The FBI, NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities in 2023. Most of these vulnerabilities were first abused as zero-days. The agencies revealed that 12 out of the top 15 vulnerabilities were addressed last year.
This confirms that threat actors focused their attacks on zero-days, security flaws that attackers exploit before the vendor has released a patch. A joint advisory published on Tuesday calls on organizations worldwide to patch these security flaws immediately. The advisory also urges organizations to deploy patch management systems to minimize their networks’ exposure to potential attacks.
Top 2023 vulnerabilities detailed
“In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022. This allowed them to conduct cyber operations against higher-priority targets,” the advisory states.
Jeffrey Dickerson, NSA’s cybersecurity technical director, emphasized, “All of these vulnerabilities are publicly known, but many are in the top 15 list for the first time.
Network defenders should pay careful attention to trends and take immediate action to ensure vulnerabilities are patched and mitigated. Exploitation will likely continue in 2024 and 2025.”
A notable vulnerability from the list is a code injection vulnerability in NetScaler ADC / Gateway. This vulnerability enables attackers to gain remote code execution on unpatched servers.
By early August 2023, this security flaw had been leveraged to backdoor systems worldwide. Today’s advisory highlights 32 other vulnerabilities often exploited last year to compromise organizations. It also provides information on how defenders can decrease their exposure to attacks.