I frequently note that about 90% (sometimes I say 95%, as I think the former figure is conservative) of all Common Vulnerabilities and Exposures (CVE) identified in the National Vulnerability Database (NVD) are not exploitable in any given configuration.
I do so because it happens to be true but also because many security teams find themselves overwhelmed by the volume of CVEs detected by modern scanning tools. To address this problem, I have made some recommendations on how to evaluate and prioritize such findings.
With that said, sometimes people challenge my assertion about exploitability (some even implying I am insane for holding this position) or, more subtly, ask for a source for my information. Thus I thought it made sense to compile a list of studies backing up my claim. I have arrived at the 90% number through no scientific method but rather use it as a rough mental average of the figures listed in the various studies below.
Rezilion: "85% of Vulnerabilities Pose No Risk."
Dark Reading: "Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say."
Contrast Security: "Study Finds That Less Than 10% Of Application Code Is Active Third-Party Library Code."
Mend: "research shows that only 15% to 30% of vulnerabilities are indeed effective."
Kenna Security: "Even though 20% of published CVEs have a clear threat (either actively exploited in the wild or a published exploit exists), only about 5% of them represent real risk right now for most firms."
Forum of Incident Response and Security Teams: "2%-7% of published vulnerabilities are ever seen to be exploited in the wild."
Tenable: "more than 75% of all vulnerabilities with a [CVSS] score of 7 or above have never had an exploit published against them."
Please let me know if there are any other studies relevant to this topic, and I will include them. I will also keep my eyes peeled for future research on this topic (and will adjust my 90% number if I find anything greatly contradicting this figure).