Cybersecurity Agencies Detail Top Vulnerabilities and Exposures 

Malicious cyber actors are increasingly exploiting zero-day vulnerabilities to compromise enterprise networks. This finding comes from the annual Cybersecurity Advisory (CSA) released November 12, 2024, which covers the top routinely exploited vulnerabilities of 2023.  

Eleven of the 15 Common Vulnerabilities and Exposures (CVEs) in 2023 were initially exploited as zero-day vulnerabilities, which are vulnerabilities in a computer system unknown to its owner, developer, and the general public. Compare this to the 2022 report, where only two of the top exploited vulnerabilities were zero-day. 

The advisory, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and foreign partners, alerts organizations about the most pressing cyber threats and provides guidance on mitigating these risks. 

Spike in Zero-Day Attacks on High-Priority Targets 

As cybercriminals exploit more zero-day vulnerabilities to compromise enterprise networks, they are able to conduct cyber operations against higher-priority targets.  

“All of these vulnerabilities are publicly known, but many are in the top 15 list for the first time,” said Jeffrey Dickerson, NSA’s cybersecurity technical director. “Network defenders should pay careful attention to trends and take immediate action to ensure vulnerabilities are patched and mitigated. Exploitation will likely continue in 2024 and 2025.” 

2023’s Top 15 Exploited Vulnerabilities Revealed 

The advisory details the top CVEs, which are summarized here by vulnerability – vendor – product(s): 

1. Code Injection – Citrix – NetScaler ADC, NetScaler Gateway 
2. Buffer Overflow – Citrix – NetScaler ADC, NetScaler Gateway 
3. Privilege Escalation – Cisco – IOS XE Web UI 
4. Web UI Command Injection – Cisco – IOS XE 
5. Heap-Based Buffer Overflow – Fortinet – FortiOS, FortiProxy SSL-VPN 
6. SQL Injection – Progress – MOVEit Transfer 
7. Broken Access Control – Atlassian – Confluence Data Center and Server 
8. Remote Code Execution (RCE) – Apache – Log4j2  
9. Improper Input Validation – Barracuda Networks – ESG Appliance 
10. Remote Code Execution – Zoho – ManageEngine Multiple Products 
11. Improper Access Control – PaperCut – MF/NG 
12. Privilege Escalation – Microsoft – Netlogon 
13. Authentication Bypass – JetBrains – TeamCity 
14. Privilege Escalation – Microsoft – Office Outlook 
15. Information Disclosure – ownCloud – graphapi 

Boost Defenses Against Zero-Day Exploits 

“IT security departments have been using layered approaches to protect against new and more advanced threats,” said Ron Bebus, PrivaPlan CIO, CISSP. “These layers include advanced detection technologies, continuous monitoring, and user awareness training. Now they must review and increase the sophistication of each layer to stay ahead of the new tactics being used and developed by cyber attackers.”

The cybersecurity agencies strongly urge vendors, developers, and end-user organizations to implement a range of mitigations, including timely patching, centralized patch management systems, and advanced security tools. Notably, most zero-day exploits, including at least three of last year’s top 15 vulnerabilities, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions.