NIST NVD Report Shows Increase in Low-Complexity CVEs


Common vulnerabilities and exposures, or CVEs, are seemingly increasing at a faster rate as a proportion of the overall number of bugs reported, which, according to a survey, have increasingly risen as per the cybersecurity teams. These are very easy to exploit. 

Recently, Redscan, a managed detection, response, and pen-testing professional, evaluated more than 18,000 CVEs filed in the National Vulnerability Database (NVD) of the U.S. National Institute of Standards and Technology (NIST) in 2020 and published a report, NIST Security Vulnerability Trends in 2020: An Analysis.

It shows that just over half (57%) is graded as "high" and "critical" - the most significant figure reported in any year till date. The report often discusses the increase in low difficulty vulnerabilities and the rise of those vulnerabilities that do not involve user interaction. That means that an attacker can take advantage of the user with limited technical skills as well. According to the research, this number has hiked since 2017, after declining dramatically between 2001 and 2014. These developments demonstrate the need for companies to enhance the awareness of wild vulnerabilities and to follow a multi-layered approach for the management of vulnerabilities. In 2020, almost 4000 vulnerabilities can be defined as the “worst of worst” – meeting the worst criteria for all types of NVD filters. 

The research report says, “The prevalence of low complexity vulnerabilities in recent years means that sophisticated adversaries do not need to ‘burn’ their high complexity zero-days on their targets and have the luxury of saving them for future attacks instead.” 

“Low complexity vulnerabilities lend themselves to mass exploitation as the attacker does not need to consider any extenuating factors or issues with an attack path. This situation is worsened once exploit code reaches the public and lower-skilled attackers can simply run scripts to compromise devices.” 

Another vulnerability trend is to be tackled: low-complex CVEs, 63 percent of vulnerabilities found in 2020, are increasing. A rising challenge for safety teams has been a large number of vulnerabilities with low complexity. Complexity is one of the most critical things to consider while evaluating vulnerability risks and in-wild exploitation the timeframes. The low-complex CVEs are loaned to rapid mass manipulation because attackers do not have to consider extenuating circumstances or route problems. 

Alongside, companies also need to improve oversight of tech vendors' activities. They must determine how their manufacturers test their custom code and the use of their goods of non-member libraries. 

“Vulnerabilities which require no interaction to exploit present a complex challenge for security teams, underscoring the need for defense-in-depth. This includes enhancing the visibility of attack behaviors once a compromise has occurred,” added George Glass, Head of Threat Intelligence at Redscan