2024 seeing more CVEs than ever before, but few are weaponised

Over the first seven-and-a-half months of 2024, the number of newly-disclosed common vulnerabilities and exposures (CVEs) soared 30% year-on-year from 17,114 to 22,254, according to data published by Qualys researchers. However, out of this huge …

2024 seeing more CVEs than ever before, but few are weaponised

Over the first seven-and-a-half months of 2024, the number of newly-disclosed common vulnerabilities and exposures (CVEs) soared 30% year-on-year from 17,114 to 22,254, according to data published by Qualys researchers.

However, out of this huge number of flaws, barely a hundredth – 204 or 0.9% – were weaponised by threat actors, said Qualys, the majority of whom exploit public-facing applications or remote services, which are useful to obtain initial access and conduct lateral movement.

Read at face value this statistic may feel like good news, but it offers only meagre solace for cyber professionals, Qualys said, for these vulnerabilities still present a significant threat and necessitate ever-more focused defensive measures.

“This very small fraction of vulnerabilities accounts for the most severe threats. This subset represents the highest risk, characterised by weaponised exploits, active exploitation through ransomware, use by threat actors, malware, or confirmed wild exploitation instances,” said Qualys’ Threat Research Unit (TRU) product manager, Saeed Abbasi.

“To effectively mitigate such threats, it’s crucial to prioritise actively exploited vulnerabilities, leverage threat intelligence, and regularly schedule scans to detect new vulnerabilities. A vulnerability management tool that integrates threat intelligence could be pivotal for an enterprise.”

According to Qualys’ data collection and analysis exercise, the most exploited vulnerabilities of 2024 to date are as follows:

  1. CVE-2024-21887, a command injection flaw in Ivanti Connect and Policy Secure Web;
  2. CVE-2023-46805, a remote authentication bypass flaw in Ivanti Connect and Policy Secure Web;
  3. CVE-2024-21412, a security feature bypass flaw in Microsoft Windows;
  4. CVE-2024-21893, a elevation of privilege flaw in Ivanti Connect and Policy Secure Web;
  5. CVE-2024-3400, a command injection flaw in Palo Alto Networks PAN-OS;
  6. CVE-2024-1709, an authentication bypass flaw in ConnectWise ScreenConnect;
  7. CVE-2024-20399, a command line interface command injection flaw in Cisco NX-OS Software;
  8. CVE-2024-23897, a remote code execution flaw in Jenkins Core;
  9. CVE-2024-21762, an out-of-bound write flaw in Fortinet FortiOS;
  10. CVE-2023-38112, a MSHTLM platform spoofing flaw in Microsoft Windows.

With the exception of the Jenkins Core vulnerability, all of the Qualys top 10 also appear on the US Cybersecurity and Infrastructure Security Agency (CISA) known exploited vulnerabilities (KEV) catalogue mandating patching across US government bodies.

Many of these vulnerabilities, notably those in Ivanti’s product set and ConnectWise ScreenConnect, have already been at the centre of some of the most impactful cyber security incidents of the year so far. The final vulnerability on the list, in the Windows MSHTML Platform, was only disclosed a few weeks ago in the July Patch Tuesday update, and although it has likely been exploited since 2023, its inclusion on Qualys’ top 10 list serves as a warning to admins of the speed with which threat actors pick up on publicised vulnerabilities.

Old vulnerabilities prove their worth

The overall upward trend in CVE volumes underscores a “persistent and substantial escalation” in vulnerability discovery, explained Abbasi.

“The increase in CVEs reflects rising software complexity and the broader use of technology, necessitating advanced and dynamic vulnerability management strategies to mitigate evolving cyber security threats,” he said.

However, the Qualys TRU’s analysis has also indicated an increase in the weaponisation of old CVEs this year. While older bugs often resurface and exploits are developed well after disclosure, there has been a 10% increase in this sort of activity so far this year. Abbasi said this was a “stark reminder” that security was not just about staying ahead of threat actors, but also not falling behind them.

Many of the older weaponised vulnerabilities in circulation have been trending on the dark web for months, one prominent example being CVE-2023-43208 in NextGen Mirth Connect Java XStream, heavily used by the health sector. And just this week, CISA added a six year-old remote code execution bug in Microsoft COM to the KEV catalogue, after Cisco Talos researchers found it being exploited by a Chinese government APT in an attack chain used against a Taiwanese victim.

“This resurgence of previously identified vulnerabilities, which mainly impact remote services and public-facing applications, highlights a significant oversight in updating and enforcing cyber security protocols. This re-emergence emphasises the need to shift from a purely reactive security posture to a more proactive, predictive, and preventative approach,” advised Abbasi.

Leave a Comment