CVEs Surge By 25% in 2022 to Another Record High

The number of new vulnerabilities reported by the US government in 2022 increased by a quarter year-on-year to 25,096, a new record high, according to data compiled by Skybox Security.

The security vendor analyzed the National Vulnerability Database (NVD) for its Vulnerability and Threat Trends Report 2023.

The findings mean that 2022 marked the sixth consecutive year of record-high volumes of newly discovered vulnerabilities. According to Skybox Security, the increase is the largest since 2017, with more than 192,000 CVEs published in the last decade.

Approximately 80% of reported CVEs in 2022 were of moderate or high severity, and 16% were considered critical.

Although the percentage of critical bugs decreased from 20% last year, Skybox Security argued that malicious actors can still exploit less severe vulnerabilities for things like remote code execution (RCE) and privilege escalation: severity and risk do not equate.

Therefore, an ongoing risk assessment should be performed to prioritize patching based not only on the severity of the CVE, but also on its exploitability, danger, asset criticality, and business impact. The report points out that there are

“The writing is on the wall. It’s outdated,” Skybox CEO Mordecai Rosen warned.

“There are too many vulnerabilities, it takes too long to find and fix them, and in any case many are unpatchable. Understaffed cybersecurity organizations cannot keep up.”

Perhaps unsurprisingly, the top CVE targeted by new malware last year was the Log4j bug, CVE-2021-44228, which actually went public at the end of December 2021. In second and third place were the Atlassian Confluence RCE vulnerability, CVE-2022-26134, and the Microsoft Windows Support Diagnostic Tool (MSDT) “Follina” RCE flaw, CVE-2022-30190.

Backdoors were the most common category of newly discovered malware exploiting known vulnerabilities in 2022, according to the report.
