What’s behind unchecked CVE proliferation, and what to do about it


The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations’ cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.

Meanwhile, Coalition’s 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.

What’s behind the dramatic rise in CVEs? And what can security teams do to minimize the risk? Let’s find out.

The drivers behind CVE proliferation

The rise in CVEs can be attributed to several factors. Each element adds new layers of complexity, which ultimately provide more opportunities for vulnerabilities to surface. Some of the main causes of CVE proliferation include:

1. Increased complexity of IT systems

Modern enterprise networks are vast ecosystems of on-premises infrastructure, remote endpoints, cloud applications and third-party services. Every new piece of hardware or software introduces potential vulnerabilities that cyber criminals can exploit. As businesses adopt more tools to stay competitive, their attack surfaces widen. And a single CVE can affect multiple software versions or be embedded across different packages.

For instance, software vulnerabilities like MOVEit, Log4Shell and Citrix Bleed have all garnered significant media attention in recent years. However, they represent just a fraction of the total CVEs causing widespread damage. These high-profile cases highlight a growing problem: The more software an organization uses, the more vulnerabilities are discovered, and the harder it becomes to manage them all securely.

2. The explosion of open-source software

Open-source software has become an essential component in many tech stacks, but it also presents unique challenges. The reliance on community-driven solutions means that not all software is regularly maintained or promptly patched. Open-source software leaves the door open to vulnerabilities that are not always caught in a timely manner.

Furthermore, one CVE can affect multiple versions of software or packages of software, especially if that CVE is embedded in pervasive code. Even seemingly minor vulnerabilities can proliferate across various environments, compounding the difficulty of securing them.

3. The rapid pace of code development

Every new line of code that is written introduces new potential vulnerabilities. This is exacerbated by the use of agile development practices, which focus on fast iterations and deployments. While these methods may boost productivity, they also raise the likelihood of security oversights.

CVE lists are far from static. For this reason, CVE scoring is vital to stack rank (organizing CVEs based on their CVSS scores) and knowing which ones are on your network. The dynamic nature of code development means that the total number of vulnerabilities continues to grow at a rapid pace. And organizations must race to patch new issues as they arise.

Explore X-Force Red vulnerability management services

The role of vulnerability management in addressing CVE growth

Vulnerability management has become a critical part of IT risk management, especially in light of the unchecked CVE growth. Organizations that fail to implement effective vulnerability management programs are more exposed to cyberattacks and data breaches. The key to managing this flood of vulnerabilities lies in adopting a proactive, continuous approach to vulnerability discovery, prioritization and resolution.

1. Continuous vulnerability discovery

Vulnerabilities can surface at any time, whether due to new software installations, configuration changes or newly discovered weaknesses in existing systems. Automated vulnerability scanning tools are essential in modern cybersecurity to regularly monitor for vulnerabilities across the organization’s entire attack surface.

Some organizations have implemented advanced scanning techniques that utilize honeypots to identify CVEs before they make headlines. For example, honeypot activity spiked 1,000% in the weeks leading up to the discovery of the MOVEit vulnerability, giving companies the opportunity to act preemptively. Continuous monitoring and real-time scanning are critical to stay ahead of the rapid pace of vulnerability discovery.

2. Effective prioritization of vulnerabilities

With thousands of vulnerabilities flagged each year, it’s impossible for organizations to address them all. Instead, prioritization is critical. Tools like the Common Vulnerability Scoring System (CVSS) and threat intelligence from resources such as MITRE’s CVE list and the National Vulnerability Database (NVD) help security teams determine the criticality of vulnerabilities.

However, these general scoring systems need to be supplemented with organization-specific data to truly prioritize vulnerabilities that matter most. Risk-based vulnerability management (RBVM) has emerged as an effective solution. This approach combines stakeholder-specific data with artificial intelligence and machine learning to offer a more precise prioritization of vulnerabilities based on the organization’s specific risk profile. Vulnerabilities are not only ranked by severity but also by how they could impact the particular organization. This makes prioritization more strategic and manageable.

3. Vulnerability resolution: Remediation, mitigation or acceptance

Once vulnerabilities have been prioritized, organizations must resolve them through remediation, mitigation or acceptance:

  • Remediation is the complete elimination of a vulnerability, such as by patching a software flaw or reconfiguring a network setting.
  • Mitigation reduces the risk of exploitation, though it does not eliminate the vulnerability altogether. This might involve segmenting a vulnerable device from the network or installing a firewall.
  • Acceptance is when a vulnerability is deemed low-risk, and the organization decides that the cost or effort of addressing it outweighs the potential risk it poses.

Organizations need to tailor their approach depending on the criticality of the vulnerability and the potential damage it could cause if exploited.

4. Reporting and continuous improvement

The vulnerability management lifecycle concludes with reporting and continuous improvement. Reporting tools track key metrics, such as mean time to detect (MTTD) and mean time to respond (MTTR), to help organizations assess the effectiveness of their vulnerability management efforts. By regularly reviewing and auditing these processes, organizations can adjust their strategies to handle future CVE proliferation more effectively.

Keys to effectively manage CVE proliferation

As the volume of CVEs continues to grow, organizations should adopt key approaches to improve their vulnerability management capabilities. These include:

  1. Correlating vulnerabilities: By understanding how vulnerabilities interact with each other, security teams can prioritize issues that, while not severe on their own, may present critical risks when combined with other vulnerabilities.

  2. Curating vulnerability information: Instead of overwhelming IT teams with raw scan results, security teams should deliver prioritized, curated reports that provide actionable insights into which vulnerabilities pose the greatest risk.

  3. Strategically scheduling scans: Organizations should regularly scan their most critical assets while balancing the performance impact of frequent scans on less important systems.

  4. Automation: Given the sheer volume of vulnerabilities, manual processes are not feasible. Automating workflows — such as vulnerability discovery, prioritization and patch management — will enable organizations to scale their vulnerability management efforts.

Keep CVEs in check

The unchecked growth in CVEs presents a significant challenge to organizations worldwide. As vulnerabilities continue to rise, organizations must adopt continuous, risk-based vulnerability management strategies to stay ahead of potential threats.

By automating discovery, focusing on context-driven prioritization and implementing strong remediation practices, organizations can mitigate the risks posed by the ever-increasing number of CVEs in today’s complex cybersecurity landscape.

The post What’s behind unchecked CVE proliferation, and what to do about it appeared first on Security Intelligence.