Pentesters are now a CISO's best friend as critical vulnerabilities skyrocket
Attack surfaces are expanding rapidly, but pentesters are here to save the day


Often underestimated by CISOs, hardware and network vulnerabilities are on the rise as IoT proliferates and AI creates increasingly larger attack surfaces.
That’s according to an analysis by Bugcrowd, which found the last year has seen a massive 88% increase in hardware vulnerabilities and a doubling in network flaws.
In a new report, Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World, the firm said that 81% of security researchers had encountered new hardware vulnerabilities in the past 12 months.
Bugcrowd pointed to a 40% rise in broken access control vulnerabilities as a key factor behind rising threats. Meanwhile, sensitive data exposure was another problem area, with a 42% increase in critical vulnerabilities tied to personal information like names, addresses, and account details.
"We are in a high-stakes innovation race, but with every AI advance, the security landscape becomes exponentially more complex," said Nick McKenzie, Bugcrowd CISO. "Attackers are exploiting this complexity, but still targeting foundational layers like hardware and APIs."
The good news is that the number of critical vulnerabilities has gone down slightly year-over-year. The number of critical flaws in API targets fell by about 25%, for example, while vulnerabilities in website targets decreased by 30%.
There was a slight rise in critical vulnerabilities for Android, hardware, iOS, and network targets. Of these, broken access control is now the top category at 36%.
However, there's also been a 42% increase in sensitive data exposure and a 10% increase in API vulnerabilities as attack surfaces expand. Network vulnerabilities doubled, according to the report.
Pentesters are having a field day
This increasingly perilous threat landscape has sparked a boom time for ethical hackers and pentesters, the report noted. Across 2024, there was a 32% increase in average bug bounty payouts for critical vulnerabilities.
Bugcrowd said enterprises are focusing on critical vulnerability payouts, paying more for P1 vulnerabilities and less for P3, P4, and P5 vulnerabilities.
Despite this helping hand, CISOs are still contending with heavy workloads and growing challenges. With applications going through multiple development cycles and teams under immense pressure to release features quickly, this is creating a frantic environment where mistakes are made.
New attack vectors and often-forgotten targets like APIs and hardware are typically among those overlooked.
With this in mind, Bugcrowd said organizations should consider adding APIs and hardware to the scope of their offensive security testing programs.
They should also adopt an integrated approach to attack surface intelligence - which, the firm noted, would help to secure budgets by showing measurable improvements in security efficiency.
Naturally, the company urged enterprises to make better use of ethical hackers, pentesters, and red teamers for offensive security training.
“By using adversarial testing and objective measurement, security leaders can shift from reactive firefighting to building true resilience,” said Trey Ford, chief strategy and trust officer at Bugcrowd.
“Ultimately, this enables CISOs to confidently articulate their security story and secure resources necessary to protect their organizations.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.