Looking at the distribution of these vulnerabilities, content management providers seem to be the most impacted, with half of these vendors hosting vulnerable systems. The monetization segment is the best when it comes to securing systems, with less than 15% exposing their systems to attacks.

Vulnerabilities across the media industry

As a specific example, BlueVoyant provided the Confluence vulnerability tracked as CVE-2022-26134. Atlassian released a patch in early June, but malicious exploitation started at least one week prior.

While this is a serious vulnerability that can be exploited remotely to take complete control of the targeted system and cause serious problems for affected organizations, BlueVoyant found that eight of the monitored media industry vendors had still not applied the patch six weeks after its release.

“Media companies need to take strong action with their vendors and suppliers, particularly in Content Management. Supply chain attacks are a common attack vector, and protecting against ecosystem vulnerabilities is critical to preventing leaks, downtime, and disruptions to the production process,” BlueVoyant said in its report (direct PDF download).

Earlier this summer, the cybersecurity firm analyzed 300 SMB subcontractors for the defense industrial base sector and found that many were vulnerable to attacks and some had likely already been compromised.

Related: Over 28,000 Vulnerabilities Disclosed in 2021

Related: Ransomware-Related Data Leaks Nearly Doubled in 2021

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.