Welcome to the Sensor Intelligence Series for April 2023. Last month was comparatively quiet in terms of attack traffic, like March before it. CVE-2020-8958 (an OS command injection vulnerability in a GPON router) remained the top-targeted vulnerability, as it has for nine of the last ten months. Many of the other top targets, such as CVE-2022-22947 and CVE-2020-0688, are well known to us, and have been in the top ten for months.
However, attacks looking for CVE-2022-24847 caught our attention during our routine check for attacks we hadn’t identified yet, and we added a new signature for it. Whereas most of the vulnerabilities we’ve discussed in the last six months have either been either Microsoft Exchange RCEs or IoT devices, CVE-2022-24847 is an Improper Input Validation vulnerability in an open source server named GeoServer. This vulnerability allows for an unchecked JNDI lookup, which can lead to remote code execution through class deserialization.1 This brings the total number of CVEs whose exploitation we have observed up to 65.
April Vulnerabilities by the Numbers
Figure 1 shows the top ten vulnerabilities and their traffic for April. The gap between the CVE-2020-8958 at the top and the next vulnerability down is striking, even if CVE-2020-8958 is still experiencing roughly half of the traffic it received at its peak in January. The second place goes to the CVE-less JAWS vulnerability in several digital video recorders,2 followed by our newcomer, CVE-2022-24847.
The remainder of the top ten are types of vulnerabilities we’ve seen many times before—more IoT vulnerabilities, Microsoft Exchange RCEs, and flaws in various PHP tools and frameworks.
Table 1 shows traffic volumes for all vulnerabilities that we’re tracking, along with change from the previous month.
CVE Number | Count | Change |
CVE-2020-8958 | 7146 | 2635 |
2018 JAWS Web Server Vuln | 2677 | 1391 |
CVE-2022-24847 | 2624 | 1348 |
CVE-2022-22947 | 2089 | 391 |
CVE-2017-9841 | 2062 | 298 |
CVE-2020-0688 | 1365 | 254 |
CVE-2018-10561 | 1028 | 203 |
CVE-2021-28481 | 829 | -68 |
CVE-2022-41040/CVE-2021-34473 | 799 | 81 |
CVE-2019-9082 | 521 | -43 |
CVE-2021-3129 | 485 | -101 |
CVE-2018-13379 | 457 | 54 |
NETGEAR-MOZI | 268 | -101 |
CVE-2020-15505 | 255 | 35 |
CVE-2014-2908 | 248 | 25 |
CVE-2013-6397 | 247 | -53 |
Citrix XML Buffer Overflow | 246 | 19 |
CVE-2019-18935 | 221 | 107 |
CVE-2021-22986 | 212 | 165 |
CVE-2021-40539 | 206 | 0 |
CVE-2019-12725 | 128 | 111 |
CVE-2017-18368 | 114 | -28 |
CVE-2021-26086 | 97 | -127 |
CVE-2017-1000226 | 90 | -69 |
CVE-2021-44228 | 48 | -303 |
CVE-2022-22965 | 34 | -13 |
CVE-2022-40684 | 33 | -32 |
CVE-2020-25078 | 25 | -500 |
CVE-2019-9670 | 24 | 11 |
CVE-2020-3452 | 13 | 0 |
CVE-2021-21985 | 10 | -6 |
CVE-2018-7600 | 3 | 1 |
CVE-2022-1388 | 1 | -26 |
CVE-2021-25369 | 1 | -9 |
CVE-2021-41277 | 1 | -13 |
CVE-2008-2052 | 0 | 0 |
CVE-2008-6668 | 0 | 0 |
CVE-2017-0929 | 0 | 0 |
CVE-2017-9506 | 0 | 0 |
CVE-2018-1000600 | 0 | 0 |
CVE-2018-18775 | 0 | 0 |
CVE-2020-13167 | 0 | 0 |
CVE-2020-17505 | 0 | 0 |
CVE-2020-17506 | 0 | 0 |
CVE-2020-25506 | 0 | 0 |
CVE-2020-28188 | 0 | 0 |
CVE-2020-7796 | 0 | 0 |
CVE-2020-9757 | 0 | 0 |
CVE-2021-20167 | 0 | 0 |
CVE-2021-21315 | 0 | 0 |
CVE-2021-26084 | 0 | 0 |
CVE-2021-29203 | 0 | 0 |
CVE-2021-33357 | 0 | 0 |
CVE-2021-33564 | 0 | 0 |
CVE-2021-3577 | 0 | 0 |
Targeting Trends
To better understand how April contrasts with previous months, Figure 2 shows a bump plot of targeting frequency. To avoid overplotting, this shows fourteen CVEs which together constitute the top five for each of the twelve months. Overall the last few months have seen few dramatic changes compared with Autumn 2022, with one exception: the chartreuse curve showing up in March and April represents the newly added vulnerability CVE-2022-24847, which seemingly came from nowhere to capture ~2500 connections in April.