Risk Based Security on Monday released its vulnerability report for 2021 and revealed that a record-breaking 28,695 flaws were disclosed last year, which represents a significant increase from the 23,269 disclosed in 2020.
Of the vulnerabilities disclosed in 2021, more than 4,100 are remotely exploitable, have a public exploit available, and also have a patch or mitigation. By focusing on these security holes first, organizations could reduce risk by 86%, according to the vulnerability and data breach intelligence company.
On the other hand, to put that 4,100 into context, the known exploited vulnerabilities catalog maintained by CISA, which tracks issues disclosed over the past decade, only contains 360 entries.
The COVID-19 pandemic appears to have had some impact on vulnerability disclosures, starting with the first quarter of 2020, when there was a significantly lower number of disclosures. Risk Based Security (RBS) also noticed that disclosures slowed down in the first half of 2021, but they picked up in the second half of the year.
“In the 2021 Mid Year 2021 Report, the difference between 2020 and 2021 was only around 400. In the second half of the year, that gap then increased by over 3,500,” the company said in its latest report. “This is a considerable increase, further lending to the idea that we are seeing the disclosure landscape shake off the pandemic as researchers return to their normal output.”
As for the products with the most vulnerabilities discovered in 2021, the top 10 mostly includes Linux distributions. Google’s Pixel devices also made the top 10. Pixel phones ranked 12 in 2020 and moved up to the fifth place in 2021, but the number of vulnerabilities was roughly the same in both years.
One significant change in 2021 is that the top 10 does not include any version of Windows. Furthermore, in the list of top vendors, Microsoft dropped from second place in 2020 to fifth in 2021. However, this could be explained by the fact that 2020 was — as RBS puts it — “an unusually bad year for Microsoft,” with nearly 1,600 vulnerabilities, up from 940 in the previous year.
It’s worth noting that 29% of the vulnerabilities cataloged by RBS do not have a CVE identifier.
“The good news is that the industry is starting to make big leaps in how it views vulnerability management. Firms like Gartner are catching on to the inefficiencies caused by reliance on vulnerability scanners, while government agencies like the Cybersecurity Infrastructure and Security Agency are pushing for organizations to focus their prioritization on metadata like exploitability, rather than severit,” RBS said in its report.
It added, “All of these movements are educating organizations that it can be possible to proactively manage risk, rather than always reacting to it. As enterprises take the steps in assessing those possibilities, security teams will come to realize that it will all come down to the quality of data. To make informed risk-decisions, they will come to understand that comprehensive, actionable, and timely vulnerability intelligence will be critical, and that it won’t be found in the public source.”
Earlier this year, RBS announced getting acquired by threat intelligence company Flashpoint.
Related: Telemetry Report Shows Patch Status of High-Profile Vulnerabilities
Related: Microsoft Explains How It Processes Vulnerability Reports
Related: Number of ICS Vulnerabilities Continued to Increase in 2020: Report