The Hidden Danger of Lower Severity Vulnerabilities: Why Attackers Target the Overlooked

If you’re part of a security or IT team, you know the feeling of being constantly bombarded with alerts. A new zero-day here, a critical patch there…it’s a never-ending battle to keep your organization patched and secure. In the chaos, it’s easy for lower severity vulnerabilities to get lost in the shuffle. After all, they’re not labeled “critical,” right?

But here’s the sobering truth: attackers are increasingly exploiting these “less critical” flaws as a stepping-stone into your network. In fact, research produced by Cyentia consistently showed that vulnerabilities with medium CVSS scores (which typically fall into the “medium severity” category) are frequently exploited much sooner than those with higher scores. This supports the idea that attackers prioritize easier targets over theoretically more severe vulnerabilities.

Why Lower Severity Vulnerabilities Are a Tempting Target

So, what defines the severity level of a vulnerability?

The Common Vulnerability Scoring System (CVSS) ranks vulnerabilities on a scale of 0-10:

| Severity | Severity Score Range |
|----------|----------------------|
| Low      | 0.1-3.9              |
| Medium   | 4.0-6.9              |
| High     | 7.0-8.9              |
| Critical | 9.0-10.0             |

For many enterprises, critical severity vulnerabilities are where they focus their time and effort. Because vulnerabilities that score less than 9.0 might not enable immediate system takeover, they are often relegated to the ever-growing to-do list for IT and Security teams.

But they are far from harmless.

Attackers love lower severity flaws for several reasons:

  • Less Scrutiny: Security teams, understandably, focus on patching critical vulnerabilities first. This leaves medium-severity issues lingering, giving attackers a wider window of opportunity.
  • Easier Exploitation: Compared to high-severity vulnerabilities, medium ones are often less complex to exploit, requiring less sophisticated tools and techniques.
  • Chain Reactions: A medium-severity vulnerability might not be devastating on its own, but it can often be chained with other vulnerabilities to achieve broader access – a classic example of the domino effect.

Non-Critical Vulnerability Exploited: CVE-2024-26169

A recent example is CVE-2024-26169. This CVE was publicly disclosed in March 2024, along with a patch. It was labeled a high-severity vulnerability, with a CVSS score of 7.8, but this was against a backdrop of 59 Microsoft patches, including 2 critical vulnerabilities and 2 vulnerabilities with a CVSS score of 9.0 and above. In addition, there were another 14 vulnerabilities with a CVSS score of 8.8 and another 15 (excluding CVE-2024-26169) that scored 7.8.

Against this slew of vulnerabilities, CVE-2024-26169 seemed relatively unremarkable. It affects Microsoft’s Error Reporting service, and while it could allow an attacker to elevate their access and privilege, Microsoft’s initial assessment of exploitability (“less likely”) and its exploitation status at the time (none) meant that it likely received little attention.

This is unfortunate.

Because the vulnerability could allow an attacker to gain SYSTEM privileges on an enterprise machine, it can enable that attacker to access sensitive data, install malware, or disrupt operations.

So, it should be no surprise to anyone that 2 months later, the Cybersecurity and Infrastructure Security Agency (CISA) warned that this vulnerability is being actively exploited by attackers. CISA also urged all users to apply the security updates released by Microsoft to address this vulnerability.

After CISA’s advisory, news outlets quickly reported that the ransomware group Black Basta was actively exploiting CVE-2024-26169. CNN even reported that Black Basta may be linked to the recent Ascension Healthcare attack that took down the provider’s operations last month.

The Escalation Factor: From Low Severity to Meltdown

What makes some lower severity vulnerabilities particularly insidious is their potential to enable privilege escalation, like in the case of CVE-2024-26169. These vulnerabilities allow attackers to gain higher-level permissions within a system, turning a minor breach into a major crisis.

Imagine an attacker exploiting a medium-severity flaw to gain a foothold in your network. From there, they discover a privilege escalation vulnerability, elevating their access to that of an administrator. Suddenly, they have the keys to the kingdom: sensitive data, critical systems, and the ability to cause widespread damage.

The impact on your business could be catastrophic:

  • Data Breaches: Loss of customer information, financial data, or intellectual property.
  • Ransomware: Systems held hostage, with potentially millions of dollars demanded in ransom.
  • Downtime: Disrupted operations, lost productivity, and damage to your reputation.

This isn’t just an exercise. As we can see with CVE-2024-26169, all of this is happening now.

Rethinking Vulnerability Management: A Proactive Approach

The good news is that you can protect your organization from the overlooked threat of lower severity vulnerabilities. It starts with rethinking your approach to vulnerability management.

  • Risk-Based Prioritization: Don’t rely solely on CVSS scores. Consider the context of each vulnerability, the systems it affects, the potential business impact, and the breadth of that vulnerability across your enterprise. Prioritize vulnerabilities that could lead to privilege escalation or lateral movement.
  • Comprehensive Patching and Continuous Monitoring: While it’s essential to patch critical vulnerabilities quickly, don’t neglect lower severity ones. Create a regular patching cadence and leverage your risk-based prioritization process to identify if and when you need to patch outside of standard cycles. Staying abreast of active exploits and continuously monitoring your environment can help you identify risks early on and remediate them quickly.
  • Automation Is Your Ally: Security and IT teams are stretched thin. Automating vulnerability scanning, prioritization, patching, and remediation can dramatically improve your security posture while freeing up valuable time.
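The following is an added example, not code from Syxsense or from this post, showing how the risk-based prioritization described above can be expressed in a small Python script. It maps CVSS scores to the severity bands from the table earlier on the page and then re-ranks findings using context the base score ignores: confirmed active exploitation (for instance a CISA KEV listing), whether the flaw enables privilege escalation or lateral movement, asset criticality, and how widely the vulnerability is present across the fleet. The findings list is constructed for illustration; only CVE-2024-26169 and its 7.8 score come from the page, the other CVE identifiers are placeholders, and the multiplier weights are assumptions to be tuned per environment.

```python
"""Risk-based vulnerability prioritization (added example, not Syxsense code)."""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the qualitative severity band (0.1-3.9 Low, ...)."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    cve: str
    cvss: float
    affected_hosts: int
    actively_exploited: bool = False   # e.g. listed in CISA's KEV catalog
    privilege_escalation: bool = False
    lateral_movement: bool = False
    asset_criticality: int = 1         # 1 = low, 2 = important, 3 = crown jewels


def risk_score(f: Finding, fleet_size: int) -> float:
    """Composite risk: CVSS is the baseline, environmental context multiplies it.

    The weights are assumptions chosen for illustration, not a published model.
    """
    score = f.cvss
    if f.actively_exploited:
        score *= 2.0                 # confirmed exploitation beats theoretical severity
    if f.privilege_escalation:
        score *= 1.5                 # foothold -> admin is the escalation the post warns about
    if f.lateral_movement:
        score *= 1.3
    score *= 1 + 0.5 * (f.asset_criticality - 1)    # 1.0x, 1.5x, 2.0x
    breadth = f.affected_hosts / fleet_size
    score *= 1 + breadth             # up to 2x when every host is affected
    return round(score, 2)


def prioritize(findings: list[Finding], fleet_size: int) -> list[Finding]:
    """Return findings ordered from highest to lowest composite risk."""
    return sorted(findings, key=lambda f: risk_score(f, fleet_size), reverse=True)


# Constructed sample findings for a hypothetical fleet of 1,000 hosts.
FLEET_SIZE = 1000
SAMPLE_FINDINGS = [
    # Placeholder CVE id: critical by CVSS, but not exploited and barely deployed.
    Finding("CVE-0000-0001", 9.8, affected_hosts=50),
    # Placeholder CVE id: medium by CVSS, but enables lateral movement fleet-wide.
    Finding("CVE-0000-0002", 5.5, affected_hosts=1000, lateral_movement=True),
    # From the page: 7.8 "high", later confirmed exploited, privilege escalation.
    Finding("CVE-2024-26169", 7.8, affected_hosts=800, actively_exploited=True,
            privilege_escalation=True, asset_criticality=2),
]


def ranked_cves() -> list[str]:
    """CVE ids in remediation order for the constructed sample."""
    return [f.cve for f in prioritize(SAMPLE_FINDINGS, FLEET_SIZE)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, FLEET_SIZE):
        print(f"{f.cve:16} CVSS {f.cvss:4} ({cvss_severity(f.cvss):8}) "
              f"risk {risk_score(f, FLEET_SIZE):6}")
```

Run as written, the 9.8 "critical" finding drops to the bottom of the queue while CVE-2024-26169 comes out on top, which is the ordering a purely CVSS-driven patch list would have inverted. The point of the multipliers is not their exact values but that exploitation evidence and escalation potential are inputs to the ranking at all.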

Syxsense: Tackle Lower Severity Vulnerabilities Easily with Proactive Management

At Syxsense, we understand the challenges you face. Our platform automates the entire vulnerability management lifecycle, from discovery to remediation. With Syxsense, you can:

  • Reduce Your Attack Surface: Quickly identify and prioritize vulnerabilities, including those sneaky lower severity ones that attackers love.
  • Accelerate Remediation: Automate patching processes to close vulnerabilities faster, minimizing your window of exposure.
  • Strengthen Your Security Posture: Gain a comprehensive view of your vulnerabilities and proactively address emerging threats.

Don’t let lower severity vulnerabilities become your downfall. Schedule a demo today to see how Syxsense can help you stay one step ahead of attackers.