2023 Top Routinely Exploited Vulnerabilities – CISA

Additional Routinely Exploited Vulnerabilities

The authoring agencies identified other vulnerabilities, listed in Table 2, that malicious cyber actors also routinely exploited in 2023—in addition to the 15 vulnerabilities listed in Table 1.

Vendors and Developers

The authoring agencies recommend vendors and developers take the following steps to help ensure their products are secure by design and default:

• Identify repeatedly exploited classes of vulnerability.
  • Perform an analysis of both CVEs and known exploited vulnerabilities (KEVs) to understand which classes of vulnerability are identified more than others.
  • Implement appropriate mitigations to eliminate those classes of vulnerability.
  • If a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries and prohibit other forms of queries.
• Ensure business leaders are responsible for security.
  • Business leaders should ensure their teams take proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.
• Follow SP 800-218 SSDF and implement secure by design practices into each stage of the SDLC; in particular, aim to perform the following SSDF recommendations:
  • Prioritize the use of memory safe languages wherever possible [SSDF PW 6.1].
  • Exercise due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1].
  • Set up secure software development team practices—this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language-specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2].
  • Establish a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3] and establish processes to determine root causes of discovered vulnerabilities.
  • Use static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2].
• Configure production-ready products to have the most secure settings by default and provide guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2].
  • Prioritize secure by default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration necessary and at no extra charge.
• Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure by design and default products, including additional recommended secure by default configurations, see CISA’s joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default.

End-User Organizations

The authoring agencies recommend end-user organizations implement the mitigations below to improve their cybersecurity posture based on threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on CPGs, including additional recommended baseline protections.

Vulnerability and Configuration Management

• Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E].
  • Prioritize patching KEVs, especially those CVEs identified in this advisory, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • For patch information on CVEs identified in this advisory, refer to the Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities.
    • If a patch for a KEV or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
    • Replace end-of-life software (i.e., software no longer supported by the vendor).
• Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware, and software.
• Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
  • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs).
  • Reputable MSPs can patch applications (such as webmail, file storage, file sharing, chat, and other employee collaboration tools) for their customers.
    Note: MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources:
    • CISA Insights’ Risk Considerations for MSP Customers.
    • CISA Insights’ Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses.
    • ACSC’s How to Manage Your Security When Engaging a MSP.
• Document secure baseline configurations for all IT/OT components, including cloud infrastructure.
  • Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
• Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration.
  • Store copies off-network in physically secure locations and test regularly [CPG 2.R].
• Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].

Identity and Access Management

• Enforce phishing-resistant multifactor authentication (MFA) for all users without exception [CPG 2.H].
• Enforce MFA on all VPN connections.
  • If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
• Regularly review, validate, or remove unprivileged accounts (annually at a minimum) [CPG 2.D, 2.E].
• Configure access control under the principle of least privilege [CPG 2.O].
  • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible).
    Note: See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on Implementing MFA for more information on authentication system hardening.

Protective Controls and Architecture

• Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X].
• Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
• Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
• Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
• Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X].
  Note: See CISA’s Zero Trust Maturity Model and the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust.
• Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
• Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools.
• Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanners, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
• Use web application firewalls to monitor and filter web traffic.
• These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
• Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified, approved versions [CPG 2.Q].

Supply Chain Security

• Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].
• Ensure contracts require vendors and/or third-party service providers to:
• Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].
• Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
• Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

Resources

• For information on the top vulnerabilities routinely exploited in 2016–2019, 2020, 2021, and 2022:
  • Joint CSA Top 10 Routinely Exploited Vulnerabilities.
  • Joint CSA Top Routinely Exploited Vulnerabilities.
  • Joint CSA 2021 Top Routinely Exploited Vulnerabilities.
  • Joint CSA 2022 Top Routinely Exploited Vulnerabilities.
• See the Appendix for additional partner resources on the vulnerabilities mentioned in this advisory.
• See ACSC’s Essential Eight Maturity Model for additional mitigations.
• See ACSC’s Cyber Supply Chain Risk Management for additional considerations and advice.

References

• Apache Log4j Vulnerability Guidance

Reporting

U.S. organizations: All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected] or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s CyWatch at (855) 292-3937 or [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact [email protected].

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Canadian organizations: Report incidents by emailing CCCS at [email protected]. 

New Zealand organizations: Report cyber security incidents to [email protected] or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident at  gov.uk/report-cyber (monitored 24 hours).

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

Version History

November 12, 2024: Initial version.