5 Most COMMONLY exploited vulnerabilities today – Part 1

Cybersecurity is like a never-ending game of whack-a-mole – as soon as you fix one vulnerability, another one pops up. But it’s not just about fixing problems; it’s about preventing them from happening in the first place. It’s time to get ahead of the game and equip ourselves with the right set of tools, controls, and processes to prevent these attacks before they happen. Join us as we delve into the five most commonly exploited vulnerabilities of 2023 and learn how to safeguard your business against these persistent threats. 

Here is a list of top exploited vulnerabilities as spotted by Veriti’s research team (CVE numbers are detailed below). The below attacks could have been patched if the proper vulnerability protection was turned on/ patching process had been implemented. 

REMOTE CODE EXECUTION 

Starting from the top, the first one is remote code execution (RCE), the reigning champion of vulnerabilities. With its widespread impact, RCE links to two of the most notable applications that act as fertile ground for exploited vulnerabilities in recent times: Apache Struts and Microsoft Exchange.  

Remote code execution is a vulnerability that allows attackers to execute arbitrary code on a targeted system, typically over a network connection. This vulnerability can occur when an application fails to properly validate user input, allowing attackers to inject malicious code into the application and have it executed on the target system.

Apache Struts 

Apache Struts-related CVEs (Common Vulnerabilities and Exposures) are a crucial concern for organizations. One of the most well-known CVEs is CVE-2017-5638., which was responsible for the high-profile Equifax data breach. In this breach, the personal information of 143 million Americans was put at risk, highlighting the consequences of unpatched vulnerabilities. 

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.

The vulnerability in Apache Struts, an open-source web application framework for developing Java EE web applications, arose from incorrect exception handling and error message generation during file upload attempts. This flaw allowed remote attackers to execute arbitrary commands on the targeted system by sending a specially crafted Content-Type or Content-Disposition.  

It is still armed and dangerous, and for some reason, organizations still choose not to protect themselves from this attack. 

still armed and dangerous

Adding to the threat posed by CVE-2017-5638, there is another dangerous family member: CVE-2018-11776,. This vulnerability is considered even more critical than its cousin, as it operates at a deeper level within the code and is more difficult for researchers to identify. 

As shown in the chart below, in the last months, organizations have faced increased exploitation of both vulnerabilities. These vulnerabilities have garnered renewed attention and pose a significant threat to the security of impacted organizations. This serves as a reminder of the ongoing importance of staying vigilant and proactive in the face of evolving security threats. 

Other popular RCE CVEs

Other popular RCE CVEs (as spotted by Veriti’s researchers) that, for some reason, are continuously being exploited by cyber attackers without any response are:  

Microsoft Exchange 

We all learned to love or at least appreciate Microsoft Exchange. After all, it is the unsung hero of corporate communications.  

Microsoft Exchange is a server software developed by Microsoft Corporation for managing email, scheduling, and other communications in a corporate environment. It provides a secure and reliable platform for businesses to manage their communications and collaborate effectively with employees, customers, and partners

But when it comes to CVE-2021-26855, the hero mistakenly compromises the organization, allowing attackers to steal sensitive data and gain long-term access to victim environments. This attack is a server-side request forgery (SSRF) vulnerability in Exchange, allowing attackers to send arbitrary HTTP requests and authenticate as the Exchange server.  Microsoft Threat Intelligence Center (MSTIC) has identified the source of the recent Microsoft Exchange attacks as HAFNIUM, a state-sponsored hacking group operating out of China. This conclusion was reached with high confidence based on the analysis of the techniques, tactics, and procedures used in the campaign. 

The SSRF vulnerability

Another Microsoft Exchange vulnerability that attackers exploit even in greater numbers (as seen on the table below) is CVE-2021-34473. This SSRF vulnerability is a sneaky one, allowing attackers to manipulate a vulnerable server into doing their bidding. That’s right, no authentication is needed – the attacker tricks the server into thinking it’s making requests on behalf of a trusted source. This happens because of a path confusion issue, where the server gets mixed up on which request it should be making. 

Taking the proactive approach

As cyber threats become more sophisticated, organizations can no longer afford to take a reactive approach to security. Known vulnerabilities with CVSS scores of 9 and above, if left unaddressed, can result in disastrous consequences such as data breaches and significant downtime. However, many organizations are hesitant to switch to block mode to prevent these vulnerabilities from being exploited, fearing that doing so may cause unintended downtime and negatively impact business operations. To address this challenge, organizations should continuously and automatically assess their security configurations and correlate them with security logs to ensure that they are properly secured while minimizing the risk of downtime. By prioritizing proactive security measures, organizations can better protect themselves from potential threats and maintain business uptime without sacrificing security.