
6 June 2022

2021 was a record year for software vulnerabilities

The rising number of bugs represents a growing challenge for the cyber security industry.

By Michael Goodier

The global software industry is being affected by a rising tide of bugs and security vulnerabilities, with each of the past five years setting a new record for the number of flaws catalogued.

In what is becoming a growing challenge for the cyber security industry, 2021 saw 20,142 unique bugs and security vulnerabilities recorded – up almost 10 per cent from the 18,351 recorded in 2020.

The rise in vulnerabilities is reflected in a rising number of vulnerable products as technology has proliferated.

There was a total of 25,223 different software products affected by at least one vulnerability in 2021, up from 24,342 in 2020. But the number of vulnerabilities with high overall severity declined slightly, from 4,378 to 4,063, marking the first decrease in five years. 

To conduct the analysis Spotlight downloaded all historical common vulnerabilities and exposures (CVE) data from the US National Institute of Standards and Technology’s (Nist) National Vulnerability Database (NVD), which provides data on each vulnerability since 2002.

Nist defines a vulnerability as “a weakness in the computational logic (e.g. code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity or availability”. These vulnerabilities are often reverse-engineered by hackers and cyber crime syndicates in order to exploit them.

The figures show that the most common way an attacker can exploit a vulnerability has been through a network. Around 69 per cent of vulnerabilities so far in 2022 were exploitable in this manner, up from 66 per cent in 2021. 


This was followed by local vulnerabilities, where an attacker would need access to the system in order to exploit it (these made up 28 per cent of vulnerabilities in 2021, and 21 per cent so far this year).

More often than not, attackers are able to exploit a software vulnerability in a system without the unwitting help of a human user. However, around a third of the vulnerabilities required action on the part of a human in order to be successfully exploited (for example, a system administrator installing some software).

One trend in recent years has seen the complexity of attacks decrease. In 2021, 94 per cent of attacks were considered “low complexity” – up from 88 per cent in 2020. A low-complexity attack means that an attacker is likely to be able to successfully repeat any exploit easily, whereas a high-complexity attack means they are often relying on circumstances outside their control.
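The per-year tally the article describes (CVE counts, affected products, and the CVSS v3 attack vector, attack complexity and user-interaction shares) can be reproduced from the NVD data feeds. The Python below is an added example, not code from the article, Spotlight or NIST. It assumes the layout of the NVD JSON 1.1 data feed, and it runs over a constructed handful of records with placeholder CVE IDs and made-up vendor and product names, including one record without CVSS v3 metrics to show how such entries are handled.

```python
"""Tally per-year vulnerability statistics from NVD-style CVE records.

Added example, not code from the article or from NIST: it shows the kind
of per-year tally the text describes (counts, affected products, CVSS v3
attack vector, attack complexity and user interaction) over a handful of
CONSTRUCTED records laid out like NIST's NVD JSON 1.1 data feed.
"""
import json
from collections import Counter, defaultdict


def _record(cve_id, published, vector, complexity, ui, severity, products):
    """Build one constructed CVE item in NVD JSON 1.1 feed shape.

    Passing vector=None omits the CVSS v3 block, mimicking older entries
    that carry only CVSS v2 scores (an edge case the tally must tolerate).
    """
    impact = {}
    if vector is not None:
        impact = {"baseMetricV3": {"cvssV3": {
            "attackVector": vector, "attackComplexity": complexity,
            "userInteraction": ui, "baseSeverity": severity}}}
    return {
        "cve": {"CVE_data_meta": {"ID": cve_id}},  # placeholder ID, not a real CVE
        "publishedDate": published,
        "impact": impact,
        "configurations": {"nodes": [{"cpe_match": [
            {"cpe23Uri": f"cpe:2.3:a:{vp}:*:*:*:*:*:*:*", "vulnerable": True}
            for vp in products]}]},
    }


# Constructed sample feed (IDs are placeholders; vendors and products are made up).
SAMPLE_FEED = json.dumps({"CVE_Items": [
    _record("CVE-EXAMPLE-0001", "2020-03-01T10:00Z", "NETWORK", "LOW", "NONE", "HIGH", ["examplevendor:webapp"]),
    _record("CVE-EXAMPLE-0002", "2020-07-15T10:00Z", "LOCAL", "HIGH", "REQUIRED", "MEDIUM", ["examplevendor:agent"]),
    _record("CVE-EXAMPLE-0003", "2021-01-20T10:00Z", "NETWORK", "LOW", "NONE", "CRITICAL", ["examplevendor:webapp", "othervendor:proxy"]),
    _record("CVE-EXAMPLE-0004", "2021-05-05T10:00Z", "NETWORK", "LOW", "REQUIRED", "HIGH", ["othervendor:proxy"]),
    _record("CVE-EXAMPLE-0005", "2021-09-09T10:00Z", "LOCAL", "LOW", "NONE", "MEDIUM", ["examplevendor:agent"]),
    _record("CVE-EXAMPLE-0006", "2021-11-30T10:00Z", None, None, None, None, ["examplevendor:webapp"]),
]})


def _new_year_bucket():
    return {"total": 0, "scored": 0, "high_severity": 0,
            "attack_vector": Counter(), "attack_complexity": Counter(),
            "user_interaction": Counter(), "products": set()}


def tally(feed_text):
    """Group feed items by publication year and accumulate the metrics."""
    stats = defaultdict(_new_year_bucket)
    for item in json.loads(feed_text)["CVE_Items"]:
        bucket = stats[int(item["publishedDate"][:4])]
        bucket["total"] += 1
        # Distinct affected products, keyed on the vendor and product fields
        # of each vulnerable CPE 2.3 string. A plain split on ':' is enough
        # for the constructed data; real CPE strings may carry '\:' escapes.
        for node in item.get("configurations", {}).get("nodes", []):
            for match in node.get("cpe_match", []):
                if match.get("vulnerable"):
                    parts = match["cpe23Uri"].split(":")
                    bucket["products"].add((parts[3], parts[4]))
        v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3")
        if not v3:
            continue  # no CVSS v3 data: counted in total, excluded from shares
        bucket["scored"] += 1
        # "High severity" is taken here as a v3 base severity of HIGH or
        # CRITICAL (an assumption about the article's definition).
        if v3.get("baseSeverity") in ("HIGH", "CRITICAL"):
            bucket["high_severity"] += 1
        bucket["attack_vector"][v3["attackVector"]] += 1
        bucket["attack_complexity"][v3["attackComplexity"]] += 1
        bucket["user_interaction"][v3["userInteraction"]] += 1
    return dict(stats)


def share(counter, key):
    """Percentage of counter entries carrying the given key, one decimal."""
    total = sum(counter.values())
    return round(100.0 * counter[key] / total, 1) if total else 0.0


def summarize(stats):
    """Reduce the raw tally to the headline figures the article reports."""
    return {year: {
        "total": b["total"],
        "scored": b["scored"],
        "high_severity": b["high_severity"],
        "products": len(b["products"]),
        "pct_network": share(b["attack_vector"], "NETWORK"),
        "pct_local": share(b["attack_vector"], "LOCAL"),
        "pct_low_complexity": share(b["attack_complexity"], "LOW"),
        "pct_no_user_interaction": share(b["user_interaction"], "NONE"),
    } for year, b in sorted(stats.items())}


if __name__ == "__main__":
    for year, figures in summarize(tally(SAMPLE_FEED)).items():
        print(year, figures)
```

Shares are computed over records that carry CVSS v3 data, so an entry with only a v2 score still raises the year's total and product count but does not distort the vector, complexity or user-interaction percentages; the real feed files are simply passed to `tally` in place of the constructed string.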
