2024 seeing more CVEs than ever before, but few are weaponised

Over the first seven-and-a-half months of 2024, the number of newly-disclosed common vulnerabilities and exposures (CVEs) soared 30% year-on-year from 17,114 to 22,254, according to data published by Qualys researchers.

However, out of this huge number of flaws, barely a hundredth – 204 or 0.9% – were weaponised by threat actors, said Qualys, the majority of whom exploit public-facing applications or remote services, which are useful to obtain initial access and conduct lateral movement.

Read at face value this statistic may feel like good news, but it offers only meagre solace for cyber professionals, Qualys said, for these vulnerabilities still present a significant threat and necessitate ever-more focused defensive measures.

“This very small fraction of vulnerabilities accounts for the most severe threats. This subset represents the highest risk, characterised by weaponised exploits, active exploitation through ransomware, use by threat actors, malware, or confirmed wild exploitation instances,” said Qualys’ Threat Research Unit (TRU) product manager, Saeed Abbasi.

“To effectively mitigate such threats, it’s crucial to prioritise actively exploited vulnerabilities, leverage threat intelligence, and regularly schedule scans to detect new vulnerabilities. A vulnerability management tool that integrates threat intelligence could be pivotal for an enterprise.”

According to Qualys’ data collection and analysis exercise, the most exploited vulnerabilities of 2024 to date are as follows:

1. CVE-2024-21887, a command injection flaw in Ivanti Connect and Policy Secure Web;
2. CVE-2023-46805, a remote authentication bypass flaw in Ivanti Connect and Policy Secure Web;
3. CVE-2024-21412, a security feature bypass flaw in Microsoft Windows;
4. CVE-2024-21893, a elevation of privilege flaw in Ivanti Connect and Policy Secure Web;
5. CVE-2024-3400, a command injection flaw in Palo Alto Networks PAN-OS;
6. CVE-2024-1709, an authentication bypass flaw in ConnectWise ScreenConnect;
7. CVE-2024-20399, a command line interface command injection flaw in Cisco NX-OS Software;
8. CVE-2024-23897, a remote code execution flaw in Jenkins Core;
9. CVE-2024-21762, an out-of-bound write flaw in Fortinet FortiOS;
10. CVE-2023-38112, a MSHTLM platform spoofing flaw in Microsoft Windows.

With the exception of the Jenkins Core vulnerability, all of the Qualys top 10 also appear on the US Cybersecurity and Infrastructure Security Agency (CISA) known exploited vulnerabilities (KEV) catalogue mandating patching across US government bodies.

Many of these vulnerabilities, notably those in Ivanti’s product set and ConnectWise ScreenConnect, have already been at the centre of some of the most impactful cyber security incidents of the year so far. The final vulnerability on the list, in the Windows MSHTML Platform, was only disclosed a few weeks ago in the July Patch Tuesday update, and although it has likely been exploited since 2023, its inclusion on Qualys’ top 10 list serves as a warning to admins of the speed with which threat actors pick up on publicised vulnerabilities.