Posted August 6, 2024 by Pelican Press

2024 seeing more CVEs than ever before, but few are weaponised

Over the first seven-and-a-half months of 2024, the number of newly disclosed Common Vulnerabilities and Exposures (CVEs) soared 30% year-on-year, from 17,114 to 22,254, according to new data published today by Qualys researchers.

Interestingly, said Qualys, out of this huge number of flaws barely a hundredth, 204 or 0.9%, were weaponised by threat actors. The majority of those exploit public-facing applications or remote services, which are useful for obtaining initial access and conducting lateral movement.

Read at face value, this statistic may feel like good news, but it offers only the tiniest quantum of solace for defenders, Qualys said, because these vulnerabilities still present a significant threat and necessitate ever more focused defensive measures.

“This very small fraction of vulnerabilities accounts for the most severe threats. This subset represents the highest risk, characterised by weaponised exploits, active exploitation through ransomware, use by threat actors, malware, or confirmed wild exploitation instances,” said Abbasi of the Qualys Threat Research Unit (TRU). “To effectively mitigate such threats, it’s crucial to prioritise actively exploited vulnerabilities, leverage threat intelligence, and regularly schedule scans to detect new vulnerabilities. A vulnerability management tool that integrates threat intelligence could be pivotal for an enterprise,” he said.

According to Qualys’ own data collection and analysis, the most exploited vulnerabilities of 2024 to date are as follows:

CVE-2024-21887, a command injection flaw in Ivanti Connect and Policy Secure Web
CVE-2023-46805, a remote authentication bypass flaw in Ivanti Connect and Policy Secure Web
CVE-2024-21412, a security feature bypass flaw in Microsoft Windows
CVE-2024-21893, an elevation of privilege flaw in Ivanti Connect and Policy Secure Web
CVE-2024-3400, a command injection flaw in Palo Alto Networks PAN-OS
CVE-2024-1709, an authentication bypass flaw in ConnectWise ScreenConnect
CVE-2024-20399, a command line interface command injection flaw in Cisco NX-OS Software
CVE-2024-23897, a remote code execution flaw in Jenkins Core
CVE-2024-21762, an out-of-bounds write flaw in Fortinet FortiOS
CVE-2023-38112, an MSHTML platform spoofing flaw in Microsoft Windows

With the exception of the Jenkins Core vulnerability, all of the Qualys top 10 also appear in the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalogue, which mandates patching across federal government bodies. Many of these vulnerabilities, notably those in Ivanti’s product set and ConnectWise ScreenConnect, have already been at the centre of some of the most impactful cyber security incidents of the year so far. The final vulnerability on the list, in the Windows MSHTML Platform, was only disclosed a few weeks ago in the July Patch Tuesday update, and its inclusion on Qualys’ top 10 list serves as a warning to admins of the speed with which threat actors pick up on publicised vulnerabilities.

Old vulns prove their worth

The overall upward trend in CVE volumes underscores a “persistent and substantial escalation” in vulnerability discovery, explained Abbasi.

“The increase in CVEs reflects rising software complexity and the broader use of technology, necessitating advanced and dynamic vulnerability management strategies to mitigate evolving cyber security threats,” he said.

However, the Qualys TRU’s analysis has also indicated an increase in the weaponisation of old CVEs this year. While older bugs often resurface and exploits are developed well after disclosure, there has been a 10% increase in this sort of activity so far this year. Abbasi said this was a “stark reminder” that security is not just about staying ahead of threat actors, but also about not falling behind them.

Many of the older weaponised vulnerabilities in circulation have been trending on the dark web for months, one prominent example being CVE-2023-43208 in NextGen Mirth Connect Java XStream, heavily used by the health sector. And just this week, CISA added a six-year-old remote code execution bug in Microsoft COM to the KEV catalogue, after Cisco Talos researchers found it being merrily exploited by a Chinese government APT in an exploit chain used against a Taiwanese victim.

“This resurgence of previously identified vulnerabilities, which mainly impact remote services and public-facing applications, highlights a significant oversight in updating and enforcing cyber security protocols. This re-emergence emphasises the need to shift from a purely reactive security posture to a more proactive, predictive, and preventative approach,” advised Abbasi.
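One way a defender can act on the prioritisation Qualys describes, both for the current top 10 and for old CVEs that resurface: cross-reference scan findings against the CISA KEV catalogue and rank weaponised, ransomware-linked, internet-facing and older re-weaponised CVEs first. This is an added example, not Qualys' or CISA's code; the KEV sample, the findings, the ransomware flags and the scoring weights are constructed placeholders of my own choosing, and only the JSON field names follow the real KEV feed.

```python
import json

# Constructed sample in the shape of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE ids are from the article; the ransomware flags are placeholders, not catalogue values.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-43208", "vendorProject": "NextGen Healthcare", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scan findings: (CVE, asset name, whether the asset is reachable from the internet)
FINDINGS = [
    ("CVE-2024-23897", "jenkins-build-01", True),   # Jenkins RCE; not in the KEV sample
    ("CVE-2024-3400", "fw-edge-02", True),
    ("CVE-2023-43208", "mirth-hl7-int", False),     # older, internal, but weaponised
    ("CVE-2024-21887", "vpn-gw-01", True),
    ("CVE-2019-00000", "lab-box-07", False),        # placeholder id, not weaponised
]


def kev_index(feed_json: str) -> dict:
    """Map cveID -> catalogue entry from a KEV-shaped JSON document."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def score(cve: str, exposed: bool, kev: dict, year: int = 2024) -> int:
    """Rank a finding: exploited in the wild first, then ransomware use,
    then internet exposure, with a bonus per year of age for weaponised
    CVEs so that re-surfacing old bugs are not buried under new ones."""
    s = 0
    entry = kev.get(cve)
    if entry is not None:
        s += 100
        if entry.get("knownRansomwareCampaignUse") == "Known":
            s += 50
        s += 5 * max(0, year - int(cve.split("-")[1]))
    if exposed:
        s += 25
    return s


def prioritise(findings, feed_json: str) -> list:
    """Return (score, cve, asset) tuples, highest priority first."""
    kev = kev_index(feed_json)
    return sorted(((score(c, e, kev), c, a) for c, a, e in findings), reverse=True)


if __name__ == "__main__":
    for s, cve, asset in prioritise(FINDINGS, KEV_SAMPLE):
        print(f"{s:4d}  {cve:15s}  {asset}")
```

Swap in the live feed for KEV_SAMPLE and the scanner's export for FINDINGS; the 0.9% weaponised subset then sorts to the top regardless of how many new CVEs the scan reports.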