Five Eyes infosec agencies list 2023's most exploited software flaws

Slack patching remains a problem – which is worrying as crooks increasingly target zero-day vulns


The cyber security agencies of the UK, US, Canada, Australia, and New Zealand have issued a list of the 15 most exploited vulnerabilities in 2023, and warned that exploitation of zero-day vulnerabilities has become more common.

"More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks," wrote Ollie Whitehouse, CTO of the UK's National Cyber Security Centre.

"To reduce the risk of compromise, it is vital all organizations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace," he added. "We urge network defenders to be vigilant with vulnerability management, have situational awareness in operations and call on product developers to make security a core component of product design and life-cycle to help stamp out this insidious game of whac-a-mole at source."

The top two spots on the list go to Citrix. First place is a remote code execution bug in versions 12 and 13 of NetScaler ADC and Gateway; second place goes to the same two products for leaking sensitive information when they are configured as a gateway or as an authentication, authorization and accounting (AAA) server.

Third and fourth positions on the Five Eyes wall of shame go to Cisco for issues with its IOS XE operating system. The worse of the two saw attackers chain a pair of flaws to subvert the software: first creating a local account, then elevating its privileges to root. The fourth most common route into the operating system was insufficient input validation that likewise allowed code to be run as root.

Another operating system in trouble, in fifth place, is Fortinet's FortiOS. FortiProxy shares the problem: a heap-based buffer overflow that, given the right crafted request, hands an attacker remote code execution.

You'd expect a file transfer system to be a high-value target, and in sixth place is an SQL injection vulnerability in Progress MOVEit Transfer that would allow an attacker to sniff around the MySQL, Microsoft SQL Server, or Azure SQL database behind it. All versions of 2020.0 and 2019.x are vulnerable, and the flaw has been exploited in the wild since May 2023.

In seventh place is Atlassian Confluence Data Center and Server, where an improper input validation flaw lets attackers create admin-level accounts and run code. The good news is that cloud-hosted Confluence, accessed at an atlassian.net domain, isn't affected.

There's a blast from the past at number eight: the Apache Log4j vulnerability from 2021 that caused havoc around the world. It's still a serious issue because many deployments are still running unpatched log4j-core.

More recent is the 2023 discovery of serious flaws in Barracuda Networks' Email Security Gateway, which are much beloved by Chinese attackers. Again, it's an input validation issue, but at ninth on the list it's clearly still popular.

SaaS-y software vendor Zoho takes tenth place with a serious and much-exploited flaw in its ManageEngine tool. If an attacker sends a cunningly crafted samlResponse XML document to the ServiceDesk Plus SAML endpoint, it's game over. Thankfully only systems with SAML SSO enabled are vulnerable.

Print management software seller PaperCut takes number 11 on the list, with a year-old flaw that's being used to subvert systems: an attacker can bypass authentication completely and then run code remotely.

Microsoft's first appearance on the list, at number 12, is down to a venerable flaw in its Netlogon protocol that was first spotted under attack in September 2020. It's a pretty poor reflection on some people's patching that this is still an issue; the agencies note that this same vuln has made the top 15 list for four years running.

Czech developer tools maker JetBrains takes the unlucky 13th spot on the list, for an authentication bypass in its continuous integration server TeamCity. While the vulnerability isn't especially old, JetBrains has had other problems in the past and could do with improving its relations with the security industry.

Microsoft returns to the list at number 14 with an Outlook issue from March 2023. The vulnerability allows an attacker to escalate privileges, and Russia has been actively using it to go after Western critical infrastructure for the last year, so it's vital to fix.

Finally, open source file-sharing software biz ownCloud makes it onto the list in last place with a CVSS 10-scoring flaw in its owncloud/graphapi library, affecting 0.2.x before 0.2.1 and 0.3.x before 0.3.1. Attackers can use this flaw to steal admin passwords, mail server credentials, and license keys.

We cover these lists every year, but the same names keep cropping up. It's a good time to check and make sure you're fully covered – attackers certainly will. ®
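The practical follow-up to both the Log4j entry above and the closing advice to check your coverage is to turn the article's version statements into something a script can test. The Python below is an added example written for this page, not code from The Register, the Five Eyes agencies, or any vendor named: it encodes the owncloud/graphapi ranges quoted above as rules, runs them over a constructed inventory, and finds bundled log4j-core in JAR/WAR files by reading the Maven pom.properties inside them, recursing into nested JARs. The log4j-core threshold of 2.17.1, the hostnames and versions in the sample inventory, and the in-memory JARs are all assumptions constructed for the demo.

```python
"""Added example for this page, not code from The Register, the agencies or any vendor.
The owncloud/graphapi ranges are quoted from the article; the log4j-core threshold
(2.17.1), the sample hosts/versions and the in-memory JARs are assumptions for the demo."""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' or '13.1-49.13' -> fixed-length int tuple; non-numeric bits are ignored."""
    nums = [int(p) for p in re.findall(r"\d+", v)][:4]
    return tuple(nums + [0] * (4 - len(nums)))

@dataclass(frozen=True)
class AffectedRange:
    product: str
    fixed: str                    # first version in the branch that carries the fix
    branch: Optional[str] = None  # "0.2" means "0.2.x before <fixed>"; None = every branch

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if self.branch is not None:
            n = len(re.findall(r"\d+", self.branch))
            if v[:n] != parse_version(self.branch)[:n]:
                return False
        return v < parse_version(self.fixed)

# Assumption: anything below log4j-core 2.17.1 needs attention (ignores the 2.3.x/2.12.x back-ports).
LOG4J_RULE = AffectedRange("org.apache.logging.log4j:log4j-core", fixed="2.17.1")
RULES = [
    AffectedRange("owncloud/graphapi", fixed="0.2.1", branch="0.2"),  # range from the article
    AffectedRange("owncloud/graphapi", fixed="0.3.1", branch="0.3"),  # range from the article
    LOG4J_RULE,
]

def check_inventory(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """rows are (host, product, version); return those inside an affected range."""
    return [r for r in rows if any(x.product == r[1] and x.matches(r[2]) for x in RULES)]

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(jar_bytes: bytes, depth: int = 0) -> Optional[str]:
    """Version of log4j-core bundled in a JAR, or in JARs nested up to three levels inside a
    WAR/EAR/fat JAR; None if the archive is not a zip or carries no log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        if POM_PATH in names:
            for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if depth < 3:
            for name in (n for n in names if n.endswith(".jar")):
                ver = log4j_core_version(zf.read(name), depth + 1)
                if ver:
                    return ver
    return None

def scan_dir_for_log4j(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root; report (path, version, affected) for each archive bundling log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        ver = log4j_core_version(fh.read())
                except OSError:
                    continue
                if ver:
                    findings.append((path, ver, LOG4J_RULE.matches(ver)))
    return findings

def build_sample_jar(version: str, nest_in_war: bool = False) -> bytes:
    """Constructed test data: an in-memory JAR declaring log4j-core <version>, optionally
    wrapped in a WAR, so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
    if not nest_in_war:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", buf.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    inventory = [("files01", "owncloud/graphapi", "0.2.0"),       # constructed sample rows
                 ("files02", "owncloud/graphapi", "0.3.1"),
                 ("app01", "org.apache.logging.log4j:log4j-core", "2.14.1")]
    for host, product, version in check_inventory(inventory):
        print(f"PATCH: {host} runs {product} {version}")
    for label, blob in (("jar", build_sample_jar("2.14.1")), ("war", build_sample_jar("2.17.1", True))):
        ver = log4j_core_version(blob)
        print(f"{label}: log4j-core {ver} affected={LOG4J_RULE.matches(ver)}")
```

Point scan_dir_for_log4j at an application server's deployment directory to turn the "many haven't patched log4j-core" observation into a concrete list of files; the pom.properties lookup is deliberately chosen over filename matching because shaded and renamed JARs keep the Maven metadata even when the filename says nothing about log4j.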

Editor's note: This article was updated on November 15 to correct the year to 2023, not 2024 as first stated. We regret the error.
