Monthly Vulnerability Insights Report Summary

This month, we reached a new milestone with a record-breaking 1,277 advisories, up from 1,010 last month. Here are the key highlights:

  • Record High: This is the highest number of advisories recorded in a single month since 2002!
  • Significant Increase: The number of advisories has surged by 47% since the beginning of 2024 (last month: +46%).
  • Unassigned CVEs: 24 advisories lack a CVE, including 3 highly critical ones: Gentoo Linux, Roundcube Webmail, and PDF-XChange Editor.
  • Remote Attack Vectors: Only 44.48% of vulnerabilities reported this month have a “Remote Attack Vector” (last month: 48.91%).
  • Extremely Critical Advisories: The Secunia Research Team reported 12 extremely critical advisories, up from 2 last month.
  • Zero-Day Advisories: 13 Zero-Day advisories were reported, affecting Microsoft, Google, and Debian (last month: 2).
  • Targeted Vulnerabilities: Threat Intelligence indicates hackers are targeting moderately critical vulnerabilities.
  • Recent Cyber Exploits: 149 advisories (last month: 132) are linked to recent cyber exploits, and 506 (last month: 412) to historical exploits.
  • Top Vendors: Over half of the advisories come from Linux, Red Hat, and SUSE, who also lead in rejected advisories: 225 out of 342.
  • Networking Advisories: F5 (48%) and Cisco (21%) accounted for over half of all networking-related advisories this month (39 advisories).

Last month, 62.97% of Secunia Advisories had a threat (exploits, malware, ransomware, etc.) associated with them. This month, the number dropped to 54.66%.

NVD Challenges: The Good and the Bad

The Good: NVD has engaged a third party to help clear the backlog of CVEs and process incoming ones more swiftly. Despite their lack of experience, NIST has relied on this organization for years and expects the backlog to be cleared by year-end.

The Bad: Over 13,000 CVEs are currently awaiting analysis. The number of CVEs without CVSS/CPE data is nearing 50%, and it’s uncertain when this backlog will decrease.

At Flexera’s Software Vulnerability Research (Secunia Research), we remain unaffected by these delays. We continue to provide timely and accurate vulnerability intelligence to support our customers’ decision-making and cybersecurity strategies.

Using Threat Intelligence effectively can help prioritize immediate patching needs.

Stay vigilant and informed!

For the full report, see: https://community.flexera.com/t5/Software-Vulnerability/Monthly-Vulnerability-Insights-May-2024/ba-p/321295?attachment-id=84698