A joint report published by CISA, the FBI and the NSA, with the support of Five Eyes partners (USA, Australia, Canada, New Zealand and the UK), lists the vulnerabilities most routinely exploited by malicious cyber actors in 2023. Zero-day vulnerabilities, exploited before a patch was available, feature prominently. The attacks built on these flaws, many of them ransomware operations, target critical infrastructure and widely used software and put the data and systems of organizations around the world at risk.
Unprecedented exploitation of zero-day vulnerabilities
In 2023, exploitation of publicly known vulnerabilities continued at a high level, and the share of zero-days among the most exploited flaws rose. This trend has been highlighted by the major cybersecurity agencies, CISA, the FBI and the NSA, which published an in-depth analysis of the vulnerabilities most used by attackers. These attacks mainly rely on unpatched vulnerabilities or insecure configurations, enabling attackers to infiltrate critical systems and gain access to sensitive data.
The report indicates that zero-day vulnerabilities, exploited before a patch was released, accounted for a significant proportion of the top exploited flaws in 2023: "In 2023, the majority of the most frequently exploited vulnerabilities were exploited as zero-day vulnerabilities, which represents an increase compared to 2022, when less than half of the most frequently exploited vulnerabilities were exploited as zero-days," the report's summary reads.
Even more worryingly, vulnerabilities first disclosed several years earlier continue to be actively exploited: "Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years of their public disclosure. The usefulness of these vulnerabilities diminishes over time, as systems are patched or replaced." Two entries in the list below (Log4Shell and Zerologon) fall well outside that two-year window and are still being exploited. This mismatch between the speed of patch deployment and the agility of attackers points to a lack of security prioritization in many organizations.
Top 15 most exploited vulnerabilities in 2023
1. CVE-2023-3519: Citrix NetScaler ADC and Gateway
This flaw, one of the most exploited of 2023, is an unauthenticated remote code execution vulnerability in NetScaler ADC and Gateway appliances that are configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. An unauthenticated attacker sends a crafted HTTP request that corrupts memory on the appliance and executes code remotely. Because these appliances sit at the network edge and front remote-access and cloud services, a single compromise gives the attacker a foothold inside the perimeter. The flaw is rated critical (CVSS score of 9.8).
Type of vulnerability: code injection
2. CVE-2023-4966: Citrix NetScaler ADC and Gateway
Dubbed CitrixBleed by researchers, this vulnerability (CVSS score of 9.4) leaks session tokens from the appliance's memory. Replaying a stolen token lets an attacker bypass authentication controls, including MFA, by hijacking an already authenticated session. A proof of concept (PoC) demonstrating how to extract session tokens was published in October 2023, and attacks on unpatched systems followed. LockBit 3.0 affiliates used it against major targets, including Boeing in November 2023, where 43 GB of sensitive data were stolen and published, the Industrial and Commercial Bank of China (ICBC) and the law firm Allen & Overy, putting critical and strategic data at risk. Government bodies in the UK were also affected. Note that patching alone does not evict an attacker who already holds a valid token: active sessions must be terminated after the update.
Type of vulnerability: buffer overflow
3. CVE-2023-20198: Cisco IOS XE Web UI
This vulnerability (CVSS score of 10) in the web UI of Cisco IOS XE software lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrative) access, compromising the integrity of the device. It was exploited as a zero-day on devices whose web UI was reachable from the internet, in combination with the next entry.
Type of vulnerability: elevation of privileges
4. CVE-2023-20273: Cisco IOS XE
This vulnerability (CVSS score of 7.2) is chained with the previous one: once logged in with the newly created account, the attacker exploits a command injection in the web UI to elevate privileges to root and write an implant to the device's file system, gaining full control of the affected system.
Vulnerability type: web UI command injection
5. CVE-2023-27997: Fortinet FortiOS SSL-VPN
A heap-based buffer overflow in the SSL-VPN component of FortiOS lets a remote attacker execute arbitrary code or commands by sending specially crafted requests. This flaw (CVSS score of 9.2) has been actively exploited to gain entry to otherwise protected networks; Fortinet's advisory lists disabling SSL-VPN as the workaround where patching is not immediately possible.
Vulnerability type: heap-based buffer overflow
6. CVE-2023-34362: MOVEit Transfer
An SQL injection flaw in the MOVEit Transfer web application lets an unauthenticated attacker obtain an API access token with system administrator rights. With that token, the attacker abuses a deserialization call in the application to execute arbitrary code. In May 2023 the CL0P ransomware group used this vulnerability as a zero-day to steal data from more than 2,700 organizations, compromising around 93 million records. The flaw enabled deployment of a custom web shell (LEMURLOOT) used to enumerate and exfiltrate data from the MOVEit database. Because a managed file transfer server holds data in transit for many partners, one compromise cascades into breaches at downstream organizations, affecting not only the data itself but also any backup or integration systems holding copies of it.
Type of vulnerability: SQL injection
7. CVE-2023-22515: Atlassian Confluence
This vulnerability in Atlassian Confluence Data Center and Server (CVSS score of 10) is a broken access control flaw: an unauthenticated attacker can reach the setup endpoint of an already configured instance and use it to create a new administrator account, gaining initial access to the network. In observed attacks the rogue administrator then installed a malicious plugin to execute arbitrary code and establish persistence.
Type of vulnerability: broken access control
8. CVE-2021-44228: Apache Log4j
Publicly disclosed in December 2021, this Log4Shell vulnerability in the Apache Log4j logging library remains a favorite tool of attackers, a direct illustration of the long exploitation window noted above. It allows unauthenticated remote code execution on any application that logs attacker-controlled input with a vulnerable Log4j version, opening the way to a range of attacks, from data theft to ransomware deployment.
Vulnerability type: remote code execution
9. CVE-2023-2868: Barracuda Email Security Gateway
This improper input validation vulnerability (CVSS score of 9.8) in the Barracuda Email Security Gateway appliance allows remote command execution through a crafted e-mail attachment, compromising the mail-filtering environment. Barracuda ultimately advised replacing compromised appliances rather than patching them.
Type of vulnerability: improper input validation
10. CVE-2022-47966: Zoho ManageEngine
This unauthenticated remote code execution flaw affects multiple Zoho ManageEngine products that bundle an outdated version of the Apache Santuario XML security library: an attacker sends a crafted SAML request to a product with SAML single sign-on enabled (or previously enabled) and obtains code execution.
Vulnerability type: remote code execution
11. CVE-2023-27350: PaperCut MF/NG
Combining an authentication bypass with abuse of the product's built-in scripting features, this flaw (CVSS score of 9.8) allows an unauthenticated attacker to execute arbitrary commands on vulnerable print-management servers.
Vulnerability type: improper access control
12. CVE-2020-1472: Microsoft Netlogon
Known as Zerologon, this flaw (CVSS score of 10) stems from a cryptographic weakness in the authentication of the Netlogon Remote Protocol (MS-NRPC). An unauthenticated attacker with network access to a domain controller can establish a vulnerable Netlogon secure channel, reset the domain controller's machine account password and escalate to domain administrator, taking control of the entire Active Directory domain.
Type of vulnerability: elevation of privileges
13. CVE-2023-42793: JetBrains TeamCity
This authentication bypass flaw (CVSS score of 9.8) allows an unauthenticated attacker to execute code remotely on TeamCity CI/CD servers, compromising development environments and the source code, credentials and signing material they hold.
Vulnerability type: authentication bypass
14. CVE-2023-23397: Microsoft Office Outlook
An elevation of privilege is obtained by sending a specially crafted e-mail. The vulnerability (CVSS score of 9.8) triggers automatically when the Outlook client processes the message, before it is displayed and without any user interaction, and leaks the victim's Net-NTLMv2 credential hash to an attacker-controlled server, where it can be relayed or cracked.
Type of vulnerability: elevation of privileges
15. CVE-2023-49103: OwnCloud graphapi
This vulnerability (CVSS score of 10) in the ownCloud graphapi app exposes the server's environment variables, including the administrator password, mail server credentials and license key, to anyone who can reach the instance, without prior authentication.
Type of vulnerability: information disclosure
Why are these vulnerabilities still a prime target?
The persistence of exploited vulnerabilities can be explained by several factors:
- Late or non-existent patching: some organizations have no effective patch management process. Attacks exploiting vulnerabilities published two or more years ago remain frequent, a sign of slow adoption of updates.
- System complexity: the increasing interconnection of systems and the use of third-party software multiply the potential entry points for attackers. Hybrid cloud environments, for example, are often exposed through poorly secured management tools, and most of the products in the list above are edge devices (VPN gateways, load balancers, file transfer and mail appliances) that are reachable directly from the internet.
- Advanced attacker techniques: attackers use automated tools to scan for unpatched systems and collaborate via underground forums to share exploits and information about vulnerable targets.
Reinforcing resilience: proven strategies for CISOs
To limit the impact of vulnerabilities, it is essential to adopt robust preventive measures. Here are some key recommendations for protecting your systems:
Prioritize patch management
Implementing a centralized patch management system enables critical vulnerabilities to be quickly identified and the necessary updates applied, with priority given to flaws that are known to be exploited rather than to CVSS score alone. Organizations should also establish strict policies for replacing end-of-life software, which no longer receives security support.
Reinforce network monitoring
Behavioral analysis and anomaly detection tools, such as Endpoint Detection and Response (EDR) solutions, play a key role in detecting suspicious activity and can help contain attempts to exploit known vulnerabilities. Note, however, that many of the products in the list above are network appliances on which no EDR agent can be installed; for those, rely on network telemetry, vendor-supplied compromise checks and log forwarding from the device itself.
Set up a segmented network architecture
Limiting the lateral movements of attackers by segmenting internal networks is an essential practice. By isolating critical systems, you reduce the risk of an attacker compromising your entire infrastructure.
Promote a culture of cybersecurity
Employees are often the first line of defense against cyber-attacks. Regular training in good security practices, such as how to recognize phishing e-mails, can significantly reduce risks.
Immediate action to counter threats
In 2024, speed of execution remains a key factor in countering cyber threats. Here’s an immediate action plan:
- Audit your systems to identify exposed vulnerabilities.
- Apply patches to all critical vulnerabilities mentioned in this report.
- Implement advanced security solutions, such as web application firewalls and vulnerability scanners.
- Work with your suppliers to ensure that their products comply with secure design principles.
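The action plan above amounts to a triage procedure: find what is exposed, then patch in an order that reflects exploitation evidence rather than CVSS alone. The following Python script is an added example, not code from the advisory or from the article's author. It cross-references a constructed scanner output against the 15 CVEs named in the report, ranks findings with known-exploited flaws first (then CVSS, then age), assigns a remediation deadline from a hypothetical policy (the SLA figures are an assumption for the example, not taken from the report), and flags entries that are older than the two-year window in which the report says exploitation is most successful. The host names, the CVSS values in the findings and the placeholder identifiers CVE-9999-0001 and CVE-9999-0002 are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# The 15 CVEs named in the 2023 Top Routinely Exploited Vulnerabilities advisory,
# mapped to the product named in the article. Presence in this set is treated as
# "known to be exploited in the wild".
TOP15 = {
    "CVE-2023-3519": "Citrix NetScaler ADC and Gateway",
    "CVE-2023-4966": "Citrix NetScaler ADC and Gateway",
    "CVE-2023-20198": "Cisco IOS XE",
    "CVE-2023-20273": "Cisco IOS XE",
    "CVE-2023-27997": "Fortinet FortiOS SSL-VPN",
    "CVE-2023-34362": "MOVEit Transfer",
    "CVE-2023-22515": "Atlassian Confluence",
    "CVE-2021-44228": "Apache Log4j",
    "CVE-2023-2868": "Barracuda Email Security Gateway",
    "CVE-2022-47966": "Zoho ManageEngine",
    "CVE-2023-27350": "PaperCut MF/NG",
    "CVE-2020-1472": "Microsoft Netlogon",
    "CVE-2023-42793": "JetBrains TeamCity",
    "CVE-2023-23397": "Microsoft Outlook",
    "CVE-2023-49103": "ownCloud graphapi",
}

# Hypothetical remediation policy in days (an assumption for this example, not a
# figure from the advisory): exploited-in-the-wild outranks raw CVSS.
SLA_DAYS = {"exploited": 3, "critical": 14, "other": 30}

# Fixed reference date so the example is reproducible.
AS_OF = date(2024, 11, 15)


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float


def cve_year(cve: str) -> int:
    """Year from the CVE identifier, used as a proxy for disclosure year."""
    return int(cve.split("-")[1])


def tier(f: Finding) -> str:
    """Exploited in the wild beats critical CVSS, which beats everything else."""
    if f.cve in TOP15:
        return "exploited"
    if f.cvss >= 9.0:
        return "critical"
    return "other"


def priority_key(f: Finding, today: date):
    # Lower tuple sorts first: tier, then higher CVSS, then older disclosure
    # (an old flaw that is still exploited means patching has stalled).
    rank = {"exploited": 0, "critical": 1, "other": 2}[tier(f)]
    age = today.year - cve_year(f.cve)
    return (rank, -f.cvss, -age, f.host)


def prioritize(findings, today: date = AS_OF):
    """Return findings in the order they should be remediated."""
    return sorted(findings, key=lambda f: priority_key(f, today))


def deadline(f: Finding, today: date = AS_OF) -> str:
    """ISO date by which the finding must be fixed under SLA_DAYS."""
    return (today + timedelta(days=SLA_DAYS[tier(f)])).isoformat()


def outside_two_year_window(f: Finding, today: date = AS_OF) -> bool:
    """True when the CVE is more than two years old yet still open on a host."""
    return today.year - cve_year(f.cve) > 2


# Constructed scanner output, not real hosts.
SAMPLE = [
    Finding("build-01", "CVE-2023-42793", 9.8),
    Finding("vpn-gw-01", "CVE-2023-4966", 9.4),
    Finding("app-07", "CVE-9999-0001", 9.9),   # placeholder: high CVSS, not in the advisory
    Finding("dc-01", "CVE-2020-1472", 10.0),
    Finding("web-03", "CVE-9999-0002", 6.5),   # placeholder: moderate, not in the advisory
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        note = "  <- older than 2 years and still exploited" if (
            f.cve in TOP15 and outside_two_year_window(f)) else ""
        print(f"{f.host:10} {f.cve:15} CVSS {f.cvss:4} {tier(f):9} due {deadline(f)}{note}")
```

The point of the ordering is visible in the sample: the placeholder finding with the highest CVSS (9.9) lands behind every advisory CVE, because a proven exploit matters more than a theoretical score, and the four-year-old Zerologon entry sorts to the very top. In production the TOP15 set would be replaced by the full CISA Known Exploited Vulnerabilities catalog and the findings by a real scanner export.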
"All of these vulnerabilities are publicly known, but many appear in the top 15 for the first time," said Jeffrey Dickerson, NSA's technical director of cybersecurity. "Network defenders should pay close attention to trends and take immediate action to ensure vulnerabilities are patched and mitigated. Exploitation will likely continue into 2024 and 2025."
By adopting these measures, your organization can reduce the risks associated with attacks exploiting known vulnerabilities, while boosting the confidence of your partners and customers.
Sources:
2023 Top Routinely Exploited Vulnerabilities
Download the “2023 Top Routinely Exploited Vulnerabilities” report (pdf)