Vulnerability management has become indispensable for organizations these days, according to a report by Redscan, a provider of managed security services. The organization analyzed the National Vulnerability Database (NVD) of the United States National Institute of Standards and Technology (NIST) and has provided some unprecedented statistics.
The collected NIST data on Common Vulnerabilities and Exposures (CVEs) shows that the security and vulnerability trends have outnumbered the sum total of vulnerabilities reported in the 10 years prior.
- A total of 18,103 vulnerabilities were reported in 2020, at an average rate of 50 CVEs per day, by security professionals, researchers, and vendors.
- Fifty-seven percent (i.e. 10,342) of the total were classified as critical or high severity.
- Four thousand vulnerabilities were described as the worst of the worst, while 63% of the total were low-complexity CVEs.
- Among all the CVEs recorded in 2020, 68% require no user interaction of any kind to exploit.
- Overall 15% (2,708) were classified as critical, 42% (7,634) as high, 40% (7,359) as medium, and 2% (402) as low severity.
Some of the prominent vulnerabilities disclosed in 2020 include:
- Vulnerabilities that require no user interaction: CVE-2020-0610 (Windows Remote Desktop Gateway), CVE-2020-0688 (Microsoft Exchange), and CVE-2020-5902 (BIG-IP).
- The worst of the worst vulnerabilities: CVE-2020-0022 (Android), CVE-2020-21270 (OctopusDSC), and CVE-2020-25990 (WebsiteBaker).
- A two-factor authentication bypass vulnerability: CVE-2020-12812 (FortiOS).
Recent notable incidents
- In December 2020, the Dark Halo actor (associated with UNC2452) exploited a vulnerability (CVE-2020-0688) in SolarWinds's Microsoft Exchange Control Panel.
- The Fox Kitten group was seen exploiting several vulnerabilities, including CVE-2020-5902 (BIG-IP), CVE-2019-11510 (Pulse Secure), and CVE-2018-13379 (Fortinet FortiOS), among others.
The threat continues
Vulnerability management has gradually turned into an increasingly critical and complicated task for organizations due to the high number of critical vulnerabilities being disclosed. Therefore, organizations and vendors should have a robust patch management process and prioritize vulnerability patches to minimize possible attack surfaces.