CISA: These Were the 15 Most Exploited Vulnerabilities in 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with allied agencies from the U.K., Canada, Australia, and New Zealand, has released a joint advisory on the top 15 cybersecurity vulnerabilities that were most exploited by cybercriminals in 2023. These vulnerabilities impacted a range of widely used software and platforms, leaving organizations at risk of data breaches, unauthorized access, and system manipulation.

Top most exploited flaws last year

The advisory underscores a troubling rise in the exploitation of zero-day vulnerabilities — flaws that were unknown to vendors before their initial exploitation. In 2023, malicious actors successfully leveraged these vulnerabilities to target high-priority systems, representing a shift from previous years when fewer zero-day exploits were among the most exploited. Notably, the majority of 2023's top vulnerabilities were originally zero-days.

Here's the full list of the top 15 routinely exploited vulnerabilities in 2023:

1. Citrix NetScaler ADC and Gateway (CVE-2023-3519): Allows an unauthenticated user to exploit a stack buffer overflow, enabling remote code execution through an HTTP GET request.
2. Citrix NetScaler ADC and Gateway (CVE-2023-4966): A session token leakage vulnerability that can expose sensitive data to unauthorized users.
3. Cisco IOS XE Web UI (CVE-2023-20198): Allows attackers to create a local user with normal access, granting unauthorized access to network systems.
4. Cisco IOS XE (CVE-2023-20273): Enables privilege escalation to root privileges once a local user has been created, potentially compromising the network.
5. Fortinet FortiOS and FortiProxy SSL-VPN (CVE-2023-27997): Allows remote code execution via heap-based buffer overflow, a high-risk vulnerability impacting SSL-VPN services.
6. Progress MOVEit Transfer (CVE-2023-34362): An SQL injection vulnerability that enables attackers to gain sysadmin API access tokens, allowing for remote code execution.
7. Atlassian Confluence Data Center and Server (CVE-2023-22515): Allows attackers to bypass access controls, create new admin users, and upload malicious plugins for arbitrary code execution.
8. Apache Log4j2 (Log4Shell, CVE-2021-44228): A widely exploited vulnerability in the Log4j library that allows arbitrary code execution and has impacted thousands of products globally.
9. Barracuda Email Security Gateway (CVE-2023-2868): Enables remote command injection, allowing unauthorized access to execute system commands via the ESG appliance.
10. Zoho ManageEngine (CVE-2022-47966): A remote code execution vulnerability that lets attackers run arbitrary code via a crafted XML samlResponse to the ServiceDesk Plus SAML endpoint.
11. PaperCut MF/NG (CVE-2023-27350): Allows attackers to exploit an authentication bypass and use built-in scripting for code execution.
12. Microsoft Netlogon (CVE-2020-1472): Enables privilege escalation in domain controllers, allowing unauthorized users to establish vulnerable Netlogon channels.
13. JetBrains TeamCity (CVE-2023-42793): A bypass vulnerability allowing remote code execution against vulnerable TeamCity servers, threatening development environments.
14. Microsoft Office Outlook (CVE-2023-23397): Allows privilege escalation by automatically triggering a malicious email upon processing, even without user interaction.
15. ownCloud graphapi (CVE-2023-49103): Exposes sensitive data, such as admin passwords and server credentials, through unauthenticated information disclosure.

The analysis showed that most vulnerabilities became significantly less exploitable over time as organizations applied patches or replaced affected systems. Despite this, a two-year post-disclosure period remains critical, as malicious actors often prioritize newly disclosed vulnerabilities to exploit systems that have not yet been updated.

The report urges vendors to adopt “secure by design and default” principles to reduce common security flaws. CISA recommends using secure software development frameworks, implementing memory-safe languages where possible, and eliminating default passwords. Additionally, developers should ensure a coordinated vulnerability disclosure system that allows timely root cause analysis and patch release.