
Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances

Virtual appliances, even if they are provided by major software or cybersecurity vendors, can pose a serious risk to organizations, according to a report published on Tuesday by cloud visibility firm Orca Security.

Virtual appliances can be highly useful to organizations as they eliminate the need for dedicated hardware, they are often inexpensive or free, they are easy to configure and maintain, and they can be easily deployed on cloud platforms. Many virtual appliances can be used as provided.

Orca Security used its SideScanning technology to check virtual appliances for vulnerabilities and outdated operating systems. The company scanned a total of more than 2,200 virtual appliances from 540 vendors in April and May, and identified over 400,000 vulnerabilities.

The virtual appliances were obtained from marketplaces associated with cloud platforms such as AWS, VMware, Google Cloud Platform, and Microsoft Azure, but Orca says these virtual appliances are in many cases the same as the ones provided directly by vendors.

Orca’s analysis, which involved giving each appliance a security risk score ranging between 0 and 100, found that appliances from 8% of vendors had no issues. These vendors, which got an A+ grade, include Trend Micro, Pulse Secure, BeyondTrust and Versasec.

Nearly a quarter of the tested vendors had virtual appliances that got an A grade and 12% got a B. However, 15% of the tested appliances got an F, including ones from CA Technologies, Software AG, Intel, Zoho, Symantec, A10 Networks, Cloudflare and Micro Focus.

Orca also noted that some vendors had some of their appliances graded A or A+ and others graded F. These include Intel, Symantec, Soho, Cognosys and Tibco.

Orca contacted each of the impacted vendors before making its findings public. The company says vendors have addressed roughly 36,000 of the 400,000 identified vulnerabilities, either by deploying patches or by removing the virtual appliance altogether. Specifically, 287 products have been updated and 53 have been removed.

The list of companies that have taken action includes Dell EMC, Cisco, IBM, Symantec, Splunk, Oracle, Kaspersky, Cloudflare, Zoho, and Qualys.

On the other hand, some vendors said it was up to customers to ensure that their virtual appliances are patched, while others refused to take any action, arguing that the identified vulnerabilities were not exploitable. Unsurprisingly, some vendors threatened to take legal action against Orca.

One interesting observation made by the cybersecurity firm is that more expensive products did not obtain a higher score compared to less expensive and even free products.

“Simply because a vendor scores top marks doesn’t mean all its virtual appliances are guaranteed to be risk-free. The data presented serves only as a guide, providing an idea as to how vendors approach the support and maintenance of their virtual appliances. Some scored well and deserve a measure of trust. Others have done badly, and their products should be approached with caution,” Orca said in its report.

The company has also shared some recommendations for organizations to reduce the risk posed by the use of virtual appliances. This includes asset management for keeping track of virtual appliances, vulnerability management tools that can discover weaknesses, and a vulnerability management process that prioritizes the most serious issues.

Orca’s State of Virtual Appliance Security 2020 Report is available on the company’s website.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
