Recognizing trending vulnerabilities would be less complicated with publicly available data that is sufficiently complete and reliable. Unfortunately, this is not currently available.
Why using CISA KEV is not enough
One of the best-known sources of information about vulnerabilities that are widely exploited in the wild is the public catalog CISA Known Exploited Vulnerabilities (CISA KEV). However, using it as the main prioritization tool may be associated with challenges that we cover later in this article.
Relevance
Out of the 110 vulnerabilities we flagged as trending in 2023, only 46 can be found in CISA KEV. Meanwhile, out of all the vulnerabilities added to the register in 2023, 134 were not marked by us as trending because they either did not have a critical level of severity or were found in outdated products.
Delays
Vulnerabilities may be added to CISA KEV with significant delays due to strict selection criteria for evidence of in-the-wild exploitation. Besides this, the time that it takes a vulnerability to hit CISA KEV depends on the availability of a vendor fix, as the catalog is essentially a list of remediation requirements intended for U.S. Federal agencies.
Some examples:
- Multiple vulnerabilities in Juniper EX and SRX network appliances that lead to Remote Code Execution (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847). The vulnerabilities came to light in mid-August. The Shadowserver Foundation reported exploitation attempts in the wild on August 25. CISA KEV did not add the vulnerabilities until November 13. We categorized them as trending much earlier, on August 28.
- The Looney Tunables Elevation of Privilege vulnerability in the Linux GNU C library (CVE-2023-4911). It was discovered on October 3, a public PoC exploit was ready on the next day, and Kinsing malware was seen exploiting it in early November. CISA KEV did not publish it until November 21. We categorized it as a trending vulnerability much earlier, on October 4.
Why links to exploits in the NVD are not enough
Only 26 out of the 110 vulnerabilities that we added to the trending category in 2023 had a public link to a PoC exploit in the NVD. Besides, links to exploits in the NVD often lack the "exploit" tag. The tag is often added to links to a vague description of a PoC or a reference to one that exists elsewhere, so additional verification is needed regardless of whether the tag is there.
NVD data is not sufficient for obtaining reliable information about exploits. You need to analyze public and commercial exploit databases, code repositories, analytical reports by information security companies and researchers, posts on social media and the dark web, and other sources.
Changes in the vulnerability description
Adequate prioritization requires that you track not just exploits and signs of ongoing attacks but also changes in the description of the vulnerability. The Authentication Bypass in Atlassian Confluence (CVE-2023-22518) is one example. In its security bulletin, Atlassian reported that a malicious actor could exploit the vulnerability to delete data but not to compromise data confidentiality. If that was true, the issue could be addressed with backups, and it could not be considered a trending vulnerability. However, a week later, the vendor updated the information, saying that a malicious actor could obtain administrator permissions and thereby full control over the Confluence server. This was something we had every reason to categorize as a trending vulnerability, which our team did in early November of 2023.
Non-standard CVEs
Some issues that get assigned CVE identifiers are information security incidents, rather than vulnerabilities. It was reported in March 2023 that certain versions of 3CX Desktop App, an instant messaging app with a phone call feature, had been modified by malicious actors on the vendor side. The app was infected with an infostealer-type trojan when downloaded from the official website. Supply chain attacks like that do not typically get a CVE of their own, but this one did: CVE-2023-29059. Adequately defining this kind of non-standard "vulnerability" takes extra effort by an analyst. This particular issue was defined as Remote Code Execution (RCE) because when the user installed an infected app, the malicious actors obtained the same result as they would have, from exploiting an RCE vulnerability. We categorized the vulnerability as trending on March 31, 2023.
CVEs missing from the NVD
Certain vulnerabilities we recognized as trending in 2023 were missing from the NVD and had a status of Reserved in the MITRE database. This was despite the fact that the CVE identifiers could be readily found in various sources that described the vulnerabilities. Examples include the RCE in WinRAR (CVE-2023-40477) and the RCE in Exim (CVE-2023-42115). Issues like that are particularly common with vulnerabilities submitted via the Zero Day Initiative (ZDI) CVE numbering authority.
How to define trending vulnerabilities correctly
In view of these challenges, defining trending vulnerabilities requires an automated process of collecting and updating information from various sources, such as vulnerability databases, vendor security bulletins, social media, blogs, exploit databases, public code repositories, and others, and then verifying the information manually.
Unexpected changes in the severity level are very common. It is critical to both respond in time and predict these whenever possible to have enough time for remediation before mass exploitation starts.