6 June 2022, updated 27 Oct 2023 11:17am

2021 was a record year for software vulnerabilities

The rising number of bugs represents a growing challenge for the cyber security industry.

The global software industry is being affected by a rising tide of bugs and security vulnerabilities, with each of the past five years setting a new record for the number of flaws catalogued.

In what is becoming a growing challenge for the cyber security industry, 2021 saw 20,142 unique bugs and security vulnerabilities recorded – up almost 10 per cent from the 18,351 recorded in 2020.

The rise in exploits is reflected in a rising number of vulnerable products as technology has proliferated.

There was a total of 25,223 different software products affected by at least one vulnerability in 2021, up from 24,342 in 2020. But the number of vulnerabilities with high overall severity declined slightly, from 4,378 to 4,063, marking the first decrease in five years.

To conduct the analysis Spotlight downloaded all historical common vulnerabilities and exposures (CVE) data from the US National Institute of Standards and Technology’s (Nist) National Vulnerability Database (NVD), which provides data on each vulnerability since 2002.

Nist defines a vulnerability as “a weakness in the computational logic (e.g. code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity or availability”. These vulnerabilities are often reverse-engineered by hackers and cyber crime syndicates in order to exploit them.

The figures show that the most common way an attacker can exploit a vulnerability has been through a network. Around 69 per cent of vulnerabilities so far in 2022 were exploitable in this manner, up from 66 per cent in 2021.

This was followed by local vulnerabilities, where an attacker would need access to the system in order to exploit it (these made up 28 per cent of vulnerabilities in 2021, and 21 per cent so far this year).

More often than not, attackers are able to exploit a software vulnerability in a system without the unwitting help of a human user. However, around a third of the vulnerabilities required action on the part of a human in order to be successfully exploited (for example, a system administrator installing some software).

One trend in recent years has seen the complexity of attacks decrease. In 2021, 94 per cent of attacks were considered “low complexity” – up from 88 per cent in 2020. A low-complexity attack means that an attacker is likely to be able to successfully repeat any exploit easily, whereas a high-complexity attack means they are often relying on circumstances outside their control.
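The breakdown above by attack route, complexity and user involvement corresponds to the AV, AC and UI metrics of a CVSS vector string. The following is an added example, not Spotlight's own analysis code, that tallies those shares per year; it assumes CVSS v3 vectors, and the records are constructed placeholders reduced to (id, year, vector) tuples rather than the NVD's own feed format.

```python
from collections import Counter, defaultdict

# CVSS v3.x abbreviations for the three base metrics the article reports on.
LABELS = {
    "AV": {"N": "network", "A": "adjacent", "L": "local", "P": "physical"},
    "AC": {"L": "low", "H": "high"},
    "UI": {"N": "none", "R": "required"},
}

# Constructed sample records (placeholder ids, not real CVEs): (id, year, vector).
SAMPLE = [
    ("EXAMPLE-0001", 2021, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("EXAMPLE-0002", 2021, "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"),
    ("EXAMPLE-0003", 2021, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"),
    ("EXAMPLE-0004", 2021, "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"),
    ("EXAMPLE-0005", 2022, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    ("EXAMPLE-0006", 2022, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),  # CVSS v2 vector
    ("EXAMPLE-0007", 2022, "CVSS:3.1/AV:X/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),  # bad AV
]

def parse_vector(vector):
    """Return AV/AC/UI as readable labels, or None if not a valid v3 vector."""
    parts = vector.split("/")
    if parts[0] not in ("CVSS:3.0", "CVSS:3.1"):
        return None
    metrics = dict(p.split(":", 1) for p in parts[1:] if ":" in p)
    try:
        return {m: LABELS[m][metrics[m]] for m in LABELS}
    except KeyError:  # metric missing, or value outside the specification
        return None

def shares_by_year(records):
    """Per year, the percentage share of each (metric, value); plus skipped count."""
    counts, skipped = defaultdict(Counter), 0
    for _id, year, vector in records:
        parsed = parse_vector(vector)
        if parsed is None:  # unscored, v2-only or malformed: keep out of the totals
            skipped += 1
            continue
        counts[year].update(parsed.items())  # keys such as ("AV", "network")
        counts[year]["total"] += 1
    shares = {
        year: {k: round(100 * n / c["total"], 1) for k, n in c.items() if k != "total"}
        for year, c in counts.items()
    }
    return shares, skipped

if __name__ == "__main__":
    print(shares_by_year(SAMPLE))
```

Records without a usable v3 vector are counted separately rather than silently dropped, since the size of that group changes what the percentages mean.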
