CVEs Surge 25% In ’22, Severity Down but Risk is Still High: Skybox Security

According to data compiled by Skybox Security in its 2023 Vulnerability and Threat Trends Report, the total number of vulnerabilities reported by the US government in 2022 increased by 25% to a new high of 25,096, the sixth consecutive year of increases and the biggest since 2017.

  • 80% – medium or high severity
  • 16% – critical (down 20% from 2021)

Skybox noted that severity does not equal risk: threat actors often use less severe vulnerabilities for remote code execution, privilege escalation and more. Patching should therefore be prioritized not by the severity rating of a CVE but by its exploitability, its exposure, the importance of the affected asset and the business impact of a compromise.
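To make the "severity is not risk" point concrete, here is an added example (not from the Skybox report or any vendor tool) that scores a small constructed set of findings two ways: by CVSS severity alone, and by a risk score that weights exploitability, exposure and asset importance. The weights, the placeholder finding IDs and the asset criticality scale are assumptions chosen for illustration; a real program would draw exploitation status from a threat-intelligence feed and asset value from a CMDB.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (all fields are constructed sample data)."""
    finding_id: str          # placeholder ID, not a real CVE
    cvss: float              # base score 0.0-10.0
    exploited_in_wild: bool  # e.g. listed in a known-exploited catalogue
    exploit_public: bool     # working exploit code is publicly available
    internet_exposed: bool   # reachable from untrusted networks
    asset_criticality: int   # assumed scale: 1 (low) .. 5 (business critical)


def severity_bucket(cvss: float) -> str:
    """Map a CVSS base score to the usual qualitative bucket."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """Assumed weighting: exploitability and context matter more than the CVSS number.

    Each factor is normalized to 0..1 and combined with weights that sum to 1,
    then scaled to 0..100.
    """
    exploitability = 1.0 if f.exploited_in_wild else (0.6 if f.exploit_public else 0.2)
    exposure = 1.0 if f.internet_exposed else 0.3
    asset = f.asset_criticality / 5.0
    score = 100 * (0.25 * (f.cvss / 10.0) + 0.35 * exploitability + 0.20 * exposure + 0.20 * asset)
    return round(score, 2)


def rank_by_severity(findings: list[Finding]) -> list[str]:
    """Traditional ordering: highest CVSS first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: list[Finding]) -> list[str]:
    """Context-aware ordering: highest risk score first."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample inventory (IDs are placeholders, not real CVEs).
SAMPLE = [
    Finding("EXAMPLE-1", 9.8, False, False, False, 2),  # critical CVSS, isolated, no exploit
    Finding("EXAMPLE-2", 6.5, True, True, True, 5),     # medium CVSS, actively exploited, exposed
    Finding("EXAMPLE-3", 7.5, False, True, True, 3),    # high CVSS, public exploit, exposed
    Finding("EXAMPLE-4", 4.3, False, False, False, 1),  # medium CVSS, nothing else going for it
]

if __name__ == "__main__":
    print("by severity:", rank_by_severity(SAMPLE))
    print("by risk:    ", rank_by_risk(SAMPLE))
    for f in SAMPLE:
        print(f.finding_id, severity_bucket(f.cvss), risk_score(f))
```

With these inputs the severity ordering puts the isolated, unexploited critical finding first, while the risk ordering moves the actively exploited, internet-facing medium on a business-critical asset to the top. The exact weights are a policy choice; the structural lesson is that the ranking should be driven by fields your scanner alone cannot supply.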

“The writing is on the wall. Traditional reactive approaches to cybersecurity – waiting until vulnerabilities are reported and then scrambling to scan and patch every instance – are more outmoded by the day. There are far too many vulnerabilities, it takes too long to find them and close them, and many are unpatchable in any case. Understaffed cybersecurity organizations can’t keep up,” said Skybox CEO Mordecai Rosen.

Dave Ratner, CEO of HYAS, had this comment:

“It has never been more clear that, as attackers innovate, the traditional reactive cyber security solutions are losing both effectiveness and efficacy. The only way to level the playing field is to get proactive with modern solutions like Protective DNS across both the IT and OT environments, and it’s not a coincidence that even CISA is making these kinds of recommendations as part of the Shields Up initiative.”

Clearly it’s time to step things up on both the human front and the technology front, because there’s really no other way to keep ahead of threat actors who are determined to pwn everything they can in pursuit of all the money and intel they can get.
