Zero-days top the list of most exploited vulnerabilities in 2023

Zero-day vulnerabilities topped the list of most frequently exploited flaws in 2023, according to a new report from the Cybersecurity and Infrastructure Security Agency (CISA) and its counterparts in Five Eyes countries.

In 2023, ten of the fifteen most exploited vulnerabilities were initially zero-days. Among the notable zero-day flaws were those impacting Barracuda’s Email Security Gateway (ESG) appliances, exploited by suspected Chinese hackers, which led the company to advise customers to replace compromised devices. Other vulnerabilities included the MOVEit zero-day, which fueled a widespread data breach, and CitrixBleed, a flaw that affected Citrix’s network perimeter devices and has been exploited in the Lockbit ransomware attacks.

The top 15 vulnerabilities are listed as follows:

  • CVE-2023-3519: Code injection in Citrix NetScaler ADC and NetScaler Gateway. Allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using an HTTP GET request.

  • CVE-2023-4966: Cross-site scripting in Citrix NetScaler ADC and NetScaler Gateway. Allows session token leakage. A proof-of-concept for this exploit was revealed in October 2023.

  • CVE-2023-20198 and CVE-2023-20273: Improper Privilege Management in Cisco IOS XE Web UI. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected device and create an account with privilege level 15 access.

  • CVE-2023-27997: Unauthenticated remote code execution in Fortinet FortiOS and FortiProxy SSL-VPN. Allows a remote user to craft specific requests to execute arbitrary code or commands.

  • CVE-2023-34362: SQL injection in Progress MOVEit Transfer. Allows an attacker to obtain a sysadmin API access token.

  • CVE-2023-22515: Remote code execution in Atlassian Confluence Data Center and Server. A remote non-authenticated attacker can send specially crafted requests to the server to create an administrative account and gain unauthorized access to the system.

  • CVE-2021-44228 (Log4Shell): Remote code execution in Apache’s Log4j library, an open source logging framework incorporated into thousands of products worldwide. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system. The vulnerability has been frequently exploited by threat actors following public disclosure in December 2021.

  • CVE-2023-2868: Remote command injection in Barracuda Networks Email Security Gateway (ESG) Appliance. Allows a threat actor to obtain unauthorized access and remotely execute system commands via the ESG appliance.

  • CVE-2022-47966: Remote code execution impacting multiple Zoho ManageEngine products when SAML SSO is enabled. A remote non-authenticated attacker can bypass the authentication process and compromise the affected system.

  • CVE-2023-27350: Improper access control in PaperCut MF/NG. A remote non-authenticated attacker can bypass the authentication process and execute arbitrary code with SYSTEM privileges.

  • CVE-2020-1472: Privilege escalation in Microsoft Netlogon. An unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol. The flaw has been included in top routinely exploited vulnerabilities lists since 2021.

  • CVE-2023-42793: Authentication bypass in JetBrains TeamCity servers that allows remote code execution against vulnerable servers.

  • CVE-2023-23397: Net-NTLMv2 hash leak in Microsoft Outlook. Allows elevation of privilege.

  • CVE-2023-49103: Information disclosure in ownCloud graphapi. An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.

The advisory also includes a lengthy list of other vulnerabilities exploited by malicious actors, as well as mitigations organizations can use to protect their corporate networks from cyberattacks.