There were 5,501 vulnerabilities aggregated by Risk Based Security’s VulnDB that were disclosed during the first three months of 2019. This represents a 1% increase over the same period in 2018, making this Q1 an all-time high. The results were released in the Q1 2019 Vulnerability QuickView Report.
CVSSv2 scores of 9.0+, deemed critical issues, accounted for 14.0% of all published Q1 2019 vulnerabilities.
Risk Based Security’s VulnDB published 2,539 (85%) more vulnerabilities than CVE/NVD in the first quarter. 45.8% of the vulnerabilities not published by NVD/CVE have a CVSS score of either 7.0 – 8.99 (high) or 9.0 – 10.0 (critical).
“This continues to illustrate the need for a comprehensive vulnerability intelligence feed and a mature process that can quickly determine the true risk and lead the organization to address issues in a risk-based methodology,” commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.
Just over half of all reported vulnerabilities in Q1 2019 have a remote attack vector, followed by almost a third with a user-assisted or context-dependent attack vector. Unlike previous quarters, over 13% of the reported vulnerabilities require local access to a system or device.
While many are quick to dismiss local attacks as less risky, the increasing use of virtual technology and mobile devices may give an attacker a foothold on a device, making local privilege escalation attacks more worrisome.
“The year-after-year increase in vulnerabilities being disclosed is clear, but there is no better example of the growing threats than this: in the last 24 hours, while finishing the Q1 2019 report, we pushed 241 new vulnerabilities to VulnDB,” commented Martin.
“That should be an eye-opener and a serious concern to any organization, regardless of size or industry.”