
These 15 Bugs Are Attackers' Favorites Right Now

It should come as no surprise that some of the more serious ones are in edge security devices

There is no shortage of critical vulnerabilities in major products for attackers to take advantage of, and they don’t let the opportunity pass by. In a new advisory from CISA and partners in Australia, Canada, New Zealand, and the U.K., the agencies detail the 15 most commonly exploited vulnerabilities.

The advisory, co-authored by the signals intelligence and cybersecurity agencies in various countries, paints a rather bleak picture of the security of enterprise software.

Among the 15 vulnerabilities listed, two are in Citrix’s NetScaler ADC, two are in Cisco’s IOS XE software, one is in the Fortinet FortiOS and FortiProxy SSL-VPN, and one is in the Barracuda Email Security Gateway. All of these sit at the network edge, where a single flaw gives an attacker a foothold without first compromising a user.

Some of the remaining flaws will be familiar to any defender: the Apache Log4Shell bug and the Progress MOVEit Transfer vulnerability, both of which have become major problems for thousands of organizations. 

CVEs:

  • CVE-2023-3519 - Citrix - NetScaler ADC - Unauthenticated remote code execution

  • CVE-2023-4966 - Citrix - NetScaler ADC - Unauthenticated sensitive information disclosure

  • CVE-2023-20198 - Cisco - IOS XE - Privilege Escalation Vulnerability

  • CVE-2023-20273 - Cisco - IOS XE - OS Command Injection

  • CVE-2023-27997 - Fortinet - FortiOS-6K7K - Execute unauthorized code or commands

  • CVE-2023-34362 - Progress - MOVEit Transfer - SQL Injection

  • CVE-2023-22515 - Atlassian - Confluence Data Center and Server - Broken Access Control

  • CVE-2021-44228 - Apache - Log4j2 - Remote Code Execution

  • CVE-2023-2868 - Barracuda Networks - ESG Appliance - Improper Input Validation

  • CVE-2022-47966 - Zoho ManageEngine - Multiple Products - Remote Code Execution

  • CVE-2023-27350 - PaperCut - MF/NG - Improper Access Control

  • CVE-2020-1472 - Microsoft - Netlogon - Privilege Escalation

  • CVE-2023-42793 - JetBrains - TeamCity - Authentication Bypass

  • CVE-2023-23397 - Microsoft - Office Outlook - Privilege Escalation

  • CVE-2023-49103 - ownCloud - graphapi - Information Disclosure

Why It Matters: All of these vulnerabilities are publicly known, technical details and patches are widely available, and some of them are several years old.

For example, the Log4Shell bug is from 2021 and another of the flaws, in Microsoft Netlogon, is from 2020.

The fact that attackers are still having success exploiting these vulnerabilities says little good about the current state of patch management. Many of these vulnerabilities were also first exploited as zero-days, before a fix existed.

“In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day,” the advisory says. 

“Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.”

What to Do Now: Patch these vulnerabilities as soon as possible. Attackers are clearly focusing their efforts on these bugs and having plenty of success. Many of these vulnerabilities were disclosed two or more years ago, so there has been more than enough time to apply the updates. Because several of them were exploited before patches existed, an edge device that was exposed during that window should also be checked for signs of earlier compromise; applying the update alone does not evict an attacker who is already inside.
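A practical way to act on the list is to cross-reference it against CISA's Known Exploited Vulnerabilities (KEV) catalog and your own asset inventory, and rank unpatched exposures by how long they have been known. The script below is an added example for this post, not code from the advisory or from CISA. It parses a feed in the KEV catalog's JSON shape (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but the entries embedded here are a constructed sample with illustrative dates, not the authoritative catalog, and only a few of the 15 are included. The inventory format and the exact-string match on vendor and product name are assumptions; in practice you would load the live catalog from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and your CMDB or scanner export.

```python
"""Triage the advisory's top-15 list against a KEV-format feed and an inventory.

Added example; not from the advisory or CISA. Sample data below is constructed.
"""
import json
from datetime import date

# The 15 CVEs named in the advisory, as listed in this post.
TOP_15 = {
    "CVE-2023-3519", "CVE-2023-4966", "CVE-2023-20198", "CVE-2023-20273",
    "CVE-2023-27997", "CVE-2023-34362", "CVE-2023-22515", "CVE-2021-44228",
    "CVE-2023-2868", "CVE-2022-47966", "CVE-2023-27350", "CVE-2020-1472",
    "CVE-2023-42793", "CVE-2023-23397", "CVE-2023-49103",
}

# Constructed sample in the KEV catalog's JSON shape. Dates are illustrative
# only; replace with the live feed for real work.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE Web UI",
     "dateAdded": "2023-10-16", "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"},
    # A KEV entry that is not on the advisory's list; triage() must ignore it.
    {"cveID": "CVE-2019-19781", "vendorProject": "Citrix", "product": "ADC and Gateway",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed inventory (hypothetical format): what runs where, and which CVEs
# each asset has already been patched for.
INVENTORY = [
    {"host": "web-01", "vendor": "Apache", "product": "Log4j2", "patched": set()},
    {"host": "dc-01", "vendor": "Microsoft", "product": "Netlogon", "patched": {"CVE-2020-1472"}},
    {"host": "mft-01", "vendor": "Progress", "product": "MOVEit Transfer", "patched": set()},
    {"host": "edge-rtr-01", "vendor": "Cisco", "product": "IOS XE Web UI", "patched": set()},
]


def load_kev(raw_json):
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def top15_coverage(kev):
    """Which of the advisory's CVEs the feed knows about, and which it is missing."""
    present = sorted(c for c in TOP_15 if c in kev)
    missing = sorted(TOP_15 - set(kev))
    return present, missing


def triage(kev, inventory, today):
    """List unpatched top-15 exposures, oldest and most overdue first."""
    findings = []
    for entry in kev.values():
        if entry["cveID"] not in TOP_15:
            continue
        for asset in inventory:
            if (asset["vendor"], asset["product"]) != (entry["vendorProject"], entry["product"]):
                continue
            if entry["cveID"] in asset["patched"]:
                continue
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_in_kev": (today - added).days,
                "days_past_due": (today - due).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Most overdue first; ransomware-linked entries win ties.
    findings.sort(key=lambda f: (-f["days_past_due"], not f["ransomware"], f["cve"]))
    return findings


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    present, missing = top15_coverage(kev)
    print(f"{len(present)} of {len(TOP_15)} advisory CVEs found in feed; missing: {missing}")
    for f in triage(kev, INVENTORY, date.today()):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['host']:<12} {f['cve']:<16} {f['days_in_kev']:>5}d in KEV, "
              f"{f['days_past_due']:>5}d past due{flag}")
```

The ordering is the point: an asset still exposed to Log4Shell three years after it entered the catalog belongs above a router missing a one-year-old fix, and the `knownRansomwareCampaignUse` field from the feed is the tie-breaker. Assets whose `patched` set already names the CVE drop out, so re-running the script after each maintenance window gives a shrinking list rather than a static table.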