CVE count set to rise by 25% in 2024

The report from Coalition indicates an anticipated 25% rise in the total count of published common vulnerabilities and exposures (CVEs) for 2024, reaching 34,888 vulnerabilities, equivalent to approximately 2,900 per month.

Sharp CVE increase heightens software vulnerability concerns

Vulnerabilities are one of the top three vectors ransomware actors use to compromise victims, making it essential to understand their impact. Vulnerabilities are primarily tracked as CVEs, although some may have an incorrect or nonexistent CVE identifier.

The sharp spike in CVEs has led to an increased focus on identifying vulnerable software from both threat actors seeking a means of ingress and defenders trying to protect against exploitation.

The number of vulnerabilities continues to grow exponentially, with thousands announced each month. Unfortunately, businesses tend to optimize for growth, not cyber risk management, and many security and IT teams are stretched thin.

“New vulnerabilities are published at a rapid rate and growing. With an influx of new vulnerabilities, often sprouting via disparate flagging systems, the cyber risk ecosystem is hard to track. Most organizations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk,” commented Coalition’s Head of Research, Tiago Henriques.

“In today’s cybersecurity climate, organizations can’t be expected to manage all of the vulnerabilities on their own; they need someone to manage these security concerns and help them prioritize remediation,” Henriques continued.

Zero-day vulnerabilities have received significant attention over the last year, but the Citrix Bleed vulnerability reminds us that many threat actors still build exploits for vulnerabilities where the vendor has already issued a patch.

Published CVEs lack timely scoring, leaving defenders vulnerable to exploits

Defenders need a timely, objective method for scoring vulnerabilities. In many cases, exploits are already available to threat actors before a CVE is published, which means threat actors often have a head start on defenders.

For a significant minority, exploits became publicly available before the CVE was published. An even higher fraction had exploits privately available before publication.

The delay in CVE scoring often means that defenders face two uphill battles regarding vulnerability management. First, they need a prioritization method to determine which of the thousands of CVEs published each month they should patch first. Second, they must patch these CVEs before a threat actor leverages them to target their organization.

Honeypot data

Unique IP addresses scanning for remote desktop protocol (RDP) increased by 59%. This is particularly concerning because Coalition data also reveals that businesses with RDP exposed to the internet are the most likely to experience a ransomware event.

Scans found that around 10,000 businesses are running the end-of-life (EOL) database Microsoft SQL Server 2000, and over 100,000 businesses are running EOL Microsoft SQL servers.

While honeypots provide a wealth of information on threat actor behavior, they also create a great deal of noise. One of the core problems with identifying the needle in the haystack of honeypot data is the volume of benign traffic, which makes determining malicious traffic challenging. Honeypot (sensor) activity spiked by 1,000% 16 days before Progress Software issued its MOVEit security advisory.

“MDR can reduce attack response time by 50% or more – a massive impact to help protect businesses from cyber threats,” said John Roberts, GM, Security, at Coalition.

“We’re at the point where just setting and forgetting a technology solution is not enough anymore, and experts need to be involved in vulnerability and risk management. With MDR, after technology detects suspicious activity, human experts can intervene in numerous ways, including isolating impacted machines or revoking privileges,” Roberts concluded.