Security researcher Jerry Gamblin has released his annual CVE data review. 2024 saw an unprecedented surge in published Common Vulnerabilities and Exposures (CVEs), reaching a record high of 40,009. This represents a 38% increase from 2023 and marks the seventh consecutive year of record-breaking CVE growth.
CVE Statistics by the Numbers
- Daily Publications: On average, 108 CVEs were disclosed daily, with Tuesdays emerging as the busiest day, contributing 24.3% of the year’s total.
- Peak Month: May led the charts with 5,010 CVEs, including the year’s most active day, May 3rd, which saw 845 vulnerabilities disclosed.
- Growth Trend: This marked the seventh consecutive year of record-breaking CVE disclosures, with 15.32% of all existing CVEs published in 2024.
Severity and Impact
The average CVSS (Common Vulnerability Scoring System) score for 2024 vulnerabilities stood at 6.67, reflecting moderate to high severity. Notably:
- Critical Scores: 231 vulnerabilities achieved a perfect 10.0 CVSS score, denoting critical risks.
- Low-End Outlier: CVE-2024-2365 recorded a minimal score of 1.6, indicating limited impact.
Spotlight on Top CVEs
One of the standout vulnerabilities, CVE-2024-20433, involved the Resource Reservation Protocol (RSVP) feature in Cisco IOS and IOS XE Software. This CVE alone encompassed 2,434 unique configurations, illustrating its extensive reach.
The Role of CNAs
CVE Numbering Authorities (CNAs) played a pivotal role, with 433 authorized entities collectively publishing CVEs. The top five CNAs—Patchstack, Kernel.org, Wordfence, VulDB, and GitHub—focused on open-source projects and WordPress plugins, contributing 43.67% of the year’s disclosures.
Challenges and Trends
The report highlights a critical issue: 15.73% of CVEs lacked assigned CWE (Common Weakness Enumeration) data, underscoring the need for improved classification. CWE-79, representing cross-site scripting (XSS), remained the most frequently assigned weakness, accounting for 15.56% of all CVEs.
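The headline figures in the report (busiest weekday, average CVSS, share of CVEs with no CWE, per-CNA share) are all straightforward aggregations over published CVE records. As an added example that is not Gamblin's code or tooling, the Python below computes those metrics over a handful of constructed records shaped like CVE JSON 5; the field names and the placeholder CVE IDs are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

def cve(cve_id, published, cna, score=None, cwe=None):
    # Build a minimal record shaped like CVE JSON 5 (field names are an assumption).
    container = {}
    if score is not None:
        container["metrics"] = [{"cvssV3_1": {"baseScore": score}}]
    if cwe is not None:
        container["problemTypes"] = [{"descriptions": [{"cweId": cwe}]}]
    return {"cveMetadata": {"cveId": cve_id, "datePublished": published,
                            "assignerShortName": cna}, "containers": {"cna": container}}

SAMPLE_CVES = [  # constructed placeholder records, not values from the report
    cve("CVE-2024-SAMPLE1", "2024-05-03T10:00:00Z", "Patchstack", 10.0, "CWE-79"),
    cve("CVE-2024-SAMPLE2", "2024-05-07T08:30:00Z", "Wordfence", 7.5, "CWE-79"),
    cve("CVE-2024-SAMPLE3", "2024-05-07T15:00:00Z", "GitHub", 5.3),  # no CWE assigned
    cve("CVE-2024-SAMPLE4", "2024-05-14T12:00:00Z", "VulDB", 1.6, "CWE-200"),
    cve("CVE-2024-SAMPLE5", "2024-06-10T09:00:00Z", "Kernel.org"),  # no score, no CWE
]

def summarize(records):
    # Report-style metrics: weekday spread, CVSS average, CWE coverage, CNA share.
    weekdays, cwes, cnas, scores, missing_cwe = Counter(), Counter(), Counter(), [], 0
    for rec in records:
        meta, cna = rec["cveMetadata"], rec["containers"]["cna"]
        published = datetime.fromisoformat(meta["datePublished"].replace("Z", "+00:00"))
        weekdays[published.strftime("%A")] += 1
        cnas[meta.get("assignerShortName", "unknown")] += 1
        # First CVSS v3.1 or v4.0 base score the CNA supplied, if any.
        score = next((m[k]["baseScore"] for m in cna.get("metrics", [])
                      for k in ("cvssV3_1", "cvssV4_0") if k in m), None)
        if score is not None:
            scores.append(float(score))
        cwe_ids = [d["cweId"] for pt in cna.get("problemTypes", [])
                   for d in pt.get("descriptions", []) if "cweId" in d]
        if cwe_ids:
            cwes.update(cwe_ids)
        else:
            missing_cwe += 1  # counts toward the "no CWE assigned" share
    total = len(records)
    pct = lambda n: round(100.0 * n / total, 2) if total else 0.0
    return {"total": total, "perfect_10": scores.count(10.0),
            "avg_cvss": round(sum(scores) / len(scores), 2) if scores else None,
            "busiest_weekday": weekdays.most_common(1)[0] if weekdays else None,
            "missing_cwe_pct": pct(missing_cwe),
            "top_cwe": cwes.most_common(1)[0] if cwes else None,
            "cna_share_pct": {name: pct(n) for name, n in cnas.most_common()}}
```

Running `summarize` over a full year's worth of CVE JSON 5 records downloaded from the cvelistV5 repository reproduces the kind of figures quoted above; the missing-CWE share is the number worth tracking if you rely on CWE for triage.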