Zero-days from top security vendors were most exploited CVEs in 2023

Zero-days comprised the majority of the most routinely exploited vulnerabilities last year, an increase from 2022 which allowed cybercriminals to attack higher-priority targets, Five Eyes cyber officials said in a Tuesday advisory.

The top five vulnerabilities exploited by attackers in 2023 were found in three vendors across networking devices, remote access servers and firewalls.

Last year, the two pairs of CVEs in Citrix and Cisco products, respectively, comprised the four most-exploited vulnerabilities of the year.

Attackers can inflict far reaching and sustained damage on thousands of organizations by focusing their efforts on compromising widely used technology. And the technology that is most abused is coming from leading security vendors, which have repeat CVEs.

While the report is a look back on 2023, the same trend continues and impacts are still playing out for customers across a wide swath of security device and service vendors.

The Cybersecurity and Infrastructure Security Agency is trying to clean up software vendors’ code by encouraging technology companies to eliminate entire classes of defects, coding errors and vulnerabilities from their products.

The agency’s secure-by-design initiative, which aims to shift security responsibilities from customers to vendors by building security into their products during the design and development phase, is part of that effort. Nearly 250 companies, including Cisco and Fortinet, have signed CISA’s voluntary pledge since May.

Yet, the problem persists and the lack of progress underscores CISA’s limited capability to change long-ingrained software development practices. Software defects that continue to cause problems for customers are baked into products that are already in the market.

Citrix bleeds

Researchers dubbed CVE-2023-4966 CitrixBleed as the critical buffer overflow vulnerability caused widespread concern last year. CitrixBleed exploits were linked to ransomware attacks, which impacted some of the most highly regulated companies in the world, including Boeing and Comcast.

The vulnerability affecting Citrix Netscaler Application Delivery Control and Netscaler Gateway was the second-most frequently exploited CVE last year. A critical code injection vulnerability in the same Citrix product, CVE-2023-3519, was the most exploited CVE in 2023.

CISA’s known exploited vulnerabilities catalog, which dates back to 2022, contains 16 Citrix vulnerabilities. Six of those CVEs are known to be used in ransomware campaigns.

Cisco CVEs appear by the dozen

A critical zero-day vulnerability in the web user interface of Cisco IOS XE, CVE-2023-20198, allowed attackers to gain full access to all commands.

A second vulnerability in Cisco IOS XE, CVE-2023-20273, allowed attackers to escalate privileges and write malicious implants to the file system.

Cisco CVEs appear 74 times in CISA’s known exploited vulnerabilities catalog, and five of those vulnerabilities are known to be used in ransomware campaigns.

Fortinet, popular in ransomware campaigns

A heap-based overflow vulnerability affecting Fortinet FortiOS and FortiProxy SSL-VPN, CVE-2023-27997, put nearly 500,000 firewalls at risk of exploits. The critical vulnerability allowed attackers to execute arbitrary code or commands.

CISA’s known exploited vulnerabilities catalog contains 15 Fortinet vulnerabilities. Eight of those CVEs are known to be used in ransomware campaigns.

MOVEit meltdown claims No. 6 spot

Progress Software, which was responsible for one of the farthest reaching CVEs last year, fell just outside of the top five, coming in as the sixth-most exploited vulnerability in 2023.

The zero-day vulnerability in MOVEit, CVE-2023-34362, led to a spree of attacks against MOVEit environments over Memorial Day weekend 2023. The Clop ransomware group, which was responsible for the attacks, ultimately stole highly sensitive data from more than 2,700 organizations and 93 million personal records.