The majority of the most exploited vulnerabilities of 2023 were first targeted as zero days, representing a "new normal" in the enterprise threat landscape.
That's the warning from the National Cyber Security Centre (NCSC), which joined with Five Eyes partners, including CISA, to publish a rundown of the 15 most exploited vulnerabilities of 2023 and issue an urgent advisory on patching them.
Many of the vulnerabilities affect products at the network edge, from the likes of Barracuda, Cisco, Citrix and Fortinet, although the list is diverse and shows that Log4Shell (Log4j) remains worryingly widely exploited.
In 2022, less than half of the most commonly exploited vulnerabilities were zero days.
However, they made up the majority in 2023, and the NCSC observed the same trend throughout 2024, its leadership said today.
Ollie Whitehouse, NCSC Chief Technology Officer, said: “More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organisations and vendors alike as malicious actors seek to infiltrate networks.
“To reduce the risk of compromise, it is vital all organisations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace.
“We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source”.
Zero days continue to be a threat for months or even years after discovery, CISA warned in its advisory.
It wrote: "Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities."
The top 15 exploited vulnerabilities of 2023:
- CVE-2023-3519: Citrix NetScaler ADC and NetScaler Gateway.
Allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using a HTTP GET request.
- CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway.
Allows session token leakage; a proof-of-concept for this exploit was revealed in October 2023.
- CVE-2023-20198: Cisco IOS XE Web UI.
Lets unauthorised users gain initial access and issue a command to create a local user and password combination, enabling them to log in with normal user access.
- CVE-2023-20273: Cisco IOS XE.
Allows privilege escalation to root privileges after a local user has been created.
- CVE-2023-27997: Fortinet FortiOS and FortiProxy SSL-VPN.
Allows a remote user to craft specific requests that let them execute arbitrary code.
- CVE-2023-34362: Progress MOVEit Transfer.
Allows abuse of an SQL injection vulnerability to obtain a sysadmin API access token. Threat actors may also be able to obtain remote code execution using this access by abusing a deserialization call.
- CVE-2023-22515: Atlassian Confluence Data Center and Server.
Allows exploitation of an improper input validation issue. "Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at run time," CISA wrote. "The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution."
- CVE-2021-44228: Log4Shell, affecting Apache's Log4j library.
Allows remote code execution: attackers can take full control of a system by submitting a specially crafted request to a vulnerable system.
- CVE-2023-2868: Barracuda Networks Email Security Gateway (ESG) Appliance.
Gives attackers unauthorized access and the ability to remotely execute system commands via the ESG appliance.
- CVE-2022-47966: Zoho ManageEngine.
Allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.
- CVE-2023-27350: PaperCut MF/NG.
Allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code.
- CVE-2020-1472: Microsoft Netlogon.
Allows privilege escalation. This CVE has been included in top routinely exploited vulnerabilities lists since 2021.
- CVE-2023-42793: JetBrains TeamCity servers.
Allows authentication bypass to enable remote code execution against vulnerable servers.
- CVE-2023-23397: Microsoft Office Outlook.
Allows elevation of privilege. "A threat actor can send a specially crafted email that the Outlook client will automatically trigger when Outlook processes it," CISA wrote. "This exploit occurs even without user interaction."
- CVE-2023-49103: ownCloud graphapi.
Allows unauthenticated information disclosure: an attacker without credentials can access sensitive data such as admin passwords, mail server credentials, and license keys.
All these vulnerabilities have now been patched.