103 ACTIVE VULNERABILITIES FOUND IN MAY

According to a report by VulnCheck, a total of 103 vulnerabilities (CVEs) were identified in May 2024 as being exploited for the first time. This marked a significant increase of 90.7% compared to the previous month, indicating a rise in the number of vulnerabilities being targeted. Separately, Verizon's report for 2024 highlighted a 180% increase in the number of vulnerability cases from 2022 to 2023.

For the 103 vulnerabilities identified in May, evidence of exploitation was found in 73 unique products from 58 software suppliers. Notable software such as Google Chrome, Microsoft Windows, Apple Safari, and Adobe Acrobat Reader was among the products with the most vulnerabilities. Other products, such as Microsoft Exchange, Oracle JDK, phpMyAdmin, TP-Link TL-R600VPN, and Arcserve Unified Data Protection, were also targeted.

The increase in disclosures of vulnerability exploitation can be attributed to reports by companies like Fortinet, Check Point, and Aqua Security, which collectively shared information on 49 unique vulnerabilities. This trend reflects a positive shift towards wider information sharing among vendors for the benefit of security teams.

VulnCheck pointed out a noticeable decrease in the effectiveness of major organizations like CISA and NIST in detecting and reporting actively exploited vulnerabilities. In May, CISA added only 14 vulnerabilities to its KEV list, which accounted for 13.6% of the total vulnerabilities identified by VulnCheck during the same period.

Similarly, NIST incorporated only 22 of the 103 vulnerabilities documented by VulnCheck into its NVD database, with 10 of them still pending analysis by the end of May. This shift signifies a changing landscape in American cybersecurity, with private companies surpassing governmental bodies in the detection and disclosure of vulnerabilities.

As commercial entities demonstrate increased efficiency and transparency in sharing real-time data, traditional leaders like CISA and NIST lag behind in their ability to keep pace with evolving cyber threats. This highlights the growing importance of private sector involvement in cybersecurity and emphasizes the necessity for collaboration between commercial and government entities to effectively combat cyber threats.
