Zero-days dominate top frequently exploited vulnerabilities

A joint report by leading cybersecurity agencies from the U.S., UK, Canada, Australia, and New Zealand has identified the most commonly exploited vulnerabilities of 2023.

Zero-day vulnerabilities on the rise

The advisory highlights that malicious cyber actors increasingly targeted zero-day vulnerabilities, posing significant threats to enterprise networks. Notably, the exploitation of these zero-days rose compared to 2022.

Unlike previous years, where older, unpatched vulnerabilities dominated the list, 2023 saw a spike in zero-day exploits, reflecting the evolving tactics of threat actors who aim to compromise high-priority targets quickly after vulnerabilities are disclosed. The report emphasizes that many of these vulnerabilities were actively exploited within two years of their public disclosure, highlighting the need for timely patch management.

Top exploited vulnerabilities

The list of top exploited vulnerabilities includes severe issues affecting widely used enterprise products. Notable mentions are Citrix NetScaler (CVE-2023-3519), which allows remote code execution, and Cisco IOS XE (CVE-2023-20198), targeted for privilege escalation. Additionally, the Log4Shell vulnerability (CVE-2021-44228), impacting Apache’s Log4j library, continues to be exploited due to its extensive usage in various software applications, even two years after its initial disclosure. Other commonly targeted products include Fortinet’s SSL-VPN, Microsoft Office Outlook, and Progress MOVEit Transfer.

“One of the common threads among many of the flaws highlighted in the 2023 Top Routinely Exploited Vulnerabilities list is that they are in services or systems that are exposed to the internet – from VPN solutions to remote management interfaces. There’s a strong correlation between internet-facing systems that utilize software containing known vulnerabilities and the likelihood of exploitation,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security.

“The oldest vulnerability on the list is seven years old (CVE-2017-6742) and we know that the APT group known as APT28 (or Fancy Bear) has been historically linked to the exploitation of this flaw as recently as 2021. Yet, in 2023, other attackers still utilize this same flaw in the wild. According to some intelligence, there are still around 24,000 Cisco IOS and IOS XE systems online that may be vulnerable to this flaw,” Narang added.

How to protect your organization

The advisory underscores the urgent need for organizations to enhance their cybersecurity defenses by adopting proactive measures. It recommends following secure software development frameworks, implementing MFA, and utilizing advanced EDR solutions. The report calls on software vendors to adopt secure by design principles, focusing on eliminating classes of vulnerabilities during the development phase and providing secure configurations by default.

For end-user organizations, the agencies advise implementing patch management systems, prioritizing critical updates, and regularly monitoring systems for signs of compromise. The report also highlights the importance of collaboration with third-party service providers to ensure consistent application of security best practices.