{"id":4650,"date":"2026-02-27T08:38:44","date_gmt":"2026-02-27T08:38:44","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/02\/27\/exploitable-vulnerabilities-present-in-87-of-organizations\/"},"modified":"2026-02-27T08:38:44","modified_gmt":"2026-02-27T08:38:44","slug":"exploitable-vulnerabilities-present-in-87-of-organizations","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/02\/27\/exploitable-vulnerabilities-present-in-87-of-organizations\/","title":{"rendered":"Exploitable Vulnerabilities Present in 87% of Organizations"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Eighty-seven percent of organizations have at least one exploitable software vulnerability in production, affecting 40% of all services, a new report from Datadog has revealed.<\/p>\n<p>The observability and security specialist revealed the findings in its <em>State of DevSecOps Report<\/em>, which is based on telemetry from tens of thousands of applications and additional datasets.<\/p>\n<p>It noted that vulnerabilities are most common in Java services (59%), followed by .NET (47%) and Rust (40%).<\/p>\n<p>However, not all CVEs need prioritizing. 
Datadog claimed that only 18% of critical dependency vulnerabilities stay critical after adjusting the severity score according to runtime and CVE context.<\/p>\n<p>This is most common in .NET environments: Datadog said that 98% of .NET dependency vulnerabilities are downgraded from critical once context is considered.<\/p>\n<p>By context, it means whether the vulnerability is in production, whether the affected service is under active attack, the availability of an exploit, and the likelihood of exploitation.<\/p>\n<p><em>Read more on open source vulnerabilities: Researchers Uncover 454,000+ Malicious Open Source Packages.<\/em><\/p>\n<p>\u201cWhen almost everything is labeled \u2018critical,\u2019 nothing is,\u201d argued Andrew Krug, head of security advocacy at\u00a0Datadog.<\/p>\n<p>\u201cTeams get paged for noise while threats that pose\u00a0real\u00a0risk slip through. Without context, prioritization becomes harder \u2013 leading to burnout, slower response times and accumulated risk. Teams need better visibility into what\u00a0<em>actually<\/em>\u00a0requires action.\u201d<\/p>\n<h2><strong>Update Quickly, but Not Too Quickly<\/strong><\/h2>\n<p>The report also revealed security risks at both ends of the software lifecycle.<\/p>\n<p>The median software dependency is now 278 days out of date \u2013 63 days\u00a0more than last year\u2019s figure. 
Java (492 days) and Ruby (357) dependencies fared even worse.<\/p>\n<p>This matters because older versions are more likely to have more vulnerabilities, the report claimed.<\/p>\n<p>Broken down by service, libraries published in 2025 have on average 1.3 vulnerabilities, compared to 1.9 in 2024 and 3.8 in 2023.<\/p>\n<p>However, updating dependencies too quickly could also land developers in trouble.<\/p>\n<p>The report found that half of organizations (50%) adopt new library versions within 24 hours of release, and only 4% pin all public GitHub Actions to a specific version using commit hashes.<\/p>\n<p>This unwittingly exposes build and deployment pipelines to silent changes in third-party code, Datadog claimed.<\/p>\n<p>Supply chain attacks like s1ngularity and Shai-Hulud spread in part due to DevOps teams using malicious versions of libraries as soon as they were released, the report noted. To mitigate this risk, Datadog recommended pinning dependency versions to a full-length commit Secure Hash Algorithm (SHA).<\/p>\n<p>Krug argued that security practices haven\u2019t kept pace with the way software is built today.<\/p>\n<p>\u201cDevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code,\u201d he added.<\/p>\n<p>\u201cThe real challenge, though, isn\u2019t speed \u2013 it\u2019s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.\u201d<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Eighty-seven percent of organizations have at least one exploitable software vulnerability in production, affecting 40% of all services, a new report from Datadog has revealed. The observability and security specialist revealed the findings in its State of DevSecOps Report, which is based on telemetry from tens of thousands of applications and additional datasets. 
It noted<\/p>\n","protected":false},"author":2,"featured_media":4651,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4650","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4650-5c906fee-8398-42b2-8f7b-0771aa9119ef-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4650","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4650"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4650\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4651"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}