An Analytical Study of Common Vulnerabilities and Exposures (CVE): Trends, Risks, and Mitigation Approaches
Abstract
Security flaws in software, which are catalogued as CVEs, are increasing every year. From 2018 to 2023, the number of CVEs reported grew by over 74%. In 2023 alone, almost 29,000 vulnerabilities were published, and around 36% of those were rated High or Critical in severity. More worrying is that many of these issues had already been fixed, yet attacks still happened: having a patch is not enough if it is not applied on time. This study set out to find why this is still happening and what can be done better. We worked with data from known security sources such as the NVD, CISA, and reports from Mandiant and others. The analysis was not limited to counting how many vulnerabilities appeared each year. We looked at how dangerous they were (using CVSS), how likely they were to be exploited (using EPSS), and how fast companies fixed them. We also looked at CWE categories to understand which types of flaws were common, such as memory-safety issues and SQL injection. Vendor data and average patch times were also included. The study found that in 2023, more than one-third of CVEs were critical or high risk. Attackers are also moving faster now, going from CVE disclosure to real attacks in just 22 days, compared to 45 days in 2018. About 70% of successful breaches happened through known flaws for which patches were already available. The worst types were memory bugs (CWE-787, CWE-416), input validation errors, and injection attacks. Microsoft, Apache, and Google were among the most targeted vendors. Some firms patched quickly, but the global average was still over 80 days. The biggest problem is not a lack of awareness; it is the delay in action, and that delay is what gives attackers the time they need. Using tools such as EPSS to identify which CVEs are most likely to be attacked can help, as can automated patching and better coding practices.
Fixing known issues quickly is the most effective step any organization can take to avoid serious security problems.
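The abstract recommends prioritizing remediation by likelihood of exploitation (EPSS) alongside severity (CVSS), and flags the gap between the 22-day exploitation window and the 80-day average patch time. The following is an added illustration, not code from the paper or its data set: it ranks a constructed list of vulnerability records (placeholder IDs, invented scores) by EPSS-weighted CVSS and flags items that have an available patch but have sat unpatched longer than the exploitation window reported in the abstract. The combination rule (CVSS multiplied by EPSS, overdue items first) is an assumption chosen for the example, not a method the paper describes.

```python
"""Risk-based CVE prioritization combining CVSS, EPSS and patch age.

Added example; not part of the paper. All records below are constructed
sample data with placeholder identifiers, not real vulnerabilities.
"""
from dataclasses import dataclass

# Thresholds quoted in the abstract: median disclosure-to-exploitation time
# in 2023 (22 days) and the global average time to patch (over 80 days).
EXPLOIT_WINDOW_DAYS = 22
AVERAGE_PATCH_DAYS = 80


@dataclass
class CveRecord:
    cve_id: str              # placeholder identifier (constructed)
    cvss: float              # CVSS base score, 0.0-10.0
    epss: float              # EPSS probability of exploitation, 0.0-1.0
    patch_available: bool    # vendor fix has been published
    days_since_disclosure: int
    patched: bool            # fix applied in our environment


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def risk_score(rec: CveRecord) -> float:
    """CVSS measures impact, EPSS measures likelihood; their product gives an
    expected-loss style ordering (assumed combination rule for this example)."""
    return round(rec.cvss * rec.epss, 3)


def overdue(rec: CveRecord) -> bool:
    """True when a fix exists, is not applied, and the disclosure is older than
    the exploitation window, i.e. attackers have likely had enough time."""
    return (not rec.patched) and rec.patch_available \
        and rec.days_since_disclosure > EXPLOIT_WINDOW_DAYS


def prioritize(records: list) -> list:
    """Return unpatched records, overdue ones first, then by descending risk."""
    open_items = [r for r in records if not r.patched]
    return sorted(open_items, key=lambda r: (overdue(r), risk_score(r)), reverse=True)


def summarize(records: list) -> dict:
    """Aggregate figures of the kind the abstract reports for a whole year."""
    total = len(records)
    high_or_critical = sum(1 for r in records if severity(r.cvss) in ("High", "Critical"))
    overdue_count = sum(1 for r in records if overdue(r))
    return {
        "total": total,
        "high_or_critical": high_or_critical,
        "pct_high_or_critical": round(100.0 * high_or_critical / total, 1),
        "overdue_known_fix": overdue_count,
    }


# Constructed sample inventory (IDs and scores are invented).
SAMPLE = [
    CveRecord("SAMPLE-0001", 9.8, 0.92, True, 40, False),   # critical, likely exploited, fix ignored
    CveRecord("SAMPLE-0002", 7.5, 0.05, True, 10, False),   # high but unlikely to be exploited, still in window
    CveRecord("SAMPLE-0003", 5.3, 0.60, False, 90, False),  # no vendor fix yet, cannot be "overdue"
    CveRecord("SAMPLE-0004", 9.1, 0.01, True, 100, True),   # already patched
    CveRecord("SAMPLE-0005", 4.0, 0.30, True, 30, False),   # medium, but past the exploit window
]

if __name__ == "__main__":
    for rec in prioritize(SAMPLE):
        flag = "OVERDUE" if overdue(rec) else "open"
        print(f"{rec.cve_id} {severity(rec.cvss):8} risk={risk_score(rec):6.3f} {flag}")
    print(summarize(SAMPLE))
```

Note that SAMPLE-0005, a Medium-severity item, outranks SAMPLE-0002 (High) because it has a fix available and has been exposed longer than the exploitation window; ordering by CVSS alone would invert that and leave the more exploitable flaw for later, which is exactly the delay the abstract identifies as the core problem.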
Publication Details
- Type of Publication:
- Conference Name: 7th International Conference on Integrated Sciences (ICIS) 2025
- Date of Conference: 25/10/2025 - 25/10/2025
- Venue: Eastern University Campus, Ashulia Model Town, Dhaka, Bangladesh
- Organizer: Eastern University, Bangladesh