The U.S. Department of Commerce’s National Institute of Standards and Technology’s National Vulnerability Database has hit a record high of reported vulnerabilities in 2021.

The new record, the fifth straight year the record has been broken, came to 18,378 vulnerabilities reported. The number of high-severity vulnerabilities reported fell, to 3,646 in 2021 from 4,381 the year before. Medium-risk vulnerabilities reported came in at 11,767, while low-risk vulnerabilities numbered 2,965, both up from last year.

Researchers at Redscan Cyber Security Ltd. crunched the numbers in the report today and found an average of 50 common vulnerabilities and exposures or CVEs were logged with NIST every day through 2021. Of those reported, 90% can be exploited by attackers with limited technical skill, while 61% of CVEs require no user interaction such as clicking a link, downloading a file or sharing credentials.

Not all the trends were negative. “No privilege” CVEs declined in 2021, coming in at 55%, down from 59% in 2020 and 66% in 2019. Vulnerabilities with a high confidentiality rating — that is, likely to have an impact on confidential data — fell from 59% to 53% of CVEs over the last 12 months.

“It is no surprise to see 2021 top 2020 in the number of new vulnerabilities,” Yaniv Bar-Dayan, co-founder and chief executive of cyber risk management company Vulcan Cyber Ltd., told SiliconANGLE. “Vulnerabilities will increase in number inline with the pace and scale of the tech we adopt, and we’ve come to expect and account for inherent risk in our digital lives.”

The more concerning trend, he added, is a mounting pile of security debt. “If IT security teams are leaving 2020’s vulnerabilities unaddressed, the real 2021 number is cumulative and becoming harder and harder to defend against,” he said.

Bud Broomhead, CEO of enterprise “internet of things” security platform provider Viakoo Inc., noted that despite the fewer high-severity vulnerabilities this year, the report is nonetheless alarming.

“The real issue is how many exploitable vulnerabilities remain ‘in the wild’ for threat actors to take advantage of,” Broomhead explained. ‘The record number of new vulnerabilities, combined with the slow pace of patching and updating devices to remediate vulnerabilities, means that the risk is higher than ever for organizations to be breached, especially through unpatched IoT devices.”

Image: U.S. Air Force/NIST