Organizations take an average of 60 days to patch critical risk vulnerabilities

NEW YORK, March 7, 2022 /PRNewswire/ — Edgescan, the intelligent vulnerability management provider, today announces the findings of its 2022 Vulnerability Statistics Report, which, for the 7th consecutive year, provides a comprehensive view of the state of vulnerability management around the world. This year’s report takes a deeper look at trends by industry and provides details on known and patchable vulnerabilities that are currently being exploited by threat actors.

The report finds that organizations are still taking nearly two months to remediate critical risk vulnerabilities, with the mean time to remediate (MTTR) across the full stack standing at 60 days.

High rates of “known” (i.e. patchable) vulnerabilities that have working exploits in the wild, used by known nation-state and cybercriminal groups, are not uncommon.

Remote access exposures on the attack surface are a concerning trend and accounted for 5% of total attack surface exposures in 2021.

Importantly, 57% of all observed vulnerabilities are more than two years old, and up to 17% are more than five years old. These are all vulnerabilities that have working exploits in the wild, used by known nation-state and cybercriminal groups. Edgescan also observed about 1.5% of known, unpatched vulnerabilities that are more than 20 years old, dating back to 1999.

While the size of an organization has little bearing on MTTR, Edgescan observed significant differences across industries. Health organizations (NAICS 62) – despite the extreme pressure they have been under over the past two years – came out on top, with an MTTR of just 44 days. At the opposite end of the spectrum, the public administration sector (NAICS 92) took an average of 92 days to fix known vulnerabilities – a month longer than the cross-industry average.

“We are delighted to be able to share our intelligence with the entire security community for the 7th year in a row,” said Eoin Keary, CEO and co-founder of Edgescan. “Remediation and maintenance remains a challenge, as does detection. Managing and visibility of the attack surface is paramount, and with our report, we aim to inform organizations of the most common exposures.”

The findings of the Edgescan 2022 Vulnerability Statistics Report are based on data collected from tens of thousands of individual assets. The analyzed sample included over 40,000 web application and API reviews, 3 million network endpoint reviews, and approximately 1,000 penetration tests performed in 2021 by the Edgescan team.

Edgescan is an award-winning security-as-a-service (SaaS) web/API vulnerability management and attack surface management solution. Edgescan™ protects and manages thousands of assets around the world for Fortune 500 and SMB customers by helping them continuously detect, prioritize, monitor and remediate security weaknesses in Internet-connected systems, such as web-based applications, APIs, network/peripheral systems and IoT Services. Thanks to expert validation of all discovered vulnerabilities, the solution is highly accurate and virtually free of false positives.

This press release was published via For more information, visit

SOURCE Edgescan