As we look back at the cybersecurity landscape over the past few years, it is clear that 2024 stands out as a remarkable year in terms of the sheer volume of critical vulnerabilities discovered. However, one thing sticks out like a sore thumb. The number of CVEs (Common Vulnerabilities and Exposures) with a perfect CVSS (Common Vulnerability Scoring System) score of 10.0 reached an all-time high in 2024, smashing the previous year’s totals. In fact, more 10.0 CVSS vulnerabilities were discovered last year than the combined total for the past 5 years!
To put this into perspective, let us take a look at the number of CVEs with a CVSS score of 10.0 from 2017 to 2024 in this chart:
From 2017 to 2023, the number of CVEs with a perfect CVSS score fluctuated within a narrow range, averaging around 40 per year. In 2024, however, the count jumped to a staggering 231 critical vulnerabilities, more than five times the previous annual average.
The dramatic rise in CVSS 10.0 vulnerabilities in 2024 can be attributed to several factors:
1. Increased Sophistication of Attackers: Cybercriminals are continuously evolving their tactics, techniques, and procedures (TTPs), making it more challenging for defenders to keep pace. This has led to the discovery of more sophisticated and critical vulnerabilities.
2. Expanding Attack Surface: The proliferation of connected devices, cloud services, and remote work has expanded the attack surface, providing more opportunities for attackers to exploit vulnerabilities.
3. Improved Detection Capabilities: Advances in threat intelligence and vulnerability detection technologies have enabled security researchers to identify and report critical vulnerabilities more effectively.
4. Collaboration and Information Sharing: Greater collaboration and information sharing within the cybersecurity community have contributed to the identification and disclosure of a higher number of critical vulnerabilities.
Implications
Most organizations prioritize their patching using a risk-based strategy. It would not be uncommon to hear a CISO say, “we rush any patch with a CVSS score of 9.8 or above.” That would have been fine when the average annual total was 40: the chances of more than one of those affecting you in a given cycle would be small. But when that number increases to 231, the odds stop being in your favour. Every “rush” patch job consumes resources, and other (still critical) vulnerabilities have their patching delayed. So, if this trend continues, we are likely to see an even larger patch gap appear, as teams struggle to keep up with even the most critical vulnerabilities.
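To make the capacity argument concrete, here is a small added example (not code from the original post) that models the threshold-based "rush" policy described above. It triages a constructed list of CVE records by a CVSS threshold and then simulates a year of monthly patch cycles in which rush items always pre-empt normal ones, so any backlog left at year end is the patch gap. The CVE identifiers, scores and the monthly capacity figure are all constructed for illustration; only the 40-per-year and 231-per-year totals come from the post.

```python
from dataclasses import dataclass

# Threshold quoted in the post: "we rush any patch with a CVSS score of 9.8 or above".
RUSH_THRESHOLD = 9.8


@dataclass
class Cve:
    """Minimal vulnerability record; 'in_estate' marks whether the product is deployed here."""
    cve_id: str        # placeholder identifier, constructed for the example
    cvss: float
    in_estate: bool


def triage(cves, threshold=RUSH_THRESHOLD):
    """Split relevant CVEs into a rush queue and a normal queue by CVSS score.

    CVEs for products not present in the estate are dropped, since
    risk-based prioritisation should start with exposure, not score alone.
    """
    rush, normal = [], []
    for cve in cves:
        if not cve.in_estate:
            continue
        (rush if cve.cvss >= threshold else normal).append(cve)
    return rush, normal


def simulate_backlog(annual_rush, annual_normal, monthly_capacity, months=12):
    """Simulate monthly patch cycles where rush items are always serviced first.

    Arrivals are spread as evenly as possible across the year. Each month the
    team can close 'monthly_capacity' items; rush work consumes capacity first
    and whatever remains goes to the normal queue. Returns the (rush, normal)
    backlog left after the final month, i.e. the patch gap.
    """
    rush_backlog = normal_backlog = 0
    for month in range(months):
        # Integer spreading: the first 'remainder' months get one extra item.
        rush_backlog += annual_rush // months + (1 if month < annual_rush % months else 0)
        normal_backlog += annual_normal // months + (1 if month < annual_normal % months else 0)

        capacity = monthly_capacity
        done = min(rush_backlog, capacity)
        rush_backlog -= done
        capacity -= done
        done = min(normal_backlog, capacity)
        normal_backlog -= done
    return rush_backlog, normal_backlog


# Constructed sample inventory: identifiers and scores are placeholders, not real CVEs.
SAMPLE_CVES = [
    Cve("CVE-XXXX-0001", 10.0, True),
    Cve("CVE-XXXX-0002", 9.8, True),
    Cve("CVE-XXXX-0003", 9.9, False),   # critical, but the product is not deployed here
    Cve("CVE-XXXX-0004", 8.1, True),
    Cve("CVE-XXXX-0005", 7.5, True),
]


if __name__ == "__main__":
    rush, normal = triage(SAMPLE_CVES)
    print("rush:", [c.cve_id for c in rush])
    print("normal:", [c.cve_id for c in normal])

    # Constructed capacity: 10 patches per month, plus 60 "normal" criticals a year.
    for annual_rush in (40, 231):
        gap = simulate_backlog(annual_rush, annual_normal=60, monthly_capacity=10)
        print(f"{annual_rush} rush CVEs/year -> year-end backlog (rush, normal) = {gap}")
```

With the constructed capacity of 10 patches a month, 40 rush items a year are absorbed with nothing left over, whereas 231 rush items exceed capacity in every single month: the rush queue itself ends the year 111 deep and the entire normal queue of 60 is starved, which is exactly the widening patch gap the post warns about.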
Data sources (and special thanks to):
40,000+ CVEs Published In 2024, Marking A 38% Increase From 2023
2023 CVE Data Review – JerryGamblin.com