Statistics have shown that less than one per cent of security vulnerabilities significantly contributed to the highest risks to businesses in 2023, according to Qualys Threat Research Unit's comprehensive blog series looking back at the threat landscape. Indeed, 97 high-risk vulnerabilities have likely been exploited without being included in the CISA Known Exploited Vulnerabilities catalogue. The report said a quarter of these instances saw the vulnerability being immediately targeted for exploitation – published on the same day that the vulnerability itself was publicly disclosed.
Over the course of 2023, an impressive 26,447 vulnerabilities were disclosed, outstripping the number revealed in 2022 by over 1,500 CVEs. However, not all vulnerabilities were of high risk. Although a tiny proportion (less than 1%) represented major risks. Included among these critical vulnerabilities are those exploited by ransomware, threat actors, and malware; those that have a weaponised exploit; or those that were shown to have confirmed evidence of exploitation in the wild. "These are the ones that will be examined in detail," confirmed Saeed Abbasi, product manager of the Qualys Threat Research Unit.
Over 7,000 vulnerabilities were equipped with proof-of-concept exploit code; 206 had weaponised exploit code available, making a successful compromise of the target system highly likely if used. Also revealed in the analysis were 115 vulnerabilities routinely exploited by threat actors, malware, and ransomware groups. Comparatively, 109 had known evidence of exploitation and were listed in the CISA KEV. In contrast, 97 were exploited in the wild though they were not included in the CISA KEV list
The findings concluded that 32.5% of the 206 identified vulnerabilities resided within the networking infrastructure or web application domains—areas that are typically difficult to protect by conventional means.
Fifty per cent of the high-risk vulnerabilities identified were leveraged by threat actors, ransomware, or malware, with 115 exploited by named threat actors, 20 by ransomware, and 15 by malware and botnets. They also highlighted that more than a third (of the 206 vulnerabilities) could be targeted remotely. This represented a critical need for a comprehensive vulnerability management strategy that includes remote scanning capabilities, rather than relying exclusively on agent-based methods.
The data also shed light on the most prevalent avenues of cyberattacks, highlighting that the exploitation of remote services was the most frequently observed method. This was followed by the exploitation of public-facing applications and exploitation for privilege escalation.
Lastly, the report identified specific vulnerabilities such as CVE-2023-0669, CVE-2023-20887, CVE-2023-22952, CVE-2023-23397, CVE-2023-24880, CVE-2023-27350, CVE-2023-28252, CVE-2023-2868, CVE-2023-29059, CVE-2023-34362 as the ones that stood out as the most frequently exploited. This indicated trending attack vectors and emphasised the necessity for targeted defensive strategies.
"The rapid pace of vulnerability weaponisation and the diversity of threat actors pose significant challenges for organisations globally," concluded Abbasi, adding that "these instances highlight the speed at which vulnerabilities can escalate from publication to weaponised exploit to exploitation and illustrate the immediacy with which cyber threats evolve upon the disclosure of vulnerabilities."