Andreas Prott – stock.adobe.com
Threat actors increasingly favour zero-day exploits to attack their victims before patches become available according to the NCSC and CISA, which have just published a list of the most widely-used vulnerabilities of 2023
By
-
Alex Scroxton,
Security Editor
Published: 12 Nov 2024 16:49
Threat actors – both state-backed and financially-motivated – are increasingly taking advantage of previously unknown vulnerabilities, or zero-days, to compromise their victims before fixes or patches are made available by the tech industry, according to a new advisory published by the Five Eyes cyber agencies, including the UK’s National Cyber Security Centre (NCSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA).
The agencies have collectively drawn up a list of the 15 most exploited vulnerabilities of 2023 and found that the majority of exploited vulnerabilities were zero-days compared to less than half in 2022. The trend has continued through 2024, said the NCSC.
The NCSC said that defenders needed to up their game when it comes to vulnerability management, paying particular attention to applying updates as quickly as possible when they do arrive, and to making sure they have identified all the potentially affected IT assets in their estates.
The organisation also urged suppliers and developers to do more to implement secure-by-design principles into their products, something that the Five Eyes governments – Australia, Canada, New Zealand, the UK and the United States – have become particularly vocal about in the past 18 months. Doing so helps reduce the risk of vulnerabilities being accidentally introduced during development, only to be taken advantage off further down the line.
“More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organisations and vendors alike as malicious actors seek to infiltrate networks,” said NCSC chief technology officer (CTO) Ollie Whitehouse.
“To reduce the risk of compromise, it is vital all organisations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace,” said Whitehouse.
“We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whack-a-mole at source,” he added.
The full list of the vulnerabilities most frequently exploited during 2023 is as follows:
- CVE-2023-3519, a code injection flaw in Citrix NetScaler ADC and NetScaler Gateway;
- CVE-2023-4966, a buffer overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway, aka Citrix Bleed;
- CVE-2023-20198, an elevation of privilege (EoP) issue in Cisco IOS XE Web UI;
- CVE-2023-20273, a web UI command injection bug in Cisco IOS XE;
- CVE-2023-27997, a heap-based buffer overflow flaw in Fortinet FortiOS and FortiProxy SSL-VPN;
