2024 has seen a significant uptick in the discovery and exploitation of zero-day vulnerabilities. These unpatched security flaws present a serious challenge to cybersecurity teams, as attackers can exploit them before any patches are available. As a result, zero-day vulnerabilities have become a go-to tool for cybercriminals aiming to infiltrate enterprise networks.
While all zero-day vulnerabilities demand immediate attention, some are particularly noteworthy because they shed light on which technologies and products are being targeted more frequently by malicious actors. These trends not only highlight critical vulnerabilities but also reveal the evolving tactics and strategies attackers are using to compromise sensitive data and business-critical systems.
In this post, we’ll dive into the total number of zero-day vulnerabilities discovered in 2024, breaking them down by major vendors, and provide a month-by-month trend graph to track how these vulnerabilities have evolved. We’ll also take a closer look at the top 10 most impactful zero-day vulnerabilities of the year, analyzing their significance, exploitation patterns, and real-world consequences for businesses.
Zero-day vulnerabilities in 2024: Vendor breakdown
The year 2024 saw around 90 zero-day vulnerabilities reported. Here’s the breakdown of these vulnerabilities by major vendors:
- 26 vulnerabilities from Microsoft
- 10 vulnerabilities from Google
Monthly breakdown of zero-day vulnerabilities
Here’s how the zero-day vulnerabilities were distributed across the months in 2024:
Top 10 zero-day vulnerabilities of 2024
Let’s now focus on the top 10 most impactful zero-day vulnerabilities of the year, highlighting the components, CVE IDs, and CVSS scores that have raised the most concerns:
1. Vulnerable component: FortiManager
CVE-ID: CVE-2024-47575
CVSS Score: 9.8
This vulnerability allowed remote attackers to compromise the affected system due to a lack of authentication in the FortiManager fgfmd daemon. A remote, unauthenticated attacker could send specially crafted requests to the system, executing arbitrary commands and ultimately gaining full control of the system.
2. Vulnerable component: Google Chrome
CVE-ID: CVE-2024-7971
CVSS Score: 9.6
A type confusion error within the V8 engine enabled remote attackers to execute arbitrary code on the target system. By crafting a malicious webpage, attackers could deceive the victim into visiting it, triggering the type confusion error and executing arbitrary code.
3. Vulnerable component: Ivanti Cloud Services Appliance
CVE-ID: CVE-2024-8963
CVSS Score: 9.4
A directory traversal vulnerability allowed remote attackers to exploit an input validation error when processing directory traversal sequences. An unauthenticated attacker could send a specially crafted HTTP request and read arbitrary files on the system. This vulnerability could also be exploited alongside #VU97119 (CVE-2024-8190) to achieve remote code execution.
4. Vulnerable component: Palo Alto Networks Expedition
CVE-ID: CVE-2024-5910
CVSS Score: 9.3
A lack of authentication for a critical function in Palo Alto Networks Expedition allowed attackers with network access to take over the Expedition admin account.
5. Vulnerable component: SQL (Palo Alto Networks Expedition)
CVE-ID: CVE-2024-9465
CVSS Score: 9.2
An SQL injection vulnerability in Palo Alto Networks Expedition allowed unauthenticated attackers to expose the Expedition database contents, including sensitive data like password hashes, usernames, device configurations, and API keys. Attackers could also create and read arbitrary files on the system.
6. Vulnerable component: Windows
CVE-ID: CVE-2024-29988
CVSS Score: 8.8
This vulnerability allowed a remote attacker to compromise the system by exploiting an insufficient implementation of the Mark of the Web (MOTW) feature. A malicious file packaged inside an archive could evade endpoint detection and response (EDR) and network detection and response (NDR) tools as well as the Microsoft Windows SmartScreen prompt, so the file opened without the warning that normally accompanies internet-sourced content, enabling the attacker to compromise the system.
7. Vulnerable component: Windows
CVE-ID: CVE-2024-49039
CVSS Score: 8.8
This vulnerability allowed a local user to escalate privileges on the system. It stemmed from improper authentication in the Windows Task Scheduler, enabling a local attacker to execute a specially crafted application with elevated privileges.
8. Vulnerable component: Windows
CVE-ID: CVE-2024-30040
CVSS Score: 8.8
This vulnerability allowed a remote attacker to compromise the system due to improper input validation in the Windows MSHTML platform. By deceiving the victim into opening or loading a specially crafted file, attackers could bypass Object Linking and Embedding mitigations in Microsoft 365 and Office, executing arbitrary code on the system.
9. Vulnerable component: Google Chromium V8 Engine
CVE-ID: CVE-2024-5274
CVSS Score: 8.8
This vulnerability stemmed from a type confusion flaw in the V8 engine, in which an object was handled as a different data type than the one it actually was. Attackers exploited it by supplying input that triggered this erroneous data interpretation, enabling arbitrary code execution or unauthorized data access. Depending on the context, the impact ranged from privilege escalation to data leakage or denial of service.
10. Vulnerable component: .NET and Visual Studio
CVE-ID: CVE-2024-35264
CVSS Score: 8.1
This vulnerability had a significant impact on confidentiality, integrity, and availability. It was network-based, meaning an attacker could exploit it remotely without any user interaction, triggering a use-after-free condition to compromise the system.
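For the Mark of the Web bypass in item 6 (CVE-2024-29988), a practical check is whether files extracted from a downloaded archive still carry the Zone.Identifier alternate data stream that SmartScreen consults. The PowerShell script below is an added example, not code from the post or from ManageEngine; it audits a folder of extracted files, reports which ones lack MOTW, and can optionally re-stamp them as Internet-zone content. It assumes an NTFS volume and uses a hypothetical folder path.

```powershell
# Added example (not from the original post): audit extracted files for the
# Mark of the Web (Zone.Identifier ADS) and optionally re-apply it.
# Assumes NTFS; $ExtractedDir is a hypothetical path.
param(
    [string]$ExtractedDir = "C:\Users\Public\Downloads\extracted",
    [switch]$Stamp   # re-apply MOTW (ZoneId=3, Internet zone) to files that lack it
)

$results = Get-ChildItem -Path $ExtractedDir -File -Recurse | ForEach-Object {
    # Get-Item -Stream returns nothing when the ADS is absent
    $stream = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($stream) {
        # Parse the ZoneId value (3 = Internet) out of the [ZoneTransfer] block
        $content = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier
        $match = $content | Select-String -Pattern '^ZoneId=(\d+)'
        if ($match) { $zoneId = [int]$match.Matches[0].Groups[1].Value }
    }
    if (-not $stream -and $Stamp) {
        # Re-apply MOTW so SmartScreen treats the file as internet-sourced again
        Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        $zoneId = 3
    }
    [pscustomobject]@{
        Path    = $_.FullName
        HasMotw = [bool]$stream
        ZoneId  = $zoneId
    }
}

# Files without MOTW would open with no SmartScreen prompt; list them first
$results | Sort-Object HasMotw | Format-Table -AutoSize
```

Run it against the extraction folder after unpacking a downloaded archive; files reported with HasMotw = False are the ones that would have bypassed the SmartScreen prompt, and -Stamp restores the marking without deleting anything.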
Protect your organization with comprehensive solutions
In today’s rapidly evolving threat landscape, protecting your organization from zero-day vulnerabilities is crucial. With ManageEngine Endpoint Central, Patch Manager Plus, and Vulnerability Manager Plus, you can proactively manage and mitigate these risks before they can be exploited.
These three solutions help you:
- Ensure timely patching and updates.
- Identify vulnerabilities in real time.
- Minimize the attack surface and reduce the risk of exploitation.
Leverage the power of these tools to safeguard your systems, secure your network, and stay ahead of emerging threats.