Top Risks

Sensor Intel Series: Top CVEs in June 2023

In terms of attacker interest, it was more about continuity than change in June, with many of the same old CVEs being targeted.
July 21, 2023
6 min. read
Previous article in this series
Next article in this series

This month’s story in vulnerability targeting trends is one of stability. Even though two of the top ten vulnerabilities changed in June compared with May, and a few vulnerabilities more than doubled in volume, all of the change was minor in the big picture. We did, however, identify a few vulnerabilities that were novel to us, and added four more signatures.

June Vulnerabilities by the Numbers

Figure 1 shows the top ten vulnerabilities by traffic for the month of June. Most of these are old friends by now: CVE-2020-8958 (GPON router), CVE-2017-9841 (PHPUnit), and several others are commonplace in the top ten. On the other hand, both CVE-2019-9082 (ThinkPHP) and CVE-2013-6397 (Apache Solr) more than doubled compared with May, putting them in the top ten for the first time in a while.

Top 10 CVEs for Ports 80/443, June 2023
Figure 1. Top ten targeted vulnerabilities in June 2023. CVE-2019-9082 and CVE-2013-6397 replaced two others in the top ten this month, which was the most traffic CVE-2013-6397 has received in nearly a year.

Table 1 displays the traffic volume for all of the vulnerabilities that showed up in our systems in either June or July. Note that we track 71 vulnerabilities and this list only shows 50—20 CVEs are present in our data at some point but didn’t show up for the last two months. As a reminder, last month we started including CVSS v3.x and Exploit Prediction Scoring System (EPSS) scores to cross-reference with our own observations. Since EPSS scores vary over time, these scores were collected on 1 July 2023, at the end of our period of observation.

CVE Number June Traffic Change from May CVSS v3.x EPSS Score
CVE-2020-8958 9220 1530 7.2 83.1%
CVE-2017-9841 5027 2173 9.8 97.5%
CVE-2022-24847 2606 -120 7.2 0.1%
CVE-2019-9082 1731 1069 8.8 97.5%
CVE-2021-3129 1614 1006 9.8 97.5%
CVE-2022-22947 1520 -450 10 97.6%
CVE-2020-0688 1292 -111 8.8 97.3%
CVE-2013-6397 1150 760 n/a 71.4%
CVE-2022-41040/CVE-2021-34473 1013 -109 9.8 97.3%
2018 JAWS Web Server Vuln 985 200 n/a n/a
CVE-2021-28481 932 -474 9.8 2.3%
CVE-2020-25078 840 615 7.5 97.0%
CVE-2021-26855 711 -338 9.8 97.5%
CVE-2020-15505 499 213 9.8 97.5%
CVE-2017-18368 370 131 9.8 97.6%
CVE-2018-10561 294 -42 9.8 97.5%
CVE-2021-22986 216 39 9.8 97.5%
CVE-2022-1388 43 43 9.8 97.5%
CVE-2014-2908 254 -61 n/a 0.6%
Citrix XML Buffer Overflow 250 -59 n/a n/a
CVE-2021-40539 243 55 9.8 97.5%
NETGEAR-MOZI 203 -46 n/a n/a
CVE-2019-18935 184 -131 9.8 90.8%
CVE-2021-26084 146 137 9.8 97.5%
CVE-2018-13379 144 -184 9.8 97.5%
CVE-2021-26086 134 -237 5.3 94.4%
CVE-2017-1000226 117 -249 5.3 0.1%
CVE-2022-40684 101 84 9.8 96.7%
CVE-2021-44228 84 -7 10 97.6%
CVE-2021-27065 53 52 7.8 92.5%
CVE-2022-22965 30 3 9.8 n/a
CVE-2021-21985 21 7 9.8 97.5%
CVE-2020-3452 17 0 7.5 97.6%
CVE-2008-2052 8 0 n/a 0.2%
CVE-2019-9670 8 -12 9.8 97.5%
CVE-2021-41277 5 0 10 96.7%
CVE-2021-25369 4 0 6.2 0.1%
CVE-2018-20062 3 -37 9.8 96.8%
CVE-2018-18775 2 0 6.1 0.2%
CVE-2019-12725 2 -150 9.8 96.7%
CVE-2020-13167 2 0 9.8 97.4%
CVE-2021-21315 2 0 7.8 96.9%
CVE-2021-29203 2 0 9.8 95.6%
CVE-2021-33564 2 0 9.8 6.1%
CVE-2020-7796 1 0 9.8 74.8%
CVE-2021-33357 1 0 9.8 96.4%
CVE-2007-3010 0 0 n/a 97.3%
CVE-2018-7600 0 0 9.8 97.6%
CVE-2020-17496 0 0 9.8 97.5%
CVE-2020-25213 0 0 9.8 97.5%
Table 1. Traffic volumes, change from the previous month, CVSS and EPSS scores for all vulnerabilities that were targeted in either May or June 2023.

