Businesses are taking their eye off the ball with vulnerability patching

Security leaders are overconfident in their organization’s security posture while allowing vulnerability patching to fall by the wayside, new research suggests.
According to penetration testing firm Cobalt’s 2025 State of Pentesting Report, only 48% of exploitable vulnerabilities uncovered during penetration testing are fixed – although this increases to 69% for those that have a severity rating of high or critical.
Of particular concern is an apparent blind spot when it comes to AI applications. Of the firms surveyed, 95% had performed penetration testing on their generative AI apps in the last year, of which 32% found vulnerabilities with a rating of high or critical.
These include risks of prompt injection, model manipulation, and data leakage.
Despite this – and despite 72% of respondents ranking AI attacks as their number one concern – only 21% of these high-risk vulnerabilities were patched following their discovery.
Additionally, while 81% of security leaders surveyed said they are confident in their organization’s security posture, this bumps up against cold reality when only 50% said they fully trust they can identify and prevent a vulnerability from their software suppliers.
AI security is a growing area of concern for IT and business leaders. Concerns have been raised about the use of AI-generated code, the use of ‘shadow AI’, and data privacy compliance – particularly in the public sector.
Gunter Ollmann, CTO of Cobalt, struck a fairly sanguine tone over the findings, saying: “It’s a concern that 31% of serious vulnerabilities are not being fixed; however, at least these firms are aware of the problem and can develop strategies to mitigate the risk.”
Ollman added: “Organizations that do take an offensive security approach are … getting ahead of any compliance requirements and reassuring their customers that they’re safe to do business with.”
This may be cold comfort for the 52% of respondents who said they were being pressured to support speed at the cost of security, however.