
Most widely exploited vulnerabilities in 2023 were zero days

While zero-day exploitation surged throughout 2023, CISA said threat actors continue to exploit known vulnerabilities that were disclosed and patched as far back as 2017.

Attackers exploited significantly more zero-day vulnerabilities against victim organizations in 2023 compared to 2022, according to a new government advisory.

CISA published a joint government advisory Tuesday that detailed the most routinely exploited vulnerabilities of 2023. The advisory, co-authored by agencies in the U.K., Australia, Canada and New Zealand, warned of alarming trends that further underscored how enterprises need to improve their vulnerability management practices.

Though enterprises continued to face challenges with known vulnerabilities despite patches being available, zero-day vulnerabilities presented increased risks throughout 2023.

"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," CISA wrote in the advisory. "In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."

One example that made the advisory's list of the top 15 routinely exploited vulnerabilities was CVE-2023-4966, an unauthenticated buffer overread in Citrix NetScaler ADC and NetScaler Gateway that leaks appliance memory, including valid session tokens, to an attacker. Mandiant published research showing that attackers exploited the flaw as a zero-day and warned that CVE-2023-4966 was complicated to fix: session tokens stolen before the patch remain valid afterward, so remediation also requires terminating all active and persistent sessions on the appliance.

The vulnerability, dubbed Citrix Bleed, also drew attention from the LockBit ransomware gang. LockBit actors exploited the flaw against Boeing, with reports at the time that a $200 million ransom demand was made.

CVE-2023-4966 was not the only Citrix flaw to make CISA's list. Another was an unauthenticated remote code execution flaw, tracked as CVE-2023-3519, that also affected Citrix's NetScaler ADC and NetScaler Gateway. CVE-2023-3519 received a CVSS score of 9.8 and was exploited as a zero-day. In a separate advisory last year, CISA revealed that attackers exploited the zero-day vulnerability against an unnamed critical infrastructure organization.

Unsurprisingly, the zero-day vulnerability that the Clop ransomware gang exploited in Progress Software's MOVEit Transfer product also made the list. The critical SQL injection flaw, tracked as CVE-2023-34362, highlighted how downstream customers can be significantly affected when attackers exploit just one vulnerability in a widely deployed product.

While the advisory included many zero-day vulnerabilities and flaws disclosed in 2023, it also showed how attackers continue to exploit known vulnerabilities. CISA highlighted a pattern that makes it even more vital for enterprises to adopt efficient and timely patching practices.

"Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability," the report read.

Some of the exploited vulnerabilities were disclosed and patched as far back as 2017, such as a remote code execution flaw in the SNMP subsystem of Cisco IOS and IOS XE Software, tracked as CVE-2017-6742. CISA found that threat actors also exploited a 2018 path traversal flaw in the web portal of Fortinet's FortiOS SSL VPN, tracked as CVE-2018-13379, which lets an unauthenticated attacker read system files from the device.

Satnam Narang, senior staff research engineer at Tenable, told TechTarget Editorial that VPNs and other internet-exposed services were a common thread among many of the flaws highlighted in the advisory. Narang added that there is a strong correlation between internet-facing systems running software with known vulnerabilities and the likelihood of exploitation.

Narang also said CVE-2017-6742 exploitation has been connected to the Russian state-sponsored advanced persistent threat group known as Fancy Bear. The group also exploited a second vulnerability on CISA's list, CVE-2023-23397, a Microsoft Outlook flaw, to target Microsoft Exchange accounts.

Narang stressed that CVE-2017-6742 continues to pose a threat to victim organizations even though it was patched more than seven years ago.

"Yet in 2023, we still see this same flaw being utilized in the wild by other attackers. According to some intelligence, there are still around 24,000 Cisco IOS and IOS XE systems online that may be vulnerable to this flaw," Narang said in an email to TechTarget Editorial. "Each year that the Top Routinely Exploited list is published serves as a constant reminder of the threat posed by known vulnerabilities for most organizations and why it is not just important [but] it is [also] imperative for organizations to address these known vulnerabilities in a timely manner to protect against unauthorized access to critical business systems."

CISA recommended that vendors and developers analyze both discovered and disclosed vulnerabilities to identify classes of vulnerability that are exploited repeatedly, so those classes can be eliminated at the design level. For end-user organizations, the advisory recommended prioritizing remediation of vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and routinely performing asset discovery across their infrastructure.
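The prioritization CISA describes can be turned into a simple triage rule: a finding that is both in the KEV catalog and on an internet-facing asset goes first, other KEV findings next, then everything else by severity, with the catalog's known-ransomware flag and its remediation due date used to break ties. The script below is an added example and is not code from the advisory, CISA or TechTarget. The KEV excerpt it embeds is a constructed subset covering the CVEs named in this article; the field names follow the layout of the real catalog's JSON, but the dates are illustrative placeholders, not the catalog's recorded values. The asset inventory, the scanner findings, their CVSS scores and the placeholder "CVE-0000-00000" identifier are likewise constructed for the example.

```python
import json
from datetime import date

# Constructed KEV excerpt. Field names mirror the real catalog JSON; dates are placeholders.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and NetScaler Gateway",
  "dateAdded": "2023-10-18", "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2023-3519", "vendorProject": "Citrix", "product": "NetScaler ADC and NetScaler Gateway",
  "dateAdded": "2023-07-19", "dueDate": "2023-08-09", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
  "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2017-6742", "vendorProject": "Cisco", "product": "IOS and IOS XE Software",
  "dateAdded": "2023-04-18", "dueDate": "2023-05-09", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
  "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2023-23397", "vendorProject": "Microsoft", "product": "Outlook",
  "dateAdded": "2023-03-14", "dueDate": "2023-04-04", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed asset inventory: the output of the asset discovery the advisory asks for.
INVENTORY = {
    "vpn-gw-01": {"internet_facing": True},
    "vpn-gw-02": {"internet_facing": True},
    "mft-01": {"internet_facing": True},
    "wiki-01": {"internet_facing": True},
    "core-rtr-07": {"internet_facing": False},
    "mail-01": {"internet_facing": False},
    "build-srv-03": {"internet_facing": False},
}

# Constructed scanner findings. CVSS values are whatever the scanner reported in this sample.
# "CVE-0000-00000" is a placeholder for a finding that is not in the catalog, not a real CVE.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2023-4966", "cvss": 9.4},
    {"asset": "vpn-gw-02", "cve": "CVE-2018-13379", "cvss": 9.8},
    {"asset": "mft-01", "cve": "CVE-2023-34362", "cvss": 9.8},
    {"asset": "core-rtr-07", "cve": "CVE-2017-6742", "cvss": 8.8},
    {"asset": "mail-01", "cve": "CVE-2023-23397", "cvss": 9.8},
    {"asset": "build-srv-03", "cve": "CVE-0000-00000", "cvss": 9.1},
    {"asset": "wiki-01", "cve": "CVE-0000-00000", "cvss": 5.0},
]


def load_kev(kev_json: str) -> dict:
    """Index catalog entries by CVE ID so lookups during triage are O(1)."""
    return {entry["cveID"]: entry for entry in json.loads(kev_json)["vulnerabilities"]}


def tier(finding: dict, kev: dict, inventory: dict) -> int:
    """1 = KEV on an internet-facing asset, 2 = KEV elsewhere, 3 = critical non-KEV, 4 = rest."""
    in_kev = finding["cve"] in kev
    exposed = inventory[finding["asset"]]["internet_facing"]
    if in_kev and exposed:
        return 1
    if in_kev:
        return 2
    if finding["cvss"] >= 9.0:
        return 3
    return 4


def prioritize(kev_json: str, findings: list, inventory: dict, today: date) -> list:
    """Return findings ordered for remediation: tier, then ransomware use, then overdue, then CVSS."""
    kev = load_kev(kev_json)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        rows.append({
            "asset": f["asset"],
            "cve": f["cve"],
            "cvss": f["cvss"],
            "tier": tier(f, kev, inventory),
            "ransomware": bool(entry and entry.get("knownRansomwareCampaignUse") == "Known"),
            # KEV due dates are binding for U.S. federal agencies; here they flag how stale the gap is.
            "overdue": bool(entry and date.fromisoformat(entry["dueDate"]) < today),
        })
    # False sorts before True, so negate the booleans to put "Known" and "overdue" first.
    rows.sort(key=lambda r: (r["tier"], not r["ransomware"], not r["overdue"], -r["cvss"], r["asset"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(KEV_JSON, FINDINGS, INVENTORY, date.today()):
        flags = ("ransomware" if r["ransomware"] else "") + (" overdue" if r["overdue"] else "")
        print(f'P{r["tier"]} {r["asset"]:12} {r["cve"]:16} cvss={r["cvss"]} {flags.strip()}')
```

Run with a real KEV download in place of `KEV_JSON` and a scanner export in place of `FINDINGS`; the point of the `internet_facing` field is that exposure comes from the asset inventory, not from the scanner, which is why the advisory pairs KEV prioritization with routine asset discovery.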

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
