What 2024 taught us about security vulnerabilities

From zero-day exploits to weaknesses in widely used software and hardware, the vulnerabilities uncovered last year underscore threat actors’ tactics and the critical gaps in organizational defenses.

This roundup showcases the standout findings from 2024’s cybersecurity reports, highlighting critical risks and emerging threats that demand attention. Whether you’re a security leader, an IT professional, or simply cybersecurity-conscious, these insights will help frame the priorities and strategies needed to stay resilient.


Zero-days dominate top frequently exploited vulnerabilities

The list of top exploited vulnerabilities includes severe issues affecting widely used enterprise products. Notable mentions are Citrix NetScaler (CVE-2023-3519), which allows remote code execution, and Cisco IOS XE (CVE-2023-20198), targeted for privilege escalation. Additionally, the Log4Shell vulnerability (CVE-2021-44228), impacting Apache’s Log4j library, continues to be exploited due to its extensive usage in various software applications, even two years after its initial disclosure.

Critical vulnerabilities persist in high-risk sectors

The Finance and Insurance industry (FSI) had the highest number of critical vulnerabilities across all site complexities, with 565 critical vulnerabilities identified for small FSI sites, 580 for medium sites, and 154 for large sites. The next-highest industry was Healthcare and Social Assistance, with 367, 486, and 139 critical vulnerabilities for small, medium, and large sites respectively.

50% of financial orgs have high-severity security flaws in their apps

Veracode researchers found 40% of all applications in the financial sector have security debt (flaws that remain unfixed for longer than a year), which is slightly better than the cross-industry average of 42%. In addition, just 5.5% of financial sector applications are flaw-free, compared to 5.9% across other industries. While slightly fewer financial sector applications have security debt, they accumulate more of it.

75% of new vulnerabilities exploited within 19 days

The report highlights a critical gap in remediation efforts, with the average time to patch exceeding 100 days, contrasted against the finding that 75% of new vulnerabilities are exploited in 19 days or less. Skybox found that nearly half of all newly discovered vulnerabilities were classified as high or critical.

Critical vulnerabilities take 4.5 months on average to remediate

The average Known Exploited Vulnerability (KEV) is resolved within 6 months (174 median days), whereas non-KEVs can take more than 1.7 years (621 median days). Despite the faster remediation of KEVs versus non-KEVs, more than 60% are remediated after the deadlines set by CISA.

Cybercriminals are getting faster at exploiting vulnerabilities

Fortinet telemetry found that 41% of organizations detected exploits from signatures less than one month old and 98% of organizations detected N-Day vulnerabilities that have existed for at least five years.

Organizations are knowingly releasing vulnerable applications

With more software to secure, deployed across more environments, and less time available to secure it, a remarkable 91% of companies have knowingly released vulnerable applications.
