This month’s story in vulnerability targeting trends is one of stability. Even though two of the top ten vulnerabilities changed in June compared with May, and a few vulnerabilities more than doubled in volume, all of the change was minor in the big picture. We did, however, identify a few vulnerabilities that were novel to us, and added four more signatures.
June Vulnerabilities by the Numbers
Figure 1 shows the top ten vulnerabilities by traffic for the month of June. Most of these are old friends by now: CVE-2020-8958 (GPON router), CVE-2017-9841 (PHPUnit), and several others are commonplace in the top ten. On the other hand, both CVE-2019-9082 (ThinkPHP) and CVE-2013-6397 (Apache Solr) more than doubled compared with May, putting them in the top ten for the first time in a while.
Top 10 CVEs for Ports 80/443, June 2023
Figure 1. Top ten targeted vulnerabilities in June 2023. CVE-2019-9082 and CVE-2013-6397 replaced two others in the top ten this month, which was the most traffic CVE-2013-6397 has received in nearly a year.
Table 1 displays the traffic volume for all of the vulnerabilities that showed up in our systems in either June or July. Note that we track 71 vulnerabilities and this list only shows 50: 20 CVEs are present in our data at some point but didn't show up in either of the last two months. As a reminder, last month we started including CVSS v3.x and Exploit Prediction Scoring System (EPSS) scores to cross-reference with our own observations. Since EPSS scores vary over time, these scores were collected on 1 July 2023, at the end of our period of observation.
| CVE Number | June Traffic | Change from May | CVSS v3.x | EPSS Score |
|---|---|---|---|---|
| CVE-2020-8958 | 9220 | 1530 | 7.2 | 83.1% |
| CVE-2017-9841 | 5027 | 2173 | 9.8 | 97.5% |
| CVE-2022-24847 | 2606 | -120 | 7.2 | 0.1% |
| CVE-2019-9082 | 1731 | 1069 | 8.8 | 97.5% |
| CVE-2021-3129 | 1614 | 1006 | 9.8 | 97.5% |
| CVE-2022-22947 | 1520 | -450 | 10 | 97.6% |
| CVE-2020-0688 | 1292 | -111 | 8.8 | 97.3% |
| CVE-2013-6397 | 1150 | 760 | n/a | 71.4% |
| CVE-2022-41040/CVE-2021-34473 | 1013 | -109 | 9.8 | 97.3% |
| 2018 JAWS Web Server Vuln | 985 | 200 | n/a | n/a |
| CVE-2021-28481 | 932 | -474 | 9.8 | 2.3% |
| CVE-2020-25078 | 840 | 615 | 7.5 | 97.0% |
| CVE-2021-26855 | 711 | -338 | 9.8 | 97.5% |
| CVE-2020-15505 | 499 | 213 | 9.8 | 97.5% |
| CVE-2017-18368 | 370 | 131 | 9.8 | 97.6% |
| CVE-2018-10561 | 294 | -42 | 9.8 | 97.5% |
| CVE-2021-22986 | 216 | 39 | 9.8 | 97.5% |
| CVE-2022-1388 | 43 | 43 | 9.8 | 97.5% |
| CVE-2014-2908 | 254 | -61 | n/a | 0.6% |
| Citrix XML Buffer Overflow | 250 | -59 | n/a | n/a |
| CVE-2021-40539 | 243 | 55 | 9.8 | 97.5% |
| NETGEAR-MOZI | 203 | -46 | n/a | n/a |
| CVE-2019-18935 | 184 | -131 | 9.8 | 90.8% |
| CVE-2021-26084 | 146 | 137 | 9.8 | 97.5% |
| CVE-2018-13379 | 144 | -184 | 9.8 | 97.5% |
| CVE-2021-26086 | 134 | -237 | 5.3 | 94.4% |
| CVE-2017-1000226 | 117 | -249 | 5.3 | 0.1% |
| CVE-2022-40684 | 101 | 84 | 9.8 | 96.7% |
| CVE-2021-44228 | 84 | -7 | 10 | 97.6% |
| CVE-2021-27065 | 53 | 52 | 7.8 | 92.5% |
| CVE-2022-22965 | 30 | 3 | 9.8 | n/a |
| CVE-2021-21985 | 21 | 7 | 9.8 | 97.5% |
| CVE-2020-3452 | 17 | 0 | 7.5 | 97.6% |
| CVE-2008-2052 | 8 | 0 | n/a | 0.2% |
| CVE-2019-9670 | 8 | -12 | 9.8 | 97.5% |
| CVE-2021-41277 | 5 | 0 | 10 | 96.7% |
| CVE-2021-25369 | 4 | 0 | 6.2 | 0.1% |
| CVE-2018-20062 | 3 | -37 | 9.8 | 96.8% |
| CVE-2018-18775 | 2 | 0 | 6.1 | 0.2% |
| CVE-2019-12725 | 2 | -150 | 9.8 | 96.7% |
| CVE-2020-13167 | 2 | 0 | 9.8 | 97.4% |
| CVE-2021-21315 | 2 | 0 | 7.8 | 96.9% |
| CVE-2021-29203 | 2 | 0 | 9.8 | 95.6% |
| CVE-2021-33564 | 2 | 0 | 9.8 | 6.1% |
| CVE-2020-7796 | 1 | 0 | 9.8 | 74.8% |
| CVE-2021-33357 | 1 | 0 | 9.8 | 96.4% |
| CVE-2007-3010 | 0 | 0 | n/a | 97.3% |
| CVE-2018-7600 | 0 | 0 | 9.8 | 97.6% |
| CVE-2020-17496 | 0 | 0 | 9.8 | 97.5% |
| CVE-2020-25213 | 0 | 0 | 9.8 | 97.5% |
Table 1. Traffic volumes, change from the previous month, CVSS and EPSS scores for all vulnerabilities that were targeted in either May or June 2023.
One of the more interesting things in Table 1 is the low EPSS score of CVE-2022-24847. This was the third-most targeted CVE in our data last month, but the EPSS likelihood of future exploitation is a mere 1%. There could be many explanations for this. The score was slightly higher, around 2.6%, shortly after the vulnerability was released in April 2022, but subsided to around 1% or lower by the beginning of May 2022. While we will never know why this particular vulnerability seems so uninteresting to EPSS when it is clearly being exploited in the wild, this shouldn't be taken as an indictment of the efficacy of EPSS, which has been proven at scale.[1] Perhaps our observations will help refine EPSS parameter weights in the future.
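The cross-referencing described above is straightforward to automate. The following is an added example, not F5 Labs' own tooling: it loads a subset of Table 1 (the traffic counts and scores are the page's numbers, with the May column derived as June traffic minus the reported change, and EPSS converted to a fraction), ranks the CVEs by observed traffic, finds the ones that more than doubled month over month, and flags rows where a purely EPSS-driven patch queue would disagree with what the sensors see. The `epss_floor` threshold of 10% is an assumption chosen for illustration.

```python
"""Cross-reference observed exploitation telemetry with EPSS scores.

Added example, not F5 Labs' code. TABLE_1 below is a hand-copied subset of
the page's Table 1; any real pipeline would read the full table and fetch
EPSS from FIRST's API on the same date the traffic was collected.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Observation:
    cve: str
    june_traffic: int
    change_from_may: int
    cvss: Optional[float]   # None where the page prints "n/a"
    epss: Optional[float]   # probability 0..1, None where unscored

    @property
    def may_traffic(self) -> int:
        # The page reports June volume and the delta; recover May from them.
        return self.june_traffic - self.change_from_may


# Subset of Table 1, values as printed on the page (EPSS as a fraction).
TABLE_1: List[Observation] = [
    Observation("CVE-2020-8958", 9220, 1530, 7.2, 0.831),
    Observation("CVE-2017-9841", 5027, 2173, 9.8, 0.975),
    Observation("CVE-2022-24847", 2606, -120, 7.2, 0.001),
    Observation("CVE-2019-9082", 1731, 1069, 8.8, 0.975),
    Observation("CVE-2021-3129", 1614, 1006, 9.8, 0.975),
    Observation("CVE-2013-6397", 1150, 760, None, 0.714),
    Observation("CVE-2021-28481", 932, -474, 9.8, 0.023),
    Observation("CVE-2022-1388", 43, 43, 9.8, 0.975),
]


def rank_by_traffic(rows: List[Observation]) -> List[str]:
    """CVE ids ordered by June traffic, highest first."""
    return [r.cve for r in sorted(rows, key=lambda r: r.june_traffic, reverse=True)]


def doubled_since_may(rows: List[Observation]) -> List[str]:
    """CVEs whose June traffic is more than double their May traffic.

    Rows with zero May traffic are excluded: "more than doubled" is
    undefined for them, and they are reported by new_this_month instead.
    """
    return [r.cve for r in rows
            if r.may_traffic > 0 and r.june_traffic > 2 * r.may_traffic]


def new_this_month(rows: List[Observation]) -> List[str]:
    """CVEs with no traffic in May but some in June."""
    return [r.cve for r in rows if r.may_traffic == 0 and r.june_traffic > 0]


def epss_disagreements(rows: List[Observation], top_n: int = 10,
                       epss_floor: float = 0.10) -> List[str]:
    """CVEs inside the observed top_n whose EPSS is below epss_floor.

    These are the rows where prioritising on EPSS alone would push
    something the sensors are actively seeing down the patch queue, so
    they deserve a manual look rather than automatic deferral.
    """
    top = set(rank_by_traffic(rows)[:top_n])
    return sorted(r.cve for r in rows
                  if r.cve in top and r.epss is not None and r.epss < epss_floor)


if __name__ == "__main__":
    print("Top by traffic:", rank_by_traffic(TABLE_1))
    print("More than doubled:", doubled_since_may(TABLE_1))
    print("New this month:", new_this_month(TABLE_1))
    print("High traffic, low EPSS:", epss_disagreements(TABLE_1))
```

Run against this subset, `doubled_since_may` returns exactly the three CVEs the text singles out for growth (CVE-2019-9082, CVE-2021-3129, CVE-2013-6397), and `epss_disagreements` surfaces CVE-2022-24847 alongside CVE-2021-28481, the other top-ten row whose EPSS sits in the low single digits. The useful habit is the last function: treat a disagreement between telemetry and a predictive score as a review trigger, not as evidence that either source is wrong.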
Targeting Trends
To better illustrate how June contrasts with previous months, Figure 2 shows how fourteen of the most heavily targeted vulnerabilities (the top five from each month of the past year) have ebbed and flowed in terms of attack volume and rank. Note that in this view two vulnerabilities stand out for their rapid growth: CVE-2019-9082 and CVE-2021-3129.
Figure 2. Evolution of vulnerability targeting trends over previous twelve months. This plot shows fourteen vulnerabilities which collectively represent the monthly top five for all twelve months. The rapid growth of CVE-2019-9082 and CVE-2021-3129 are visible in June.
Long Term Trends
Figure 3 shows traffic volume for the past year for all 70 of the tracked CVEs. Note the log10 scale on the y-axis. Other than some of the fluctuations we've discussed in the figures above, not much changed last month.
Figure 3. Traffic volume by vulnerability. June 2023 did not see much significant change in traffic volume for any notable CVEs.
Conclusions
The comparative stability in attacker trends according to our data brings to mind an analysis we looked at earlier this year. In February 2023 we published a report in collaboration with the Cyentia Institute[1] examining the long-term history and evolution of the CVE landscape. Figure 4, below, is an analysis from that report which plots the density with which CWEs were assigned to CVEs over time. In essence this figure shows the degree of dominance that any one type of vulnerability had over the landscape of new vulnerabilities at that time.
Figure 4. CWEs by percentage of CVEs published per quarter. Note the comparative diversity of CWEs in more recent CVEs as compared with the period 2005-2016.
The most glaring example of a predominant vulnerability type is visible in the top row, which is CWE-79: Improper Neutralization of Input During Web Page Generation, more commonly known as cross-site scripting (XSS). Cross-site scripting dominated the field of CVEs from 2011-2016, at times making up 60% of published vulns in a quarter. SQL injection was nearly as predominant from late 2007 to mid-2009.
In contrast to this, we are currently in a period of expanding CWE diversity, with no one vulnerability type predominant. We haven't yet had the time to explore the CWEs of the CVEs we track, but the trends in this latest traffic are also a reminder that old vulnerabilities never go away; witness the 10-year-old Apache Solr CVE in our top ten this month. So while new vulnerabilities come from a much broader set of types, old favorites will most likely be one of these predominant types. We don't have any answers on this line of inquiry at the moment, but we mention this CWE analysis just as another way to think about patterns and trends in terms of vulnerability management. And with that, we'll see you in August, when the attackers will hopefully have done something more interesting.
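The metric behind Figure 4 is the fraction of CVEs published in a quarter that carry a given CWE. The following is an added example, not the F5 Labs / Cyentia analysis itself: it computes that share per quarter from a small constructed set of CVE records (the ids and dates are made up; a real run would read NVD's published dates and CWE assignments), and reports the dominant CWE per quarter so the "one type at 60%" versus "many types, none dominant" contrast can be read off directly.

```python
"""Share of published CVEs tagged with each CWE, per quarter.

Added example, not the report's code. SAMPLE_CVES is constructed data with
placeholder ids; the shapes mirror what NVD provides (publish date plus a
list of CWE ids, possibly empty, possibly more than one).
"""
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, Tuple

CveRecord = Tuple[str, date, List[str]]  # (cve id, published, CWE ids)

# Constructed sample: a 2012 quarter dominated by XSS and a 2023 quarter
# where four CVEs carry four different CWEs.
SAMPLE_CVES: List[CveRecord] = [
    ("CVE-EXAMPLE-0001", date(2012, 1, 15), ["CWE-79"]),
    ("CVE-EXAMPLE-0002", date(2012, 2, 3), ["CWE-79"]),
    ("CVE-EXAMPLE-0003", date(2012, 3, 20), ["CWE-89"]),
    ("CVE-EXAMPLE-0004", date(2012, 3, 28), ["CWE-79", "CWE-352"]),
    ("CVE-EXAMPLE-0005", date(2012, 3, 30), []),          # no CWE assigned
    ("CVE-EXAMPLE-0006", date(2023, 4, 2), ["CWE-787"]),
    ("CVE-EXAMPLE-0007", date(2023, 5, 11), ["CWE-79"]),
    ("CVE-EXAMPLE-0008", date(2023, 6, 9), ["CWE-22"]),
    ("CVE-EXAMPLE-0009", date(2023, 6, 30), ["CWE-502"]),
]


def quarter_of(d: date) -> str:
    """Calendar quarter label such as '2012Q1'."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def cwe_share_by_quarter(records: List[CveRecord]) -> Dict[str, Dict[str, float]]:
    """Map quarter -> {cwe: fraction of that quarter's CVEs tagged with it}.

    A CVE with several CWEs counts once toward each of them, and a CVE with
    no CWE still counts in the denominator, so a quarter's shares need not
    sum to exactly 1. That matches how a 'percentage of CVEs' chart reads.
    """
    total: Counter = Counter()
    per_cwe: Dict[str, Counter] = defaultdict(Counter)
    for _cve, published, cwes in records:
        q = quarter_of(published)
        total[q] += 1
        for cwe in set(cwes):          # dedupe in case a feed repeats a CWE
            per_cwe[q][cwe] += 1
    return {q: {cwe: n / total[q] for cwe, n in per_cwe[q].items()} for q in total}


def dominant_cwe(shares: Dict[str, Dict[str, float]]) -> Dict[str, Tuple[str, float]]:
    """Per quarter, the CWE with the largest share together with that share."""
    return {q: max(d.items(), key=lambda kv: kv[1]) for q, d in shares.items() if d}


if __name__ == "__main__":
    shares = cwe_share_by_quarter(SAMPLE_CVES)
    for q in sorted(shares):
        cwe, share = dominant_cwe(shares)[q]
        print(f"{q}: {len(shares[q])} distinct CWEs, dominant {cwe} at {share:.0%}")
```

On the constructed data, 2012Q1 comes out with CWE-79 on 60% of its CVEs, the same kind of single-type dominance the text describes for 2011 to 2016, while 2023Q2 has four CWEs at 25% each and no leader. Dropping the `set(cwes)` dedupe or excluding CWE-less CVEs from the denominator both change the numbers, so whichever convention a chart uses should be stated next to it.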
Sander Vinberg is a Threat Research Evangelist for F5 Labs. As the lead researcher on the Application Protection Research Series, he specializes in the evolution of the threat landscape over the long term. He holds a master’s degree from the University of Washington in Information Management, as well as bachelor’s degrees in History and African and African-American Studies from the University of Chicago.