2024 CVE Review – The “Critical, High, Medium” Position Shifting in Cybersecurity

Jan 16, 2025 - 08:44
As the calendar turns to 2025, cybersecurity professionals are taking stock of key trends in Common Vulnerabilities and Exposures (CVEs) from the previous year, revealing insights into a rapidly evolving threat landscape.

A detailed review of 2024’s CVE data suggests notable shifts in the nature, severity, and volume of vulnerabilities, prompting discussions within the cybersecurity community about emerging challenges and opportunities.

Declining Severity: A Shift Toward Milder Vulnerabilities

One of the most significant findings of 2024 was a decline in the average CVSS (Common Vulnerability Scoring System) v3.1 severity scores. For the first time in years, the median and average scores dropped from High to Medium.

Compared to 2023, the average CVSS score decreased from 7.09 to 6.9, while the median fell from 7.2 to 6.5—a 9.7% reduction.

This drop aligns with a larger trend of declining CVSS scores observed over the past few years, raising questions about whether software is becoming more secure or if vulnerabilities are being assessed differently.

When alternative datasets (such as CVEDetails.com) were analyzed, the story was consistent.

Their data highlighted an even sharper decline in average scores—from 7.7 in 2023 to 7.1 in 2024. This marks the largest annual drop since the introduction of the CNA (CVE Numbering Authority) system in 2016.

Critical and High Severity Vulnerabilities Decrease

“The number of high-severity and critical vulnerabilities also saw a relative decline in 2024. For critical CVEs, the percentage fell from 15.7% (2023) to 13.7% (2024), while high-severity CVEs dropped from 37.1% to 33.5%, according to the NVD (National Vulnerability Database).”

Similar patterns were observed in data from CVEDetails.com, which reported a 5% year-over-year drop in these categories.

This trend suggests a possible shift in the types of vulnerabilities being discovered, with fewer catastrophic security flaws identified.
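The two findings above (the median moving from a High score to a Medium one, and the shrinking share of Critical and High CVEs) are easy to recompute over any CVE export, because the qualitative bands are fixed by the CVSS v3.1 specification. The script below is an added example, not code from the article, Vulnerability.blog, NVD or CVEDetails.com; its records and ids are constructed placeholders, and the `summarize`, `year_over_year` and `review` helpers are illustrative names rather than any library's API.

```python
"""Summarise a year of CVEs by CVSS v3.1 base score and compare two years.

Added example, not code from the article or its sources. The records
below are constructed; they are not NVD or CVEDetails.com data.
"""
from collections import Counter
from statistics import mean, median

# Qualitative severity bands as defined in the CVSS v3.1 specification.
BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)


def severity(score: float) -> str:
    """Map a CVSS v3.1 base score (published to one decimal) to its band."""
    score = round(score, 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise AssertionError("unreachable: bands cover 0.0-10.0")


def summarize(records):
    """Mean, median, median band and per-band share (%) for one year."""
    scores = [round(r["cvss"], 1) for r in records]
    counts = Counter(severity(s) for s in scores)
    total = len(scores)
    med = median(scores)
    return {
        "count": total,
        "mean": round(mean(scores), 2),
        "median": round(med, 2),
        "median_band": severity(med),
        "shares": {name: round(100.0 * counts[name] / total, 1)
                   for _, _, name in BANDS},
    }


def year_over_year(prev, curr):
    """Percentage-point change per band and relative change in the median."""
    band_delta = {b: round(curr["shares"][b] - prev["shares"][b], 1)
                  for b in curr["shares"]}
    median_change = round(100.0 * (curr["median"] - prev["median"])
                          / prev["median"], 1)
    return band_delta, median_change


# Constructed sample records (placeholder ids, not real CVEs).
CVES_2023 = [{"id": f"EXAMPLE-2023-{i:03d}", "cvss": s} for i, s in
             enumerate([9.8, 9.1, 8.8, 7.5, 7.2, 6.5, 5.3, 4.3, 3.1], 1)]
CVES_2024 = [{"id": f"EXAMPLE-2024-{i:03d}", "cvss": s} for i, s in
             enumerate([9.8, 8.8, 7.8, 6.9, 6.5, 5.4, 4.8, 3.7, 2.0], 1)]


def review(prev=CVES_2023, curr=CVES_2024):
    """Run the comparison and return both summaries plus the deltas."""
    s_prev, s_curr = summarize(prev), summarize(curr)
    deltas, med_pct = year_over_year(s_prev, s_curr)
    return s_prev, s_curr, deltas, med_pct


if __name__ == "__main__":
    s23, s24, deltas, med_pct = review()
    for year, s in (("2023", s23), ("2024", s24)):
        print(f"{year}: mean {s['mean']}, median {s['median']} "
              f"({s['median_band']}), shares {s['shares']}")
    print(f"median change: {med_pct}%  band deltas (pp): {deltas}")
```

To use this on real data, replace the constructed lists with records read from an NVD or CVEDetails.com export that carries the v3.1 base score; note that a shift of the median from 7.2 to 6.5, as the constructed data reproduces, crosses the 7.0 boundary between High and Medium even though the absolute change is small.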

Reserved CVEs and Industry Implications

Another intriguing trend was a 7% year-over-year decrease in the total number of “reserved” CVEs—vulnerabilities identified but not yet published or resolved. Historically, such drops have coincided with periods of economic uncertainty or industry disruptions.

According to the Vulnerability.blog report, speculation within the cybersecurity community suggests that widespread tech layoffs in 2023 and 2024 may have contributed to this downturn, as fewer developers and security researchers could mean fewer discoveries of vulnerabilities.

On the other hand, some professionals argue that this could indicate improvements in software development practices or a shift in focus to emerging technologies like generative AI.

WordPress: A Case Study in Soaring Volume

While overall severity trends fell, WordPress and its associated plugins saw a historic surge in CVE volume. In 2024, CNAs such as Wordfence, WPScan, and PatchStack reported a massive increase in vulnerabilities linked to WordPress extensions, many of which were classified as critical. For example:

  • Wordfence reported a jump from 948 CVEs in 2023 to 3,322 in 2024.
  • PatchStack documented a rise from 2,644 to 3,918 CVEs year over year.

Despite the large numbers, the rate of critical vulnerabilities remained relatively stable or declined in some cases, suggesting that WordPress security is evolving.

Many experts view this as evidence of the platform’s growing maturity and the proactive efforts of its development community to address security issues preemptively.

AI-Related Vulnerabilities: A New Frontier

Another prominent theme in 2024 was the rising discussion around vulnerabilities in generative AI and large language models (LLMs).

While the exact number of AI-related CVEs is not yet clearly defined, industry leaders, including CVE.org, have acknowledged the need for explicit categorization of AI vulnerabilities.

As AI becomes increasingly integrated into critical systems, establishing clear guidelines for identifying and assigning CVEs to these technologies will be a key focus in 2025 and beyond.

The trends observed in 2024 indicate a nuanced shift in the cybersecurity landscape. While the severity of vulnerabilities appears to be on the decline, the rising complexity of systems, such as AI and WordPress ecosystems, presents new challenges.

Are these trends a sign of more secure software development, or are they indicative of shifting focus areas for researchers and attackers alike? As the cybersecurity community reflects on these insights, the questions remain: What role will emerging technologies play in shaping the future of vulnerabilities, and how will the industry adapt to a rapidly changing threat environment?

The post 2024 CVE Review – The “Critical, High, Medium” Position Shifting in Cybersecurity appeared first on Cyber Security News.