What 2024 taught us about security vulnerabilities
From zero-day exploits to weaknesses in widely used software and hardware, the vulnerabilities uncovered last year underscore threat actors’ tactics and the critical gaps in organizational defenses.
This roundup showcases the standout findings from 2024's cybersecurity reports, highlighting critical risks and emerging threats that demand attention. Whether you're a security leader, an IT professional, or simply security-conscious, these insights will help frame the priorities and strategies needed to stay resilient.
Zero-days dominate top frequently exploited vulnerabilities
The list of top exploited vulnerabilities includes severe issues affecting widely used enterprise products. Notable mentions are Citrix NetScaler (CVE-2023-3519), which allows remote code execution, and Cisco IOS XE (CVE-2023-20198), targeted for privilege escalation. Additionally, the Log4Shell vulnerability (CVE-2021-44228), impacting Apache’s Log4j library, continues to be exploited due to its extensive usage in various software applications, even two years after its initial disclosure.
Critical vulnerabilities persist in high-risk sectors
The Finance and Insurance industry (FSI) had the highest number of critical vulnerabilities across all site complexities, with 565 critical vulnerabilities identified for small FSI sites, 580 for medium sites, and 154 for large sites. The next-highest industry was Healthcare and Social Assistance, with 367, 486, and 139 critical vulnerabilities for small, medium, and large sites respectively.
50% of financial orgs have high-severity security flaws in their apps
Veracode researchers found 40% of all applications in the financial sector have security debt (flaws that remain unfixed for longer than a year), which is slightly better than the cross-industry average of 42%. In addition, just 5.5% of financial sector applications are flaw-free, compared to 5.9% across other industries. While slightly fewer financial sector applications have security debt, they accumulate more of it.
75% of new vulnerabilities exploited within 19 days
The report highlights a critical gap in remediation efforts, with the average time to patch exceeding 100 days, contrasted against the finding that 75% of new vulnerabilities are exploited in 19 days or less. Skybox found that nearly half of all newly discovered vulnerabilities were classified as high or critical.
Critical vulnerabilities take 4.5 months on average to remediate
The average Known Exploited Vulnerability (KEV) is resolved within 6 months (174 median days), whereas non-KEVs can take more than 1.7 years (621 median days). Despite the faster remediation of KEVs versus non-KEVs, more than 60% are remediated after the deadlines set by CISA.
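To make the KEV figures above measurable in your own environment, here is an added example (not from the roundup or the reports it cites) that computes median days-to-fix for KEV and non-KEV findings and the share of KEV findings that were closed, or are still open, past CISA's due date. The `cveID` and `dueDate` field names match CISA's published KEV catalog JSON; the findings export format and all sample rows are constructed.

```python
"""KEV vs non-KEV remediation metrics and CISA due-date compliance (added example)."""
import json
from datetime import date
from statistics import median

# Constructed stand-in for CISA's KEV catalog JSON (real field names, sample rows).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-3519", "dueDate": "2023-08-09"},
    {"cveID": "CVE-2021-44228", "dueDate": "2021-12-24"},
]})

# Constructed vulnerability-management export: one row per finding; fixed=None means still open.
FINDINGS = [
    {"cve": "CVE-2023-3519", "found": "2023-07-20", "fixed": "2023-08-15"},
    {"cve": "CVE-2021-44228", "found": "2021-12-11", "fixed": "2021-12-20"},
    {"cve": "CVE-2023-3519", "found": "2023-07-25", "fixed": None},
    {"cve": "CVE-2099-0001", "found": "2023-01-01", "fixed": "2024-01-01"},  # placeholder non-KEV id
    {"cve": "CVE-2099-0002", "found": "2023-03-01", "fixed": "2023-05-01"},  # placeholder non-KEV id
]

def load_kev_due_dates(kev_json):
    """Map each KEV CVE id to its CISA remediation due date."""
    catalog = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}

def remediation_metrics(findings, kev_due, today):
    """Median days-to-fix per class, plus the share of KEV findings past CISA's due date."""
    kev_days, other_days, kev_total, kev_late = [], [], 0, 0
    for f in findings:
        found = date.fromisoformat(f["found"])
        fixed = date.fromisoformat(f["fixed"]) if f["fixed"] else None
        if f["cve"] in kev_due:
            kev_total += 1
            # An open finding counts as late once the due date has passed.
            if (fixed or today) > kev_due[f["cve"]]:
                kev_late += 1
            if fixed:
                kev_days.append((fixed - found).days)
        elif fixed:
            other_days.append((fixed - found).days)
    return {
        "kev_median_days": median(kev_days) if kev_days else None,
        "non_kev_median_days": median(other_days) if other_days else None,
        "kev_past_due_share": kev_late / kev_total if kev_total else None,
    }

def example_metrics():
    """Run the metrics over the constructed data as of a fixed reporting date."""
    return remediation_metrics(FINDINGS, load_kev_due_dates(KEV_JSON), date(2024, 12, 31))

if __name__ == "__main__":
    print(example_metrics())
```

Pointing `load_kev_due_dates` at the real catalog download and `FINDINGS` at your scanner's export gives the same two numbers the report quotes for your own estate.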
Cybercriminals are getting faster at exploiting vulnerabilities
Fortinet telemetry found that 41% of organizations detected exploits from signatures less than one month old and 98% of organizations detected N-Day vulnerabilities that have existed for at least five years.
Organizations are knowingly releasing vulnerable applications
With more software to secure, deployed across more environments, and less time available to secure it, a remarkable 91% of companies have knowingly released vulnerable applications.