Alexander Leonov, lead expert with the PT Expert Security Center

In 2023, Positive Technologies categorized a total of 110 security flaws as trending vulnerabilities. These are the most severe vulnerabilities, which must be remediated or compensated for as soon as possible. We isolate these from a large number of vulnerabilities that appear every day. Information about these vulnerabilities appears in MaxPatrol VM within 12 hours. This article takes a closer look at how we define trending vulnerabilities and lists the types of vulnerabilities that posed the greatest threat in 2023.

Trending vulnerabilities are those widely exploited in attacks or likely to be exploited soon.
 

Determining the level of severity and prioritizing are essential to vulnerability management, simply because there are too many vulnerabilities. For example, in 2023 alone, the National Vulnerability Database (NVD) published 28,834 new entries, and all those vulnerabilities pose a varying degree of threat to organizations. Popular severity scoring systems, such as CVSS, typically ignore the key factors: the availability of mature exploitation tools and a sign of exploitation in the wild. Placing vulnerabilities in the trending group bridges that gap.

Trending is the new top level of vulnerability scoring. These vulnerabilities in corporate infrastructures must be fixed first. Positive Technologies adds detection logic for trending vulnerabilities to its products within 12 hours. You need to consider the type of asset where the vulnerability was detected. For instance, a vulnerability in a short-lived test host is not critical. A final decision must be guided by the risk model adopted in the organization.

• A potential malicious actor may exploit the vulnerability to develop an attack on the infrastructure and bring about a non-tolerable event.
• The vulnerability has an exploit, ideally public and verified.
• The vulnerability was detected in a product often used in corporate environments. An exploitable security flaw in a rare software product that hardly anyone uses cannot be considered a trending vulnerability.

Recognizing trending vulnerabilities would be less complicated with publicly available data that is sufficiently complete and reliable. Unfortunately, this is not currently available.

Why using CISA KEV is not enough

One of the best-known sources of information about vulnerabilities that are widely exploited in the wild is the public catalog CISA Known Exploited Vulnerabilities (CISA KEV). However, using it as the main prioritization tool may be associated with challenges that we cover later in this article.

Relevance

Out of the 110 vulnerabilities we flagged as trending in 2023, only 46 can be found in CISA KEV. Meanwhile, out of all the vulnerabilities added to the register in 2023, 134 were not marked by us as trending because they either did not have a critical level of severity or were found in outdated products.

Delays

Vulnerabilities may be added to CISA KEV with significant delays due to strict selection criteria for evidence of in-the-wild exploitation. Besides this, the time that it takes a vulnerability to hit CISA KEV depends on the availability of a vendor fix, as the catalog is essentially a list of remediation requirements intended for U.S. Federal agencies.

Some examples:

1. Multiple vulnerabilities in Juniper EX and SRX network appliances that lead to Remote Code Execution (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847). The vulnerabilities came to light in mid-August. The Shadowserver Foundation reported exploitation attempts in the wild on August 25. CISA KEV did not add the vulnerabilities until November 13. We categorized them as trending much earlier, on August 28.
2. The Looney Tunables Elevation of Privilege vulnerability in the Linux GNU C library (CVE-2023-4911). It was discovered on October 3, a public PoC exploit was ready on the next day, and Kinsing malware was seen exploiting it in early November. CISA KEV did not publish it until November 21. We categorized it as a trending vulnerability much earlier, on October 4.

Why links to exploits in the NVD are not enough

Only 26 out of the 110 vulnerabilities that we added to the trending category in 2023 had a public link to a PoC exploit in the NVD. Besides, links to exploits in the NVD often lack the "exploit" tag. The tag is often added to links to a vague description of a PoC or a reference to one that exists elsewhere, so additional verification is needed regardless of whether the tag is there.

NVD data is not sufficient for obtaining reliable information about exploits. You need to analyze public and commercial exploit databases, code repositories, analytical reports by information security companies and researchers, posts on social media and the dark web, and other sources.

Changes in the vulnerability description

Adequate prioritization requires that you track not just exploits and signs of ongoing attacks but also changes in the description of the vulnerability. The Authentication Bypass in Atlassian Confluence (CVE-2023-22518) is one example. In its security bulletin, Atlassian reported that a malicious actor could exploit the vulnerability to delete data but not to compromise data confidentiality. If that was true, the issue could be addressed with backups, and it could not be considered a trending vulnerability. However, a week later, the vendor updated the information, saying that a malicious actor could obtain administrator permissions and thereby full control over the Confluence server. This was something we had every reason to categorize as a trending vulnerability, which our team did in early November of 2023.

Non-standard CVEs

Some issues that get assigned CVE identifiers are information security incidents, rather than vulnerabilities. It was reported in March 2023 that certain versions of 3CX Desktop App, an instant messaging app with a phone call feature, had been modified by malicious actors on the vendor side. The app was infected with an infostealer-type trojan when downloaded from the official website. Supply chain attacks like that do not typically get a CVE of their own, but this one did: CVE-2023-29059. Adequately defining this kind of non-standard "vulnerability" takes extra effort by an analyst. This particular issue was defined as Remote Code Execution (RCE) because when the user installed an infected app, the malicious actors obtained the same result as they would have, from exploiting an RCE vulnerability. We categorized the vulnerability as trending on March 31, 2023.

CVEs missing from the NVD

Certain vulnerabilities we recognized as trending in 2023 were missing from the NVD and had a status of Reserved in the MITRE database. This was despite the fact that the CVE identifiers could be readily found in various sources that described the vulnerabilities. Examples include the RCE in WinRAR (CVE-2023-40477) and the RCE in Exim (CVE-2023-42115). Issues like that are particularly common with vulnerabilities submitted via the Zero Day Initiative (ZDI) CVE numbering authority.

How to define trending vulnerabilities correctly

In view of these challenges, defining trending vulnerabilities requires an automated process of collecting and updating information from various sources, such as vulnerability databases, vendor security bulletins, social media, blogs, exploit databases, public code repositories, and others, and then verifying the information manually.

Unexpected changes in the severity level are very common. It is critical to both respond in time and predict these whenever possible to have enough time for remediation before mass exploitation starts.

Vulnerability types

In 2023, we added trending vulnerabilities of the following types:

• Remote Code Execution (39)
• Elevation of Privilege (33)
• Authentication Bypass (17)
• Security Feature Bypass (9)
• Information Disclosure (3)
• Command Injection (2)
• Path Traversal (2)
• Code Injection (1)
• Denial of Service (1)
• Memory Corruption (1)
• Incorrect Calculation (1)
• Cross-Site Scripting (1)

Most of these let malicious actors compromise an asset directly, via Remote Code Execution or Authentication Bypass, or elevate their permissions through Elevation of Privilege.

Vulnerable products

In 2023, we added trending vulnerabilities for 73 products.

Product groups

As you can see, most of the trending vulnerabilities we identified were found in corporate infrastructure products, and desktop and server operating systems, primarily Windows.

Product types

Prioritization of vulnerabilities is a cornerstone of a robust security system. However, relying exclusively on sources like CISA KEV and the NVD makes building efficient security a challenge. These catalogs often publish data with a delay, report vulnerabilities in outdated software, and fail to consider the characteristics of non-standard threats and how these change. MaxPatrol VM trending vulnerability data helps you to stay up to date on the most severe vulnerabilities and respond rapidly. We add new expertise to the product as early as practically possible, within 12 hours.