Welcome back to the Sensor Intelligence Series, our recurring monthly summary of vulnerability intelligence based on distributed passive sensor data. August witnessed ructions among the 80 CVEs whose attack traffic we track. Several CVEs that had been ascendant or predominant plunged in attack traffic, which, oddly enough, restored our old favorite CVE-2020-8958 back to its place of honor at the top of the CVE pile. This is an OS command injection vulnerability in a Guangzhou fiberoptic router, and it has seen a huge amount of scanning and exploitation activity on our sensors in the last 18 months.
August Vulnerabilities by the Numbers
Figure 1 shows the traffic for the top 10 CVEs in August. Below CVE-2020-8958 is CVE-2022-24847, an RCE vulnerability in the open-source GeoServer software, followed by CVE-2022-42475, one of the Fortinet SSL-VPN vulnerabilities we added to our list in July. Also in the top 10 are four Microsoft Exchange Server vulnerabilities, a Citrix NetScaler Gateway injection flaw, and another router flaw, CVE-2017-18368.
Table 1 shows traffic for August, change in traffic from July, CVSS v3.x score, and EPSS scores for 64 CVEs. Our list of CVEs with confirmed attack or scanning traffic currently stands at 80, but 16 vulnerabilities saw no traffic in either July or August and so don’t make this table.
|CVE Number||August Traffic||Change from July||CVSS v3.x Score||EPSS Score|
|2018 JAWS Web Server Vuln||557||-325||NA||NA|
|Citrix XML Buffer Overflow||267||8||NA||NA|
To better assess rapid changes in attack traffic, Figure 1 shows a bump plot, which plots both traffic volume and changes in rank. The 12 CVEs shown here represent the top five for each of the twelve months. In this plot the dramatic drop in traffic targeting CVE-2016-4945 (78% decline) and CVE-2017-9841 (69% decline) are immediately apparent. Less obvious is the fact that the curve for CVE-2020-0688 stops completely at July because we observed zero traffic targeting it in August. It is common for vulnerabilities to fluctuate widely but it is rare to see a vulnerability that had so consistently been targeted drop to zero. This view really emphasizes the moderate amount of traffic in August’s top five, illustrating how quickly CVE targeting trends can reverse.
Long Term Trends
Because Figure 2 only shows high-traffic CVEs, Figure 3 shows traffic for 79 out of the 80 CVEs we have tracked (one CVE hasn’t been targeted for more than a year and so isn’t shown in this plot). In this view several more CVEs that dropped precipitously become apparent. CVE-2019-9082 (an RCE flaw in ThinkPHP) dropped by 99%, from nearly 1800 requests in July to just 64 in August. CVE-2020-15505 (a MobileIron RCE) declined by 99.8% as well. We also noted that the critical Fortinet SSL-VPN flaw that came to our attention in July, CVE-2022-42475, stayed mostly steady compared with last month.