High-severity and critical bugs disclosed in 2020 outnumber the sum total of vulnerabilities reported 10 years prior

An analysis of data collected by the United States’ National Institute of Standards and Technology (NIST) about common vulnerabilities and exposures (CVEs) has found that 2020 saw more reports of security loopholes than any other year to date.

The report by Redscan, a provider of managed security services, reveals that 18,103 vulnerabilities were reported last year, with most (10,342) classified as high or critical in severity. In fact, high-severity and critical bugs disclosed in 2020 outnumbered the sum total of vulnerabilities disclosed in 2010.

Among the key findings was a surge in security flaws that don’t require any user interaction. These accounted for 68% of all CVEs reported to NIST in 2020. “Security professionals should be concerned about the fact that more than two-thirds of vulnerabilities recorded in 2020 require no user interaction of any kind to exploit. Attackers exploiting these vulnerabilities don’t even need their targets to unwittingly perform an action, such as clicking a malicious link in an email. This means that attacks can easily slip under the radar,” warned Redscan.

There are multiple prominent examples of such vulnerabilities, including a critical remote code execution flaw indexed as CVE-2020-5902 that affected F5 Networks’ BIG-IP multi-purpose networking devices.

The share of security loopholes that don’t require any user privileges dropped from 71% in 2016 to 58% in 2020; meanwhile, the number of vulnerabilities that require high-level privileges has been on the rise. This translates into more effort from cybercriminals who will resort to time-tested classic attacks such as phishing when targeting high-value marks.

“Users with a high degree of privileges, such as system administrators, are a prize target because they are able to open more doors for attackers,” Redscan explained.

RELATED READING: Vulnerabilities, exploits and patches

The report goes on to outline other aspects of vulnerabilities beyond severity that people need to be wary of. Some 4,000 flaws were found to meet the so-called “worst of the worst” conditions; these are CVEs that have a low attack complexity, don’t require any privileges or user interaction, and have confidentiality designated as high.

Redscan concludes its findings on a somber note, highlighting that although critical and high severity vulnerabilities should be at the forefront most of the time, security teams “shouldn’t lose sight of lower-level vulnerabilities”.

“When analysing the potential risk that vulnerabilities pose, organisations must consider more than just their severity score. Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges. Underestimating what appear to be low risk vulnerabilities can leave organisations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages,” said George Glass, Head of Threat Intelligence at Redscan.