
Exploitation of Over 700 Vulnerabilities Came to Light in 2024

The number of vulnerabilities publicly reported as exploited in attacks for the first time increased significantly in 2024 compared to the previous year, a new VulnCheck report shows.

According to the vulnerability intelligence firm, 768 CVEs were reported as exploited in the wild for the first time last year, up 20% from 2023, when that number reached 639. However, only 1% of all the published CVEs were marked as exploited.

Last year, 23.6% of the known exploited vulnerabilities were “known to be exploited on or before the day their CVEs were publicly disclosed, a slight decrease from 2023’s 27%”, VulnCheck says.

“Despite the buzz around ‘zero-day’ exploitation, these findings indicate that exploitation can happen at any time in a vulnerability’s lifecycle,” VulnCheck notes.

The number of CVEs first reported as exploited in 2024, the firm says, was aggregated from 112 unique sources based on evidence of exploitation, and not all of the identified CVEs made it to the Known Exploited Vulnerabilities list of the US cybersecurity agency CISA.


Overall, the number of exploited CVEs could grow, as exploitation is often uncovered long after the vulnerability is publicly disclosed, VulnCheck notes.

Looking at monthly trends, an average of 30 to 50 CVEs were reported as exploited each month last year, with notable spikes when The Shadowserver Foundation was onboarded as a source in January, when end-of-quarter and RSA reports were released, following government threat disclosures, and due to coordination with Wordfence to issue CVEs for exploited flaws without an identifier.

“These spikes underscore how industry events and new resources influence reporting volumes on exploitation. We encourage organizations to publicly disclose any instances where there is exploitation activity,” VulnCheck notes.

The cybersecurity firm points out that the 112 unique sources used to gain visibility into the exploited vulnerabilities are not comprehensive, potentially leading to missing CVEs.
