The 20 Year Old Vulnerability Still in the Wild
Two decades after it was first identified, a severe vulnerability is still present on thousands of live systems across the world, according to research by edgescan. Here are the key details.
In 1999, a vulnerability affecting File Transfer Protocol (FTP), a method for transferring files, was identified.
The vulnerability, known as CVE-1999-0017, allowed attackers to abuse a system's FTP server to launch an FTP bounce attack, which can be used to steal files, including sensitive data, stored on a target system.
With a risk rating of 7.5 out of 10, this is a fairly severe attack type. In the right circumstances, it can be used to enact a significant data breach, exposing files that otherwise would not be accessible to the outside world.
If all organisations followed cybersecurity best practice, this vulnerability would have been consigned to history years ago.
But in 2019, 20 years after it was first discovered, it is still out in the wild.
In fact, as of today more than 3,000 systems across Europe and North America remain vulnerable.
And more recent vulnerabilities are not being patched much faster.
The most common vulnerability of 2018 was first discovered four years ago, and the average time to patch remains far longer than is operationally safe.
“The average window of exposure for critical infrastructure vulnerabilities is 65 days, and for web application vulnerabilities is 69 days, both averaging over nine weeks before issues are resolved,” said Eoin Keary, CEO of edgescan. “This leaves many organisations open to the next WannaCry or NotPetya taking advantage of unprotected entry points.”