Report: 35% of educational institutions have a SQLi vulnerability

According to a new study by Invicti Security, 35% of educational institutions and 32% of government organizations were found to be vulnerable to SQL injection (SQLi) in 2021. SQLi, a type of web vulnerability that allows malicious actors to modify or replace queries an application sends to its database, is especially threatening to these sectors because it has the potential to expose deeply personal information that attackers can use to assume identities. 

Although these sectors were among the worst-affected categories analyzed, they were by no means anomalous. Despite being one of the oldest vulnerability types and having multiple well-known mitigation methods, 21% of organizations across all industries were vulnerable to SQLi attacks last year.

These findings highlight a much larger trend: direct-impact vulnerabilities are not reducing in frequency. Remote code execution (RCE), cross-site scripting (XSS) and SQL injection each saw increases in frequency or hovered around the same alarming numbers year-over-year, presenting a significant threat to organizations.

Remote code execution (RCE), the ultimate goal of any cyberattacker and the vector behind last year’s Log4Shell disaster, has risen by over 5% since 2018. Cross-site scripting (XSS, which is low-impact but can open the door to sensitive data exposure) saw small signs of improvement in 2020 only to come roaring back with a 6% uptick in 2021. These trends were echoed throughout the report findings, revealing a worrying state of affairs for our national cybersecurity posture. 

However, the growing abundance of effective cybersecurity strategies and scanning technologies is cause for optimism. With adequate security measures in place, these persistent threats become less frequent and it’s easier to close skills gaps that are inherent to continued talent shortages in cybersecurity.

The Spring 2022 Edition of the Invicti AppSec Indicator analyzed web vulnerabilities from over 939 customers worldwide. The sample was derived from Invicti’s largest data set ever, representing more than 23 billion security checks, which uncovered over 282,000 direct-impact vulnerabilities.

Read the full report by Invicti Security.