Here we are in April 2023, which gives us another opportunity to see what vulnerabilities attackers were most interested in last month. After receiving a huge amount of attacker attention from November 2022 to February 2023, CVE-2020-8958 has returned to volumes of traffic more consistent with what we’d come to expect over the last year or so. However, it still remained the top targeted CVE in our list, with more than double the number of scan or exploit attempts of the next most frequent vulnerability, CVE-2022-22947. We’ll also explore the dramatic decline in traffic targeting CVE-2020-25078, as well as a preponderance of Microsoft CVEs in the top ten for March. Let’s jump into the data.
March Vulnerabilities by the Numbers
Figure 1 shows the top ten vulnerabilities and their traffic for March. CVE-2020-8958 is still sitting at the top, though at a smaller volume than in some recent months. Below that we see a few old regulars, such as CVE-2017-9841. However, we also note that 3 of the top 10, or really 4 of the top 11, are Microsoft Exchange vulnerabilities: CVE-2020-0688, CVE-2020-28481, CVE-2021-34473, and CVE-2022-41040. Note that CVE-2021-34473 and CVE-2022-41040 are lumped together here because they are difficult to differentiate with data from passive sensors. They target the same request URI, and have similar HTTP parameters, but one requires prior authentication and and one does not.
In any case, even though none of these Exchange CVEs is dominating the landscape on its own, collectively they appear to represent an uptick in focus on Microsoft in general and Exchange remote code execution (RCE) vulns in particular.
Table 1 shows traffic volumes for all vulnerabilities that we’re tracking, along with change from the previous month.
|2018 JAWS Web Server Vuln||1165||-523|
|Citrix XML Buffer Overflow||215||-65|
To better understand how March contrasts with previous months, Figure 2 shows a bump plot of targeting frequency. To avoid overplotting, this shows thirteen CVEs which together constitute the top five for each of the twelve months. While some other views of the data might be more useful for assessing a single vulnerability, this plot is particularly useful for understanding how dynamic this targeting landscape is, and how much our traffic changes from month to month.