On Monday, Risk Based Security issued its vulnerability report for 2021, revealing a record-breaking 28,695 flaws discovered last year, up from 23,269 weaknesses disclosed in 2020. More than 4,100 of the vulnerabilities exposed in 2021 are remotely exploitable, have a public exploit, and have a fix or mitigation available.
According to the vulnerability and data breach intelligence firm, organizations can reduce their risk by 86 percent by concentrating on these security flaws first. To put those 4,100 in perspective, CISA's Known Exploited Vulnerabilities catalog, which records issues published over the last decade, holds only 360 entries.
“In the 2021 Mid Year Report, the difference between 2020 and 2021 was only around 400. In the second half of the year, that gap then increased by over 3,500,” the company said in its newest report. “This is a considerable increase, further lending to the idea that we are seeing the disclosure landscape shake off the pandemic as researchers return to their normal output.”
Among the top ten products with the most vulnerabilities identified in 2021, Linux distributions dominate the list. Google's Pixel smartphones also reached the top ten: in 2020, Pixel phones were ranked 12th, while in 2021 they were placed fifth, even though the number of vulnerabilities was approximately the same in both years.
The 2021 top ten does not feature any version of Windows, a notable change. Moreover, Microsoft slid from second place in 2020 to fifth place in 2021 on the list of major vendors. This might be explained by the fact that 2020 was “an unusually bad year for Microsoft,” with roughly 1,600 vulnerabilities that year, up from 940 the year before.
It's worth mentioning that 29% of the vulnerabilities RBS catalogs have no CVE designation. RBS also said that the industry is beginning to take significant steps forward in its approach to vulnerability management. Organizations such as Gartner recognize the inefficiencies created by dependence on vulnerability scanners, while government bodies such as the Cybersecurity and Infrastructure Security Agency (CISA) urge companies to prioritize on metadata such as exploitability rather than on severity alone.