Security Experts:

Connect with us

Hi, what are you looking for?



Over 28,000 Vulnerabilities Disclosed in 2021: Report

Risk Based Security on Monday released its vulnerability report for 2021 and revealed that a record-breaking 28,695 flaws were disclosed last year, which represents a significant increase from the 23,269 disclosed in 2020.

Risk Based Security on Monday released its vulnerability report for 2021 and revealed that a record-breaking 28,695 flaws were disclosed last year, which represents a significant increase from the 23,269 disclosed in 2020.

Of the vulnerabilities disclosed in 2021, more than 4,100 are remotely exploitable, have a public exploit available, and also have a patch or mitigation. By focusing on these security holes first, organizations could reduce risk by 86%, according to the vulnerability and data breach intelligence company.

On the other hand, to put that 4,100 into context, the known exploited vulnerabilities catalog maintained by CISA, which tracks issues disclosed over the past decade, only contains 360 entries.

The COVID-19 pandemic appears to have had some impact on vulnerability disclosures, starting with the first quarter of 2020, when there was a significantly lower number of disclosures. Risk Based Security (RBS) also noticed that disclosures slowed down in the first half of 2021, but they picked up in the second half of the year.

“In the 2021 Mid Year 2021 Report, the difference between 2020 and 2021 was only around 400. In the second half of the year, that gap then increased by over 3,500,” the company said in its latest report. “This is a considerable increase, further lending to the idea that we are seeing the disclosure landscape shake off the pandemic as researchers return to their normal output.”

As for the products with the most vulnerabilities discovered in 2021, the top 10 mostly includes Linux distributions. Google’s Pixel devices also made the top 10. Pixel phones ranked 12 in 2020 and moved up to the fifth place in 2021, but the number of vulnerabilities was roughly the same in both years.

2021 vulnerability disclosure top 10

One significant change in 2021 is that the top 10 does not include any version of Windows. Furthermore, in the list of top vendors, Microsoft dropped from second place in 2020 to fifth in 2021. However, this could be explained by the fact that 2020 was — as RBS puts it — “an unusually bad year for Microsoft,” with nearly 1,600 vulnerabilities, up from 940 in the previous year.

It’s worth noting that 29% of the vulnerabilities cataloged by RBS do not have a CVE identifier.

“The good news is that the industry is starting to make big leaps in how it views vulnerability management. Firms like Gartner are catching on to the inefficiencies caused by reliance on vulnerability scanners, while government agencies like the Cybersecurity Infrastructure and Security Agency are pushing for organizations to focus their prioritization on metadata like exploitability, rather than severit,” RBS said in its report.

It added, “All of these movements are educating organizations that it can be possible to proactively manage risk, rather than always reacting to it. As enterprises take the steps in assessing those possibilities, security teams will come to realize that it will all come down to the quality of data. To make informed risk-decisions, they will come to understand that comprehensive, actionable, and timely vulnerability intelligence will be critical, and that it won’t be found in the public source.”

Earlier this year, RBS announced getting acquired by threat intelligence company Flashpoint.

Related: Telemetry Report Shows Patch Status of High-Profile Vulnerabilities

Related: Microsoft Explains How It Processes Vulnerability Reports

Related: Number of ICS Vulnerabilities Continued to Increase in 2020: Report

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet