Threat actors – both state-backed and financially-motivated – are increasingly taking advantage of previously unknown vulnerabilities, or zero daysto compromise their victims before fixes or patches are made available by the tech industry, according to a new advisory published by the Five Eyes cyber agencies, including the UK's National Cyber Security Center (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA).
The agencies have collectively drawn up a list of the 15 most exploited vulnerabilities of 2023 and found that the majority of exploited vulnerabilities were zero-days compared to less than half in 2022. The trend has continued through 2024, said the NCSC.
The NCSC said that defenders needed to up their game when it comes to vulnerability management, paying particular attention to applying updates as quickly as possible when they do arrive, and to making sure they have identified all the potentially affected IT assets in their estates.
The organization also urged suppliers and developers to do more to implement secure-by-design principles into their products, something that the Five Eyes governments – Australia, Canada, New Zealand, the UK and the United States – have become particularly vocal about in the past 18 months. Doing so helps reduce the risk of vulnerabilities being accidentally introduced during development, only to be taken advantage of further down the line.
“More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks,” said NCSC chief technology officer (CTO) Ollie Whitehouse.
“To reduce the risk of compromise, it is vital all organizations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace,” said Whitehouse.
“We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source ,” he added.
The full list of the vulnerabilities most frequently exploited during 2023 is as follows:
- CVE-2023-3519a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway;
- CVE-2023-4966a buffer overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway, aka citrix bleed,
- CVE-2023-20198an elevation of privilege (EoP) issue in Cisco IOS XE Web UI;
- CVE-2023-20273a web UI command injection bug in Cisco IOS XE;
- CVE-2023-27997a heap-based buffer overflow flaw in Fortinet FortiOS and FortiProxy SSL-VPN;
- CVE-2023-34362a SQL injection vulnerability in Progress MOVEit Transfer, infamously exploited by the Cl0p ransomware gang, the fall-out from which is still being felt,
- CVE-2023-22515a broken access control vulnerable it Atlassian Confluence Data Center and Server;
- CVE-2021-44228a remote code execution (RCE) issue in Apache Log4j2, aka Log4Shell, the source of a major incident at the end of 2021 and still being widely-abused years later;
- CVE-2023-2868an improper input validation flaw in Barracuda Networks ESG Appliance;
- CVE-2022-47966an RCE issue in Zoho ManageEngine;
- CVE-2023-27350an improper access control vulnerability in PaperCut MF/NG;
- CVE-2020-1472an EoP vuln in Microsoft Netlogon, the source of another high-profile historical incident that there is now no excuse for not having addressed;
- CVE-2023-427983an authentication bypass flaw in JetBrains TeamCity;
- CVE-2023-23397an EoP issue in Microsoft Office Outlook, widely-used by Russian spooks,
- And last but not least, CVE-2023-49103an information disclosure vuln in ownCloud graphapi.
The full list, which can be downloaded from CISAalso contains details of a number of other issues that were observed being routinely exploited during 2023, prominent among them two vulnerabilities in Ivanti products. disclosed in August 2023and the infamous Fortra GoAnywhere flaw exploited, yet again, by the Cl0p gang,