Top 10 Most Exploited Vulnerabilities of 2023


Several vulnerabilities have been identified and exploited by threat actors in the wild this year for several malicious purposes, such as Ransomware, cyber espionage, data theft, cyberterrorism, and many nation-state-sponsored activities.

Some vulnerabilities were added to the CISA’s Known Exploited Vulnerabilities catalog, marking them as extremely important to patch. Products belonging to several vendors, such as Microsoft, Citrix, Fortinet, Progress, and many others, were affected due to these vulnerabilities.

Some of the top vulnerabilities that were exploited this year are,

  1. MOVEit Vulnerability (CVE-2023-34362)
  2. Microsoft Outlook Privilege Escalation (CVE-2023-23397)
  3. Fortinet FortiOS (CVE-2022-41328)
  4. ChatGPT (CVE-2023-28858)
  5. Windows Common Log File System Driver Privilege Escalation (CVE-2023-28252)
  6. Barracuda Email Security Gateway Vulnerability (CVE-2023-2868)
  7. Adobe ColdFusion (CVE-2023-26360)
  8. Citrix Bleed Vulnerability (CVE 2023-4966)
  9. Windows Smart Screen Bypass (CVE-2023-24880)
  10. SugarCRM Remote Code Execution (CVE-2023-22952)

This vulnerability existed in Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) which were vulnerable to SQL injection attack. 

An unauthenticated threat actor could exploit this vulnerability and gain access to MOVEit Transfer’s Database and perform malicious actions like altering or deleting the database elements.

This vulnerability was exploited in the wild in May and June 2023 by the CL0P ransomware group. The Severity for this vulnerability was given as 9.8 (Critical). Progress released patched versions for fixing this vulnerability alongside precautionary steps.

This vulnerability existed in all versions of Outlook Clients, including Outlook for Android, iOS, Mac, and Windows users. A threat actor can exploit this vulnerability by sending a specially crafted mail, automatically triggering this exploitation. 

Moreover, this is a zero-click vulnerability, as no user interaction is required to exploit this vulnerability. Successful exploitation of this vulnerability leaks the victim’s Net-NTLMv2 hashes, which can then be used to perform relay attacks on other systems and also authenticate the threat actor as the targeted user. 

A Russia-based threat actor exploited this vulnerability to target government, transportation, energy, and military sectors in Europe. The severity for this vulnerability has been given as 9.8 (Critical).

Microsoft has released a patched version to address this vulnerability.

This vulnerability existed in multiple FortiOS versions, allowing a privileged threat actor to read and write arbitrary files through crafted CLI commands due to improper pathname validation to a restricted directory.

This vulnerability was found to be exploited by a Chinese cyberespionage group against governments. The severity of this vulnerability was given as 7.1 (High). Fortinet has released patched versions to fix this vulnerability.

CVE-2023-28858: Off-by-one Error in ChatGPT

This vulnerability existed in the redis-py of the ChatGPT version before 4.5.3, which allows a user to see someone else’s chat history if both users were active simultaneously. Moreover, OpenAI stated that there may have been an “unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during the existence of this bug.

OpenAI has patched this vulnerability swiftly upon being notified. The severity of this vulnerability was given as 3.7 (Low). 

This vulnerability allows a threat actor with access to the systems to run code with SYSTEM privileges. This exists in the clfs.sys driver which is defaultly installed on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 OSes.

The Nokoyawa ransomware group exploited this vulnerability to attack organizations in April 2023. The severity for this vulnerability was given as 7.8 (High). Microsoft has released patches to fix this vulnerability.

This vulnerability existed in Barracuda Email Security Gateway versions 5.1.3.001-9.2.0.006 due to improper sanitization in processing the .tar files. A threat actor could exploit this vulnerability and execute system commands with the product privileges.

This vulnerability was actively exploited by UNC4841, which works under the support of the People’s Republic of China for espionage and other activities. The severity for this vulnerability was given as 9.8 (Critical). 

Barracuda Networks has released patches for this vulnerability.

This vulnerability affects Adobe ColdFusion version 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), allowing threat actors to execute arbitrary code under the user’s context due to improper access control. 

An unknown threat actor exploited this vulnerability in June and July 2023. The severity of this vulnerability was given as 9.8 (Critical). Adobe has released patches to fix this vulnerability.

This vulnerability existed in multiple versions of Citrix NetScaler ADC and Gateway appliances, allowing threat actors to retrieve sensitive information on affected devices. The LockBit 3.0 Ransomware group actively exploited this vulnerability in November 2023.

The severity of this vulnerability was given as 7.5 (High). A publicly available exploit code exists for this vulnerability and several instances of exploitation were found. Citrix has released patches to fix this vulnerability.

CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability

Threat actors can exploit this vulnerability by delivering malicious MSI files that bypass the Mark-of-the-Web (MOTW) warning, potentially deploying malware onto the system. This vulnerability was exploited by Magniber ransomware and Qakbot malware threat actors.

The severity of this vulnerability was given 4.4 (Medium). Moreover, this vulnerability bypassed a previously identified vulnerability on the Windows SmartScreen. Microsoft has released patches to fix this vulnerability.

CVE-2023-22952: Remote Code Execution Vulnerability in SugarCRM

This vulnerability exists in the Email templates of SugarCRM, which can be exploited by a threat actor with any user privilege using a specially crafted request. The threat actor can also inject a custom PHP code due to missing input validation.

The severity for this vulnerability was given as 8.8 (High). Many SugarCRM 11.0 and 12.0 products were affected by this vulnerability. However, SugarCRM has released patches to fix this vulnerability. 

There were several critical vulnerabilities discovered this year, excluding the above list. Users of these products are recommended to upgrade to the latest versions to prevent these vulnerabilities from getting exploited by threat actors.



Source link