One of the more interesting things in Table 1 is the low EPSS score of CVE-2022-24847. This was the third-most targeted CVE in our data last month, but the EPSS likelihood of future exploitation is a mere 1%. There could be many explanations for this—the score was slightly higher, around 2.6%, shortly after the vulnerability was released in April 2022, but subsided around 1% or lower by the beginning of May 2022. While we will never know why this particular vulnerability seems so uninteresting to EPSS when it is clearly being exploited in the wild, this shouldn’t be taken as an indictment of the efficacy of EPSS, which has been proven at scale.1 Perhaps our observations will help refine EPSS parameter weights in the future.

To better illustrate how June contrasts with previous months, Figure 2 shows how fourteen of the most heavily targeted vulnerabilities (the top five from each month of the past year) have ebbed and flowed in terms of attack volume and rank. Note that in this view two vulnerabilities stand out for their rapid growth: CVE-2019-9082 and CVE-2021-3129.

Figure 2. Evolution of vulnerability targeting trends over previous twelve months. This plot shows fourteen vulnerabilities which collectively represent the monthly top five for all twelve months. The rapid growth of CVE-2019-9082 and CVE-2021-3129 are visible in June.

Figure 2. Evolution of vulnerability targeting trends over previous twelve months. This plot shows fourteen vulnerabilities which collectively represent the monthly top five for all twelve months. The rapid growth of CVE-2019-9082 and CVE-2021-3129 are visible in June. 

Figure 3 shows traffic volume for the past year for all 70 of the tracked CVEs. Note the log10 scale on the y-axis. Other than some of the fluctuations we’ve discussed in above figures, not much changed last month.

Figure 3. Traffic volume by vulnerability. June 2023 did not see much significant change in traffic volume for any notable CVEs.

Figure 3. Traffic volume by vulnerability. June 2023 did not see much significant change in traffic volume for any notable CVEs.

Conclusions

The comparative stability in attacker trends according to our data brings to mind an analysis we looked at earlier this year. In February 2023 we published a report in collaboration with the Cyentia Institute1 examining the long-term history and evolution of the CVE Landscape. Figure 4, below, is an analysis from that report which plots the density with which CWEs were assigned to CVEs over time. In essence this figure shows the degree of dominance that any one type of vulnerability had over the landscape of new vulnerabilities at that time.

Figure 4. CWEs by percentage of CVEs published per quarter. Note the comparative diversity of CWEs in more recent CVEs as compared with the period 2005-2016.

Figure 4. CWEs by percentage of CVEs published per quarter. Note the comparative diversity of CWEs in more recent CVEs as compared with the period 2005-2016.

The most glaring example of a predominant vulnerability type is visible in the top row, which is CWE-79: Improper Neutralization of Input During Web Page Generation, more commonly known as cross-site scripting (XSS). Cross-site scripting dominated the field of CVEs from 2011-2016, at times making up 60% of published vulns in a quarter. SQL injection was nearly as predominant from late 2007 to mid-2009.

In contrast to this, we currently abide in a period of expanding CWE diversity, with no one vulnerability type predominant. We haven’t yet had the time to explore the CWEs of the CVEs we track, but the trends in this latest traffic are also a reminder that old vulnerabilities never go away—witness the 10 year old Apache Solr CVE in our top ten this month. So while new vulnerabilities come from a much broader set of types, old favorites will most likely be one of these predominant types. We don’t have any answers on this line of inquiry at the moment, but we mention this CWE analysis just as another way to think about patterns and trends in terms of vulnerability management. And with that, we’ll see you in August, when the attackers will hopefully have done something more interesting.

Previous article in this series
Next article in this series

Recommendations

Technical
Preventative
  • Scan your environment for vulnerabilities aggressively.
  • Patch high-priority vulnerabilities (defined however suits you) as soon as feasible.
  • Engage a DDoS mitigation service to prevent the impact of DDoS on your organization.
Technical
Detective
  • Use a WAF or similar tool to detect and stop web exploits.
  • Monitor anomalous outbound traffic to detect devices in your environment that are participating in DDoS attacks.
Join the Discussion
Authors & Contributors
Sander Vinberg (Author)
Threat Research Evangelist, F5 Labs
Footnotes

1For an examination of the design and performance of the latest EPSS model see https://arxiv.org/abs/2302.14172.

2https://www.cyentia.com/

Read More from F5 Labs

2023 Identity Threat Report: The Unpatchables
2023 Identity Threat Report: The Unpatchables
11/01/2023 report 80 min. read
Sensor Intel Series: Top CVEs in January 2024
Sensor Intel Series: Top CVEs in January 2024
02/19/2024 article 8 min. read
Bots Cheat to Win
Bots Cheat to Win
02/05/2024 article 17 min. read