TL;DR: Across major incident reports, exploited vulnerabilities repeatedly lead to credential theft, malicious account creation, lateral movement, and privilege escalation, showing that initial access rarely stays isolated from identity risk, according to Hydden’s analysis of 2023 and 2024 CVE datasets. Vulnerability management and identity governance now need to be treated as one operating problem, not separate queues.
NHIMG editorial — based on content published by Hydden: Exploited vulnerabilities and identity risk in 2023 and 2024 CVE data
By the numbers:
- In 66% of these CVEs, we observe direct credential theft occurring on the exploited device or the installation of additional tools to steal credentials.
- In 46% of these CVEs, we observe threat actors leveraging built-in commands or installing third-party tools to perform AD reconnaissance operations on victim networks.
- In 40% of these CVEs, we found documented evidence of new accounts being created on the exploited device by threat actors.
Questions worth separating out
Q: What breaks when a vulnerability exploit reaches identity stores or cached credentials?
A: Once exploitation reaches identity stores or cached credentials, the incident stops being a software flaw and becomes an access problem.
Q: Why do exploited systems create more identity risk than patching teams usually expect?
A: Exploited systems often hold credentials, privileged accounts, or trust relationships that are more valuable than the original flaw.
Q: How can security teams tell whether exploit activity has become an identity incident?
A: Look for account creation, privilege changes, anomalous administrative tools, directory reconnaissance, or sudden credential rotation needs on the affected host.
Practitioner guidance
- Correlate vulnerability response with identity revocation: When a public-facing system is exploited, review local accounts, service credentials, API keys, and session tokens on that host before declaring containment complete.
- Monitor account creation and deletion on critical systems: Alert on new accounts, privilege changes, and account removal on network, edge, and application servers, because those events often follow exploitation.
- Inventory identities on every exploitable system: Build a complete list of local, federated, and non-human identities on internet-facing and privileged systems so exploit response can include the right revocation steps.
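The guidance above amounts to a correlation rule: once a host is confirmed exploited, identity events on that host inside the response window are incident signals, and containment is not complete while any remain. The following is an added example (not Hydden's or NHIMG's code) that runs that rule over constructed Windows Security audit records; the hostnames, times, account names and the small reconnaissance-binary watchlist are assumptions, while the event IDs (4720, 4726, 4728, 4732, 4688) are standard Windows audit IDs.

```python
from datetime import datetime, timedelta

# Constructed sample data: one host confirmed exploited, plus audit events
# from that host and from an unrelated host. All names and times are made up.
EXPLOITED = {"edge-vpn-01": datetime(2024, 5, 2, 9, 15)}

EVENTS = [
    {"host": "edge-vpn-01", "time": datetime(2024, 5, 2, 9, 40), "id": 4688,
     "process": "C:\\Windows\\System32\\nltest.exe"},
    {"host": "edge-vpn-01", "time": datetime(2024, 5, 2, 10, 5), "id": 4720,
     "target": "svc_backup2"},
    {"host": "edge-vpn-01", "time": datetime(2024, 5, 2, 10, 6), "id": 4732,
     "target": "svc_backup2", "group": "Administrators"},
    {"host": "edge-vpn-01", "time": datetime(2024, 5, 5, 8, 0), "id": 4726,
     "target": "tmp_user"},                # after the window: not correlated
    {"host": "hr-app-02", "time": datetime(2024, 5, 2, 10, 7), "id": 4720,
     "target": "newhire"},                 # host not exploited: ignored
]

# Identity-relevant audit events the page says tend to follow exploitation.
IDENTITY_EVENTS = {
    4720: "account created",
    4726: "account deleted",
    4728: "member added to global group",
    4732: "member added to local group",
}
# Assumed watchlist of directory-reconnaissance binaries (not from the page).
RECON_BINARIES = {"nltest.exe", "dsquery.exe"}


def identity_signals(exploited, events, window=timedelta(hours=48)):
    """Return {host: [signal, ...]} for identity events on an exploited host
    that occur within `window` after its confirmed exploitation time."""
    findings = {}
    for ev in events:
        start = exploited.get(ev["host"])
        if start is None or not (start <= ev["time"] <= start + window):
            continue
        if ev["id"] in IDENTITY_EVENTS:
            signal = f"{IDENTITY_EVENTS[ev['id']]}: {ev.get('target')}"
        elif ev["id"] == 4688 and ev["process"].rsplit("\\", 1)[-1].lower() in RECON_BINARIES:
            signal = f"directory reconnaissance: {ev['process']}"
        else:
            continue
        findings.setdefault(ev["host"], []).append(signal)
    return findings


def containment_complete(host, exploited, events):
    """Containment is not complete while post-exploit identity signals remain."""
    return host not in identity_signals(exploited, events)
```

The deleted-account event three days later is deliberately left outside the window to show that the correlation is time-bounded; widen `window` to match your own response SLA.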
What's in the full report
Hydden's full blog post covers the operational detail this post intentionally leaves for the source:
- The CVE-by-CVE evidence trail showing which post-exploit identity impacts appeared in each dataset.
- The appendix methodology for how the 2023 and 2024 vulnerability samples were selected and analysed.
- The examples of account creation, credential dumping, and AD reconnaissance that support the identity-risk conclusion.
- The dataset tables mapping CVEs to downstream identity effects and observed attacker behaviour.