Highlights
- CVE-2023-23397 seems to be one of the most dangerous vulnerability in Q1 2023 as no user interaction is needed. It is a Privilege Escalation vulnerability and affects all versions of Microsoft Outlook desktop. APT28 threat actor group took advantage of this vulnerability to attack sectors such as Governments, Military, Energy and Transportation in broader Europe.
- A Bypass Authentication vulnerability, CVE-2023-27350, affected Papercut servers. Bl00dy, Clop and Lockbit ransomware operations took advantage of this vulnerability by attacking different countries and sectors to steal corporate data.
- Mirai Botnet, and variations of it , took advantage of two critical CVE vulnerabilities, the CVE-2023-28771 (Zyxel) and the CVE-2023-1389 (TP-Link) respectively. Both CVEs suffered from an OS command injection vulnerability.
- Clop ransomware gang took advantage of the CVE-2023-0669 OS command injection vulnerability. It has been exploited as a zero-day to steal data from various companies worldwide.
- A zero-day remote command injection vulnerability, CVE-2023-2868, has been exploited since 2022, for at least seven (7) months, to backdoor customers Barracuda Email Security Gateway (ESG) appliances. It was identified on May 19 2023. A custom malware was deployed to Barracuda ESG appliances with an ultimate goal to steal data.
- Magniber ransomware gang group took advantage of the Security Bypass vulnerability, CVE-2023-24880, in Microsoft Windows.
- Nokoyama ransomware gang group took advantage of the CLFS (Common Log File System) driver Privilege Escalation vulnerability, CVE-2023-28252, in Microsoft Windows.
- A Russia threat actor group, namely FIN7, took advantage of a design flaw vulnerability, CVE-2023-27532, which affected the Veeam Backup software.
- Threat actor groups, including UNC4857 and Lace Tempest, took advantage of a critical SQL Injection vulnerability, CVE-2023-34362, in the MOVEit Transfer, a secure managed file transfer software. Threat actors uploaded web shells with data exfiltration capabilities.
Vulnerabilities
In the following table we describe the vulnerabilities per vendor/product. Each row contains the following information:
- CVE
- Vendor
- Product
- PRIOn Score
- Vulnerability Type
- Threat Reports
- Exploited in the Wild
- Available exploits
- Advisory (Patch/Info)
|
CVE
|
Vendor
|
Product
|
PRIOn Score
|
Vulnerability Type
|
Threat Reports
|
Exploited In the Wild
|
Exploits
|
Advisory (Patch/Info)
|
|---|---|---|---|---|---|---|---|---|
|
Microsoft
|
Office
|
99
|
Privilege Escalation
|
YES (APT28)
|
|
|
||
|
PaperCut
|
NG
|
95
|
Bypass Authentication
|
YES (Bl00dy/Clop/LockBit)
|
|
|
||
|
Fortra
|
GoAnywhere MFT
|
94
|
Command Injection
|
YES (T505/Clop/LockBit)
|
|
|
||
|
Microsoft
|
Windows
|
94
|
Security Feature Bypass
|
YES (Magniber)
|
|
N/A
|
||
|
Microsoft
|
Microsoft
|
94
|
Privilege Escalation
|
YES (Nokoyama)
|
|
N/A
|
||
|
Barracuda
|
ESG
|
93
|
Command Injection
|
YES (SALTWATER/SEASPY/SEASIDE)
|
|
N/A
|
||
|
Zyxel
|
ZyWALL/USG/FLEX/ATP
|
93
|
OS Command Injection
|
YES (Mirai Botnet)
|
|
|
||
|
Progress
|
MOVEit Transfer
|
93
|
SQL Injection
|
YES (UNC4857)
|
|
N/A
|
||
|
Google
|
Chrome
|
88
|
Integer Overflow
|
N/A
|
|
N/A
|
||
|
Veeam
|
Backup & Replication
|
86
|
Design Flaw
|
YES (FIN7)
|
N/A
|
|
||
|
Microsoft
|
Windows
|
86
|
Privilege Escalation
|
N/A
|
|
N/A
|
||
|
Google
|
Chrome
|
86
|
Type Confusion
|
N/A
|
|
N/A
|
||
|
Apple
|
Multiple
|
86
|
Out of Bounds Write
|
N/A
|
|
N/A
|
||
|
Adobe
|
ColdFusion
|
86
|
Improper Access Control
|
N/A
|
|
|
||
|
Microsoft
|
Windows
|
86
|
Privilege Escalation
|
N/A
|
|
N/A
|
||
|
Microsoft
|
Windows
|
86
|
Security Feature Bypass
|
N/A
|
|
N/A
|
||
|
Apple
|
Multiple
|
86
|
Type Confusion
|
N/A
|
|
N/A
|
||
|
Microsoft
|
Windows
|
86
|
Privilege Escalation
|
N/A
|
|
N/A
|
||
|
Sugarcrm
|
Sugarcrm
|
86
|
Input Validation
|
N/A
|
|
|
||
|
Microsoft
|
Windows
|
85
|
Remote Code Execution
|
N/A
|
|
N/A
|
||
|
Oracle
|
Weblogic
|
85
|
Design Flaw
|
N/A
|
|
|
||
|
Minio
|
Minio
|
84
|
Information Disclosure
|
N/A
|
|
|
||
|
Ruckuswireless
|
Ruckuswireless
|
83
|
Remote Code Execution
|
YES (AndoryuBot)
|
|
N/A
|
||
|
Apple
|
Webkit
|
82
|
Use After Free
|
N/A
|
|
N/A
|
||
|
Apple
|
Webkit
|
82
|
Out of Bounds Read
|
N/A
|
|
N/A
|
||
|
Apple
|
Webkit
|
82
|
Sandbox Escape
|
N/A
|
|
N/A
|
||
|
ARM
|
GPU
|
81
|
Memory Leak
|
N/A
|
|
N/A
|
||
|
TP-Link
|
