Total advisories:  1,073 ↑ (last month: 992)

Another record-breaking month (and quarter) with the highest advisory count in the history of Secunia Research (since 2002)
and a record breaking Q1 with a whopping 44% increase compared to last years Q1.

NVD Challenges: Ensuring Unwavering Vulnerability Intelligence with Flexera’s Software Vulnerability Research

The biggest news are the ongoing issues at NVD, where the entire vulnerability community is seriously concerned about the potential delays in vulnerability analysis efforts.

While it’s unclear on the exact reasons on what’s cooking at NVD, we are positive that NIST will bounce back strongly. However, the gap between enriched and pending analysis is simply increasing by the day. After doing some rough math, we noticed that over 40% of vulnerabilities from the beginning of 2024 are pending enrichment from NVD.

Having said that Flexera’s Software Vulnerability Research (Secunia Research), is completely unperturbed with these delays from NVD. We recognize the importance of timely and accurate vulnerability intelligence for our customers. We understand that delays in analysis efforts can impact decision-making and cybersecurity strategies. However, we want to assure our clients that our solution remains unaffected by these challenges.

Since our inception in 2002, Flexera’s SVR has been committed to providing the most accurate and reliable source of vulnerability intelligence. Our dedication to excellence has enabled us to build a reputation for delivering unparalleled insights into the vulnerabilities of software applications. Unlike some solutions that rely solely on NVD for vulnerability data, Software Vulnerability Research utilizes a diverse range of data sources to ensure comprehensive coverage and independence from any single provider. In addition to NVD, we leverage vendor information, community data, threat feeds, dark web sources, and our own dedicated research team to gather intelligence on vulnerabilities across more than 70,000 products.

Linux Kernel Vulnerability Trends
A notable (ongoing) trend that our Research Team has detected is that there is a high increase of Linux Kernel vulnerabilities.
There are some concerns about this increase:

  • Many of these “vulnerabilities” are not really vulnerabilities and descriptions are “fuzzy” at best. (see rejections)
  • It seems like “spring cleaning” where they issue CVEs for ager-old GIT commit fixes.
  • Or worst, users are “forced” to adapt to Kernel version updates instead of picking GIT Commits.

The result is a high workload on not only vulnerability researchers around the world, but also organizations having Linux assets.

Important conclusions from this month report are:

  • A new record with 1,073 advisories, breaking the record of October ’23 (1,055 advisories)
  • Last 3 months we’ve seen a serious increase in the number of advisories: + 44%
  • Less than half (8%) of all vulnerabilities reported in this month have a “Remote Attack Vector” (last month 49.29%)
  • The Secunia Research Team reported 2 Extremely critical advisory this month. (Last month: 1)
  • 7 Zero-Day Advisories reported. (last month :5) for mostly Apple (5), Microsoft (1) and Tukaani Project XZ Utils (1)
  • Threat Intelligence indicates again that Moderately Critical Vulnerabilities are targeted by hackers.
  • This month 110 advisories contain at least one vulnerability linked to a Recent Cyber Exploit
    and 402 advisories contained at least one vulnerability linked to a Historical Cyber Exploit.
  • More than half of all advisories are disclosed by these 3 usual (Linux) suspect vendors (SUSE,Linux,Red Hat)
  • Interestingly among these vendors are also the ones with the most rejected advisories:
    • Record breaking: Linux Foundation: 176 out of 276 advisories were rejected by the Secunia Research Team.
  • Cisco contributed to more than half of all Networking related Advisories this month with 25 advisories.

Last month we reported that 66.53% of all Secunia Advisories had a Threat (exploits, malware, ransomware, etc.) associated with them, this month the number has been lower again for at least 2 months in a row to 53.59%

Using Threat Intelligence is going to help you with prioritizing what needs to be patched immediately.

Monthly Vulnerability Review March 2024