Introduction
As 2024 nears its end, the Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI, NSA, and international partners, has issued its annual advisory highlighting the most exploited Common Vulnerabilities and Exposures (CVEs) of 2023. These vulnerabilities, found in widely used software from major vendors such as Citrix, Fortinet, and Microsoft, have been heavily targeted by cybercriminals and state-sponsored actors. The list underscores the urgent need for organizations to adopt proactive cybersecurity practices to protect against these evolving threats.
This blog dives into the 15 most exploited vulnerabilities reported by CISA, providing an overview of each CVE and offering insights into the types of attacks, exploitation patterns, and how long they have been active.
Key Takeaways
- Increased Exploitation of Zero-Day Vulnerabilities
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to the previous year, allowing them to conduct cyber operations against higher-priority targets. Notably, the majority of the most frequently exploited vulnerabilities in 2023 were initially exploited as a zero-day. This represents a significant increase from 2022, when less than half of the top exploited vulnerabilities were exploited as zero-day incidents.
- Exploit Availability
14 of the 15 CVEs in CISA’s 2023 report have eight or more proof-of-concept (PoC) exploits; 13 have weaponized exploits, and 5 of those were weaponized before exploitation in the wild was publicly disclosed.
- Threat Actor Activity
Sixty named threat actors are linked to 13 of the CVEs; North Korea’s Silent Chollima targeted nine of them, and Log4j (CVE-2021-44228) remains the single most exploited.
- Armis Centrix™ for Early Warning Detection Coverage
Armis provided early warning on 10 of the 15 CISA KEV CVEs, with an average lead time of 30 days, giving visibility into vulnerable hosts and detecting threat actor activity so that teams can act before exploitation reaches them.
- Prioritizing Security Patches is Essential
Many of these vulnerabilities were exploited because patches were ignored or delayed. Enterprises must make patching and software updates a top priority to close gaps immediately. According to the Ponemon Institute, around 60% of data breaches are attributed to known vulnerabilities that remain unpatched: organizations fail to apply security updates for identified weaknesses in their systems, leaving them highly susceptible to attack.
- Attackers Exploit Widely-Used Software
High-profile software from companies such as Microsoft, Fortinet, and Citrix remains a top target, owing to their widespread use in enterprise environments.
- Multi-Layered Defense is Critical
Relying on a single security layer is not enough. A robust strategy includes vulnerability monitoring, zero-trust principles, AI-driven early-warning intelligence, and regular audits to minimize exposure.
- Legacy and Unpatched Vulnerabilities Remain Dangerous
20% of the CVEs are from 2022 or earlier. CVE-2021-44228 and CVE-2020-1472 reinforce that older vulnerabilities can still pose active risk.
Overview of the Top 15 CVEs
- CVE-2023-3519
Vendor: Citrix
Product(s): NetScaler ADC, NetScaler Gateway
Impact: Code Injection
Details: This vulnerability affects Citrix ADC and Gateway, allowing attackers to execute arbitrary code remotely. It has been widely exploited because it grants attackers unauthorized access to the appliance. Active exploitation began within weeks of its disclosure, proving its appeal to threat actors.
- CVE-2023-4966
Vendor: Citrix
Product(s): NetScaler ADC, NetScaler Gateway
Impact: Buffer Overflow
Details: A buffer overflow in NetScaler ADC and Gateway that exposes appliance memory to unauthenticated attackers, who used it to take over authenticated sessions. Exploited in targeted attacks, it demonstrates the ongoing risk to remote-access solutions often deployed in corporate environments.
- CVE-2023-20198
Vendor: Cisco
Product(s): IOS XE Web UI
Impact: Privilege Escalation
Details: A vulnerability in the Cisco IOS XE web user interface (web UI) that permits attackers to execute commands with elevated privileges. This CVE was actively targeted by advanced adversaries looking to exploit enterprise networks.
- CVE-2023-20273
Vendor: Cisco
Product(s): IOS XE
Impact: Web UI Command Injection
Details: A command injection flaw in the same IOS XE web UI that lets an attacker with elevated web UI privileges run commands on the underlying operating system. It was chained with CVE-2023-20198 in the same intrusion campaigns against exposed devices.
- CVE-2023-27997
Vendor: Fortinet
Product(s): FortiOS, FortiProxy SSL-VPN
Impact: Heap-Based Buffer Overflow
Details: Affecting FortiProxy and FortiGate firewalls, this vulnerability requires no user interaction and allows attackers to execute arbitrary commands remotely. Its critical nature and ongoing exploitation remain a concern for enterprise networks.
- CVE-2023-34362
Vendor: Progress
Product(s): MOVEit Transfer
Impact: SQL Injection
Details: Exploited in the MOVEit Transfer software, this SQL injection vulnerability allowed attackers to steal vast amounts of sensitive data. This CVE was leveraged in multiple high-profile data breaches during 2023.
- CVE-2023-22515
Vendor: Atlassian
Product(s): Confluence Data Center and Server
Impact: Broken Access Control
Details: Found in Confluence Server and Data Center, this critical vulnerability allows attackers to escalate privileges and execute arbitrary commands. Attackers exploited it to compromise internal collaboration systems.
- CVE-2021-44228 (Log4Shell)
Vendor: Apache
Product(s): Log4j2
Impact: Remote Code Execution (RCE)
Details: Although discovered in late 2021, Log4Shell remained a top target in 2023. Found in the Log4j logging library, this vulnerability allows attackers to execute code remotely. Its prolonged exploitation highlights the challenges of mitigating flaws in complex, widely used software components.
- CVE-2023-2868
Vendor: Barracuda Networks
Product(s): ESG Appliance
Impact: Improper Input Validation
Details: A flaw in the Barracuda ESG (Email Security Gateway) allows attackers to execute arbitrary code. It was exploited in a series of email-based attacks targeting sensitive business communication channels.
- CVE-2022-47966
Vendor: Zoho
Product(s): ManageEngine Multiple Products
Impact: Remote Code Execution
Details: Affecting Zoho ManageEngine products, this vulnerability allows RCE through its third-party Apache dependency. Cybercriminals exploited unpatched systems heavily, targeting IT management solutions in enterprise environments.
- CVE-2023-27350
Vendor: PaperCut
Product(s): MF/NG
Impact: Improper Access Control
Details: Found in PaperCut MF and NG, this vulnerability was exploited for remote code execution to compromise enterprise printing solutions, notably in environments with legacy systems and lax patch management.
- CVE-2020-1472 (ZeroLogon)
Vendor: Microsoft
Product(s): Netlogon
Impact: Privilege Escalation
Details: Still active in 2023, this vulnerability affects the Netlogon Remote Protocol and allows attackers to escalate privileges and assume the role of a domain admin. Despite being three years old, unpatched systems remain vulnerable.
- CVE-2023-42793
Vendor: JetBrains
Product(s): TeamCity
Impact: Authentication Bypass
Details: An authentication bypass in the JetBrains TeamCity CI/CD server that allows unauthenticated attackers to execute commands remotely on the server. It has been used to compromise software build pipelines in enterprise environments.
- CVE-2023-23397
Vendor: Microsoft
Product(s): Office Outlook
Impact: Privilege Escalation
Details: A CVE affecting Microsoft Outlook that was exploited to bypass authentication and execute unauthorized code. It was leveraged as part of phishing campaigns targeting enterprises.
- CVE-2023-49103
Vendor: ownCloud
Product(s): graphapi
Impact: Information Disclosure
Details: An information disclosure flaw in the ownCloud graphapi app that exposes the server’s PHP environment, including configuration values and credentials, to unauthenticated attackers. Targeted extensively, it reinforced the risks of improperly configured file-sharing deployments.
Enable Proactive Cybersecurity by Blending CISA KEV with AI-driven Early Warning Detection
Armis Centrix™ for Early Warning is the proactive cybersecurity solution designed to empower organizations with early warning intelligence to anticipate and mitigate cyber risks effectively. By leveraging AI-driven actionable intelligence, Armis Centrix™ provides insights into vulnerabilities that threat actors are exploiting in the wild or are about to weaponize, allowing organizations to understand their impact and take preemptive action. Armis provided early warning on 10 of the 15 CISA KEV CVEs, allowing organizations to address potential vulnerabilities with an average lead time of 30 days, ensuring that security teams have ample time to prepare and implement necessary defenses.
To enhance their cybersecurity strategy, security teams should integrate Armis Centrix™ for Early Warning with CISA’s Known Exploited Vulnerabilities (KEV) Catalog. While CISA KEV offers general risk prioritization and focuses on vulnerabilities already known to be exploited, Armis Centrix™ delivers real-time updates and evidence-based insights with high confidence levels, focusing on the stage at which threat actors are still formulating exploits for a vulnerability. By blending these tools, organizations can ensure a more robust cybersecurity posture, benefiting from both the timely, accurate, evidence-based capabilities of Armis and the foundational insights of CISA KEV.
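As an added example (not Armis or CISA code), the following Python script shows how a defender can cross-reference KEV-style records with an asset inventory and an early-warning feed: it flags hosts running an affected vendor/product, ranks them by how far past the CISA due date they are, computes the share of older CVEs on the list, and measures the lead time between an early warning and the KEV listing. The record field names follow the public CISA KEV JSON feed; all dates, hostnames and warning dates are constructed sample values.

```python
"""Cross-reference CISA KEV records with an asset inventory to rank patching work.
Added example, not Armis or CISA code. Records use the field names of the real
CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the dates,
inventory and early-warning dates below are constructed sample values."""
from datetime import date, datetime


def _d(s: str) -> date:
    """Parse the YYYY-MM-DD dates the KEV feed uses."""
    return datetime.strptime(s, "%Y-%m-%d").date()


def _rec(cve, vendor, product, added, due):
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": added, "dueDate": due}


# Constructed KEV-style sample; dates are illustrative, check the live feed for real ones.
KEV_SAMPLE = [
    _rec("CVE-2023-3519", "Citrix", "NetScaler ADC", "2023-07-19", "2023-08-09"),
    _rec("CVE-2023-4966", "Citrix", "NetScaler ADC", "2023-10-18", "2023-11-08"),
    _rec("CVE-2023-34362", "Progress", "MOVEit Transfer", "2023-06-02", "2023-06-23"),
    _rec("CVE-2021-44228", "Apache", "Log4j2", "2021-12-10", "2021-12-24"),
    _rec("CVE-2020-1472", "Microsoft", "Netlogon", "2021-11-03", "2022-05-03"),
]
# Constructed inventory: hostname -> (vendor, product) as reported by an asset scanner.
INVENTORY = {"vpn-gw-01": ("Citrix", "NetScaler ADC"), "mft-01": ("Progress", "MOVEit Transfer"),
             "dc-01": ("Microsoft", "Netlogon"), "web-02": ("Nginx", "nginx")}
# Constructed dates on which a hypothetical early-warning feed first flagged a CVE.
EARLY_WARNING = {"CVE-2023-3519": "2023-06-20", "CVE-2023-4966": "2023-09-27"}


def legacy_share(records, report_year=2023):
    """Fraction of CVEs whose year precedes the report year (old bugs still being exploited)."""
    return sum(int(r["cveID"].split("-")[1]) < report_year for r in records) / len(records)


def exposed_assets(records, inventory, as_of):
    """(host, cveID, days past the CISA due date) for every asset matching a KEV
    vendor/product, most overdue first; a negative value means the due date is still ahead."""
    hits = [(host, r["cveID"], (_d(as_of) - _d(r["dueDate"])).days)
            for host, (vendor, product) in inventory.items()
            for r in records if (r["vendorProject"], r["product"]) == (vendor, product)]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def lead_time_days(records, early_warning):
    """Days by which an early warning preceded the KEV listing; None when no warning exists."""
    return {r["cveID"]: (_d(r["dateAdded"]) - _d(early_warning[r["cveID"]])).days
            if r["cveID"] in early_warning else None for r in records}
```

Hosts with no KEV match (web-02 above) are simply absent from the output, so a production version should also report inventory entries that could not be matched to any vendor/product name.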
Learn more about Armis Centrix™ for Early Warning or request a demo today.