Critical and high-risk vulnerabilities receive all the attention, while low and medium-severity vulnerabilities are usually relegated to the back burner. This may not be the wisest choice. Over time, these vulnerabilities can mature, compound, and even escalate into severe threats with far-reaching impact. When left unaddressed, these “small” issues can not only expose an organization to more complex attacks but also reveal underlying, systemic security weaknesses.
There are over 40,000 known low- to medium-severity vulnerabilities (see a breakdown at CVE Metrics here). While many of them will never be a problem, there is nonetheless a real risk that, if left unchecked, major issues can arise.
Why should I care about these vulnerabilities?
Critical and high severity issues are of course an immediate concern and may present the risk of a major breach.
1. Increased Risk Over Time: Even if a vulnerability starts with a low or medium severity, this doesn’t guarantee that it will remain so. Vulnerabilities evolve. The time since initial discovery allows attackers to refine exploits, making what was once a low-severity vulnerability much easier to leverage.
2. The Power of Vulnerability Chaining: Attackers have developed ways to chain multiple lower-severity vulnerabilities together to create a more powerful exploit. For instance, a medium-severity vulnerability that exposes certain application data could be paired with another medium vulnerability to allow lateral movement across systems. See our articles “cracked open” and “once you pop you just can’t stop” for examples of how this can occur.
3. Signs of Systemic Weaknesses: Even seemingly benign vulnerabilities often point to more significant issues within the organization’s security practices. Persistent low or medium vulnerabilities, for instance, may reveal patterns of misconfigurations, poor security hygiene, or outdated software practices. When left untreated, they can be indicative of a lack of cohesive security strategy, inadequate patch management, or technical debt. They can also lead to regulatory and compliance issues.
A well-known, real-life example of this problem is the 2013 Target breach, where attackers exploited a series of minor vulnerabilities to create a high-impact data compromise. This breach, which exposed credit and debit card information of over 40 million customers, is a prime case study of how low/medium issues, when left unaddressed, can be chained together to produce catastrophic results.
The Target Breach – Lower Severity Issues to Big Problem
In summary: Vendor access (low-severity) → Weak network segmentation (medium-severity) → Lateral movement (medium-severity) → POS malware installation (high-severity) → Massive data breach
The Target breach illustrates how chaining low and medium-severity vulnerabilities can create a domino effect, enabling attackers to escalate their impact exponentially. Addressing these smaller issues proactively is essential in mitigating compounded risks and ensuring that lower-severity issues don’t spiral into large-scale incidents.
How did we get here?
Multiple factors have contributed to the lack of attention given to low and medium issues:
1) Overload: A typical vulnerability scan (or a questionable penetration test) will usually produce a deluge of medium and low-risk issues. Security departments typically have limited time and resources, so they will inevitably focus on the high-risk issues (as well as dealing with a hundred other items).
2) Lack of context: Many reported vulnerabilities are scored with no consideration of context: the CVSS score is XX, so the vulnerability is rated as XX.
3) Lack of time: Connected to item #1 (the bad pen test part), when time and resources are short, it’s unlikely that low and medium issues can be tested to determine the actual risk level.
4) Bug bounty programs: The money is in critical and high issues, so if your program relies solely on bug bounties, you aren’t going to get a lot of help on the lower-severity issue front, and you’re going to get even less context. Finding complex attack chains also takes time, which may not work for the majority of bug bounty hunters.
5) Compliance: To be clear, compliance has many uses; however, the need to check a box for various vulnerabilities means that the dots joining multiple lower-risk issues will never be connected.
Ultimately, it’s hard to do this without skilled technical analysis, and because of that the risk is vague and not really considered outside of extremely mature security programs.
What Should I Do About It?
You have limited resources, and vulnerability management still poses a problem. Taking a deep dive into every low and medium issue is likely impossible and an inefficient use of resources. At the same time, ignoring them completely, no matter how effective you believe your internal controls to be, is a dangerous choice.
An effective vulnerability management program doesn’t just address high-severity vulnerabilities; it encompasses all risks, including the less severe. Here’s how organizations can take a comprehensive approach to lower-severity issues:
1. Prioritize Based on Context: Contextualize vulnerabilities based on where they appear within the organization’s architecture and, where possible, their potential impact (both financially and operationally). A medium vulnerability in a production environment requires more attention than one in a test system.
2. Assess Vulnerability Chains: If possible, conduct penetration testing (either point-in-time tests, or continuous penetration testing tools like Incenter) to see if lower-severity issues could be chained together in ways that weren’t initially apparent. This helps identify where multiple minor issues might collectively lead to a major compromise. Continuous testing tools provide the benefit that more time is allocated to uncovering these chains.
3. Regularly Reevaluate Risk Scores: Vulnerabilities should be reevaluated periodically, as circumstances may elevate their risk. Conduct quarterly or semi-annual reviews of medium and low-severity vulnerabilities to reassess their potential impact.
4. Address Root Causes: Instead of treating each low or medium vulnerability as an isolated issue, look for root causes—such as outdated libraries, weak patch management, or poor access control. Fixing these core issues reduces the overall vulnerability footprint.
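The four steps above can be turned into a simple triage pass over scan output. The following is an added example (not code from the original post or any tool it mentions): it rescales CVSS base scores by the environment the asset sits in, flags assets that carry several sub-high findings as candidates for a manual chain review, and counts findings per root cause so the biggest systemic weakness is visible. The findings, environment weights and root-cause labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan findings (not real data): each carries the asset,
# its environment, the CVSS base score and a hypothetical root-cause label.
FINDINGS = [
    {"id": "F1", "asset": "vendor-portal", "env": "production", "cvss": 3.9, "root": "excessive-access"},
    {"id": "F2", "asset": "vendor-portal", "env": "production", "cvss": 5.3, "root": "flat-network"},
    {"id": "F3", "asset": "pos-mgmt", "env": "production", "cvss": 6.5, "root": "flat-network"},
    {"id": "F4", "asset": "build-box", "env": "test", "cvss": 6.5, "root": "outdated-library"},
    {"id": "F5", "asset": "pos-mgmt", "env": "production", "cvss": 4.0, "root": "outdated-library"},
]

# Assumed weights: a finding in production keeps its full score, a test box much less.
ENV_WEIGHT = {"production": 1.0, "staging": 0.7, "test": 0.4}


def contextual_score(finding):
    """Step 1: scale the CVSS base score by where the asset lives."""
    weight = ENV_WEIGHT.get(finding["env"], 0.5)  # unknown environments get a middle weight
    return round(finding["cvss"] * weight, 1)


def prioritize(findings):
    """Order findings by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


def candidate_chains(findings, threshold=2):
    """Step 2: assets with several sub-high (CVSS < 7.0) findings are flagged
    for a manual review of whether those findings can be chained."""
    by_asset = defaultdict(list)
    for f in findings:
        if f["cvss"] < 7.0:
            by_asset[f["asset"]].append(f["id"])
    return {asset: ids for asset, ids in by_asset.items() if len(ids) >= threshold}


def root_cause_counts(findings):
    """Step 4: count findings per root cause, most common first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["root"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["id"], f["asset"], f["env"], contextual_score(f))
    print("chain review:", candidate_chains(FINDINGS))
    print("root causes:", root_cause_counts(FINDINGS))
```

Re-running this after each scan (step 3) shows whether a previously low-ranked asset has accumulated enough findings to warrant a chain review.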
Conclusion: Treat Every Vulnerability as an Opportunity to Strengthen Security
While high and critical vulnerabilities may always be front and center, a strong cybersecurity posture requires attention to every vulnerability, regardless of severity. Low and medium-severity vulnerabilities, if ignored, can escalate and eventually allow attackers a path into sensitive systems. Additionally, these vulnerabilities often reveal areas where organizational security practices can improve, providing a valuable opportunity to address root causes.
By embracing a thorough approach to vulnerability management, organizations can minimize risks across the board, not just for the issues that seem most urgent. In cybersecurity, it’s often the cumulative, compounding risks that pose the greatest danger. Addressing low and medium vulnerabilities today can prevent tomorrow’s crises, reinforcing security and resilience for the long term.