Saved in:
Bibliographic Details
Main Authors: Sinterhauf, Lena, Aßmuth, Andreas, Kaltefleiter, Roland
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.20765
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908987309424640
author Sinterhauf, Lena
Aßmuth, Andreas
Kaltefleiter, Roland
author_facet Sinterhauf, Lena
Aßmuth, Andreas
Kaltefleiter, Roland
contents Critical vulnerabilities with Common Vulnerability Scoring System scores of 9.0 or higher pose severe risks to organisations' information systems. Timely detection and remediation are essential to minimise economic and reputational damage from cyberattacks. This paper provides a thorough analysis of the identification and resolution timelines of such critical vulnerabilities. A mixed-methods approach is employed, integrating quantitative data from global vulnerability databases analysing 245,456 Common Vulnerabilities and Exposures records spanning from 2009 to 2024, of which 12.8 % were critical, with qualitative case studies of notable incidents. This methodical combination of quantitative and qualitative data sources enables the identification of patterns and delay factors in vulnerability management. The findings indicate significant delays in public disclosure and patch deployment, influenced by industry-specific factors, resource availability and organisational processes. The paper concludes with a series of actionable recommendations to improve the efficiency of vulnerability responses. Despite faster disclosure, the remediation gap for critical vulnerabilities remains a systemic risk, driven by organisational inertia and system complexity.
format Preprint
id arxiv_https___arxiv_org_abs_2604_20765
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle CVEs With a CVSS Score Greater Than or Equal to 9
Sinterhauf, Lena
Aßmuth, Andreas
Kaltefleiter, Roland
Cryptography and Security
Critical vulnerabilities with Common Vulnerability Scoring System scores of 9.0 or higher pose severe risks to organisations' information systems. Timely detection and remediation are essential to minimise economic and reputational damage from cyberattacks. This paper provides a thorough analysis of the identification and resolution timelines of such critical vulnerabilities. A mixed-methods approach is employed, integrating quantitative data from global vulnerability databases analysing 245,456 Common Vulnerabilities and Exposures records spanning from 2009 to 2024, of which 12.8 % were critical, with qualitative case studies of notable incidents. This methodical combination of quantitative and qualitative data sources enables the identification of patterns and delay factors in vulnerability management. The findings indicate significant delays in public disclosure and patch deployment, influenced by industry-specific factors, resource availability and organisational processes. The paper concludes with a series of actionable recommendations to improve the efficiency of vulnerability responses. Despite faster disclosure, the remediation gap for critical vulnerabilities remains a systemic risk, driven by organisational inertia and system complexity.
title CVEs With a CVSS Score Greater Than or Equal to 9
topic Cryptography and Security
url https://arxiv.org/abs/2604.20765