Businesses are taking their eye off the ball with vulnerability patching
Most exploitable vulnerabilities go unresolved, according to new research
Security leaders are overconfident in their organization’s security posture while allowing vulnerability patching to fall by the wayside, new research suggests.
According to penetration testing firm Cobalt’s 2025 State of Pentesting Report, only 48% of exploitable vulnerabilities uncovered during penetration testing are fixed – although this increases to 69% for those with a severity rating of high or critical.
Of particular concern is an apparent blind spot when it comes to AI applications. Of the firms surveyed, 95% had performed penetration testing on their generative AI apps in the last year, and 32% of those found vulnerabilities rated high or critical.
These include risks of prompt injection, model manipulation, and data leakage.
Despite this – and despite 72% of respondents ranking AI attacks as their number one concern – only 21% of these high-risk vulnerabilities were patched following their discovery.
Additionally, while 81% of security leaders surveyed said they are confident in their organization’s security posture, this bumps up against cold reality when only 50% said they fully trust they can identify and prevent a vulnerability from their software suppliers.
AI security is a growing area of concern for IT and business leaders. Concerns have been raised about the use of AI-generated code, the use of ‘shadow AI’, and data privacy compliance – particularly in the public sector.
Gunter Ollman, CTO of Cobalt, struck a fairly sanguine tone over the findings, saying: “It’s a concern that 31% of serious vulnerabilities are not being fixed; however, at least these firms are aware of the problem and can develop strategies to mitigate the risk.”
Ollman added: "Organizations that do take an offensive security approach are ... getting ahead of any compliance requirements and reassuring their customers that they’re safe to do business with.”
This may be cold comfort for the 52% of respondents who said they were being pressured to support speed at the cost of security, however.
Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.