2021 has officially been a record-breaking year for vulnerabilities.
Our latest analysis of the National Vulnerability Database (NVD) has revealed that 2021 has now officially broken the record for common vulnerabilities and exposures (CVEs) logged by researchers.
NIST is the US National Institute of Standards and Technology, and its National Vulnerability Database (NVD) is a repository of Common Vulnerabilities and Exposures (CVEs). As one of the most trusted sources of information for IT and security professionals around the world, the NVD helps security teams around the world to stay up to date with security vulnerabilities as they are discovered.
More than 50 CVEs logged every day
2021 was an especially difficult year for security teams, with the rise of ransomware attacks and the growing need to secure a remote workforce. There have been more security vulnerabilities disclosed in 2021 (18,439)* than in any other year-to-date – averaging more than 50 CVEs logged each day.
This analysis follows our in-depth investigation of CVEs logged to NIST in 2020, issued at the beginning of this year. Many of the trends identified at the start of the year have continued through 2021. These include a record number of vulnerabilities, with the volume of low and medium severity vulnerabilities growing the most during the last 12 months.
Additional key findings
Our analysis also showed that:
- 90% of all CVEs discovered in 2021 so far can be exploited by attackers with limited technical skills
- CVEs which require no user interaction, such as clicking a link, downloading a file or sharing their credentials, accounted for 61% of the total volume up to now
- Fifty-four percent of vulnerabilities so far this year are classified as having “high” availability, meaning they are readily accessible/exploitable by attackers
Decline in ‘no privilege’ CVEs
There was some positive news. Our analysis showed that ‘no privilege’ CVEs continued to decline in 2021. Just over half (55%) of 2021 CVEs require no privileges to exploit, down from 59% in 2020 and 66% in 2019. Meanwhile, vulnerabilities with a high confidentiality rating decreased from 59% to 53% of CVEs over the last 12 months – these are CVEs deemed likely to impact confidential data.
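As an added illustration (not the report's own code or methodology), the following Python tallies CVSS v3.x metric values from NVD JSON 1.1 feed records so the shares quoted above can be reproduced for any feed. It assumes the findings map onto these metrics: limited skill = attackComplexity LOW, no user interaction = userInteraction NONE, high availability = availabilityImpact HIGH, no privilege = privilegesRequired NONE, high confidentiality = confidentialityImpact HIGH; the feed entries are constructed, not real CVEs.

```python
import json
from collections import Counter
# Assumed mapping of the report's findings onto CVSS v3.x metric values.
CONDITIONS = {
    "limited_skill": ("attackComplexity", "LOW"),
    "no_user_interaction": ("userInteraction", "NONE"),
    "high_availability": ("availabilityImpact", "HIGH"),
    "no_privileges": ("privilegesRequired", "NONE"),
    "high_confidentiality": ("confidentialityImpact", "HIGH"),
}

def tally_cvss_v3(feed_json):
    """Count NVD 1.1 feed items matching each condition; v2-only items are skipped."""
    counts = Counter()
    for item in json.loads(feed_json)["CVE_Items"]:
        v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3")
        if v3 is None:
            continue
        counts["scored"] += 1
        counts["severity:" + v3.get("baseSeverity", "UNKNOWN")] += 1
        for name, (metric, value) in CONDITIONS.items():
            if v3.get(metric) == value:
                counts[name] += 1
    return counts

def share(counts, name):
    """Percentage of v3-scored CVEs meeting a condition, to 1 decimal place."""
    return round(100.0 * counts[name] / counts["scored"], 1) if counts["scored"] else 0.0

def _item(cve_id, v3=None):
    # Minimal NVD 1.1 style item; v3 = (AC, PR, UI, C, A, severity) or None.
    item = {"cve": {"CVE_data_meta": {"ID": cve_id}}, "impact": {}}
    if v3:
        keys = ("attackComplexity", "privilegesRequired", "userInteraction",
                "confidentialityImpact", "availabilityImpact", "baseSeverity")
        item["impact"]["baseMetricV3"] = {"cvssV3": dict(zip(keys, v3))}
    return item

# Constructed sample feed (placeholder IDs, not real CVE records).
SAMPLE_FEED = json.dumps({"CVE_Items": [
    _item("CVE-0000-0001", ("LOW", "NONE", "NONE", "HIGH", "HIGH", "CRITICAL")),
    _item("CVE-0000-0002", ("LOW", "LOW", "REQUIRED", "HIGH", "NONE", "HIGH")),
    _item("CVE-0000-0003", ("HIGH", "NONE", "NONE", "LOW", "HIGH", "MEDIUM")),
    _item("CVE-0000-0004"),  # v2-only entry: excluded from the v3 shares
    _item("CVE-0000-0005", ("LOW", "HIGH", "NONE", "NONE", "LOW", "LOW")),
]})

if __name__ == "__main__":
    c = tally_cvss_v3(SAMPLE_FEED)
    print({name: share(c, name) for name in CONDITIONS}, dict(c))
```

Point it at a real yearly feed file (for example the nvdcve-1.1-2021.json download) to reproduce the report's percentages; entries lacking a cvssV3 block are left out of the denominator.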
“The prominence of highly available CVEs that require limited technical skills to exploit and no user interaction is naturally a concern for security teams. Sadly, 2021 being a record-breaking year for vulnerabilities is in line with our expectations at the start of a year that has proved very difficult for security pros.”
“Cybercrime and security vulnerabilities are evolving all the time, and security teams are struggling to stay up-to-date. This milestone is also a reminder of the continued importance of patch management and defence in depth. Not all vulnerabilities are known and patched, which means security teams must have controls in place to detect and respond to attacks in their infancy before they can do real damage.”
George Glass, Head of Threat Intelligence
*All figures correct at the time of research at 09:00 (GMT) on 8th December 2021 and taken from the NIST National Vulnerability Database (NVD) at https://nvd.nist.gov/ based on CVSS v3.x.
Read our in-depth analysis of the vulnerabilities identified in 2020