28,821 — that’s the number of vulnerabilities reported last year alone. With over 28,000 CVEs this year so far, 2024 is on track to set an even more troubling record. As cloud native technologies have become the backbone of modern IT infrastructure, these staggering figures highlight a growing and urgent threat. In this blog, we’ll explore why vulnerability disclosure is on the rise, share key trends seen by our Aqua Nautilus team, and offer practical steps security teams can take today to mitigate these escalating risks in their environments.
Vulnerability Disclosure on the Rise: 2024 Projected at All-Time High
These figures come from the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data. Unsurprisingly, the data shows more vulnerabilities being disclosed year over year, with 2023 setting a record of more than 28,000. As of September 2024, the count already exceeds 28,000, putting 2024 on pace to surpass 2023's total.
There are a few reasons why this is happening:
- The widespread use of open source: Since it’s publicly accessible, open source code enables a larger community of developers and researchers to scrutinize it more thoroughly than proprietary code.
- Greater awareness and reporting: Also on the positive side, increased cybersecurity awareness among organizations and researchers leads to more reporting.
- Complexity of systems: On the less positive side, modern software systems are becoming more complex, creating more opportunities for vulnerabilities to emerge.
- Regulatory requirements: New regulations and standards are pushing for more vulnerability disclosures, which is adding to the numbers.
However, despite the increase in reporting, challenges remain. Early in 2024 the NVD fell significantly behind in analyzing new CVE records, that is, in enriching them with CPE identifiers and CVSS scores. Most scanning tools match installed software to vulnerabilities through that CPE data, so a CVE that has been published but not enriched is effectively invisible to them. The backlog has therefore weakened the security posture of many organizations, leaving them more exposed than their scan results suggest.
Despite Increased Disclosures, Gaps Remain
In November 2023, after digging into GitHub activity and NVD entries, the Aqua Nautilus research team found another problem: delays in the public disclosure of vulnerabilities in open source projects. Each delay creates a risky window in which attackers can find and exploit a flaw that defenders cannot yet see; in some cases hundreds of days pass before a CVE is published.
The research also introduces two new categories, ‘Half-Day’ and ‘0.75-Day’, that sit between the familiar ‘0-day’ (unknown to the maintainers) and ‘1-day’ (publicly disclosed and patched). A ‘Half-Day’ vulnerability is known to the maintainers but has not been publicly disclosed, and a ‘0.75-Day’ vulnerability already has a fix but no CVE or CPE yet, so CVE-driven scanners cannot detect it.
Aqua Nautilus highlighted two case studies: Log4Shell (CVE-2021-44228) and a vulnerability in Binwalk (CVE-2022-4510), showing the risks and timelines of these types of vulnerabilities. In the Log4Shell case, there was a ‘Half-Day’ window of 6 days and a ‘0.75-Day’ window of 4 days before an official CVE was released. For the Binwalk case, the ‘Half-Day’ window lasted 98 days.
The findings underscore the need for responsible vulnerability disclosure within the security community. The goal is to shrink the gap between a vulnerability being found, fixed and publicly disclosed, so attackers have less time to exploit it. We recommend that organizations adopt a defense-in-depth security strategy, incorporating robust runtime protection to mitigate the risk of exposure during that window.
CVE Exploitation: Attackers Are Shifting Focus
As the security landscape evolves, so do the tactics of malicious actors. Lately, we’ve seen a clear shift in where attackers are focusing. In 2022, the notorious Log4Shell vulnerability (CVE-2021-44228) was the main target for scans and attacks. But by late 2023, the spotlight had moved to the Grafana vulnerability (CVE-2021-43798), which became the new hotspot for attackers. This shift shows that attackers are increasingly targeting cloud native environments and the key tools that support them.
Our honeypot research also found that attackers are exploiting newly disclosed vulnerabilities faster than ever, so it's crucial for organizations to stay ahead of these evolving threats. Here's a look at how attackers are changing the vulnerabilities they focus on, and what this means for cloud security.
Grafana flaws are becoming a bigger target.
In 2022, attackers mainly hunted for Log4Shell (CVE-2021-44228): nearly 80% of the scans and exploitation attempts observed by the Aqua Nautilus team targeted it. That trend continued into 2023, but by the end of last year attention had shifted to the Grafana flaw (CVE-2021-43798).
Grafana, an open source analytics and monitoring tool for visualizing data, is targeted through a directory traversal flaw in its plugin asset endpoint (/public/plugins/<plugin-id>/) that lets an unauthenticated attacker read arbitrary files from the server's filesystem. Beyond system files such as /etc/passwd, that can expose Grafana's own configuration and database, which may hold data source credentials.
It’s particularly interesting to see attackers focusing on a widely used DevOps tool for monitoring cloud native environments, highlighting their growing interest in cloud native tools overall.
CVE | Target | Share of observed attacks (%) | CVSS base score | EPSS |
CVE-2021-43798 | Grafana | 24.91% | 7.5 | 97.5% |
CVE-2021-44228 | Log4Shell (Apache Log4j) | 23.91% | 10 | 96.69% |
CVE-2002-1149 | phpinfo.php | 6.71% | N/A | 55.48% |
CVE-2018-11776 | Apache Struts | 5.39% | 8.1 | 97.53% |
CVE-2023-32315 | Openfire | 4.74% | 7.5 | 97.02% |
CVE-2023-38646 | Metabase | 3.62% | 9.8 | 88.91% |
CVE-2002-0953 | globals.php | 3.55% | N/A | 2.76% |
CVE-2022-0543 | Redis | 3.00% | 10 | 97.20% |
CVE-2020-2551 | Oracle WebLogic | 0.95% | 9.8 | 97.54% |
CVE-2014-6271 | Shellshock | 0.94% | 9.8 | 97.37% |
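The Grafana traversal described above is easy to spot in access logs once the request path is decoded and normalized. The following detector is an added example, not code from Aqua or from the original post; the log lines are constructed, and it assumes the attack shape the text describes: a request into /public/plugins/<plugin>/ whose path, after percent-decoding, resolves outside that plugin directory.

```python
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed access-log lines (common log format) for illustration; not real honeypot data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2023:10:01:22 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1425
203.0.113.7 - - [12/Nov/2023:10:01:23 +0000] "GET /public/plugins/welcome/..%2F..%2F..%2F..%2Fvar/lib/grafana/grafana.db HTTP/1.1" 200 9381
198.51.100.3 - - [12/Nov/2023:10:02:01 +0000] "GET /public/plugins/graph/module.js?v=1 HTTP/1.1" 200 4231
198.51.100.9 - - [12/Nov/2023:10:03:15 +0000] "GET /api/health HTTP/1.1" 200 15
198.51.100.9 - - [12/Nov/2023:10:03:16 +0000] "GET /public/plugins/graph/ HTTP/1.1" 403 0
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PLUGIN_ASSET = re.compile(r"^/public/plugins/(?P<plugin>[^/]+)/")


def decoded_path(target: str) -> str:
    """Drop the query string and percent-decode twice, so both %2e%2e and a
    double-encoded %252e%252e end up as '..' before normalization."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def is_plugin_traversal(target: str) -> bool:
    """True when a /public/plugins/<plugin>/ request resolves outside that plugin directory."""
    path = decoded_path(target)
    m = PLUGIN_ASSET.match(path)
    if not m:
        return False
    plugin_root = f"/public/plugins/{m.group('plugin')}"
    resolved = posixpath.normpath(path)  # collapses '..' the way a naive file join would
    return not (resolved == plugin_root or resolved.startswith(plugin_root + "/"))


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious request: source IP, raw target and resolved path."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_plugin_traversal(m.group("target")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "target": m.group("target"),
            "resolved": posixpath.normpath(decoded_path(m.group("target"))),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} requested {hit['target']} -> {hit['resolved']}")
```

Run it over Grafana's own access log or the reverse proxy in front of it. One caveat: the exploit depends on the raw `..` segments reaching Grafana, so a proxy that normalizes paths before logging will hide the attempt; log at the hop that sees the request as sent.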
Exploitation of vulnerabilities in the wild is on the rise.
Threat actors are taking advantage of newly published vulnerabilities. In fact, new CVEs are added to CISA’s Known Exploited Vulnerabilities Catalog nearly every day.
We're also seeing other examples of rapid weaponization of vulnerabilities by various threat actors. For example, recent Nautilus research on the Kinsing malware campaign showed that most Kinsing attacks begin by exploiting a vulnerability. Notably, the recent vulnerabilities in Openfire (CVE-2023-32315) and RocketMQ were exploited within one to two weeks of their disclosure.
Software supply chain attacks are intensifying.
New vulnerabilities in tools like curl and libcurl, along with the exploitation of novel vulnerabilities by Kinsing malware, highlight the persistent risks in the software supply chain. Other examples include critical vulnerabilities in Jenkins that lead to Remote Code Execution (RCE) and malware delivered through a dependency confusion attack on PyTorch's nightly package index.
Mitigation Recommendations
To tackle the rising number of vulnerabilities, security tools have been evolving, and we suggest that security practitioners explore these emerging solutions. Here are a few that have caught our attention:
- Automated code scanning: Tools like GitHub's CodeQL have been crucial in identifying vulnerabilities in source code, such as the Apache Struts RCE (CVE-2018-11776) listed in the table above.
- AI and ML technologies: These are increasingly used to review code and flag anomalies in repositories. Amazon CodeGuru, for instance, applies machine learning to code reviews and profiling, flagging risky or expensive lines and suggesting improvements.
Additionally, here are some best practices we recommend for reducing vulnerability risks in your environment:
- Develop a defense-in-depth strategy: As mentioned earlier, adopting a layered security approach is essential for comprehensive protection across your environment. This includes implementing strong runtime controls to guard against attacks that might exploit existing or zero-day vulnerabilities, leveraging capabilities like behavioral detection and Cloud Detection and Response (CDR).
- Detect and fix vulnerabilities early: Use a trusted cloud native security scanner to shift left and integrate automated scanning into your software development lifecycle. By uncovering known vulnerabilities and other risks in your container images early on, you can significantly reduce the attack surface that threat actors might exploit.
- Use a risk-based approach for prioritization and remediation: Focus on the vulnerabilities that pose the greatest risk by combining severity with contextual factors: whether the vulnerable package is loaded by a running process, whether the vulnerable code is reachable, the EPSS exploitation probability, whether a public exploit exists or the CVE is in CISA's KEV catalog, and more. This narrows a long scan report to the handful of findings that need attention first.
- Prevent critical vulnerabilities from reaching production: Set up assurance policies to define the acceptable risk level for deploying container images, which helps reduce the attack surface and stops vulnerabilities from making it to production.
- Mitigate vulnerabilities at runtime: For vulnerabilities that can't be fixed immediately, close off the exploitation path with compensating controls, such as vShield, a virtual patch that blocks the attack vector and provides immediate protection until the fix can be applied.
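To make the prioritization, assurance-gate and runtime-mitigation steps concrete, here is an added Python example; it is not Aqua's code and not from the original post. It ranks findings by a contextual score, applies an illustrative assurance policy to decide whether an image may deploy, and separates out the high-risk findings with no fix that need a runtime control. The CVSS and EPSS numbers are the ones in the table above; the KEV, runtime, reachability and fix flags, the scoring weights and the policy thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    cvss: Optional[float]   # None when NVD has not scored the CVE
    epss: float             # EPSS probability of exploitation in the next 30 days, 0..1
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog
    running: bool           # package is loaded by a process in the running workload
    reachable: bool         # the vulnerable code is on a path the application can hit
    fix_available: bool     # a patched version exists


@dataclass(frozen=True)
class AssurancePolicy:
    """Illustrative deploy gate; the thresholds are assumptions, not a vendor default."""
    block_kev_with_fix: bool = True          # any fixable KEV entry blocks the image
    max_fixable_cvss: float = 9.0            # fixable findings at/above this CVSS block
    min_blocking_epss_running: float = 0.9   # running packages at/above this EPSS block


# Constructed findings: CVSS/EPSS from the table above, every other flag made up.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-43798", "grafana", 7.5, 0.9750, True, True, True, True),
    Finding("CVE-2021-44228", "log4j-core", 10.0, 0.9669, True, False, False, True),
    Finding("CVE-2022-0543", "redis", 10.0, 0.9720, True, True, True, True),
    Finding("CVE-2023-38646", "metabase", 9.8, 0.8891, False, True, True, False),
    Finding("CVE-2002-0953", "globals.php", None, 0.0276, False, False, False, False),
]


def risk_score(f: Finding) -> float:
    """Illustrative score: likelihood (EPSS) x impact (CVSS), doubled for known
    exploitation, discounted when the package is not running or the code is unreachable."""
    impact = f.cvss if f.cvss is not None else 5.0   # unscored CVEs get a neutral midpoint
    score = f.epss * impact
    if f.in_kev:
        score *= 2.0
    if not f.running:
        score *= 0.25
    if not f.reachable:
        score *= 0.5
    return round(score, 3)


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest contextual risk first: the order in which to remediate."""
    return sorted(findings, key=risk_score, reverse=True)


def assurance_violations(findings: List[Finding],
                         policy: AssurancePolicy = AssurancePolicy()) -> List[Tuple[str, str]]:
    """Findings that make an image non-compliant and should keep it out of production."""
    out = []
    for f in findings:
        if policy.block_kev_with_fix and f.in_kev and f.fix_available:
            out.append((f.cve, "in CISA KEV with a fix available"))
        elif f.fix_available and f.cvss is not None and f.cvss >= policy.max_fixable_cvss:
            out.append((f.cve, f"fixable, CVSS {f.cvss} >= {policy.max_fixable_cvss}"))
        elif f.running and f.epss >= policy.min_blocking_epss_running:
            out.append((f.cve, f"running package with EPSS {f.epss:.2%}"))
    return out


def runtime_mitigation_candidates(findings: List[Finding], min_score: float = 5.0) -> List[str]:
    """High-risk findings with no fix yet: candidates for a virtual patch or runtime control."""
    return [f.cve for f in rank(findings)
            if not f.fix_available and risk_score(f) >= min_score]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.cve:16} {f.package:12} score={risk_score(f)}")
    print("blocked:", assurance_violations(SAMPLE_FINDINGS))
    print("needs runtime mitigation:", runtime_mitigation_candidates(SAMPLE_FINDINGS))
```

Note how the two mechanisms answer different questions: the ranking uses runtime context (Log4Shell drops near the bottom because the library is present but never loaded), while the assurance gate is deliberately context-free for fixable KEV entries, since a known-exploited vulnerability with a patch should not ship regardless of today's reachability. Metabase, with no fix, lands in the runtime-mitigation bucket instead.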
If you’re aiming to build a robust cloud vulnerability management program, Aqua’s enterprise-grade CNAPP solution delivers comprehensive, end-to-end vulnerability management for cloud-native workloads. Learn more how Aqua’s Advanced Code-to-Cloud Vulnerability Management can enhance your security strategy or schedule a live demo.