Nearly Two-Thirds of CVEs Are Low Complexity

Security experts have warned of an increase in published vulnerabilities which are relatively easy to exploit and require no user interaction.

Managed security service provider Redscan’s latest report, NIST Security Vulnerability Trends in 2020: An Analysis, takes a look back at the 18,000+ Common Vulnerabilities and Exposures (CVEs) recorded in NIST’s National Vulnerability Database (NVD).

Aside from the fact that more CVEs were reported in 2020 than any year previously, a fact Infosecurity reported on in December, it raised concerns about the types of vulnerabilities emerging.

Over half (57%) of vulnerabilities in 2020 were classified as “critical’ or “high” severity, amounting to over 10,300 CVEs.

However, perhaps more concerning is the fact that 63% of the total number disclosed in 2020 were classed as “low complexity,” which means an attacker with low technical skills could exploit them. This figure has been on the rise since 2017, after largely falling between 2001 and 2014, according to the report.

The 63% figure represents a 13-year-high, Redscan claimed.

“The prevalence of low complexity vulnerabilities in recent years means that sophisticated adversaries do not need to ‘burn’ their high complexity zero-days on their targets and have the luxury of saving them for future attacks instead,” the report warned.

“Low complexity vulnerabilities lend themselves to mass exploitation as the attacker does not need to consider any extenuating factors or issues with an attack path. This situation is worsened once exploit code reaches the public and lower skilled attackers can simply run scripts to compromise devices.”

There was further bad news in that vulnerabilities which require no user interaction to exploit are also on the rise: they represented 68% of all CVEs recorded in 2020.

Attacks exploiting these CVEs are difficult to detect and have the potential to cause significant damage, the vendor claimed.

“Attackers exploiting these vulnerabilities don’t even need their targets to unwittingly perform an action, such as clicking a malicious link in an email. This means that attacks can easily slip under the radar,” the report noted.

“Vulnerabilities which require no interaction to exploit present a complex challenge for security teams, underscoring the need for defense-in-depth. This includes enhancing visibility of attack behaviors once a compromise has occurred.”

What’s Hot on Infosecurity Magazine?