
Top Trending Vulnerabilities of 2024



2024 set a new record for published vulnerabilities, surpassing 40,000 CVEs, up 40% from 2023, with even more growth expected this year. With this surge, security and operations teams are under more pressure than ever. The challenge isn’t just tracking vulnerabilities but cutting through the noise to focus on the ones that truly matter.


This article provides a summary of Cytidel's intelligence for 2024, helping you identify the top vulnerabilities that should be addressed as a priority should they appear in your environment.


Note: reporting focuses on new CVEs published during '24 and excludes any older CVEs that may have trended for the first time throughout the year.


What we'll cover:

  • The top trending CVEs on news and social media

  • Significant Risk CVEs you may have missed

    • Not on CISA KEV, but has threat actors associated

    • CVSS below 7 & EPSS less than 1%

  • Why there are more vulnerabilities being published

  • Emerging threats and the need for speed



The Top 10 Trending Vulnerabilities of 2024


The table below lists the top 10 most mentioned CVEs on social media in 2024. All the listed CVEs carry a Cytidel risk rating of Significant, with 8 out of 10 included in the CISA Known Exploited Vulnerabilities (KEV) catalog. These 8 have all been associated with named threat actors. Six of these vulnerabilities are also on our list of the highest risk vulnerabilities of 2024.


Top Trending CVEs on Social Media of 2024

(Table image: Cytidel CVE Profiles - Top Trending Vulnerabilities of 2024)





Significant Risk CVEs you may have missed


If you’ve read some of our previous content or listened to us speak in relation to vulnerability prioritisation before, you’ll know that we often speak about the limitations of existing industry standards.


CVSS (Common Vulnerability Scoring System), CISA KEV (Known Exploited Vulnerabilities Catalog) and EPSS (Exploit Prediction Scoring System) can be great starting points for teams looking to more effectively prioritise vulnerabilities, but even combined they do not tell the full story – often missing crucial, exploited vulnerabilities.


To take last year’s data as an example: in 2024, Cytidel intelligence marked 131 vulnerabilities with a risk rating of ‘Significant’, our highest risk category. From these, we found:


  • 28% not added to CISA KEV (37 CVEs)

  • 74% had an EPSS below 20% (97 CVEs)

    • 66% had an EPSS of 2% or less (86 CVEs)

  • 56% had a CVSS below 9.0 (Critical) (73 CVEs)

    • 11.5% were below 7.0 (Low or Medium) (15 CVEs)


Below are some of the more high-profile CVEs you may have missed; they warrant immediate action if present in your environment.


Not on CISA KEV but has potential public exploit and associated threat actor

Significant Risk CVEs not on CISA KEV: CVE-2024-1708, CVE-2024-21888, CVE-2024-27199 (table image; columns: CVE, Vendor, Vuln. Type, CVSS, EPSS; all three show a potential public exploit, an associated threat actor, and a Significant risk rating)

Plus, CVE-2024-21413 was only added to CISA KEV on February 6th, 2025, almost a year after it was added to the Cytidel Spotlight and trended across news and social media.


CVSS Below 7, EPSS 1% or less, and associated threat actors

Significant Risk CVEs with CVSS below 7 and low EPSS: CVE-2024-20359, CVE-2024-20399, CVE-2024-38213, CVE-2024-37085 (table image; columns: CVE, Vendor, Vuln. Type, CVSS, EPSS; all four show a potential public exploit, an associated threat actor, and a Significant risk rating)
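To make the gap concrete, here is an added Python example (not Cytidel’s code or data) that runs a score-only triage rule next to one that also honours exploit and threat-actor evidence, over a constructed snapshot. The CVE IDs and their groupings are the ones named above; the exact CVSS and EPSS numbers, the KEV flags, and the two placeholder control records are assumptions chosen to sit inside the bands the article gives, not published values.

```python
"""Triage comparison: CVSS/EPSS/KEV-only rules versus a rule that also honours
exploit and threat-actor evidence. Added example with constructed records."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class CveRecord:
    cve: str
    cvss: float           # CVSS base score (0-10); assumed value
    epss: float           # EPSS probability (0.0-1.0); assumed value
    in_kev: bool          # listed in CISA KEV at snapshot time; assumed
    public_exploit: bool  # public PoC or exploit code observed
    threat_actor: bool    # a named threat actor is associated


# Constructed snapshot. IDs and groupings follow the article; every score and
# flag below is an assumption placed inside the article's bands.
SNAPSHOT: List[CveRecord] = [
    # Significant risk, not on KEV, but public exploit + threat actor
    CveRecord("CVE-2024-1708", 8.4, 0.05, False, True, True),
    CveRecord("CVE-2024-21888", 8.8, 0.03, False, True, True),
    CveRecord("CVE-2024-27199", 7.3, 0.10, False, True, True),
    # Added to KEV only in Feb 2025; the flag reflects a 2024 snapshot
    CveRecord("CVE-2024-21413", 9.8, 0.15, False, True, True),
    # CVSS below 7 and EPSS at or below 1%, yet exploited by named actors
    CveRecord("CVE-2024-20359", 6.0, 0.01, True, True, True),
    CveRecord("CVE-2024-20399", 6.7, 0.005, True, True, True),
    CveRecord("CVE-2024-38213", 6.5, 0.01, True, True, True),
    CveRecord("CVE-2024-37085", 6.8, 0.01, True, True, True),
    # Placeholder controls with obviously fake IDs: no exploit evidence at all
    CveRecord("CVE-0000-PLACEHOLDER-A", 8.9, 0.02, False, False, False),
    CveRecord("CVE-0000-PLACEHOLDER-B", 5.3, 0.001, False, False, False),
]

# Single-signal rules a team might lean on, each applied on its own.
RULES: Dict[str, Callable[[CveRecord], bool]] = {
    "cvss_critical": lambda r: r.cvss >= 9.0,
    "cvss_high_or_above": lambda r: r.cvss >= 7.0,
    "epss_20pct": lambda r: r.epss >= 0.20,
    "kev_listed": lambda r: r.in_kev,
}


def traditional_priority(r: CveRecord) -> bool:
    """Score-driven rule: KEV listing, Critical CVSS, or EPSS of 20% or more."""
    return r.in_kev or r.cvss >= 9.0 or r.epss >= 0.20


def intel_priority(r: CveRecord) -> bool:
    """Same rule, plus: a public exploit together with an associated threat actor."""
    return traditional_priority(r) or (r.public_exploit and r.threat_actor)


def triage(records: List[CveRecord]) -> Dict[str, set]:
    """CVEs each combined rule flags, and those only the intel-augmented rule catches."""
    traditional = {r.cve for r in records if traditional_priority(r)}
    intel = {r.cve for r in records if intel_priority(r)}
    return {"traditional": traditional, "intel": intel,
            "missed_by_traditional": intel - traditional}


def missed_by_rule(records: List[CveRecord], rule_name: str) -> List[str]:
    """Intel-flagged CVEs that one single-signal rule would leave unprioritised."""
    rule = RULES[rule_name]
    return sorted(r.cve for r in records if intel_priority(r) and not rule(r))


def band_stats(records: List[CveRecord]) -> Dict[str, int]:
    """Breakdown of the intel-flagged set in the same bands the article reports."""
    flagged = [r for r in records if intel_priority(r)]
    return {
        "count": len(flagged),
        "not_on_kev": sum(1 for r in flagged if not r.in_kev),
        "epss_below_20pct": sum(1 for r in flagged if r.epss < 0.20),
        "epss_at_most_2pct": sum(1 for r in flagged if r.epss <= 0.02),
        "cvss_below_9": sum(1 for r in flagged if r.cvss < 9.0),
        "cvss_below_7": sum(1 for r in flagged if r.cvss < 7.0),
    }


if __name__ == "__main__":
    result = triage(SNAPSHOT)
    print("Score-only rule flags:", sorted(result["traditional"]))
    print("Intel-augmented rule flags:", sorted(result["intel"]))
    print("Missed by score-only triage:", sorted(result["missed_by_traditional"]))
    for name in RULES:
        print(f"Missed by {name} alone:", missed_by_rule(SNAPSHOT, name))
    print("Band breakdown of flagged CVEs:", band_stats(SNAPSHOT))
```

The point of the comparison is the last rule in `RULES`: with these assumed scores, a "High or above" CVSS cut-off alone drops exactly the four CVEs with a score below 7, a KEV-only rule drops the four not on the catalog, and the combined score-or-KEV rule still leaves the three non-KEV CVEs unprioritised. Swapping in real scores from your own feed keeps the logic unchanged.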


Yes more vulnerabilities are being published, but there are more publishers now too


We spoke about this back in our 2024 Q2 trends report, but one of the reasons there are more vulnerabilities being published is the fact that there are more vendors now registered as CVE Numbering Authorities (CNAs). This means there are more companies now committed to declaring software vulnerabilities.


As of February 2025, there are 437 CNAs, with 92 registered since January ’24. This represents a 26% increase in the number of organisations registering vulnerabilities, so it is inevitable that the number of CVEs published each year goes up. While this is a positive for the industry, security teams need the right processes and mechanisms to keep on top of this trend. Expecting traditional prioritisation mechanisms such as CVSS alone to remain sufficient is no longer feasible. Amplifying this challenge, NVD still hadn’t analysed 10,000 CVEs published in 2024 (at the time of writing), leaving 25% of all CVEs published that year with incomplete or unverified data.


The need for speed with emerging threats


CVEs trending without being published to NVD

Throughout the year, we noticed a number of CVEs trending across news and social that were not yet published to NVD. From time to time, a vulnerability comes along that Cytidel Intelligence recommends remediating days, or even weeks, before the CVE is published to NVD.

One way this affects organisations is over-reliance on vulnerability scanners, which cannot detect or alert on a CVE until it is published and a detection signature has been written for it. This means organisations could be exposed to critical, exploited CVEs for days, or more, before they see them in their regular scans.


CVE-2024-4577, one of our top 10 vulnerabilities of 2024, was on our radar for three days before it was eventually published to NVD.


Here’s a quick look at its timeline:

  • June 6th

    • Identified by Cytidel

  • June 7th

    • Proof-of-concept identified

    • Added to Cytidel Spotlight

    • Began trending on news and social media

    • Cytidel customers advised to patch or implement outlined temporary measures

  • June 9th

    • Published to NVD

  • June 10th

    • Nuclei Template added

    • Confirmed reports of TellYouThePass ransomware exploiting the CVE

  • June 11th

    • Multiple POCs added

  • June 12th

    • Added to CISA KEV



Time From Identification To Active Exploit Is Reducing

Early last year it was reported that the average time for exploitation to begin is just 4 days following disclosure of the vulnerability. In fact, CVE-2024-4577, discussed above, was one such vulnerability, with reports of exploitation attempts as early as the following day.


In another case, CVE-2024-5806, a Progress MOVEit Transfer vulnerability, reports state it was under attack within just a few hours of disclosure.



Plus, the leading initial vector for breaches is now exploits

A recent Google M-Trends report from 2024 shows the most common initial infection vector for a data breach was exploits (38%), more than double that of phishing (17%). Prior compromise (15%) and stolen credentials (10%) rounded out the top four.


Factoring in the growing prominence of vulnerabilities as a leading vector and the decreasing time from disclosure to exploitation, Cytidel’s stance is clear: you need to incorporate threat intelligence so that your team can respond to these emerging threats.



Looking to adopt an intelligence led approach to vulnerability management in 2025?

Check out Cytidel's Vulnerability Intelligence if your organisation is looking to stay ahead of rising threats.



