Vulnerability detail

Tenable Blog · May 27, 2026

Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploitation, and organizational risk.Key takeawaysThe "patch everything" strategy is dead: Vulnerability prioritization based on exploitation risk offers a path forward. A directed graph model linking 600+ threat actors to vulnerabilities in 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary, and 321 tracked threat groups can reach at least one customer environment through an active vulnerability. Prevalence of "Elite Arsenal" CVEs requires immediate attention: The 242 "Elite Arsenal" CVEs — those meeting all three criteria of critical VPR (≥ 9), CISA KEV listing, and documented threat group exploitation — are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs. Non-CVE exposures are universally dangerous: Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them.While the first two posts in this blog series documented the accelerating vulnerability flood and the widening remediation gap, today we answer the outstanding question: Where do these forces actually collide inside customer environments? Using a directed graph model that maps more than 600 tracked threat groups to vulnerabilities observed across 7,800 organizations,...

Tenable Blog · Apr 25, 2025

Timely vulnerability remediation is an ongoing challenge for organizations as they struggle to prioritize the exposures that represent the greatest risk to their operations. Existing scoring systems are invaluable but can lack context. Here’s how Tenable’s Vulnerability Watch classification system can help.BackgroundOver the past six years working in Tenable’s research organization, I’ve watched known vulnerabilities and zero-day flaws plague organizations in the immediate aftermath of disclosure or even years afterwards. Following each blog post or threat report we’ve published, I kept coming back to the same question: Why are so many organizations struggling to remediate vulnerabilities in a timely manner?As someone who followed the evolution of COVID-19 variants throughout the beginning of the pandemic, I saw that the World Health Organization (WHO) began to label new variants under a classification system as the virus began to mutate. This classification system was designed to help prioritization efforts for monitoring and research. It included accessible labels like variants of interest and variants of concern to help communicate urgency and focus global attention.I began to wonder: What if we borrowed from the same type of classification system used by the WHO and applied it to vulnerability intelligence? Numeric-based systems like the Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) provide mechanisms for prioritization based on scoring. However, they don’t always provide enough context to help decision makers. So, what if we used simple, clear and status-based terminology to communicate risks surrounding vulnerabilities in order to guide action?This led us to develop Vulnerability Watch, a classification system for vulnerabilities inspired by the WHO’s classification of COVID-19 variants. Vulnerability Watch is a small, but important part of Tenable’s Vulnerability Intelligence offering that was launched in 2024. Now,…