2024 marked a record-breaking year for cybersecurity challenges as threat actors ramped up their exploitation of vulnerabilities.
According to the latest findings from VulnCheck, 768 Common Vulnerabilities and Exposures (CVEs) were publicly reported as exploited in the wild for the first time this year.
This figure represents a 20% increase compared to 639 CVEs reported in 2023, highlighting the evolving threat landscape.
VulnCheck’s analysis shows that in 2024, 1% of all published CVEs were reported to have been exploited in the wild. While this ratio aligns with historical trends, the raw number of newly exploited vulnerabilities continues to rise, indicating the increasing sophistication and activity of malicious actors.
Furthermore, spikes in exploitation reporting frequently coincided with major industry events, including the RSA Conference, or were influenced by disclosures from newly onboarded sources like ShadowServer.
April and May witnessed heightened activity, likely fueled by high-profile disclosures during RSA and end-of-quarter reporting.
ShadowServer’s integration into reporting processes in January also led to increased public awareness of exploitation, while product-specific reports from companies like F5 and Fortinet, combined with government agency findings from the U.S. Department of Defense (DOD) and the Cybersecurity and Infrastructure Security Agency (CISA), further contributed to this surge.
The Rapid Pace of Exploitation
An alarming trend observed in 2024 is the speed at which vulnerabilities are being exploited. VulnCheck reports that 23.6% of Known Exploited Vulnerabilities (KEVs) were actively exploited on or before their public disclosure date.
While this represents a slight decrease from 27% in 2023, it underscores how quickly attackers can act following the identification of a vulnerability. This rapid exploitation challenges security teams to act with unprecedented agility to mitigate cyber risks.
Despite the attention given to zero-day vulnerabilities (exploits that occur before any public disclosure), VulnCheck emphasizes that exploitation happens throughout a vulnerability’s lifecycle.
New exploitation can often emerge months or even years after a vulnerability is first disclosed, making long-term vigilance essential.
The 2024 report highlighted that the initial evidence of exploitation came from a diverse set of 112 unique sources, underscoring the importance of collaboration within the security community. These sources include:
- Third-party security vendors: Companies like CheckPoint, Aqua Security, Fortinet, and F5 were instrumental in uncovering exploitation activity.
- Government Agencies: Organizations such as CISA, DOD, and the UK’s National Health Service (NHS) played vital roles in publicizing active threats.
- Non-profits: Groups like ShadowServer significantly contributed to disclosure efforts.
- Product Vendors: Technology giants such as Microsoft, Google, Apple, and Cisco not only disclosed vulnerabilities in their own products but also shed light on third-party vulnerabilities.
- Independent Platforms: Social media platforms like X (formerly Twitter), LinkedIn, and blogs further amplified awareness within the broader cybersecurity community.
The report encourages organizations across industries to publicly disclose exploitation activity whenever possible, contributing to collective defense efforts. It also stresses that while progress is being made, there is still room to expand the breadth of exploitation reporting and collaboration.
As the cybersecurity landscape grows more complex, the findings from 2024 serve as a stark reminder that vigilance, transparency, and cooperation remain critical in staying one step ahead of adversaries.
With the number of publicly exploited CVEs climbing year over year, businesses and security professionals must prioritize proactive threat management to safeguard digital ecosystems.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Start Now for Free.
