Decoding CISA Known Exploited Vulnerabilities

CSW Analysis: Top Scanners Missed Vulnerabilities Tied to Ransomware in 2021

Posted on Feb 4, 2022 | By Pavithra Shankar

Our Ransomware Spotlight Report 2022 revealed that 288 vulnerabilities were linked to ransomware threat groups in 2021, marking a 29% surge from 2020. Cyber Security Works researchers analyzed the data further by comparing the CVEs with some of the popular scanners (Nessus, Qualys, and Nexpose) and observed that they missed detecting 21 vulnerabilities tied to ransomware strains.


Clearly, this demonstrates that even when a scanning script is available, it is difficult to discern whether it generates reliable scan outcomes. Read on to know more about our analysis and download the necessary patches.


Attack Surface

When analyzing the vulnerabilities that were missed by popular scanners, we found that -

  • 21 vulnerabilities weaponized with ransomware strains missed scanner detection.

  • Two of the CVEs have known exploits, which are classified under Remote Code Execution and Web Application exploit categories.

  • CVE-2019-13608 and CVE-2019-16920 are red-flagged by CISA (1, 2) and NSA (2).

  • CVE-2010-1592 and  CVE-2019-16920 are associated with APT41 and Slingshot threat groups.

  • There are five CVEs that remain unpatched.

CSW security experts have called out six of these 21 vulnerabilities in our blogs. Considering our multiple warnings, users are recommended to patch these vulnerabilities immediately.

Old Vulnerabilities

20 out of 21 vulnerabilities missed by the scanners are old vulnerabilities ranging from the year 2010 to 2019, approximately covering a decade of flaws. Seven CVEs are classified as critical, five CVEs as high, and five are of medium severity.


The purpose of a vulnerability scanner is to detect and fix vulnerabilities before they are exploited. Despite the fact that prominent ransomware groups are associated, there are a number of old vulnerabilities that remain unpatched for almost a decade, and popular scanners are still oblivious to them. We recommend organizations to patch these vulnerabilities immediately and urge vendors to push fixes for the unpatched ones as soon as possible.

CWE Analysis

When analyzed based on the weaknesses in code, we noticed that 85% of the scanner missed vulnerabilities are categorized under 2021 CWE Top 40 Most Dangerous Software Weaknesses published by MITRE.


  • CWE-79 is the most exploited weakness with 66% of CVEs, ranking second in the most dangerous software weaknesses of 2021.

  • 24% of CVEs are classified under CWE-78, ranking fifth amongst the most dangerous software weaknesses of 2021.

  • 10% of these CVEs are not assigned with a CWE identifier. These are old vulnerabilities from the years 2015 and 2017.

  • 81% of these CVEs are categorized under OWASP CWE Top 10:2021.


Note: OWASP Top 10 CWE Category | Top 25 Software Weaknesses by MITRE


Affected Products

We next analyzed the products vulnerable to these scanner-missed vulnerabilities tied to ransomware and found a total of 16 vendors affected by these CVEs. Further, we observed that 19% of CVEs impact Qnap, followed by IBM, Dlink, and Gigabyte with 10% each. 

Threat Associations

Many organizations tend to focus on new vulnerabilities, however, our analysis shows that even old vulnerabilities from 2010 are still being used for ransomware campaigns.  Around 95% of the vulnerabilities missed by popular scanners were from 2010 to 2019 (20 out of 21), and four of the vulnerabilities remained trending for the past 30 days.


Our report identified 58 unique ransomware families associated with these vulnerabilities. Alarmingly, none of the popular scanners could identify these vulnerabilities, despite their ransomware association and their longevity. 


  • CVE-2013-0322 has the highest count of 32 different ransomware families associated with it. This flaw exists in Ubercart and Drupal and has a patch available.

  • Two CVEs (CVE-2010-1592 and CVE-2019-16920) are associated with APT41 and Slingshot threat groups.


A note of interest is that CVE-2015-2551 is a rejected CVE by NVD belongs to the 17 ransomware families without a patch and is ranked second on the list.  


Adopt Risk-based Vulnerability Management Strategy!

Vulnerability scanning relies only on known vulnerability databases and the downside with outdated scanners is that you may be liable to miss vulnerabilities and get a false sense of security. These scanner-missed vulnerabilities tied to ransomware pose a critical security threat to multiple organizations. Therefore, patching them immediately should be your top priority.


We suggest organizations to adopt Vulnerability Management as a Service (VMaaS), which provides comprehensive coverage across your entire IT environment, detecting, prioritizing, and resolving vulnerabilities in your organization's infrastructure.


Check out our Ransomware Spotlight Report 2022 to download the patches.

CSW’s in-depth research helps organizations become more resilient against ransomware. We recommend organizations to download our Ransomware Spotlight 2022 report to build a continuous and risk-based vulnerability management strategy.



Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!


Secure your environment from cyber-attacks!

Know How