The average software container has 604 known vulnerabilities in its underlying software components, a new study claims, with over 45% of these vulnerabilities being 2 to 10-plus years old. According to new research by NetRise, 7.9% of vulnerabilities encountered by the cybersecurity firm were over five years old, while 4.2% of vulnerabilities deemed ‘Critical’ or ‘High’ were additionally classified as ‘weaponised’ and actively exploited in real-world attacks.

“The adoption of container technology is rapidly growing, largely because it is lightweight and easy to manage,” said NetRise’s CEO Thomas Pace. “However, while containers have changed how many modern applications are designed, deployed, and managed, they appear to be among the weakest cybersecurity links in the software supply chain.”

Containers: A growing risk in software supply chains

NetRise’s research underscores the complexity of containerised software, with each container image analysed containing an average of 389 software components. Alarmingly, 12.4% of components lacked essential metadata, or manifests, which provide crucial details like dependencies and version numbers. These “manifestless” components hinder traditional scanning tools, leaving organisations with visibility gaps that could be exploited by threat actors. Additionally, 4.8 misconfigurations per container were found on average, with common issues including 146 directories with overly permissive permissions and an average of 19.5 unique usernames per container, increasing the attack surface for potential breaches. Further analysis revealed that 28% of containers had configurations that could allow root access, amplifying risks to sensitive data.

NetRise utilised an advanced Software Bill of Materials (SBOM) approach, generating detailed SBOMs for 70 randomly selected container images from Docker Hub’s most downloaded repositories. This method enabled the firm to identify all software components within each container, including third-party libraries and dependencies. The study’s risk assessment evaluated both known vulnerabilities (CVEs) and non-CVE risks, such as outdated components and misconfigurations. Vulnerability prioritisation was carried out using Common Vulnerability Scoring System (CVSS) rankings, focusing on weaponised vulnerabilities that are actively exploited in the wild.

Despite these vulnerabilities, container usage continues to rise. A 2022 Anchore survey, cited in the study, found that 88% of enterprises plan to expand container adoption within two years, with 31% expecting significant growth. However, security concerns are influencing deployment strategies. A 2024 Red Hat study revealed that 67% of organisations have delayed or slowed down application deployments due to container security issues.

The study also emphasised how traditional tools often fail to address the full range of risks associated with containerised software. NetRise found that 3,390 out of 27,261 analysed components were “manifestless,” posing a critical gap in visibility that complicates compliance and auditing efforts. This lack of transparency makes it difficult to identify non-CVE vulnerabilities.

The NetRise study stresses the importance of adopting advanced SBOM practices to improve visibility into containerised software components. By generating detailed SBOMs, organisations can better manage risks associated with 16,557 identified CVEs across the analysed containers. The study also recommended the integration of automated tools for detecting outdated components, misconfigurations, and potential security flaws that may not yet be disclosed publicly. Furthermore, it highlighted that 40.9% of CVEs were categorised as Critical or High severity, underscoring the need for immediate remediation efforts. Advanced threat intelligence systems can provide actionable insights to help organisations prioritise vulnerabilities more effectively.

Read more: Cybersecurity flaw in Nvidia Container Toolkit affects cloud and AI systems, warns Wiz