Dive Brief:
- On Tuesday, the number of common vulnerabilities and exposures (CVEs) recorded this year surpassed the total for all of 2019, according to K2 Security's analysis of the US-CERT Vulnerability Database.
- The count for this year stands at 17,447. The number of vulnerabilities rated high severity is so far lower than in 2019: 4,177 this year compared with 4,337 last year.
- The 17,306 vulnerabilities recorded in 2019 were the previous record. Yearly records have been broken every year since 2017, when the total jumped from 6,447 in 2016 to 14,646.
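The counts above come from a tally of the public vulnerability database by year and severity. The script below is an added example, not part of the article or K2 Security's analysis, showing how such a tally is produced from the NVD JSON 1.1 feed layout (an assumption about the feed format; only the fields read here are modelled). The feed content is a constructed sample that uses the CVE IDs named later in this article with the scores their NVD entries carry; the 7.0 threshold for "high severity" is an assumption, since the article does not state which cutoff K2 used. Two caveats the numbers hide are handled: older CVEs often carry only a CVSS v2 score, and rejected or reserved entries carry no score at all.

```python
import json
from collections import defaultdict

# Constructed sample feed in the NVD JSON 1.1 layout (assumption: the shape of
# nvdcve-1.1-<year>.json, trimmed to the fields this script reads). The IDs are
# the CVEs named in the article; scores follow their NVD entries.
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {"cve": {"CVE_data_meta": {"ID": "CVE-2012-0158"}},
         "publishedDate": "2012-04-10T21:55Z",
         # Pre-2016 CVEs often carry only a CVSS v2 score.
         "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 9.3},
                                     "severity": "HIGH"}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2018-7600"}},
         "publishedDate": "2018-03-29T07:29Z",
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8,
                                                "baseSeverity": "CRITICAL"}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-0604"}},
         "publishedDate": "2019-03-05T23:29Z",
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8,
                                                "baseSeverity": "CRITICAL"}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-19781"}},
         "publishedDate": "2019-12-27T15:15Z",
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8,
                                                "baseSeverity": "CRITICAL"}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2020-4006"}},
         "publishedDate": "2020-11-23T23:15Z",
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.1,
                                                "baseSeverity": "CRITICAL"}}}},
    ]
})


def severity_of(item):
    """Return (score, label) for one CVE_Items entry.

    Prefers CVSS v3; falls back to v2 for entries that were never rescored;
    returns (None, "UNSCORED") for rejected/reserved entries with no impact.
    """
    impact = item.get("impact", {})
    v3 = impact.get("baseMetricV3", {}).get("cvssV3")
    if v3:
        return v3["baseScore"], v3["baseSeverity"]
    v2 = impact.get("baseMetricV2")
    if v2:
        return v2["cvssV2"]["baseScore"], v2["severity"]
    return None, "UNSCORED"


def count_by_year(feed_json, high_threshold=7.0):
    """Tally CVEs per publication year.

    Returns {year: {"total": n, "high": m, "unscored": k}} where "high" counts
    entries whose best available base score is >= high_threshold (assumption:
    7.0, the bottom of the CVSS HIGH band). Bucketing uses publishedDate, not
    the year in the CVE ID, because IDs can be reserved long before publication.
    """
    feed = json.loads(feed_json)
    out = defaultdict(lambda: {"total": 0, "high": 0, "unscored": 0})
    for item in feed["CVE_Items"]:
        year = int(item["publishedDate"][:4])
        score, _ = severity_of(item)
        out[year]["total"] += 1
        if score is None:
            out[year]["unscored"] += 1
        elif score >= high_threshold:
            out[year]["high"] += 1
    return dict(out)


if __name__ == "__main__":
    for year, row in sorted(count_by_year(SAMPLE_FEED).items()):
        print(f"{year}: total={row['total']} high={row['high']} "
              f"unscored={row['unscored']}")
```

Run against the real yearly feeds (one file per year, concatenate the `CVE_Items` arrays) the same function reproduces a year-over-year table; note that the "high" column moves depending on whether the threshold is 7.0 or the 9.0 CRITICAL band, which is why two analyses of the same database can disagree on the high-severity count.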
Dive Insight:
Patches are most prevalent for widely used software, and widely deployed enterprise software, including Microsoft suite products and the Apache Struts and Drupal frameworks, is a favorite attack vector.
IT teams are often responsible for deploying the patches that security teams deem most critical. When a patch is missed, even an unassuming DOC or RTF file can become dangerous.
CVEs were already on pace to break 2019's record, but the pandemic caused organizations to accelerate application production resulting in time-crunched quality assurance and greater reliance on open source code, according to K2 Security.
NordVPN identified the top-five CVEs attackers have exploited this year:
- Microsoft CVE-2012-0158: First published in 2012, the vulnerability has been used in attacks on governments worldwide, with the exploit delivered in Microsoft Office RTF files because such attachments spread easily.
- Microsoft CVE-2019-0604: Disclosed in 2019, this remote code execution vulnerability in Microsoft SharePoint lets an attacker run arbitrary code "in the context of the SharePoint application pool and the SharePoint server farm account," said Microsoft.
- VMware CVE-2020-4006: Disclosed in November, this command injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector was being exploited by Russia-based actors, researchers found. Exploitation requires network access to the administrative configurator on port 8443 and a valid password for the configurator admin account; with those, an attacker can execute commands "with unrestricted privileges on the underlying" OS, according to Palo Alto Networks' Unit 42.
- Drupal CVE-2018-7600: Disclosed in 2018 and labeled highly critical for Drupal CMS users, the vulnerability also let attackers drop Kitty, a cryptocurrency-mining malware, on sites running Drupal.
- Citrix CVE-2019-19781: Disclosed in 2019, the CVE has been used to deploy ransomware and for espionage. Patching closes the hole on vulnerable Citrix devices, but systems that were already compromised "cannot be remediated by" deploying patches, according to CISA: if cyber network exploitation (CNE) was established before the patch, the attacker's foothold remains after it is applied.
Companies are not finding vulnerabilities on their own. Only 4% of CVEs are found by a scanner before a patch is available, according to Kenna Security; after a patch is issued, scanners detect 90% of CVEs.
Companies that miss bugs rely on their vendors or bug bounty programs to find them, but there is no guarantee the flaws will be found. Between January and August, Microsoft's Patch Tuesday releases grew to nearly 103 patches a month, according to Trend Micro. The increase reflects either more vulnerable code or more meticulous scrutiny of older operating systems in response to this year's heightened cyberthreats.