Sensor Intel Series: Top CVEs in May 2023

The stubborn one-way passage of time means that it is time for another round of vulnerability targeting intelligence. Web attacks in May 2023 had a lot in common with those in April, with eight of the top ten vulnerabilities remaining consistent across the two months. In that vein of continuity, CVE-2020-8958, the Guangzhou GPON router vulnerability which attackers have targeted heavily for more than a year, continued to draw more than twice the attack traffic of any other CVE.

Also in the top ten were two vulnerabilities which were only recently added to our list of signatures: CVE-2022-24847, a GeoServer remote code execution (RCE) vulnerability that we added in May, and CVE-2021-26855, one of the ProxyLogon vulnerabilities in Microsoft Exchange Server. We actually had a signature already in place for CVE-2021-26855, but after a review of exploit code we have changed that to cover CVE-2021-27065, which is another Exchange Server vulnerability with many similarities, but which sees much less traffic. The upshot is that we are now representing traffic against Microsoft Exchange Server vulnerabilities more accurately, which is good because—stop me if you’ve heard this one—Microsoft Exchange Server is quite the popular piece of software.

May Vulnerabilities by the Numbers

Figure 1 shows the volume of attack traffic for the top ten vulnerabilities in May by volume. Here the overwhelming popularity of CVE-2020-8958 is apparent. It is also notable, however, just how many Microsoft Exchange Server vulnerabilities are present: four out of the top ten (or really five out of the top eleven, since we can’t distinguish CVE-2022-41040 from CVE-2021-34473 with these logs) are targeting Microsoft Exchange Server. This isn’t surprising, given the ubiquity and prominence of the product in enterprise systems, but there seems to have been a marked uptick in Microsoft targeting in the last few months.

Table 1 displays the traffic volume for all of the vulnerabilities that showed up in our systems in either May or April (i.e. not all of the 67 vulnerabilities we track are present here). As usual, the change from the previous month is included, but we’ve also included two metrics that are new to this series: Common Vulnerability Scoring System (CVSS) v3.x scores, and Exploit Prediction Scoring System (EPSS) scores. We’ve included these scores because both are valuable sources of vulnerability intelligence that can help put our own observations, which are necessarily limited like all logs of Web traffic, into perspective. As EPSS scores forecast exploitation likelihood in the next 30 days, they are also time-bound. The scores represented here are from June 1 2023, or the day immediately after the period in question.

It is particularly interesting to see some extraordinarily low EPSS scores among the top-targeted vulnerabilities. While an 83% likelihood of exploitation for CVE-2020-8958 shouldn’t be read as a false negative (it still is in the 97^th percentile), CVE-2017-1000226 has a likelihood of exploitation of 0.1%, which makes this latest rash of attacks quite interesting. We will keep an eye on that EPSS score to see if it increases as logs from this targeting campaign make their way into EPSS’ training data.

Targeting Trends

To better illustrate how May contrasts with previous months, Figure 2 shows how fourteen of the most heavily targeted vulnerabilities (the top five from each month of the past year) have ebbed and flowed in terms of attack volume and rank. May 2023 didn’t see a huge amount of change in this respect other than the 2018 JAWS Web Server Vulnerability (another Internet of Things vulnerability in a digital video recorder), which decreased 72% from April traffic. While some other vulnerabilities changed rank, none of this group of fourteen changed dramatically in volume.

Long Term Trends

Figure 3 shows traffic volume for the past year for all 67 of the tracked CVEs. The growth of the GeoServer vulnerability (CVE-2022-24847) over the previous three months is still apparent (third row, rightmost column), although it is interesting to see that the volume has leveled out. CVE-2020-25078, a remote administrator password disclosure vulnerability in D-Link IP cameras, has begun to grow again after declining from a local high in February 2023. We will be watching to see whether it reaches new heights or subsides again.

Conclusions

Another interesting thing about this month’s data is that our signatures happen to include the CVE with the single highest EPSS score and percentile in the dataset as of June 1: CVE-2018-7600. This is a remote code execution vulnerability in various versions of Drupal, and has a CVSS v3.x score of 9.8 (critical). However, despite the high probability of exploit, this seemingly nasty vulnerability’s attack activity was scant in our records, with May traffic against it totaling… one connection. By comparison, April was a bloodbath, featuring three connections (!).

It is tempting to interpret this kind of disparity between different intelligence sources as a sign that one, or both, are skewed or just wrong. In reality they are merely partial in different ways: the signals that we analyze for the SIS are real field observations, but represent a tiny slice of attack traffic on the Web. In contrast, EPSS’ scores are directly generated according to leading indicators, not real attack activity, although observed attacks constitute the training data that is used to weight the various indicators. In short, different kinds of sources like this should always be used complementarily, which is what makes the fact that EPSS is open-source particularly useful. We hope our own sensor intelligence is useful as well. And with that, we’ll see you in July.