The number of new vulnerabilities reported by the US government in 2022 increased by a quarter annually to hit 25,096, a new all-time high, according to data compiled by Skybox Security.
The security vendor analyzed the National Vulnerability Database (NVD) to compile its Vulnerability and Threat Trends Report 2023.
The findings mean that 2022 was the sixth year in a row that the volume of newly discovered vulnerabilities hit an all-time high. Skybox Security said the latest increase was the biggest since 2017, with the number of CVEs published over the past decade standing at over 192,000.
Read more on vulnerabilities: Google: Record Year for Zero Days in 2021.
Some 80% of CVEs reported in 2022 were either medium or high severity, with 16% deemed critical.
Although the share of critical bugs dropped from 20% last year, Skybox Security argued that severity does not equal risk, with malicious actors often exploiting less severe vulnerabilities for remote code execution (RCE), privilege escalation and more.
Risk assessments must therefore be continuously run to prioritize patching, based not just on the severity of a CVE but also its exploitability, exposure, asset importance and business impact, the report noted.
“The writing is on the wall. Traditional reactive approaches to cybersecurity – waiting until vulnerabilities are reported and then scrambling to scan and patch every instance – are more outmoded by the day,” warned Skybox CEO, Mordecai Rosen.
“There are far too many vulnerabilities, it takes too long to find them and close them, and many are unpatchable in any case. Understaffed cybersecurity organizations can’t keep up.”
Perhaps unsurprisingly, the top CVE targeted by new malware last year was the Log4j bug, CVE-2021-44228, which was actually published at the end of December 2021. Second and third place went to Atlassian Confluence RCE vulnerability, CVE-2022-26134, and the “Follina” RCE flaw in the Microsoft Windows Support Diagnostic Tool (MSDT), CVE-2022-30190.
Of newly discovered malware programs in 2022 exploiting known vulnerabilities, the backdoor category was the most prolific, according to the report.