In 2023, cybercriminals increasingly relied on zero-day vulnerabilities to infiltrate enterprise networks, focusing their efforts on high-priority targets.
A report from the Five Eyes cybersecurity alliance, released by CISA, highlights that the majority of the most exploited vulnerabilities last year were initially exploited as zero-day flaws, a significant increase compared to 2022, when less than half of the top vulnerabilities were zero-day exploits.
These vulnerabilities proved especially useful to attackers within two years of their public disclosure, as unpatched systems presented ample opportunities for compromise.
The report noted that over time, the utility of these exploits diminishes as more systems are patched and international cybersecurity efforts shorten the lifespan of zero-day vulnerabilities.
Among the most exploited vulnerabilities in 2023 were several high-profile flaws in products from Citrix, Cisco and Fortinet, which attackers leveraged to compromise enterprise networks.
Citrix’s NetScaler ADC and Gateway products were particularly affected, with CVE-2023-3519 emerging as the most exploited vulnerability of the year.
This flaw lets attackers trigger a stack buffer overflow through a crafted HTTP GET request, allowing arbitrary code execution and posing significant operational risk.
Another vulnerability in Citrix products, CVE-2023-4966, dubbed “CitrixBleed,” caused session token leakage, exposing critical enterprise systems to further exploitation.
These vulnerabilities highlighted persistent issues with memory management and left many organizations vulnerable to ransomware attacks.
Cisco’s IOS XE Web UI also faced significant challenges in 2023, with two related vulnerabilities, CVE-2023-20198 and CVE-2023-20273, being heavily targeted.
The first flaw allowed unauthorized users to create local credentials, enabling attackers to gain initial access to enterprise systems.
The second vulnerability, building on the first, facilitated privilege escalation, allowing attackers to gain root-level control.
Both vulnerabilities underscored the importance of securing administrative interfaces and protecting against unauthorized access.
Fortinet’s FortiOS and FortiProxy SSL-VPN were also affected, with CVE-2023-27997 enabling remote attackers to execute arbitrary code via a heap-based buffer overflow, posing a critical risk to nearly half a million firewalls worldwide.
Casey Ellis, founder and advisor at Bugcrowd, said he thinks talking about these vulnerabilities as zero-days is a part of the problem.
“This implies that there’s nothing defenders can do about them when this is very much not the case,” he explained. “The first thing is to recognize that these vulnerabilities are, by definition, not zero-days.”
He said threat actors have taken to routinely “firehosing the internet” using “n-day” vulnerabilities which are known to the vendor, and often have a patch or mitigation guidance associated with them.
“The main takeaway here is for organizations to treat this as a vulnerability intelligence and patch management problem, not a problem of exotic and otherwise indefensible zero-day vulnerabilities,” Ellis said.
Callie Guenther, senior manager, cyber threat research at Critical Start, said CISA’s secure-by-design initiative has seen some success in prompting vendors to adopt secure coding practices.
However, she added that wider adoption and consistent improvement in security frameworks, such as adherence to SP 800-218 and bug bounty programs, are essential.
“Industry collaboration on vulnerability root causes and secure default configurations could improve the initiative’s impact,” she said.
Guenther noted that the rise of complex zero-day exploits and ransomware is expected to continue, and that to stay ahead, organizations should invest in threat intelligence services, strengthen endpoint security and promote a security-aware culture.
“Shifting to a defense-in-depth strategy that emphasizes identity management and supply chain security will be critical in adapting to new threat vectors,” she explained.
From her perspective, organizations should prioritize adopting a multi-layered approach that includes regular patching, especially within two years post-disclosure, centralized patch management and advanced threat detection including endpoint detection and response (EDR).
“Implementing robust monitoring and prompt remediation are essential, particularly for high-risk vendors’ vulnerabilities,” Guenther said.
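As an added illustration (not code from the article, the report or any of the vendors named), the following Python script turns the “patch within two years post-disclosure” advice into a check over an asset inventory, using the CVEs named above. The product labels, disclosure dates, scoring weights and hosts are assumed or constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# CVEs named in the report, keyed to the affected product. Disclosure dates are
# assumed here for illustration; confirm them against NVD or the vendor advisory.
REPORT_CVES = {
    "CVE-2023-3519": ("citrix-netscaler", date(2023, 7, 18)),
    "CVE-2023-4966": ("citrix-netscaler", date(2023, 10, 10)),
    "CVE-2023-20198": ("cisco-ios-xe", date(2023, 10, 16)),
    "CVE-2023-20273": ("cisco-ios-xe", date(2023, 10, 20)),
    "CVE-2023-27997": ("fortios-sslvpn", date(2023, 6, 12)),
}
WINDOW = timedelta(days=730)  # the report's two-years-post-disclosure window
AS_OF = date(2024, 11, 15)    # fixed evaluation date so results are reproducible

@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool
    patched: frozenset = field(default_factory=frozenset)  # CVE ids already remediated

def open_ndays(asset: Asset, today: date) -> list[tuple[str, int]]:
    """Unpatched report CVEs for this asset still in the window: (cve, days left), newest first."""
    found = []
    for cve, (product, disclosed) in REPORT_CVES.items():
        if product != asset.product or cve in asset.patched:
            continue
        remaining = (disclosed + WINDOW - today).days
        if remaining > 0:
            found.append((cve, remaining))
    return sorted(found, key=lambda item: -item[1])

def prioritise(assets: list[Asset], today: date) -> list[tuple[str, int, list[str]]]:
    """Rank assets: internet exposure weighs most, then the count of open in-window n-days."""
    ranked = []
    for asset in assets:
        open_cves = open_ndays(asset, today)
        if open_cves:
            score = len(open_cves) * 10 + (50 if asset.internet_facing else 0)
            ranked.append((asset.name, score, [cve for cve, _ in open_cves]))
    return sorted(ranked, key=lambda item: -item[1])

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_ASSETS = [
    Asset("vpn-edge-1", "fortios-sslvpn", True),
    Asset("gw-lab", "citrix-netscaler", False, frozenset({"CVE-2023-3519"})),
    Asset("core-rtr-2", "cisco-ios-xe", True, frozenset({"CVE-2023-20198", "CVE-2023-20273"})),
]
```

Calling `prioritise(SAMPLE_ASSETS, AS_OF)` ranks the exposed VPN edge above the lab gateway and drops the fully patched router; feeding it a live inventory and current vulnerability-intelligence dates is what turns the report's list into a patch queue.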