Sensor Intel Series: Top CVEs in February 2023

The Sensor Intel Series is created in partnership with Efflux , who maintains a globally distributed network of sensors from which we derive attack telemetry.

------------------------------------------------------------------------------------------

Welcome to the February 2023 installment of the Sensor Intelligence Series. This series offers web application vulnerability targeting intelligence. We produce this intelligence by analyzing scanning and exploit attempts logged by sensors run by our data partners, Efflux. As always, our analysis is limited to traffic on ports 80 and 443.

CVE-2020-8958, an IoT vulnerability in several Guangzhou/VSOL routers, has been the top-targeted vulnerability we track for six of the last seven months, and it retains its top spot in February as well. However, its traffic declined 47% compared with January, making its recent volume closer to what we observed in November. Perhaps this spells the beginning of its decline, although as you’ll see below in Figure 2, we’ve seen CVEs in general and this one in particular seem to fall off of a cliff, only to rebound the following month.

Also notable this month is the dramatic growth in CVE-2020-25078, which is also an IoT vulnerability but this time in several IP cameras. On the one hand the volume of traffic scanning for this vulnerability was not remarkable, with ~3600 connections in February, but only 200 connections were attempted in January, which means traffic increased roughly 18-fold in one month. Let’s see what else changed to put this growth in context.

February Vulnerabilities by the Numbers

Figure 1 shows the top ten vulnerabilities and their traffic for February. Below CVE-2020-25078 we see several CVEs that have been near the top throughout 2022, such as CVE-2017-9641 and the CVE-less 2018 JAWS digital video recorder vulnerability.¹

However, also notable is CVE-2020-0688, a remote code execution (RCE) vulnerability in Microsoft Exchange Server. This is obviously not a new vulnerability, but we only recently identified it in our logs, despite its presence throughout this project.

Table 1 shows traffic volumes for all vulnerabilities that we track. In addition to CVE-2020-0688, which we mentioned earlier, we also added CVE-2014-8379, a file upload vulnerability that had not previously shown up in our logs.

Table 1. CVE targeting volumes for February, along with change from January. We added two new CVEs to our list of signatures this month: CVE-2020-0688 and CVE-2014-8379.

Targeting Trends

To better understand how February contrasts with previous months, Figure 2 shows a bump plot of targeting frequency. To avoid overplotting, this shows thirteen CVEs which together constitute the top five for each of the twelve months.

Figure 2. Evolution of vulnerability targeting in the last twelve months. Note the slight decline in 2020-8958 as well as the dramatic growth of 2020-25078.

Long Term Trends

Figure 3 shows traffic volume over the past year for all of the CVEs we track. Other than the growth of 2020-25078 discussed above, recent months have not seen dramatic changes in the more frequently-targeted CVEs near the top of the plot.

Figure 3. Traffic volume by vulnerability. The resurgence of 2020-25078 is visible here (2nd row, middle column). The log10 scale on the y-axis illustrates how dramatic the growth has been in 2023.

Conclusions

As we often have in the last few months, we can’t help but notice the prevalence of two kinds of vulnerabilities in our logs: RCEs and IoT vulns. The value RCEs offer to attackers is obvious. As for IoT vulnerabilities, it seems fitting that as one IoT vuln (CVE-2020-8958) finally stops growing in prevalence, another (CVE-2020-25078) shoots up in volume to “help out.” All this IoT attention adds to our suspicion that attacker infrastructure for DDoS attacks remains a high priority. For more on DDoS please see the 2023 DDoS Attack Trends, and we’ll see you in a month with more intel.