The FBI, NSA, and allied agencies within the Five Eyes intelligence network have published a list of the 15 most exploited vulnerabilities from 2023. The cybersecurity advisory, a collaborative effort led by the Cybersecurity and Infrastructure Security Agency (CISA) alongside the national cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom, urges organizations worldwide to prioritize patching these vulnerabilities. The advisory highlights that malicious actors leveraged more zero-day vulnerabilities in 2023 than in 2022, exposing critical enterprise networks.
These zero-day vulnerabilities, which are exploited before the release of patches, enabled cyber actors to compromise high-priority targets with minimal resistance.
The advisory also emphasizes the need for organizations to deploy strong patch management systems to prevent further exposure.
Zero-day Vulnerabilities: Background and Purpose
The advisory, developed by cybersecurity agencies in the Five Eyes alliance, aims to provide critical insights into the most exploited vulnerabilities and associated risks in 2023. This release serves as a reference for both developers and organizations, advising them to adopt a proactive approach to vulnerability management and security best practices.
The authoring agencies included:
- United States: CISA, FBI, and NSA
- Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
- Canada: Canadian Centre for Cyber Security (CCCS)
- New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and CERT NZ
- United Kingdom: National Cyber Security Centre (NCSC-UK)
Key Findings
The report’s findings highlight a growing trend: in 2023, the majority of the most exploited vulnerabilities were first exploited as zero-days, a rise from the previous year when fewer vulnerabilities were exploited before patches were available. Notably, cyber actors have been most successful in exploiting vulnerabilities within the first two years of their disclosure.
Table 1 below lists the top 15 vulnerabilities exploited throughout 2023. The table includes each vulnerability’s Common Vulnerabilities and Exposures (CVE) identifier, as well as affected platforms and exploit details.
| CVE | Platform | Vulnerability Details |
|---|---|---|
| CVE-2023-3519 | Citrix NetScaler ADC & Gateway | Causes stack buffer overflow via HTTP GET request |
| CVE-2023-4966 | Citrix NetScaler ADC & Gateway | Session token leakage, PoC revealed in Oct 2023 |
| CVE-2023-20198 | Cisco IOS XE Web UI | Unauthorized access; allows local user creation |
| CVE-2023-20273 | Cisco IOS XE | Escalates privileges to root once local user is created |
| CVE-2023-27997 | Fortinet FortiOS & FortiProxy SSL-VPN | Remote code execution via crafted requests |
| CVE-2023-34362 | Progress MOVEit Transfer | SQL injection grants sysadmin access and remote code execution |
| CVE-2023-22515 | Atlassian Confluence | Exploits improper input validation; adds admin user |
| CVE-2021-44228 | Apache Log4j (Log4Shell) | Code execution vulnerability; active since Dec 2021 |
| CVE-2023-2868 | Barracuda ESG Appliance | Unauthorized access and remote command execution |
| CVE-2022-47966 | Zoho ManageEngine | Executes arbitrary code via SAML endpoint |
| CVE-2023-27350 | PaperCut MF/NG | Bypasses authentication, executes code through scripting |
| CVE-2020-1472 | Microsoft Netlogon | Privilege escalation via secure channel exploit |
| CVE-2023-42793 | JetBrains TeamCity | Authentication bypass allows remote code execution |
| CVE-2023-23397 | Microsoft Outlook | Privilege escalation via specially crafted emails |
| CVE-2023-49103 | ownCloud graphapi | Unauthenticated access to sensitive admin data |
Recommended Mitigations
The advisory includes actionable recommendations to help organizations secure their networks against these vulnerabilities. Here’s a summary of the key measures:
For Developers and Vendors
- Secure Software Development: Follow secure design principles, integrating security at each stage of the Software Development Life Cycle (SDLC).
- SP 800-218 SSDF Compliance: Implement secure practices such as peer code reviews, vulnerability disclosure programs, and static and dynamic application security testing (SAST/DAST) to identify and mitigate vulnerabilities.
- Secure by Default Configurations: Eliminate default passwords, employ single sign-on (SSO) technology, and maintain high-quality audit logs.
For End-User Organizations
- Patch Management: Regularly update systems, prioritizing the patching of known exploited vulnerabilities (KEVs) listed in the advisory.
- Security Tools: Deploy endpoint detection and response (EDR) systems, web application firewalls, and network protocol analyzers to detect and respond to zero-day exploit attempts.
- Secure Configurations: Enforce secure default configurations to reduce unnecessary exposure and improve overall security resilience.
Implementing Security-Centered Development Lifecycles
The advisory encourages implementing security-centered product development lifecycles, reducing vulnerability exposure through vigrous testing and threat modeling. By enhancing the development process with these practices, developers can better prevent vulnerabilities and minimize the need for post-deployment patches, which can be costly and time-consuming.
