By the Numbers: 2022 CVE Data Review

Jan 26, 2023
Kenna Security

Share with Your Network

The rising annual volume of published Common Vulnerabilities and Exposures (CVEs) has been breaking records since 2017, and 2022 was no exception with nearly 25% more CVEs published than in 2021. Many factors are prompting this steady climb in vulnerabilities, chief among them: expanding attack surfaces, more complex environments, increased connectivity, advanced attacks, and a growing hybrid workforce.

Kenna Security at Cisco’s very own Director of Research Jerry Gamblin recently blogged about 2022’s skyrocketing CVEs and highlighted notable trends. To help organizations better equip their vulnerability and risk management strategies for the year ahead, we’ve rounded up some of Gamblin’s key findings.

CVE Volume

The number of vulnerabilities published to date may seem overwhelming. The National Vulnerability Database (NVD) lists well over 200,000, and plenty still exist that haven’t been officially recognized. The final count for 2022 wrapped up the year with a total of 25,093 CVEs published, averaging 68.75 per day.


CVEs per Month - 2022 CVE Data Review

CVEs per Day - 2022 CVE Data Review

Let’s be real: tracking, assessing, and remediating over 25,000 CVEs every year (and counting) just isn’t feasible. The good news is that the vast majority of published vulnerabilities don’t require your attention. In the Prioritization to Prediction, Volume 8 report, which features real-world vulnerability intelligence gathered and analyzed by Kenna Security and the Cyentia Institute, found that just over 4% of published vulns represent a real risk to organizations. That number may seem more approachable, but identifying and prioritizing which vulns are in those 4% is keeping remediation teams on their toes.

Other highlights:

  • December topped the charts for most CVEs published: 2,426, accounting for 9.7% of the year’s total.
  • 21.6% of all CVEs were published on Tuesdays.
  • The most CVEs published was on Thursday, June 2nd, rolling in at 320 CVEs–4.7X more than the daily average.

CVE Growth

CVEs volumes soared 25% year-to-year from 2021 to 2022, signaling a persistent tide of CVE growth. Also rising is the number of CVEs published that were published in the previous year, at 13.06%. It’s clear the volume of vulnerabilities is surging, yet organizations can only address about one in every seven vulns in their environment—and 16% are left open for more than a year. With limited remediation capacity and rising volume, expanding capacity may seem like the right solution. But our research found improving your vulnerability prioritization strategy to be far more effective than increasing capacity for reducing exploitability.

Top-tier solutions leverage heightened visibility and enhanced threat and vulnerability intelligence to make data-backed predictions about which vulns are likely to be exploited in a particular environment. This helps prioritize vulns that pose the highest risk to your organization’s environment. With integrated solutions and automated workflows, even organizations operating at low capacity can approach the growing volume of CVEs with confidence.

Growth YOY - 2022 CVE Data Review

Percentage of CVEs Published - 2022 CVE Data Review

CVE Severity

With so many vulns to track and patch, security teams have no choice but to focus their efforts on the vulnerabilities that pose the greatest risk to their organization. Many turn to the Common Vulnerability Scoring System (CVSS), which provides one way to rank CVEs. This static, standardized scale from 0.0 to 10.0 attempts to classify the severity of a vulnerability. It’s common for organizations to prioritize CVEs with a CVSS score of 7 or above. This year, the average CVSS score was 7.19 and 48 CVEs scored a “perfect” 10.0.

CVSS Score Counts

CVSS is far from the most accurate or helpful gauge of a CVE’s relative risk. Even prioritizing vulns by the most Twitter mentions it generates reduces exploitability more than a CVSS-based prioritization strategy. Yes, you read that right. And in fact, randomly selecting vulns to fix works about as well as patching what CVSS counts as critical. The problem is, these CVSS scores lack the organizational context needed to help determine the potential impact of a vulnerability. CVSS scores are also notoriously inflated, and therefore unreliable. Ultimately, teams that bank on these static scoring systems to make critical decisions waste valuable time and resources chasing vulns that pose very little risk to them.

Other trends in CVEs

  • Two decades since first going public, the oldest CVEs published this year have almost reached the legal drinking age: CVE-2003-5001, CVE-2003-5002, and CVE-2003-5003.
  • The Common Platform Enumeration (CPE) is a naming scheme for IT systems and software to help identify vulnerable software in a CVE. This year there were 2,815 unique CEPs identified in CVEs. The most common was cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:* that was applied to 299 CVEs.
  • CVE Numbering Authorities (CNAs) are software vendors, bug bounty service providers, research groups, open source projects, and other entities authorized by the CVE Program to assign CVE IDs and publish CVE Records within their scopes of coverage. As of today, there are 266 authorized CNAs and those that published the most CVEs in 2022 were: Github, WPScan, Microsoft, VulDB, and
  • Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types that pose security risks, operated by MITRE and backed by the Cybersecurity and Infrastructure Security Agency (CISA). The community listed 1332 CWEs in 2022, and 236 were assigned to CVEs. CWE-79 was assigned the most, at 3230 times or to 12.88% of all CVEs last year.

Risk-based prioritization remains reliable through the trends

If you feel like you’re always trying to catch up, you’re not alone: the volume of new and existing vulnerabilities will always outweigh an organization’s capacity to mitigate them. But the goal isn’t to mitigate them all—it’s to nip the riskiest vulns in the bud.

Unfortunately, too many security teams rely on CVSS scores alone to prioritize vulns remediation. Headlines may claim the latest “high-risk” vuln is a threat, but risk is subjective and should be calculated in the context of your business’s assets and their likelihood of exploitation. Nearly all assets (95%) have at least one highly exploitable vulnerability, but a mature risk-based vulnerability prioritization strategy with a high remediation capacity can achieve a 29x reduction in exploitability.

Through the trends and fluctuations, contextual, data-driven, risk-based prioritization holds strong as the most effective vulnerability management approach to do more than stay afloat during the surges of vulns, but to optimize finite resources and build security resilience.

To become even more vuln-savvy, watch Jerry Gamblin in this on-demand webinar: Understanding the 8 Riskiest Classes of Vulnerabilities.  



Read the Latest Content

Vulnerability Management

8 Types of High-Risk Cybersecurity Vulnerabilities

We assigned the top cybersecurity vulnerabilities with a high-risk score into eight categories. Learn more about cybersecurity vulnerabilities and...
Vulnerability Management

Learn the Difference Between CVE and CVSS, and What They Mean to You

Understanding the difference between CVEs and CVSS is helpful to understanding how they relate to effective vulnerability management.
Cybersecurity Best Practices

3 Super Common Vulnerability Management Myths: BUSTED

Cybersecurity myths and misconceptions are all too common. We're setting the record straight on the top three myths we hear most often.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.