Archer Ax21
|
80
|
Command Injection
|
YES (Mirai Botnet)
|
|
N/A
|
||
|
Microsoft
|
Windows
|
78
|
Privilege Escalation
|
N/A
|
|
|
||
|
Zoho
|
ManageEngine
|
78
|
Command Injection
|
N/A
|
N/A
|
|
||
|
Microsoft
|
Windows
|
78
|
Privilege Escalation
|
N/A
|
N/A
|
|
||
|
Debian
|
Sudoedit
|
78
|
Privilege Escalation
|
N/A
|
N/A
|
|
||
|
Microsoft
|
Windows
|
77
|
Security Feature Bypass
|
N/A
|
|
|
||
|
Microsoft
|
Windows
|
76
|
Denial of Service
|
N/A
|
N/A
|
|
||
|
Microsoft
|
Windows
|
76
|
Privilege Escalation
|
N/A
|
N/A
|
|
||
|
Linux
|
Kernel
|
75
|
Use After Free
|
YES (Variston-Heliconia framework)
|
|
N/A
|
||
|
Noviservey
|
Noviservey
|
73
|
Remote Code Execution
|
N/A
|
|
N/A
|
||
|
Apple
|
Multiple
|
71
|
Use After Free
|
N/A
|
|
N/A
|
||
|
Google
|
Android
|
71
|
Privilege Escalation
|
N/A
|
|
N/A
|
||
|
Microsoft
|
Windows
|
69
|
Security Feature Bypass
|
YES (BlackLotus)
|
N/A
|
N/A
|
||
|
Microsoft
|
Windows
|
69
|
Security Feature Bypass
|
YES (Russian Threat Actor)
|
N/A
|
N/A
|
||
|
Papercut
|
NG
|
68
|
Bypass Authentication
|
YES (Clop/Lockbit)
|
N/A
|
N/A
|
||
|
3CX
|
DesktopApp
|
68
|
Design Flaw
|
YES (Unknown Actor(s))
|
N/A
|
N/A
|
||
|
Samsung
|
Mobile
|
63
|
Security Feature Bypass
|
N/A
|
|
N/A
|
Vendors
The following graph shows that 34.9% of the total disclosed vulnerabilities were reported in Microsoft products. The two closest ones were reported in Apple products with 14% and Google products with 6.98%.
Vulnerability Types
The following vulnerability types were extracted from the CVE descriptions via NLP classification techniques. Among them, Privilege Escalation, 22.7%, seems to be the number one vulnerability type. This vulnerability type allows unauthorized users to gain privileges, enabling them to access sensitive information or execute malicious activities. Security Feature Bypass is in the second place with 13.6%. Exploiting Security Feature Bypass vulnerabilities, threat actors can circumvent established (by design) security measures. In the third place we have Command Injection, 11.4%, critical vulnerabilities. By manipulating user input, attackers can execute arbitrary commands on vulnerable systems and gain unauthorized access to data. Other vulnerability types are memory corruption (e.g. Use After Free, Out of Bounds Read/Write, Type Confusion), Design Flaws, Input Validation, Authentication and Access Control issues etc.
Disclosed Vulnerabilities over Months
On this graph we can see the disclosed vulnerabilities per month. All months seem to be very busy in terms of exploitability, zero-days etc.
Thoughts
Understanding and monitoring vulnerability trends is crucial in maintaining robust cybersecurity practices. The evolving threat landscape demands constant vigilance and proactive measures from organizations and individuals alike. From the prevalence of privilege escalation vulnerabilities that enable unauthorized access to sensitive information, to the worrisome security feature bypass vulnerabilities that undermine established defenses, and the risks associated with command injection vulnerabilities that facilitate unauthorized execution of commands, it is clear that vulnerabilities continue to pose significant risks and evolve rapidly.
The above analysis was done via the PRIOn Knowledge Base platform. PRIOn Knowledge Base, collects, enriches and analyses publicly disclosed vulnerabilities from the CVE program. It provides actionable data to cyber security practitioners to ensure that the most severe and dangerous vulnerabilities are prioritized. A risk score is assigned to each vulnerability according to its unique characteristics.
Risk Based Vulnerability Management (RBVM) is one of the most challenging tasks in the cybersecurity landscape. We believe that a model that takes into account:
- external contextualized data, such as threat and exploit intelligence, sentiment analysis on media presence
- actionable extracted data from unstructured texts, using predictive Natural Processing Language techniques
- internal business contextualized data (e.g. asset criticality, exposure etc.)
will enable companies to address vulnerabilities that could matter most to their environment. PRIOn could help your organization to triage and prioritize cyber security risks across your entire IT environment.
If you have any questions/comments/suggestions/corrections regarding the above analysis, feel free to contact us.
