During the late 1990s, networked devices were taking off.

Local area networks were becoming wide area networks, which in turn were becoming devices connected to the internet.

People no longer needed physical access to a computer or network to exploit the devices within it.

And with a larger attack surface area, more people started to take advantage of vulnerabilities.

At the time, security teams were using information assurance tools in concert with vulnerability scanners to detect and remove vulnerabilities from their systems.

The problem: each security vendor had its own database, with little to no crossover.

This mess spawned the Common Vulnerabilities and Exposures, or CVE, List.

In January 1999, the MITRE Corporation published “Towards a Common Enumeration of Vulnerabilities”.

The cybersecurity community endorsed the importance of CVE via “CVE-compatible” products and services from the moment the CVE list was ideated.

Very soon after this meeting, the original 321 CVE Entries (including entries from previous years) were created and the CVE List was officially launched to the public in September 1999.

CVE-1999-0095 is the first ever CVE, affecting Eric Allman’s Sendmail program, where root privileges could be exploited (not much changes over time!).

The first 10 CVEs are as follows:

| Published Date | Severity (CVSS v2) | CVE Title | Vendor | Product | Description |
|---|---|---|---|---|---|
| 1988-10-01 | 10 | CVE-1999-0095 | eric_allman | sendmail | The debug command in Sendmail is enabled, allowing attackers to execute commands as root. |
| 1988-11-11 | 10 | CVE-1999-0082 | ftp | ftp | CWD ~root command in ftpd allows root access. |
| 1989-01-01 | 7.2 | CVE-1999-1471 | bsd | bsd | Buffer overflow in passwd in BSD based operating systems 4.3 and earlier allows local users to gain root privileges by specifying a long shell or GECOS field. |
| 1989-07-26 | 4.6 | CVE-1999-1122 | sun | sunos | Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges. |
| 1989-10-26 | 10 | CVE-1999-1467 | sun | sunos | Vulnerability in rcp on SunOS 4.0.x allows remote attackers from trusted hosts to execute arbitrary commands as root, possibly related to the configuration of the nobody user. |
| 1990-01-29 | 7.5 | CVE-1999-1506 | sun | sunos | Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin. |
| 1990-05-01 | 7.2 | CVE-1999-0084 | sun | nfs | Certain NFS servers allow users to use mknod to gain privileges by creating a writable kmem device and setting the UID to 0. |
| 1990-05-09 | 7.5 | CVE-2000-0388 | freebsd | freebsd | Buffer overflow in FreeBSD libmytinfo library allows local users to execute commands via a long TERMCAP environmental variable. |
| 1990-08-14 | 5 | CVE-1999-0209 | sun | sunos | The SunView (SunTools) selection_svc facility allows remote users to read files. |
| 1990-10-03 | 7.2 | CVE-1999-1198 | next | next | BuildDisk program on NeXT systems before 2.0 does not prompt users for the root password, which allows local users to gain root privileges. |

MITRE’s CVE list quickly took off. As of December 2000 there were 29 organisations participating with declarations of compatibility for 43 products.

In its first iteration, 9,999 CVEs were allowed per year because CVE IDs were assigned using the format CVE-YYYY-NNNN (e.g. CVE-2020-0791).

Today, the number of products, and of those finding (and exploiting) vulnerabilities in them, has increased significantly since the 1990s. As such, so has the number of vulnerabilities.

Figure: CVE growth 1999 to 2021

To account for this, the CVE ID syntax was extended in 2015 by adding one more digit to the N portion, from four to five digits, giving CVE-YYYY-NNNNN. A much needed change indeed. Since 2018, over 15,000 CVEs have been published each year.

Though what explains the big jump in CVEs between 2016 and 2017? The answer: it’s how CVEs could be reported.
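As an added example (not code from the original article), the Python below shows why the syntax change matters to tooling: a pattern written for CVE-YYYY-NNNN silently truncates a longer ID into a different, shorter one. It accepts four or more sequence digits, which goes slightly beyond the five-digit form described above; the sample text and the CVE-2099-12345 ID are constructed placeholders.

```python
import re

# Pattern written for the original CVE-YYYY-NNNN syntax (exactly four digits).
LEGACY = re.compile(r"CVE-(\d{4})-(\d{4})")
# Extended syntax: four or more sequence digits, bounded on both sides so a
# longer run of digits is never cut short and prefixes like "XCVE-" are ignored.
EXTENDED = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?![0-9])", re.IGNORECASE)

# Constructed sample of scanner/ticket text (not real findings).
SAMPLE = """\
scanner-a: sendmail debug command enabled (CVE-1999-0095)
scanner-b: blender finding cve-2017-2906, also CVE-2017-2906
scanner-b: long id CVE-2099-12345 (constructed placeholder)
ticket ref XCVE-2020-0791 should not match
"""


def extract_cves(text):
    """Return unique CVE IDs, upper-cased, in order of first appearance."""
    seen = []
    for m in EXTENDED.finditer(text):
        # Assumption: the ID year is never earlier than 1999, the launch year
        # given above (the table's 1988 issue carries a 1999 ID).
        if int(m.group(1)) < 1999:
            continue
        cve = f"CVE-{m.group(1)}-{m.group(2)}"
        if cve not in seen:
            seen.append(cve)
    return seen


def truncated_by_legacy(text):
    """Map each real ID to what the four-digit pattern would report instead."""
    out = {}
    for cve in extract_cves(text):
        m = LEGACY.search(cve)  # always matches: every ID has >= 4 digits
        if m.group(0) != cve:
            out[cve] = m.group(0)
    return out


def sort_key(cve):
    """Numeric key; plain string sorting puts CVE-2099-10001 before CVE-2099-2906."""
    _, year, seq = cve.split("-")
    return int(year), int(seq)


if __name__ == "__main__":
    print(sorted(extract_cves(SAMPLE), key=sort_key))
    print(truncated_by_legacy(SAMPLE))
```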

Until 2016, MITRE was having trouble assigning CVEs. The process was cumbersome, it took a very long time, and more often than not, researchers simply didn’t get a CVE assigned.

In 2017, MITRE changed their assignment process. They created a web form, and are now assigning CVEs in a matter of hours or days. They also outsourced the assignment of CVEs for open source projects to the DWF.

Therefore the spike you’re seeing doesn’t mean that more vulnerabilities were discovered, but just that more researchers applied for, and successfully had CVEs assigned.

On Tuesday, April 24, 2018 at 19:05:31 UTC, the MITRE Corporation published the one hundred thousandth CVE identifier.

The lucky winner (or loser?) of this accolade was CVE-2017-2906, reported to MITRE by Cisco Talos and affecting Blender software.

At the time of writing, about two years since the 100,000th CVE was reported, there are now over 162,000 published CVEs.

It took about 20 years until we reached 100,000 CVEs. The 200,000th CVE won’t take another 20 years.



