Support 100 years of independent journalism.

2021 was a record year for software vulnerabilities

The rising number of bugs represents a growing challenge for the cyber security industry.

The global software industry is being affected by a rising tide of bugs and security vulnerabilities, with each of the past five years setting a new record for the number of flaws catalogued.

In what is becoming a growing challenge for the cyber security industry, 2021 saw 20,142 unique bugs and security vulnerabilities recorded – up almost 10 per cent from the 18,351 recorded in 2020.

The rise in exploits is reflected in a rising number of vulnerable products as technology has proliferated.

There was a total of 25,223 different software products affected by at least one vulnerability in 2021, up from 24,342 in 2020. But the number of vulnerabilities with high overall severity declined slightly, from 4,378 to 4,063, marking the first decrease in five years. 

To conduct the analysis Spotlight downloaded all historical common vulnerabilities and exposures (CVE) data from the US National Institute of Standards and Technology’s (Nist) National Vulnerability Database (NVD), which provides data on each vulnerability since 2002.

Nist defines a vulnerability as “a weakness in the computational logic (e.g. code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity or availability”. These vulnerabilities are often reverse-engineered by hackers and cyber crime syndicates in order to exploit them.

The figures show that the most common way an attacker can exploit a vulnerability has been through a network. Around 69 per cent of vulnerabilities so far in 2022 were exploitable in this manner, up from 66 per cent in 2021. 

Content from our partners
Defining a Kodak culture for the future
How do we restore trust in the public sector?
A better future starts at home

This was followed by local vulnerabilities, where an attacker would need access to the system in order to exploit it (these made up 28 per cent of vulnerabilities in 2021, and 21 per cent so far this year).

More often than not, attackers are able to exploit a software vulnerability in a system without the unwitting help of a human user. However, around a third of the vulnerabilities required action on the part of a human in order to be successfully exploited (for example, a system administrator installing some software).

One trend in recent years has seen the complexity of attacks decrease. In 2021, 94 per cent of attacks were considered “low complexity” – up from 88 per cent in 2020. A low-complexity attack means that an attacker is likely to be able to successfully repeat any exploit easily, whereas a high-complexity attack means they are often relying on circumstances outside their control.

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Your new guide to the best writing on ideas, politics, books and culture each weekend - from the New Statesman. A newsletter showcasing the finest writing from the ideas section, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

Topics in this article :