Articles about CVE

New tool helps organizations ignore CVEs

Ignoring vulnerabilities and exposures may not seem like a good idea, but conventional strategies rely heavily on vulnerability severity (CVSS) and exploitability indicators (EPSS), which ignore whether a given vulnerability is actually exploitable, or already mitigated by existing defenses, in a specific organization's environment.

More than 40,000 new CVEs were disclosed in 2024, of which 61 percent were labeled as high or critical, but they won't all be a risk to every business. A new tool from Picus Security allows security teams to verify the exploitability of vulnerabilities and determine which pose real-world risks based on their unique environments.


Could this be the end of CVE? And what does it mean for cybersecurity?

The CVE (Common Vulnerabilities and Exposures) database is widely used across many cybersecurity tools, allowing the tracking of vulnerabilities.

The CVE program has been in existence for 25 years, but today MITRE -- the non-profit organization which looks after the database -- has announced that its contract with the US Department of Homeland Security to operate the CVE Program hasn't been renewed.


TP-Link becomes a CVE Numbering Authority to improve cybersecurity

As someone who uses and loves TP-Link products (including its affordable routers and smart home devices) I’m truly elated to see the company taking cybersecurity more seriously. You see, the company has officially joined the CVE Numbering Authorities (CNAs), meaning it can now assign CVE IDs to security flaws found in its own products.

Here’s why it matters, folks: CVEs (Common Vulnerabilities and Exposures) are used to track publicly known cybersecurity issues. By becoming a CNA, TP-Link gains the power to document and disclose vulnerabilities faster and more transparently. That’s a win for both the company and the people who rely on its devices every day (such as yours truly).


Addressing the challenge of non-patchable security [Q&A]

While many organizations have solutions in place to identify patchable CVEs, non-patchable security issues such as misconfigurations continue to provide threat actors with consistent access points to exploit organizations.

We spoke to Jason Mar-Tang, field CISO at Pentera, to discuss the challenge of non-patchable security issues vs. CVEs, what makes them so much more difficult to identify, the challenges of remediation, and what standards organizations should implement to tackle this challenge.


Record-breaking number of vulnerabilities predicted for 2025

A new report predicts a record-breaking 41,000 to 50,000 new Common Vulnerabilities and Exposures (CVEs) this year, based on data from the National Vulnerability Database (NVD).

The forecast, from the Forum of Incident Response and Security Teams (FIRST), suggests an 11 percent increase compared to 2024, and a whopping 470 percent increase compared to 2023.


Vulnerabilities surge by 43 percent over 2023

Published vulnerabilities have increased by 43 percent compared to H1 2023, with 23,668 vulnerabilities reported in H1 2024 according to a new report from Forescout.

The average number of new CVEs per day is 111, or 3,381 per month, and 20 percent of exploited vulnerabilities affected VPN and network infrastructure.


Published CVEs predicted to increase by 25 percent in 2024

The total number of common vulnerabilities and exposures (CVEs) is expected to increase by 25 percent in 2024 to 34,888 vulnerabilities, or roughly 2,900 per month.

This comes from a new report by 'active insurance' provider Coalition, which uses honeypots to monitor for spikes in activity and identify the biggest CVEs before they make news headlines -- thus giving companies the opportunity to take action before an incident can occur.


Top three vulnerabilities of 2023 not covered by CVEs

As we approach the end of the year, a new report from Detectify shows that none of the top three vulnerabilities found across all industries in 2023 were covered by a CVE.

What's more, 75 percent of the total vulnerabilities regularly scanned by Detectify, primarily crowdsourced from its community of ethical hackers, don't have a CVE assigned. This suggests that over-reliance on frameworks like the CVE program can weaken an organization's security posture and give it an unrealistic sense of security.


The devices that pose a threat to critical infrastructure

Operational technology and industrial control system devices represent an attractive target for cybercriminals attempting to access networks, and for nation state actors looking to disrupt infrastructure.

Asset visibility and security company Armis is releasing new research identifying the riskiest devices that pose threats to critical infrastructure industries: manufacturing, utilities and transportation.


Record number of software security flaws uncovered in 2022

A record 26,448 software security flaws were reported by CISA last year, with the number of critical vulnerabilities (CVEs) up 59 percent from 2021 at 4,135.

The 2023 Annual Threat Intelligence Report, from the Deepwatch Adversary Tactics and Intelligence (ATI) team, also shows that the conflict between Ukraine and Russia has unleashed a flurry of amateur and state-sponsored attacks and breaches on organizations and critical infrastructure.


Your patch management solution needs help

Proper patch management is an important component of cybersecurity hygiene. If organizations don’t apply fixes to software bugs in a timely manner, they risk exposing themselves to a variety of threats. But scrambling to fix bugs identified by the Common Vulnerabilities and Exposures (CVE) program is not a complete solution. Organizations need to be doing much more.

The CVE and CVSS programs are essential components of information security management systems (ISMS) at most organizations, but they clearly have issues. The CVE program offers a reference for publicly known vulnerabilities and exposures. CVSS provides a way to capture the main characteristics of a vulnerability and produce a numerical score that reflects its severity. Among the many challenges with these programs, CVSS is not a true indication of the risk a CVE represents to an organization. That’s because it attempts to take the environment into consideration but only has limited success doing so.


Real-world analysis finds the severity of many CVEs is overrated

The latest report from JFrog looks at the most prevalent vulnerabilities in 2022 with an in-depth analysis of open source security vulnerabilities that have most impact for DevOps and DevSecOps teams.

The report shows that the severity of six of the top 10 CVEs was overrated, meaning they scored higher in the NVD rating than in JFrog's own analysis. In addition, the CVEs appearing most frequently within enterprises are low-severity issues that were simply never fixed.


Number of new Common Vulnerabilities and Exposures (CVEs) expected to increase in 2023

We can expect to see more than 1,900 new Common Vulnerabilities and Exposures (CVEs) per month in 2023, including 270 high-severity and 155 critical-severity vulnerabilities -- a 13 percent increase from published 2022 levels.

This is according to a report from cyber insurance provider Coalition, which finds that most CVEs are exploited within 90 days of public disclosure, with the majority exploited within the first 30 days.


A third of ICS vulnerabilities have no patch available

New research from ICS/OT cybersecurity firm SynSaber has analyzed over 900 CVEs reported in industrial control systems in the second half of 2022 and finds that 35 percent have no patch or remediation available.

Only 56 percent of the CVEs have been reported by the original equipment manufacturer (OEM), while 43 percent have been submitted by security vendors and independent researchers. A firmware update is required to fix 33 percent.


How clean code can help developers prevent vulnerabilities [Q&A]

Every year, thousands of code vulnerabilities are discovered, patched and publicly disclosed to improve security for current and potential users.

But many of these vulnerabilities share common features, so what can developers do to write better code that prevents vulnerabilities from entering their apps and services in the first place? We talked to Johannes Dahse, head of R&D at clean code specialist SonarSource, to find out.


BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.
