Cybersecurity agencies from five countries collaborated on an advisory regarding Common Vulnerabilities and Exposures (CVEs) routinely exploited in 2023. The agencies involved in this advisory include:
- United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA)
- Canada: Canadian Centre for Cyber Security (CCCS)
- Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
- United Kingdom: National Cyber Security Centre (NCSC-UK)
- New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
Out of the 15 top vulnerabilities exploited, some include:
- A vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway, allowing unauthenticated user to create a stack buffer overflow
- A vulnerability impacting Microsoft Netlogon, allowing privilege escalation
- A vulnerability influencing ownCloud graphapi, allowing unauthenticated information disclosure
For a comprehensive list of all 15 vulnerabilities, review the advisory on CISA’s website. The advisory encourages organizations to patch vulnerabilities in a timely manner and engage a centralized patch management system in order to try and mitigate vulnerabilities.
Jared Smith, Distinguished Engineer, R&D Strategy at SecurityScorecard, comments, “This advisory reveals a troubling surge in zero-day exploits targeting enterprise networks compared to 2022. It underscores the critical importance of secure development practices, emphasizing the Secure By Design tactics to minimize vulnerabilities across the software lifecycle. However, Secure By Design only goes so far. Some of these products are written in languages that cannot be made bulletproof against zero-days.
“Two of the top exploited vulnerabilities were due to insecure memory access issues (buffer overflows). While CISA pushes for the software community to stop writing code in languages like C, which are extremely error-prone to memory issues, developers working on more secure versions of software to replace those written in C using languages like Rust are retiring due to burnout and near-religious debates about the (in)security of C and why it should or should not be used, despite the amount of issues it has led to in the products named in the list.
“Furthermore, it serves as an important reminder of the importance of limiting third-party applications and establishing clean notification processes for security incidents from third-party service providers. With 75% of third-party breaches targeting software and technology supply chains, embedding security from the outset can significantly enhance resilience across the supply chain.
“With the rise in vulnerabilities in 2023, this upward trend demands a proactive, trust-centered approach to limit the impact of exploited weaknesses and strengthen defenses across the board.”