CVE volumes set to increase 25% this year

The number of reported CVEs is likely to grow significantly in 2024, hitting a new high of almost 35,000 vulnerabilities, according to Coalition, a cyber insurance specialist

Alex Scroxton,
Security Editor

Published: 21 Feb 2024 19:29

The total number of Common Vulnerabilities and Exposures (CVEs) reported in IT hardware and software products and services looks set to continue to grow in 2024, according to new figures published by active cyber insurance specialist Coalition, which predicts CVE volume will increase by 25% to 34,888 vulns, approximately 2,900 every month.

CVE’s are the unique identifiers attached to newly-disclosed security flaws, including zero-days. They follow the same format, CVE-2024-XXXXX, where the first set of digits represents the year, and the second a number assigned out of a block.

The CVE programme is overseen out of the US by the MITRE Corporation, with support from the Cybersecurity and Infrastructure Security Agency (CISA), but MITRE does not always assign CVE numbers, this is more usually done by a CVE Numbering Authority (CNA), of which there are many, including suppliers such as Cisco, IBM, Microsoft or Oracle, and security firms and researchers.

The system is designed to give security pros and defenders a quick, easy and reliable way to recognise vulnerabilities, and for the security community, helps coordinate the development of patches and other solutions.

However, the system is not perfect. The number of CVEs is growing exponentially and security teams are stretched thin enough as it is, added to which the system is not equipped to highlight practical real-world exploitation, so users must often rely on researchers and media coverage of “celebrity CVEs” – such as those behind the MOVEit incident or Citrix Bleed – to make sense of such issues.

“New vulnerabilities are published at a rapid rate and growing. With an influx of new vulnerabilities, often sprouting via disparate flagging systems, the cyber risk ecosystem is hard to track. Most organisations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk,” said Tiago Henriques, head of research at Coalition.

“In today’s cyber security climate, organisations can’t be expected to manage all of the vulnerabilities on their own; they need someone to manage these security concerns and help them prioritise remediation.”

Coalition said there were a number of drivers contributing to the surge of vulnerabilities. These include the commercialisation and professionalisation of cyber criminal activity, and the ever-growing use of underground forums where exploit kits, credentials and access to compromised networks are sold.

There has also been an increase in the number of CNAs, which has increased the number of vulnerabilities noted.

Additionally, the growing popularity of bug bounty programmes may also be having an impact, as ethical hackers are incentivised to look for problems that may otherwise go unnoticed.

Coalition noted that the growing number of vulns was also leading to an increased focus on finding new ones among threat actors.

All this is adding up to a headache for, security teams, being frequently under-resourced as it is, as one cannot possibly expect them to respond to up to 3,000 issues every month

Coalition claims its breadth of data it collects from around the web, including a network of honeypots, enables it to make sense of cyber risk and share actionable insights with both its customers and the security community.

It has also developed its own exploit scoring system which it hopes will ease some of the pressure and enable its policyholders to adopt a more risk-based, prioritised approach to their unique vulnerability profile, rather than patching in a blind panic on the second Tuesday of the month.

MDR: An early warning system for defenders

Coalition’s report additionally highlighted how its network of honeypots and other threat tracking tools has become particularly adept at spotting threat actor exploitation of impactful CVEs before they are disclosed.

The firm said that in the case of CVE-2023-34362, which led to the mass abuse of Progress Software’s MOVEit managed file transfer tool by the Clop/Cl0p ransomware gang beginning at the end of May 2023, its honeypot network identified activity targeting MOVEit over a fortnight before Progress Software issued its first advisory.

It said such events, such as MOVEit, but also Citrix Bleed, could very well have been much less problematic than they were had more organisations had dedicated managed detection and response (MDR) solutions in place.

Coalition general manager for security, John Roberts, said he believed MDR could reduce attack response time by half.

“We’re at the point where just setting and forgetting a technology solution is not enough anymore, and experts need to be involved in vulnerability and risk management,” he said.

“With MDR, after technology detects suspicious activity, human experts can intervene in numerous ways, including isolating impacted machines or revoking privileges. Coalition has experience doing exactly this to stop cyber criminals mid-attack.”

Read more on Data breach incident management and recovery

Coalition: Vulnerability scoring systems falling short