Cybercriminals had a busy year in 2024, with 768 Common Vulnerabilities and Exposures (CVEs) reported as exploited in the wild -- marking a 20% increase over 2023. These findings, based on data from VulnCheck KEV, highlight an escalating trend in real-world attacks leveraging newly disclosed vulnerabilities.
"Exploitation is being reported faster and more broadly than ever before," said Patrick Garrity, Vice President at VulnCheck. "With over 100 different sources contributing to public exploitation reports, defenders have more data but also a growing attack surface to manage."
The Patterns Behind the Exploits
The timing of CVE disclosures in 2024 revealed distinct patterns. Notable spikes in reported exploits coincided with key industry events and the onboarding of new reporting sources:
April/May Surge:Â Increased activity aligned with the RSA Conference and end-of-quarter security reports.
ShadowServer Integration:Â A substantial jump in disclosures followed the onboarding of ShadowServer in January.
Government & Vendor Reports:Â Major security alerts from organizations like CISA, the U.S. Department of Defense, and security firms such as F5 and Fortinet.
Wordfence's Coordinated Disclosures:Â Wordfence played a role in surfacing CVEs where active exploitation was observed but had yet to receive a CVE ID.
These fluctuations indicate that security research communities and industry reporting play a critical role in bringing vulnerabilities to light.
The Race Against Exploitation
One of the most pressing questions in cybersecurity remains: How quickly are vulnerabilities exploited? The answer is troubling. In 2024, 23.6% of Known Exploited Vulnerabilities (KEVs) were already being leveraged in attacks on or before their official CVE disclosure date. While this marks a slight decline from 2023’s 27%, it reinforces the reality that attackers continue to monitor for new exposures and act swiftly.
Despite the perception that zero-day vulnerabilities pose the greatest threat, this data suggests that any stage of a vulnerability’s lifecycle can be risky. "Security teams must stay proactive," Garrity noted. "Just because an exploit isn’t a zero-day doesn’t mean it won’t be weaponized rapidly."
Who Sounds the Alarm First?
The first source to report an exploited vulnerability often dictates how quickly organizations can respond. According to VulnCheck, the 768 CVEs publicly reported in 2024 came from 112 unique sources, including:
Security Vendors:Â Companies such as CheckPoint, Fortinet, and Aqua Security led the charge in vulnerability disclosure.
Government Agencies:Â U.S. CISA, the Department of Defense, and the UK's NHS played a crucial role in public exploit tracking.
Tech Giants:Â Microsoft, Google, Apple, and Cisco actively disclosed both first-party and third-party vulnerabilities.
Social Media & Blogs:Â Platforms like Infosec Exchange, LinkedIn, and Medium became increasingly valuable channels for rapid exploit reporting.
This diverse range of sources has expanded visibility into exploit activity, allowing defenders to respond more effectively -- assuming they can keep up with the overwhelming volume of disclosures.
The Transparency Challenge
While the security community has made strides in increasing disclosure, biases remain. Some sources were onboarded throughout the year, potentially skewing timelines. For example, VulnCheck acknowledged that the ShadowServer dataset may reflect a backlog of previously exploited CVEs only now entering public awareness. Similarly, Wordfence’s efforts to assign CVE identifiers to known exploits may have inflated numbers.
Nonetheless, the trend is clear: Exploit disclosures are rising, attackers are moving faster, and defenders must adapt. "The industry must remain vigilant," said Garrity. "The more we share, the better we can protect."
As organizations grapple with this ever-expanding attack surface, one thing is certain -- 2025 is unlikely to offer a reprieve.