The Australian Signals Directorate and its international partners have published a joint advisory on the top routinely exploited vulnerabilities.
The advisory provides details, collected and compiled by the authoring agencies, on the common vulnerabilities and exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated common weakness enumerations.
Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.
Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
The top 15 vulnerabilities the authoring agencies observed malicious cyber actors routinely exploiting in 2023 include:
- CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway;
- CVE-2023-4966: This vulnerability also affects Citrix NetScaler ADC and NetScaler Gateway;
- CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI;
- CVE-2023-20273: This vulnerability affects also Cisco IOS XE, following activity from CVE-2023-20198;
- CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy SSL-VPN;
- CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer;
- CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center and Server;
- CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide;
- CVE-2023-2868: This is a remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance;
- CVE-2022-47966: This is an unauthenticated, remote code execution vulnerability that affects multiple products using Zoho ManageEngine;
- CVE-2023-27350: This vulnerability affects PaperCut MF/NG;
- CVE-2020-1472: This vulnerability affects Microsoft Netlogon;
- CVE-2023-42793: This vulnerability can affect JetBrains TeamCity servers;
- CVE-2023-23397: This vulnerability affects Microsoft Office Outlook; and
- CVE-2023-49103: This vulnerability affects ownCloud graphapi.
The authoring agencies recommend that end-user organisations implement mitigations to improve their cybersecurity posture based on threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organisations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.
You can read the full details, including recommended mitigations, in the advisory published on the Cyber.gov.au website.
