Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses

Our telemetry data from the past two years shows the most widespread network attacks on SMBs are well-known older vulnerabilities.


When you hear phrases like “increasingly sophisticated cyber threats” or “the ever-evolving cyber threat landscape”, it’s easy to glean from that that the most pressing, dangerous threats must be unknown threats. And for many, this may be true. Unknown threats are dangerous because they’re new. We haven’t had years to study these threats, the way they’re used or the best defenses to combat them. But what if I told you that – for small businesses at least – the most likely attacks used against them are several years old or older?

That’s what our recent review of our telemetry data suggests. It appears that the most widely used network vulnerabilities on small- to medium-sized businesses (SMBs) are taking advantage of older vulnerabilities that have a large amount of publicly available information and primarily affect major vendors.

The Data

We looked at our IPS data from between January 2022 and March 2024 to find the top five most widespread network attacks used against SMBs, which you can see below.

Figure 1: Top 5 most widespread network attacks

When you take a deeper look, you can see that the “newest” vulnerability among these five is nearly three years old, with the oldest being ten years old, which is ancient in the modern cyber threat landscape.

What Does This Mean?

With the top five threats to SMBs ranging from three to ten years old, this means CISOs and other organizational cybersecurity leaders need to ensure that they’re assessing threats based on a healthy understanding of the risk landscape as it pertains to their own organizations. The buzz in cybersecurity is typically focused on new, scary threats, whether those be zero-day threats or AI-based threats, and those are concerning and need to be taken seriously. But this IPS data shows that SMBs need to also maintain focus on threats that we’ve seen before and have been seeing for years. It still pays dividends to spend time and resources protecting yourself from threats like Heartbleed and Log4j. For many SMBs, focusing on protecting your organization from those threats may be more valuable than worrying about the latest zero-day or AI threats.

Why Is This the Trend?

If patches exist for these older threats, it begs the question, why is this the trend? Like most humans, attackers are more likely to take the easiest path to obtain their end goal. This means that they’ll often test older attacks just to see if they work. And if it does, well, there you have it. Another factor to consider is that the longer a vulnerability has been around, the more time and research threat actors can put into perfecting these techniques. This means that, despite their age and available patches, they may still be more reliable attack methods than many newer threats. And, for smaller businesses especially, patching can be a struggle. In highly regulated industries like healthcare, finance and OT, what may be a simple patch for others could result in mission-critical systems becoming unusable or even require the purchase of a new device altogether. And that’s on top of other challenges SMBs face such as having the personnel in place to patch effectively to begin with.

What Can You Do?

The identification of a problem is key, but a solution is better.  Like many issues in cybersecurity, there isn’t one easy solution; however, we can take several steps to improve, starting with not ignoring what the data is indicating.  Notice two of the five identified vulnerabilities (Log4j and Heartbleed) are underlying library issues, in other words, part of the supply chain. What makes these so effective for attackers is that there are likely many places where a small business has no idea that they’re using these libraries. The hardest step is identification. Product security testing is a fantastic methodology and concept to help reduce this problem. By doing deep technical testing of the products you are or plan to use in your networks, you can seek out and possibly prevent these types of older underlying supply chain issues.

As resources are often the second largest issue which can lead to less effective patching, MSPs are a key difference maker in helping to elevate these issues for small businesses.  An MSP partner can remove the need to hire and train new employees and purchase expensive tools.  Many times, MSPs can very quickly set up automated patching in your environment and even perform product security testing where needed.

Prioritization Is Key

What this  boils down to is that leadership needs to properly prioritize threats and resources based on threat intelligence for their industry. You must understand the attacks, vulnerabilities and tactics that your enemies are using to exploit your organization and organizations like yours. You must also have a deep understanding of your own organization’s risk landscape to determine where attacks are most likely to come from. While some circumstances require the acceptance of risk, this should be used sparingly and only when a deep understanding of the risk to your organization is understood. Relying too heavily on industry best practices or any isolated factor could lead to an incomplete view of the risks associated with any vulnerability.

In order to stay ahead of nefarious actors in an increasingly dangerous world, you must focus on prioritization, and, to prioritize correctly, you have to know the biggest threats to you.

Douglas McKee
Executive Director, Threat Research | SonicWall
Douglas McKee is the Executive Director of Threat Research at SonicWall, where he and his team focus on identifying, analyzing and mitigating critical vulnerabilities through daily product content. He is also the lead author and instructor for SANS SEC568: Combating Supply Chain Attacks with Product Security Testing. Doug is a regular speaker at industry conferences such as DEF CON, Blackhat, Hardware.IO and RSA, and in his career has provided software exploitation training to many audiences, including law enforcement. His research is regularly featured in publications with broad readership, including Politico, Bleeping Computer, Security Boulevard, Venture Beat, CSO, Politico Morning eHealth, Tech Republic and Axios.