2023’s Most Exploited Zero-day Vulnerabilities Uncovered


The FBI, NSA, and allied agencies within the Five Eyes intelligence network have published a list of the 15 most exploited vulnerabilities from 2023. The cybersecurity advisory, a collaborative effort led by the Cybersecurity and Infrastructure Security Agency (CISA) alongside the national cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom, urges organizations worldwide to prioritize patching these vulnerabilities. The advisory highlights that malicious actors leveraged more zero-day vulnerabilities in 2023 than in 2022, exposing critical enterprise networks.

These zero-day vulnerabilities, which are exploited before the release of patches, enabled cyber actors to compromise high-priority targets with minimal resistance.

The advisory also emphasizes the need for organizations to deploy strong patch management systems to prevent further exposure.

Zero-day Vulnerabilities: Background and Purpose

The advisory, developed by cybersecurity agencies in the Five Eyes alliance, aims to provide critical insights into the most exploited vulnerabilities and associated risks in 2023. This release serves as a reference for both developers and organizations, advising them to adopt a proactive approach to vulnerability management and security best practices.

The authoring agencies included:

  • United States: CISA, FBI, and NSA
  • Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
  • Canada: Canadian Centre for Cyber Security (CCCS)
  • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and CERT NZ
  • United Kingdom: National Cyber Security Centre (NCSC-UK)

Key Findings

The report’s findings highlight a growing trend: in 2023, the majority of the most exploited vulnerabilities were first exploited as zero-days, a rise from the previous year when fewer vulnerabilities were exploited before patches were available. Notably, cyber actors have been most successful in exploiting vulnerabilities within the first two years of their disclosure.


Table 1 below lists the top 15 vulnerabilities exploited throughout 2023. The table includes each vulnerability’s Common Vulnerabilities and Exposures (CVE) identifier, as well as affected platforms and exploit details.

| CVE | Platform | Vulnerability Details |
|---|---|---|
| CVE-2023-3519 | Citrix NetScaler ADC & Gateway | Causes stack buffer overflow via HTTP GET request |
| CVE-2023-4966 | Citrix NetScaler ADC & Gateway | Session token leakage, PoC revealed in Oct 2023 |
| CVE-2023-20198 | Cisco IOS XE Web UI | Unauthorized access; allows local user creation |
| CVE-2023-20273 | Cisco IOS XE | Escalates privileges to root once local user is created |
| CVE-2023-27997 | Fortinet FortiOS & FortiProxy SSL-VPN | Remote code execution via crafted requests |
| CVE-2023-34362 | Progress MOVEit Transfer | SQL injection grants sysadmin access and remote code execution |
| CVE-2023-22515 | Atlassian Confluence | Exploits improper input validation; adds admin user |
| CVE-2021-44228 | Apache Log4j (Log4Shell) | Code execution vulnerability; active since Dec 2021 |
| CVE-2023-2868 | Barracuda ESG Appliance | Unauthorized access and remote command execution |
| CVE-2022-47966 | Zoho ManageEngine | Executes arbitrary code via SAML endpoint |
| CVE-2023-27350 | PaperCut MF/NG | Bypasses authentication, executes code through scripting |
| CVE-2020-1472 | Microsoft Netlogon | Privilege escalation via secure channel exploit |
| CVE-2023-42793 | JetBrains TeamCity | Authentication bypass allows remote code execution |
| CVE-2023-23397 | Microsoft Outlook | Privilege escalation via specially crafted emails |
| CVE-2023-49103 | ownCloud graphapi | Unauthenticated access to sensitive admin data |

Recommended Mitigations

The advisory includes actionable recommendations to help organizations secure their networks against these vulnerabilities. Here’s a summary of the key measures:

For Developers and Vendors

  • Secure Software Development: Follow secure design principles, integrating security at each stage of the Software Development Life Cycle (SDLC).
  • SP 800-218 SSDF Compliance: Implement secure practices such as peer code reviews, vulnerability disclosure programs, and static and dynamic application security testing (SAST/DAST) to identify and mitigate vulnerabilities.
  • Secure by Default Configurations: Eliminate default passwords, employ single sign-on (SSO) technology, and maintain high-quality audit logs.

For End-User Organizations

  • Patch Management: Regularly update systems, prioritizing the patching of known exploited vulnerabilities (KEVs) listed in the advisory.
  • Security Tools: Deploy endpoint detection and response (EDR) systems, web application firewalls, and network protocol analyzers to detect and respond to zero-day exploit attempts.
  • Secure Configurations: Enforce secure default configurations to reduce unnecessary exposure and improve overall security resilience.
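One way to act on the patch-management recommendation, as an added example that is not from the advisory or this article: cross-reference a vulnerability-scanner export against the 15 CVE identifiers in Table 1 and order the work so the newest entries come first, since the advisory notes actors are most successful within two years of disclosure. The export columns (host, cve, fix_available) and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# The 15 CVE identifiers from Table 1 of the advisory, as listed above.
ADVISORY_TOP15 = frozenset({
    "CVE-2023-3519", "CVE-2023-4966", "CVE-2023-20198", "CVE-2023-20273",
    "CVE-2023-27997", "CVE-2023-34362", "CVE-2023-22515", "CVE-2021-44228",
    "CVE-2023-2868", "CVE-2022-47966", "CVE-2023-27350", "CVE-2020-1472",
    "CVE-2023-42793", "CVE-2023-23397", "CVE-2023-49103",
})

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample scanner export (hypothetical columns: host,cve,fix_available).
SAMPLE_SCAN = """host,cve,fix_available
vpn-gw-01,CVE-2023-4966,yes
vpn-gw-01,CVE-2023-3519,yes
build-01,cve-2023-42793,yes
web-03,CVE-2021-44228,yes
web-03,CVE-2024-0001,no
dc-01,CVE-2020-1472,yes
"""

def prioritize(scan_csv: str, report_year: int = 2023) -> list[dict]:
    """Return scan findings that appear in the advisory list, most urgent first.
    Newest CVEs first (the advisory: most success within two years of
    disclosure), then by host. Old entries such as Log4Shell stay in scope:
    still being listed means unpatched instances are still being exploited."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        cve = row["cve"].strip().upper()          # scanners differ in casing
        match = CVE_RE.match(cve)
        if not match or cve not in ADVISORY_TOP15:
            continue                              # malformed or not in this advisory
        findings.append({
            "host": row["host"].strip(),
            "cve": cve,
            "age_years": report_year - int(match.group(1)),
            "fix_available": row["fix_available"].strip().lower() == "yes",
        })
    findings.sort(key=lambda f: (f["age_years"], f["host"], f["cve"]))
    return findings

def hosts_to_patch(scan_csv: str) -> list[str]:
    """Distinct hosts with at least one advisory CVE for which a fix exists."""
    return sorted({f["host"] for f in prioritize(scan_csv) if f["fix_available"]})

if __name__ == "__main__":
    print(hosts_to_patch(SAMPLE_SCAN))
```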

Implementing Security-Centered Development Lifecycles

The advisory encourages implementing security-centered product development lifecycles, reducing vulnerability exposure through vigorous testing and threat modeling. By enhancing the development process with these practices, developers can better prevent vulnerabilities and minimize the need for post-deployment patches, which can be costly and time-consuming.

Incentivizing Vulnerability Disclosure Programs

The cybersecurity advisory advocates for an increase in incentives for responsible vulnerability disclosure, recommending programs such as bug bounties to encourage ethical vulnerability reporting. These programs not only compensate researchers but also promote quicker identification and remediation of potential security flaws.

Importance of Sophisticated Detection Tools

The use of advanced detection tools, particularly EDR solutions, can significantly aid in detecting and mitigating zero-day exploitation. For example, at least three of the most exploited vulnerabilities in 2023 were identified through the use of EDR or other detection methods when suspicious activity was reported.

By following the recommendations and proactively addressing these known exploits, organizations can effectively mitigate risks and defend against increasingly sophisticated cyber threats.

For more information on the vulnerabilities and recommendations, organizations are encouraged to review CISA’s full advisory.
