CISA’s Top Exploited Vulnerabilities List Stresses Importance of Timely Patching

Nov 18, 2024

Very few people probably need a reminder at this point, but CISA’s annual list of the most frequently exploited vulnerabilities reinforces the importance of timely patching when zero-days are announced.

The current list, which summarizes those most exploited in 2023, not only finds an increase in the proportion of zero-days but also that criminals continue to feast off high-profile published CVEs for an average of about two years after their remediation. Major issues like Log4Shell and assorted router weaknesses are still being commonly exploited months or years after full patches are issued, with active hunting of these now making up over 50% of exploited vulnerabilities.

Patching of known exploited vulnerabilities continues to be a struggle

“Timely patching” is CISA’s lead piece of advice for organizations, but the presence of things like Log4j on the current list (which was remediated in late 2021) illustrates that the situation isn’t always that straightforward. Slow time-to-patch complicates the issue even further: the longer a known exploited vulnerability goes unpatched, the more checking is required to first determine whether it is already present and has already been exploited.
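One practical way to act on that advice is to check an asset inventory against CISA's Known Exploited Vulnerabilities (KEV) catalog and rank what is still unpatched by how far past CISA's due date it is. The following is an added example, not code from this post or from CISA: the KEV entries below are constructed placeholders in the shape of the real catalog's JSON (the `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields exist in the real feed, but the values here are invented), and the inventory format, with a per-host set of CVEs that patch management has confirmed remediated, is an assumption for the sake of the example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV catalog JSON feed.
# CVE IDs, vendors, products and dates are invented placeholders, not real catalog entries.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Logging Library",
   "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
   "dateAdded": "2023-08-21", "dueDate": "2023-09-11", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "File Transfer",
   "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"}
]}
"""

# Constructed asset inventory (hypothetical format): which product each host runs and
# which KEV CVEs patch management has already confirmed as remediated on that host.
INVENTORY = [
    {"host": "web-01", "vendorProject": "ExampleVendor", "product": "Logging Library", "remediated": set()},
    {"host": "vpn-01", "vendorProject": "ExampleVendor", "product": "Edge Gateway", "remediated": {"CVE-0000-0002"}},
    {"host": "xfer-01", "vendorProject": "OtherVendor", "product": "File Transfer", "remediated": set()},
    {"host": "db-01", "vendorProject": "ThirdVendor", "product": "Database", "remediated": set()},
]


def product_key(vendor, product):
    """Normalise vendor/product names so minor case or whitespace differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def kev_exposures(kev_json, inventory, today):
    """Return one finding per host/CVE pair that is in KEV and not yet remediated.

    `today` is an ISO date string. Findings are sorted worst-first: CVEs with known
    ransomware use come before the rest, and within each group the most overdue first.
    A negative days_overdue means the CISA due date has not passed yet.
    """
    today = date.fromisoformat(today)
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(product_key(entry["vendorProject"], entry["product"]), []).append(entry)

    findings = []
    for asset in inventory:
        for entry in by_product.get(product_key(asset["vendorProject"], asset["product"]), []):
            if entry["cveID"] in asset["remediated"]:
                continue  # already patched on this host
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "days_overdue": (today - due).days,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })

    findings.sort(key=lambda f: (not f["ransomware"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in kev_exposures(KEV_JSON, INVENTORY, "2023-12-31"):
        flag = " [ransomware use known]" if f["ransomware"] else ""
        print(f"{f['host']}: {f['cveID']} is {f['days_overdue']} days past CISA due date{flag}")
```

With the constructed data and a report date of 2023-12-31, the run lists `web-01` first (its placeholder logging-library CVE is 737 days overdue, mirroring the two-year Log4Shell tail the post describes), then `xfer-01`; `vpn-01` drops out because its only KEV exposure is recorded as remediated. Against the real catalog you would replace `KEV_JSON` with the downloaded feed and `INVENTORY` with your CMDB or scanner export, keeping the same matching logic.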

CISA does advise organizations to implement good endpoint detection and response solutions, as these are very useful in catching zero-day exploitation. But much of this battle has to be fought on the developer front, with an increasing push for “secure by design” principles embedded in the whole product life cycle. CISA is continuing its call for developers to move away from C to languages less susceptible to common techniques like buffer overflows (which were among the most commonly exploited vulnerabilities once again).

In the meantime, organizations may want to devote more of their energy to third-party supply chain breaches. As the list demonstrates, this is where hackers appear to be having the greatest rates of success.

Zero-days now the majority of exploited vulnerabilities

As of this report, zero-days now make up over 50% of the exploited vulnerabilities at enterprise companies. This is the first time that number has edged over that mark into the majority.

For the most part, exploited vulnerabilities are hit by hackers well after both public disclosure and patching. Log4Shell, which remained the 8th most frequently exploited vulnerability two full years after patching was concluded (according to the timeframe of this list), is one of the primary examples.

There is definitely an explosion of activity close to initial public disclosure, however, which can be expected to taper off over time. This is illustrated by the top two entries on the list, both belonging to Citrix NetScaler. They were disclosed in August and October of 2023 respectively and had sprung to the top of the exploited vulnerabilities list by the end of that year. There is a similar timeframe for the two Cisco vulnerabilities that hold spots three and four.

The MOVEit breach landed at #6 on the list, unsurprising considering that it spanned 2023. But fallout from this breach continues to be an issue even now, with Amazon and other companies recently reporting the theft of employee data that was found being offered for sale on the dark web.
