Cybersecurity is like a never-ending game of whack-a-mole – as soon as you fix one vulnerability, another one pops up. But it’s not just about fixing problems; it’s about preventing them from happening in the first place. It’s time to get ahead of the game and equip ourselves with the right set of tools, controls, and processes to prevent these attacks before they happen. Join us as we delve into the five most commonly exploited vulnerabilities of 2023 and learn how to safeguard your business against these persistent threats.
Here is a list of the top exploited vulnerabilities as spotted by Veriti’s research team (CVE numbers are detailed below). The attacks below could have been stopped if the proper vulnerability protection had been turned on or a patching process had been implemented.
Chart: top exploited vulnerabilities, as spotted by Veriti’s research team. Categories shown: code execution, command injection, directory traversal, information disclosure, authentication bypass.
Starting from the top, the first one is remote code execution (RCE), the reigning champion of vulnerabilities. With its widespread impact, RCE links to two of the most notable applications that act as fertile ground for exploited vulnerabilities in recent times: Apache Struts and Microsoft Exchange.
Apache Struts
Apache Struts-related CVEs (Common Vulnerabilities and Exposures) are a crucial concern for organizations. One of the most well-known is CVE-2017-5638, which was responsible for the high-profile Equifax data breach. In this breach, the personal information of 143 million Americans was put at risk, highlighting the consequences of unpatched vulnerabilities.
The vulnerability in Apache Struts, an open-source web application framework for developing Java EE web applications, arose from incorrect exception handling and error message generation during file upload attempts. This flaw allowed remote attackers to execute arbitrary commands on the targeted system by sending a specially crafted Content-Type or Content-Disposition.
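The trigger shape for CVE-2017-5638 is a Content-Type (or Content-Disposition) header carrying an OGNL expression, which Struts ended up evaluating while building the error message. The following added example (not Veriti’s code, and not code from the Struts project) shows a simple defender-side check that a WAF rule or log reviewer could apply: it parses a raw request head and flags those two headers when they contain the `%{` or `${` expression delimiters that a legitimate upload never carries. The sample requests, including the `%{#placeholder}` marker, are constructed for the example.

```python
import re

# OGNL expressions are delimited by %{ ... } or ${ ... }. A legitimate
# multipart upload's Content-Type/Content-Disposition never contains them,
# so their presence in these headers is a high-confidence indicator.
OGNL_MARKER = re.compile(r"[%$]\{")
INSPECTED_HEADERS = ("content-type", "content-disposition")


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request head into method, path and a
    lower-cased header map. Only the head (up to the blank line) is read."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def struts_header_findings(req: dict) -> list:
    """Return the names of inspected headers that contain an OGNL marker."""
    return [
        name for name in INSPECTED_HEADERS
        if name in req["headers"] and OGNL_MARKER.search(req["headers"][name])
    ]


def is_suspicious_upload(raw: str) -> bool:
    """True when any inspected header of the raw request looks like OGNL."""
    return bool(struts_header_findings(parse_request(raw)))


# Constructed samples: a normal multipart upload, a request whose Content-Type
# merely carries an OGNL delimiter (no working payload), and one where the
# marker sits in Content-Disposition instead.
BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n"
    "\r\n"
)
SUSPICIOUS_CT = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: %{#placeholder}\r\n"
    "\r\n"
)
SUSPICIOUS_CD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n"
    "Content-Disposition: form-data; name=\"${#placeholder}\"\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("ct", SUSPICIOUS_CT), ("cd", SUSPICIOUS_CD)):
        print(label, struts_header_findings(parse_request(raw)))
```

A check like this is a detection aid, not a substitute for patching: it catches the header shape the vulnerability needs, while upgrading Struts removes the faulty error-message path altogether.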
It is still armed and dangerous, and for some reason, organizations still choose not to protect themselves from this attack.
Adding to the threat posed by CVE-2017-5638, there is another dangerous family member: CVE-2018-11776. This vulnerability is considered even more critical than its cousin, as it operates at a deeper level within the code and is more difficult for researchers to identify.
As shown in the chart below, in the last months, organizations have faced increased exploitation of both vulnerabilities. These vulnerabilities have garnered renewed attention and pose a significant threat to the security of impacted organizations. This serves as a reminder of the ongoing importance of staying vigilant and proactive in the face of evolving security threats.
Chart: organizations attacked by CVEs (CVE-2017-5638 and CVE-2018-11776 over recent months).
The following charts provide a visual representation of the geographical distribution of the targeted organizations, the industries they belong to, along with a timeline that details the identified vulnerabilities and volume of attack incidents.
Chart: top countries of targeted organizations: United States, Israel, India, France.
Chart: top industries of targeted organizations: ISP/MSP, manufacturing, education.
Other popular RCE CVEs
Other popular RCE CVEs (as spotted by Veriti’s researchers) that, for some reason, are continuously being exploited by cyber attackers without any response are:
| Vulnerability | Description |
| --- | --- |
| CVE-2017-12611 | Apache Struts2 Freemarker Remote Code Execution |
| CVE-2016-4438 | Apache Struts REST plugin Remote Code Execution |
| CVE-2017-12617 | Apache Tomcat HTTP PUT Remote Code Execution |
| CVE-2017-12615 | Apache Tomcat PUT Method Arbitrary File Upload Remote Code Execution |
| CVE-2016-3081 | Apache Struts Dynamic Method Remote Code Execution |
| CVE-2017-9805 | Apache Struts REST Plugin XStream Deserialization Remote Code Execution |
Microsoft Exchange
We all learned to love or at least appreciate Microsoft Exchange. After all, it is the unsung hero of corporate communications.
Microsoft Exchange is server software developed by Microsoft Corporation for managing email, scheduling, and other communications in a corporate environment. It provides a secure and reliable platform for businesses to manage their communications and collaborate effectively with employees, customers, and partners.
But when it comes to CVE-2021-26855, the hero mistakenly compromises the organization, allowing attackers to steal sensitive data and gain long-term access to victim environments. This attack is a server-side request forgery (SSRF) vulnerability in Exchange, allowing attackers to send arbitrary HTTP requests and authenticate as the Exchange server. Microsoft Threat Intelligence Center (MSTIC) has identified the source of the recent Microsoft Exchange attacks as HAFNIUM, a state-sponsored hacking group operating out of China. This conclusion was reached with high confidence based on the analysis of the techniques, tactics, and procedures used in the campaign.
The SSRF vulnerability
Another Microsoft Exchange vulnerability that attackers exploit in even greater numbers (as seen in the chart below) is CVE-2021-34473. This SSRF vulnerability is a sneaky one, allowing attackers to manipulate a vulnerable server into doing their bidding. That’s right, no authentication is needed – the attacker tricks the server into thinking it’s making requests on behalf of a trusted source. This happens because of a path confusion issue, where the server gets mixed up about which request it should be making.
Chart: organizations attacked by CVEs (CVE-2021-26855 and CVE-2021-34473).
Taking the proactive approach
As cyber threats become more sophisticated, organizations can no longer afford to take a reactive approach to security. Known vulnerabilities with CVSS scores of 9 and above, if left unaddressed, can result in disastrous consequences such as data breaches and significant downtime. However, many organizations are hesitant to switch to block mode to prevent these vulnerabilities from being exploited, fearing that doing so may cause unintended downtime and negatively impact business operations. To address this challenge, organizations should continuously and automatically assess their security configurations and correlate them with security logs to ensure that they are properly secured while minimizing the risk of downtime. By prioritizing proactive security measures, organizations can better protect themselves from potential threats and maintain business uptime without sacrificing security.
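The paragraph above describes the core loop: read the protection configuration, correlate it with what the security logs show hitting each signature, and decide where switching from detect to block mode is safe. The following added example (not Veriti’s code, and not a real product’s API) sketches that correlation for the CVEs named in this article. The configuration entries, CVSS values, detect/prevent modes and log lines are all constructed sample data; the CVSS numbers are placeholders to check against your own vulnerability feed, not authoritative scores.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Protection:
    cve: str
    cvss: float   # base score as recorded in the organisation's vulnerability feed
    mode: str     # "detect" (log only) or "prevent" (block)


# Constructed sample configuration: CVE IDs from the article, hypothetical
# scores and modes.
CONFIG = [
    Protection("CVE-2017-5638", 10.0, "detect"),
    Protection("CVE-2021-26855", 9.8, "prevent"),
    Protection("CVE-2021-34473", 9.1, "detect"),
    Protection("CVE-2018-11776", 8.1, "detect"),
]

# Constructed sample security log. 'verdict' records the analyst's triage of
# each hit: malicious, or benign (a confirmed false positive).
SAMPLE_LOG = """\
2023-06-01T08:00:00Z sig=CVE-2017-5638 action=detect verdict=malicious src=203.0.113.10
2023-06-01T08:05:00Z sig=CVE-2017-5638 action=detect verdict=malicious src=203.0.113.11
2023-06-01T09:00:00Z sig=CVE-2021-34473 action=detect verdict=benign src=198.51.100.7
2023-06-01T09:10:00Z sig=CVE-2021-34473 action=detect verdict=malicious src=203.0.113.12
2023-06-01T10:00:00Z sig=CVE-2021-26855 action=prevent verdict=malicious src=203.0.113.13
"""

LOG_LINE = re.compile(
    r"sig=(?P<cve>CVE-\d{4}-\d+) action=(?P<action>\w+) verdict=(?P<verdict>\w+)"
)


def parse_log(text: str) -> list:
    """Extract (cve, action, verdict) records from the sample log format."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def correlate(config: list, events: list, min_cvss: float = 9.0) -> list:
    """Join each protection with its log hits and recommend a mode change.

    - prevent mode: already blocking, nothing to do
    - detect mode, CVSS >= min_cvss, only malicious hits: safe to switch to prevent
    - detect mode, CVSS >= min_cvss, some benign hits: tune the rule first,
      then switch, so blocking does not cause the downtime operators fear
    - detect mode, CVSS < min_cvss: review at lower priority
    """
    hits = {}
    for event in events:
        counts = hits.setdefault(event["cve"], {"malicious": 0, "benign": 0})
        if event["verdict"] in counts:
            counts[event["verdict"]] += 1

    report = []
    for prot in sorted(config, key=lambda p: p.cvss, reverse=True):
        counts = hits.get(prot.cve, {"malicious": 0, "benign": 0})
        if prot.mode == "prevent":
            recommendation = "already_blocking"
        elif prot.cvss >= min_cvss:
            recommendation = "tune_then_prevent" if counts["benign"] else "switch_to_prevent"
        else:
            recommendation = "review"
        report.append({
            "cve": prot.cve, "cvss": prot.cvss, "mode": prot.mode,
            "malicious": counts["malicious"], "benign": counts["benign"],
            "recommendation": recommendation,
        })
    return report


def recommendations(config: list = CONFIG, log_text: str = SAMPLE_LOG) -> dict:
    """Convenience view: CVE -> recommendation."""
    return {row["cve"]: row["recommendation"] for row in correlate(config, parse_log(log_text))}


if __name__ == "__main__":
    for row in correlate(CONFIG, parse_log(SAMPLE_LOG)):
        print(row)
```

The useful property is the split between `switch_to_prevent` and `tune_then_prevent`: a critical signature that has only ever matched confirmed attacks can be flipped to block mode with little risk, whereas one that has also matched legitimate traffic is exactly the case where a blind switch causes the outage the paragraph warns about, so it gets tuned before blocking.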