Key Takeaways:

  • From January to mid-July, the annual count of reported Common Vulnerabilities and Exposures (CVEs) rose by about 30%, from 17,114 in 2023 to 22,254 in 2024. This trend highlights a growing security challenge and the need for enhanced cybersecurity measures.
  • In 2024, 0.91% of vulnerabilities (204 vulnerabilities) have been weaponized; they present a substantial threat, necessitating focused security measures.
  • The primary security concerns of these weaponized vulnerabilities include exploiting public-facing applications for initial access and using remote services for lateral movement within networks.
  • Qualys research reveals a 10% increase in the weaponization of old CVEs in 2024 (discovered prior to 2024), highlighting the need to address previously identified vulnerabilities.

Dubai, UAE: According to new research from the Qualys Threat Research Unit (TRU), between January to mid-July, the CVE count rose by 30% from 17,114 in 2023 to 22,254 in 2024. The increase in CVEs reflects rising software complexity and the broader use of technology, necessitating advanced and dynamic vulnerability management strategies to mitigate evolving cybersecurity threats.

A thorough analysis of the 22,254 reported vulnerabilities during the initial seven and a half months of 2024 (up until the research cut-off date of July 21, 2024) reveals that a precise subset of 0.91% (almost 1%) has been weaponized, and a very small fraction accounts for the most severe threats. This subset represents the highest risk, characterized by weaponized exploits, active exploitation through ransomware, threat actors, malware, or confirmed wild exploitation instances.

The analysis also indicates an increase in the weaponization of old CVEs since the onset of 2024. Over the last 7.5 months, there has been a notable increase, slightly over 10%, in the weaponization of older CVEs identified before 2024, which is a stark reminder that cybersecurity is not just about staying ahead but also about not falling behind. Some of these vulnerabilities have been trending on the dark web for months. An example is CVE-2023-43208 NextGen Mirth Connect Java XStream (Qualys Vulnerability Score 95/100), which heavily involves systems used by healthcare organizations.

“This resurgence of previously identified vulnerabilities, which mainly impact remote services and public-facing applications, highlights a significant oversight in updating and enforcing cybersecurity protocols. It emphasizes the need to shift from a purely reactive security posture to a more proactive, predictive, and preventative approach,” commented Saeed Abbasi, Product Manager, Vulnerability Research at Qualys TRU. “By adopting a holistic view that incorporates continuous monitoring, rapid patch management, and a deep understanding of the evolving threat landscape, businesses can significantly reduce their vulnerability to cyberattacks. This strategic foresight will protect critical assets and foster trust and resilience in our increasingly interconnected world.”

Mid-2024’s Most Wanted: Top 10 Exploited Vulnerabilities

In 2024, a select group of vulnerabilities have emerged as particularly prevalent targets for cyberattacks. Qualys ranks vulnerabilities based on their prevalence and impact, integrating multiple factors such as CVSS base scores, exploit code maturity, real-time threat indicators, and evidence of active exploitation, among others, for a comprehensive assessment.

This Top 10 ranking reflects their current significance in the cyber threat landscape. This designation is derived from an analysis incorporating data from over 25 distinct threat intelligence sources utilized by Qualys.

Critical Contenders: Just Missed the Cut

While the top 10 list captures the most crucial vulnerabilities of mid-2024, a few just missed the cut but demanded attention due to their high severity and potential impact. These vulnerabilities are critical for organizations to address immediately.

  • CVE-2023-22527 (Atlassian Confluence): This severe remote code execution vulnerability, with a QVS of 95 and a CVSS score of 9.8, allows attackers to run arbitrary code on affected installations.
  • CVE-2023-48788 (FortiClient EMS): This SQL injection flaw, which scores a QVS of 95 and a CVSS of 9.8, poses a high risk by allowing attackers to manipulate databases and access sensitive information.
  • CVE-2024-24919 (Check Point Security Gateways): This information disclosure vulnerability, although it has a slightly lower CVSS score of 8.6, and a QVS of 95, can leak sensitive data.

All of the above vulnerabilities are listed on the CISA KEV, highlighting their recognized significance, exploitation in the wild, and potential impact. While not included in the top 10, each presents a clear and present danger to network security and requires prompt attention from cybersecurity teams to mitigate risks effectively and protect sensitive systems.

“Adopting a hybrid vulnerability management strategy that combines agent-based and agent-less methods, including network, external, and passive scans, is crucial. This approach is particularly pertinent given that 21.74% of CVEs in the CISA KEV catalog are actively exploited on network and perimeter devices, underscoring the need for a comprehensive security posture to effectively identify and mitigate vulnerabilities. Organizations must ensure regular updates, diligent patch management, and advanced threat detection systems are in place to mitigate the risks associated with high-critical vulnerabilities,” added Abbasi.