The cybersecurity insurer predicts that the 1,900 CVEs would include 270 high-severity and 155 critical-severity vulnerabilities. The predictions are based on data collected over the last ten years.

Cybersecurity insurance firm Coalition has predicted that there will be 1,900 average monthly critical Common Vulnerabilities and Exposures (CVEs) in 2023, a 13% increase over 2022.

The predictions are a part of the company’s Cyber Threat Index, which was compiled using data gathered by the company’s active risk management and reduction technology, combining data from underwriting and claims, internet scans, its global network of honeypot sensors, and scanning over 5.2 billion IP addresses.

The 1,900 CVEs would include 270 high-severity and 155 critical-severity vulnerabilities, the report said. The predictions are based on data collected over the last ten years. For most CVEs, the time to exploit is within 90 days of public disclosure, while the majority of exploits take place within the first 30 days, the Coalition report said.

“We built this prediction using a Seasonal AutoRegressive Integrated Moving Average model. We analyzed vulnerability and seasonality data from the last 10+ years to predict the number, type, and criticality of new CVEs we might observe in 2023. Based on our modelling, we expect the number of vulnerabilities will continue to rise,” Coalition said.

Coalition’s honeypots observed 22,000 cyberattacks to develop an understanding of attackers’ techniques.

94% of organizations have at least one unencrypted service

About 94% of organizations scanned in 2022 had at least one unencrypted service exposed to the internet, the research noted.
Remote Desktop Protocol (RDP) is still cyberattackers’ most commonly scanned protocol, which shows attackers continue to prefer leveraging old protocols with new vulnerabilities to gain access to systems.

Elasticsearch and MongoDB databases have a high rate of compromise, with signals showing that a large number have been captured by ransomware attacks, the report said. The use of unauthenticated databases increased in 2022, specifically Redis. This is because they are easy to use and scale, the report said. “Many organizations may lack security focus or expertise, meaning they leave these databases misconfigured or configured with no security controls at all,” Coalition said. This leaves the data exposed to the internet, making these organizations more likely to have their data stolen and held for ransom.

Coalition recommends that organizations and their security and IT teams prioritize applying updates on public-facing infrastructure and internet-facing software within 30 days of a patch’s release and follow regular upgrade cycles to mitigate vulnerabilities in older software to prepare for the looming 2023 threats.

“Cybersecurity professionals must be more alert than ever to vulnerabilities that already exist within their networks and assets. Attackers are becoming increasingly sophisticated and have become experts at exploiting commonly used systems and technologies,” Tiago Henriques, Coalition’s vice president of security research, said in a note.

The CESS Predictor

This year Coalition created a new scoring mechanism for CVEs called the Coalition Exploit Scoring System (CESS).
The CESS is inspired by Exploit Prediction Scoring System (EPSS) and Common Vulnerability Scanning System (CVSS) but with a unique focus on delivering custom-built information to assist cyberinsurance underwriting by measuring how likely attackers will exploit a CVE. “Core to the system is the ability to provide security researchers and underwriters with two key pieces of information: the likelihood of exploit availability and the likelihood of exploit usage,” Coalition said. “Our goal for CESS is to create a fully transparent system, explaining exactly how we got to a certain score so that the community can help us improve.”
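The report's finding about unauthenticated, internet-exposed Redis instances is easy to check for on your own hosts. The following is an added example, not code from Coalition or the report: it parses two constructed redis.conf fragments (one left at exposure-prone settings, one hardened) and flags the directives that leave the service open to the internet. The directive names are real Redis settings; the file contents and the placeholder password are constructed.

```python
"""Flag redis.conf settings that expose an instance to the internet (constructed example)."""

# Constructed: no bind restriction, protected mode off, no password, plaintext port.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: loopback only, protected mode, password, TLS only, dangerous commands renamed.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 0
tls-port 6379
tls-cert-file /etc/redis/redis.crt
tls-key-file /etc/redis/redis.key
requirepass CHANGE_ME_placeholder
rename-command FLUSHALL ""
rename-command CONFIG ""
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}  # "-::1" is Redis 7's optional-bind form


def parse_conf(text):
    """Return {directive: [values]}; repeated directives (rename-command) accumulate."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        settings.setdefault(key.lower(), []).append(rest.strip())
    return settings


def exposure_findings(text):
    """List the exposure-prone settings found; an empty list means none were seen."""
    s = parse_conf(text)
    findings = []
    # With no bind directive at all, Redis listens on every interface.
    binds = " ".join(s.get("bind", ["0.0.0.0"])).split()
    if any(b not in LOOPBACK for b in binds):
        findings.append("bound to non-loopback interface")
    if s.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled")
    # ACL "user" lines are assumed here to carry a password; refine for nopass users if needed.
    if "requirepass" not in s and "user" not in s:
        findings.append("no authentication configured")
    if s.get("port", ["6379"])[0] != "0":
        findings.append("plaintext port open")
    return findings
```

Run `exposure_findings(open("/etc/redis/redis.conf").read())` against a real file to get the same list for a live host.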