Saturday, November 23, 2024

Rising Demand for Zero-Day Exploits Among Attackers

Threat actors, whether backed by governments or motivated by financial gain, are increasingly exploiting unknown vulnerabilities, known as zero-days, to launch attacks before tech companies can provide patches. This insight comes from a new advisory by the Five Eyes cyber agencies, which include the UK’s National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

These agencies compiled a list of the 15 most exploited vulnerabilities of 2023, showing a significant rise in zero-day exploits compared to previous years. In 2022, zero-days made up less than half of exploited vulnerabilities; that figure has since changed drastically. The trend has continued into 2024, according to the NCSC.

The NCSC called for organizations to strengthen their vulnerability management processes. It’s crucial to quickly apply updates as they arrive and to accurately identify all potentially affected IT assets. They also urged suppliers and developers to prioritize secure design principles when creating products. This push from the Five Eyes governments over the past 18 months aims to minimize the introduction of vulnerabilities during development.

Ollie Whitehouse, the NCSC’s chief technology officer, pointed out that zero-day exploitation is becoming a routine concern for both end-user organizations and vendors. He emphasized the need for everyone to stay proactive, urging organizations to apply patches swiftly and to demand secure products in the marketplace.

Whitehouse further stressed the importance of vigilance in vulnerability management and operational situational awareness. He also called on product developers to integrate security into every phase of design and lifecycle to tackle these persistent vulnerabilities effectively.

Here’s the list of the most frequently exploited vulnerabilities in 2023:

  • CVE-2023-3519: A code injection flaw in Citrix NetScaler ADC and Gateway.
  • CVE-2023-4966: A buffer overflow vulnerability in Citrix NetScaler ADC and Gateway, known as Citrix Bleed.
  • CVE-2023-20198: An elevation of privilege issue in Cisco IOS XE Web UI.
  • CVE-2023-20273: A command injection bug in Cisco IOS XE.
  • CVE-2023-27997: A heap-based buffer overflow in Fortinet FortiOS and FortiProxy SSL-VPN.
  • CVE-2023-34362: A SQL injection vulnerability in Progress MOVEit Transfer, notably exploited by the Cl0p ransomware gang.
  • CVE-2023-22515: A broken access control vulnerability in Atlassian Confluence Data Center and Server.
  • CVE-2021-44228: A remote code execution issue in Apache Log4j2, widely known as Log4Shell, still prevalent years after its initial discovery.
  • CVE-2023-2868: An improper input validation flaw in Barracuda Networks ESG Appliance.
  • CVE-2022-47966: A remote code execution issue in Zoho ManageEngine.
  • CVE-2023-27350: An improper access control vulnerability in PaperCut MF/NG.
  • CVE-2020-1472: An elevation of privilege vulnerability in Microsoft Netlogon, associated with previous high-profile incidents.
  • CVE-2023-42793: An authentication bypass flaw in JetBrains TeamCity.
  • CVE-2023-23397: An elevation of privilege issue in Microsoft Office Outlook, reportedly exploited by Russian actors.
  • CVE-2023-49103: An information disclosure vulnerability in ownCloud graphapi.

The advisory details additional vulnerabilities that were frequently exploited throughout 2023, including two issues in Ivanti products disclosed in August and the well-known Fortra GoAnywhere flaw used again by the Cl0p gang.