FORT MEADE, Md. - Malicious cyber actors are increasingly exploiting zero day vulnerabilities to compromise enterprise networks, according to an annual Cybersecurity Advisory (CSA) about the top routinely exploited vulnerabilities co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and domestic and foreign partners.
The CSA, “2023 Top Routinely Exploited Vulnerabilities,” details the top 15 Common Vulnerabilities and Exposures (CVEs) collected by the authoring agencies in 2023. Eleven of the 15 CVEs were initially exploited as a zero day – a vulnerability in a computer system unknown to its owner, developer, and the general public. In contrast, only two of the top exploited vulnerabilities in the 2022 report were zero days.
“All of these vulnerabilities are publicly known, but many are in the top 15 list for the first time,” said Jeffrey Dickerson, NSA’s cybersecurity technical director. “Network defenders should pay careful attention to trends and take immediate action to ensure vulnerabilities are patched and mitigated. Exploitation will likely continue in 2024 and 2025.”
In addition to the top 15 exploited CVEs, the CSA shares a comprehensive list of additional routinely exploited vulnerabilities. The authors are releasing the data points, along with previous annual reports, to assist in future trend analysis and retrospection.
The report urges vendors, designers, and developers to prioritize secure by default configurations and to ensure published CVEs include the proper Common Weakness Enumerations (CWEs) to identify the root cause of the vulnerability. It also advises end-user organizations to apply timely patches to systems, implement a centralized patch management system, use security tools (e.g., endpoint detection and response (EDR), web application firewalls, and network protocol analyzers), and ask software providers about their secure by design programs.
Additional co-authors are the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), Computer Emergency Response Team New Zealand (CERT NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).