The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.
"In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."
As they also revealed, 12 out of the top 15 vulnerabilities routinely abused in the wild were addressed last year, lining up with the agencies warning that threat actors focused their attacks on zero-days (security flaws that have been disclosed but are yet to be patched).
Here is the complete list of last year's most exploited vulnerabilities and relevant links to the National Vulnerability Database entries.
CVE | Vendor | Product | Type |
CVE-2023-3519 | Citrix | NetScaler ADC/Gateway | Code Injection |
CVE-2023-4966 | Citrix | NetScaler ADC/Gateway | Buffer Overflow |
CVE-2023-20198 | Cisco | IOS XE Web UI | Privilege Escalation |
CVE-2023-20273 | Cisco | IOS XE | Web UI Command Injection |
CVE-2023-27997 | Fortinet | FortiOS/FortiProxy SSL-VPN | Heap-Based Buffer Overflow |
CVE-2023-34362 | Progress | MOVEit Transfer | SQL Injection |
CVE-2023-22515 | Atlassian | Confluence Data Center/Server | Broken Access Control |
CVE-2021- 44228 (Log4Shell) | Apache | Log4j2 | Remote Code Execution |
CVE-2023-2868 | Barracuda Networks | ESG Appliance | Improper Input Validation |
CVE-2022-47966 | Zoho | ManageEngine Multiple Products | Remote Code Execution |
CVE-2023-27350 | PaperCut | MF/NG | Improper Access Control |
CVE-2020-1472 | Microsoft | Netlogon | Privilege Escalation |
CVE-2023-42793 | JetBrains | TeamCity | Authentication Bypass |
CVE-2023-23397 | Microsoft | Office Outlook | Privilege Escalation |
CVE-2023-49103 | ownCloud | graphapi | Information Disclosure |
CVE-2023-3519, a code injection vulnerability in NetScaler ADC / Gateway that enables attackers to gain remote code execution on unpatched servers, took the first spot after state hackers abused it to breach U.S. critical infrastructure organizations.
By early August 2023, this security flaw had been leveraged to backdoor at least 640 Citrix servers worldwide and over 2,000 by mid-August.
Today's advisory highlights 32 other vulnerabilities often exploited last year to compromise organizations and provides information on how defenders can decrease their exposure to attacks abusing them in the wild.
This June, MITRE also unveiled the 25 most dangerous software weaknesses for the previous two calendar years and, in November 2021, a list of the most important hardware weaknesses.
"All of these vulnerabilities are publicly known, but many are in the top 15 list for the first time," said Jeffrey Dickerson, NSA's cybersecurity technical director, on Tuesday.
"Network defenders should pay careful attention to trends and take immediate action to ensure vulnerabilities are patched and mitigated. Exploitation will likely continue in 2024 and 2025."