2020 Saw 6% Rise in Number of CVEs Reported
New analysis of the 2020 vulnerability and threat landscape has found that the total number of Common Vulnerabilities and Exposures (CVEs) reported last year was 6% higher than the total reported in 2019.
While the increase between 2019 and 2020 may seem slight, the team found that from 2015 to 2020, the number of CVEs reported rose 183%, from 6,487 to 18,358.
“For the last three years, we have seen over 16,000 CVEs reported annually—reflecting a new normal for vulnerability disclosures,” noted researchers.
Among the vulnerabilities disclosed in 2020 were 29 that Tenable identified as net-new zero-day vulnerabilities. Of those 29, over 35% were browser-related, while nearly 29% were within operating systems. Font libraries were also popular, accounting for nearly 15% of zero-day vulnerabilities.
Reviewing when during the year critical CVEs were reported, researchers uncovered what they termed a “CVE Season” that coincided with summertime.
“Summer 2020—from June to August—was particularly unique for both the sheer volume and number of critical CVE disclosures,” noted researchers. “547 flaws were disclosed in the summer months, including major disclosures in F5, Palo Alto Networks, PulseSecure, vBulletin and more.”
An analysis of the CVE data for breach trends found that from January through October 2020, 730 publicly disclosed events resulted in the exposure of over 22 billion records. Of the industries impacted by breaches, healthcare and education made up the largest share, accounting for 25% and 13% of the breaches, respectively.
Government and the technology industry were also popular targets, accounting for 12.5% and 15.5% of the breaches respectively.
Ransomware was found to be the most popular attack vector in 2020, being cited in 259 incidents. Email compromise was the cause of 105 breaches, while unsecured data led to 83 security incidents. For 179 data breaches, the root cause was unknown.
The coronavirus pandemic was used time and again by cyber-attackers to lure their victims. By the first two weeks of April, 41% of organizations had experienced at least one business-impacting cyber-attack resulting from COVID-19 malware or phishing schemes.