CVE volumes set to increase 25% this year

The total number of Common Vulnerabilities and Exposures (CVEs) reported in IT hardware and software products and services looks set to continue to grow in 2024, according to figures published by active cyber insurance specialist Coalition, which predicts CVE volume will increase by 25% to 34,888 vulnerabilities – approximately 2,900 every month.

CVEs are the unique identifiers attached to newly disclosed security flaws, including zero-days. They follow the same format – CVE-2024-XXXXX – where the first set of digits represents the year, and the second is a number assigned out of a block.

The CVE programme is overseen out of the US by the Mitre Corporation, with support from the Cybersecurity and Infrastructure Security Agency (CISA). Mitre does not always assign CVE numbers – this is more usually done by a CVE Numbering Authority (CNA), of which there are many, including suppliers such as Cisco, IBM, Microsoft or Oracle, and security firms and researchers.

The system is designed to give security professionals and defenders a quick, easy and reliable way to recognise vulnerabilities, and for the security community, helps coordinate the development of patches and other solutions.

However, the system is not perfect. The number of CVEs is growing exponentially and security teams are stretched thin enough as it is, added to which, the system is not equipped to highlight practical real-world exploitation, so users must often rely on researchers and media coverage of “celebrity CVEs” – such as those behind the MOVEit incident or Citrix Bleed – to make sense of such issues.

“New vulnerabilities are published at a rapid rate and growing. With an influx of new vulnerabilities, often sprouting via disparate flagging systems, the cyber risk ecosystem is hard to track. Most organisations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk,” said Tiago Henriques, head of research at Coalition.

“In today’s cyber security climate, organisations can’t be expected to manage all of the vulnerabilities on their own; they need someone to manage these security concerns and help them prioritise remediation.”

“Most organisations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk”

Coalition said there were a number of drivers contributing to the surge of vulnerabilities. These include the commercialisation and professionalisation of cyber criminal activity, and the ever-growing use of underground forums where exploit kits, credentials and access to compromised networks are sold.

There has also been an increase in the number of CNAs, which has increased the number of vulnerabilities noted.

Additionally, the growing popularity of bug bounty programmes may also be having an impact, as ethical hackers are incentivised to look for problems that may otherwise go unnoticed.

Coalition noted that the growing number of vulnerabilitiess was also leading to an increased focus on finding new ones among threat actors.

All this is adding up to a headache for security teams, being frequently under-resourced as they are, as one cannot possibly expect them to respond to up to 3,000 issues every month.

Coalition claims the breadth of data it collects from around the web, including a network of honeypots, enables it to make sense of cyber risk and share actionable insights with its customers and the security community.

It has also developed its own exploit scoring system, which it hopes will ease some of the pressure and enable its policyholders to adopt a more risk-based, prioritised approach to their unique vulnerability profile, rather than patching in a blind panic on the second Tuesday of the month.