Out of the top five vulnerabilities for 2020, three dated back to 2019 or earlier, according to infosec firm Tenable's annual threat report.
While Zerologon was the company's number one insecurity for 2020, the hoary old Pulse Secure VPN vuln (CVE-2019-11510) was number three, while flaws in Citrix and Fortinet connectivity platforms dating from 2019 and 2018 respectively were also up there.
"As long as unpatched vulnerabilities remain a problem for organizations, you can expect us to keep harping on about them," said Tenable in its 2020 Threat Landscape Report, published today. "This low-hanging fruit is favoured by nation state actors and run-of-the-mill cybercriminals alike."
During the annus horribilis that was 2020, Tenable reckoned that in excess of 18,000 vulnerabilities were reported, saying this was a 6 per cent increase year-on-year and a 183 per cent increase from 2015. While concerning, this could perhaps be explained by last year's wholesale shift to remote working prompting a wave of research (and exploitation) focused on VPNs and remote-working tech.
"Every day, cybersecurity professionals in the UK and the rest of the world are faced with new challenges and vulnerabilities that can put their organisations at risk. The 18,358 vulnerabilities disclosed in 2020 alone reflects a new normal and a clear sign that the job of a cyber defender is only getting more difficult as they navigate the ever-expanding attack surface," said Satnam Narang, a staff research engineer at Tenable.
VPN vulns proved fruitful for attackers including, among others, Chinese state-sponsored crews, as the US government warned last summer, not to mention