A new joint Cybersecurity Advisory, co-authored by leading cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom, details the vulnerabilities malicious actors routinely exploited in 2023. This advisory highlights specific vulnerabilities and offers guidance to mitigate risks for software developers and end-user organizations. The aim is to help organizations secure systems and strengthen defenses against today's persistent and complex cyber threats.
International cooperation to address cybersecurity threats
This advisory marks a significant collaborative effort among leading cybersecurity organizations worldwide. The report, titled 2023 Top Routinely Exploited Vulnerabilities, compiles critical data on the Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumerations (CWEs) that were the primary targets of threat actors in 2023. Notably, the advisory observes a marked increase in the exploitation of Zero-Day vulnerabilities, which allow attackers to compromise enterprise networks with little to no warning.
According to the advisory, "Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high-priority targets." This trend underlines the growing need for both vendors and organizations to adopt preventive and proactive measures to secure their digital infrastructure.
Top 15 routinely exploited vulnerabilities of 2023
The advisory's list of the most exploited vulnerabilities in 2023 provides insight into the types of systems and weaknesses attackers frequently target. These vulnerabilities span a range of technologies, from network security appliances to widely used software applications.
- CVE-2023-3519 (Citrix NetScaler ADC and Gateway): An unauthenticated user can cause a stack buffer overflow in the NSPPE process using an HTTP GET request.
- CVE-2023-4966 (Citrix NetScaler ADC and Gateway): This exploit allows session token leakage; a proof-of-concept was revealed in October 2023.
- CVE-2023-20198 (Cisco IOS XE Web UI): This vulnerability allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with standard user access.
- CVE-2023-20273 (Cisco IOS XE): Allows a local user, once created, to escalate to root privileges.
- CVE-2023-27997 (Fortinet FortiOS and FortiProxy SSL-VPN): A remote user can craft specific requests to execute arbitrary code or commands.
- CVE-2023-34362 (Progress MOVEit Transfer): This vulnerability allows an attacker to abuse an SQL injection vulnerability to obtain a sysadmin API access token. A malicious cyber actor can then obtain remote code execution via this access by abusing a deserialization call.
- CVE-2023-22515 (Atlassian Confluence Data Center and Server): Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWork2 middleware and, in turn, allow Java objects to be modified at run time. The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution.
- CVE-2021-44228 (Apache Log4j, also known as Log4Shell): Allows the execution of arbitrary code. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.
- CVE-2023-2868 (Barracuda Networks Email Security Gateway): Allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance.
- CVE-2023-47966 (Zoho ManageEngine): Allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.
- CVE-2023-27350 (PaperCut MF/NG): Allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code.
- CVE-2020-1472 (Microsoft Netlogon): Allows privilege escalation. An unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol.
  Note: This CVE has been included in top routinely exploited vulnerabilities lists since 2021.
- CVE-2023-42793 (JetBrains TeamCity): Allows an authentication bypass that leads to remote code execution against vulnerable JetBrains TeamCity servers.
- CVE-2023-23397 (Microsoft Office Outlook): This vulnerability allows elevation of privilege. A threat actor can send a specially crafted email that triggers automatically when the Outlook client processes it. This exploit occurs even without user interaction.
- CVE-2023-49103 (ownCloud graphapi): Allows unauthenticated information disclosure. An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.
This list reveals that attackers are not only targeting recent vulnerabilities but are also exploiting longstanding ones, such as the infamous Log4Shell (CVE-2021-44228) and Microsoft's Netlogon vulnerability (CVE-2020-1472), underscoring the importance of patching even older vulnerabilities.
Mitigations for vendors and end-user organizations
The advisory urges two primary groups—software vendors and end-user organizations—to take specific actions to reduce cyber risks. Key recommendations include secure-by-design principles, consistent software patching, and implementation of security monitoring tools.
For vendors, designers, and developers:
- Adopt Secure by Design practices: The report encourages vendors to follow frameworks like NIST's SP 800-218 Secure Software Development Framework (SSDF) throughout the software development lifecycle. Vendors should prioritize secure-by-default configurations, which include "eliminating default passwords and not requiring additional configuration changes to enhance product security."
- Vulnerability disclosure programs: Establishing coordinated vulnerability disclosure programs allows vendors to detect and resolve vulnerabilities early, minimizing the risk of exploitation.
- Include CWEs in CVEs: By ensuring that published CVEs contain Common Weakness Enumeration (CWE) identifiers, vendors help identify root causes, fostering a broader understanding of software security issues.
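The "Include CWEs in CVEs" recommendation is easy to turn into a publishing check. The script below is an added example, not code from the advisory or from SecureWorld; it assumes the CVE JSON 5.x record layout (root causes under containers.cna.problemTypes[].descriptions[].cweId) and uses constructed sample records with placeholder CVE ids, not real entries.

```python
"""Audit CVE records for the CWE identifiers the advisory asks vendors to include.

Added example; not the advisory's or the article's code. Assumes the CVE JSON 5.x
record layout, where a CNA lists root causes under
containers.cna.problemTypes[].descriptions[].cweId. All records below are
constructed samples with placeholder ids, not real CVE entries.
"""
import json
import re

# A well-formed CWE identifier: "CWE-" followed by digits only.
CWE_ID = re.compile(r"^CWE-\d+$")


def cwe_ids(record: dict) -> list[str]:
    """Return every well-formed CWE id attached to one CVE record."""
    cna = record.get("containers", {}).get("cna", {})
    found = []
    for problem in cna.get("problemTypes", []):
        for desc in problem.get("descriptions", []):
            cwe = desc.get("cweId", "")
            if CWE_ID.match(cwe):
                found.append(cwe)
    return found


def missing_cwe(records: list[dict]) -> list[str]:
    """CVE ids whose record names no root-cause CWE, sorted for stable reporting."""
    return sorted(r["cveMetadata"]["cveId"] for r in records if not cwe_ids(r))


# Constructed sample feed: one classified record, one with only free text,
# one with a malformed CWE value that a publisher should reject.
SAMPLE_FEED = json.loads("""[
 {"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-1900-0001"},
  "containers": {"cna": {"problemTypes": [{"descriptions": [
    {"lang": "en", "type": "CWE", "cweId": "CWE-121",
     "description": "CWE-121 Stack-based Buffer Overflow"}]}]}}},
 {"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-1900-0002"},
  "containers": {"cna": {"problemTypes": [{"descriptions": [
    {"lang": "en", "type": "text", "description": "memory corruption"}]}]}}},
 {"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-1900-0003"},
  "containers": {"cna": {"problemTypes": [{"descriptions": [
    {"lang": "en", "type": "CWE", "cweId": "CWE-?", "description": "unknown"}]}]}}}
]""")

if __name__ == "__main__":
    for cve in missing_cwe(SAMPLE_FEED):
        print(f"{cve}: no CWE identifier; root cause not classified")
```

Run against a real CVE export, the same check flags every record a vendor published without the root-cause classification the advisory calls for.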
For end-user organizations:
- Patch and update promptly: Patching known vulnerabilities is critical to reducing an organization's risk profile. The advisory recommends that organizations apply patches promptly and establish centralized patch management processes.
- Implement security tools: Cybersecurity tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers are recommended to detect and prevent malicious activity. Additionally, organizations should "ask software providers to discuss their secure by design program… to set secure default settings."
Addressing Zero-Day exploits
The advisory also emphasizes the evolving nature of cyber threats, with an increasing reliance on Zero-Day exploits. These vulnerabilities—exploited before a patch is available—have become an effective means for attackers to gain initial access to high-value networks. "Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure," the advisory notes. Therefore, rapid response and patching are essential, as attackers often leverage these vulnerabilities soon after they are made public.
Staying ahead of threats with proactive measures
This joint advisory underscores the critical need for proactive and reactive cybersecurity measures. As the list of top exploited vulnerabilities illustrates, malicious actors are not limiting themselves to recent exploits; they continue to target known, unpatched vulnerabilities to gain access to networks. Organizations must invest in robust cybersecurity practices, including adopting secure-by-design principles, rapid patch management, and advanced security monitoring tools to detect and prevent exploitation.
As the advisory concludes, "The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement… recommendations to reduce the risk of compromise by malicious cyber actors." This international effort reflects the importance of unified cybersecurity practices to combat an increasingly aggressive threat landscape.