Welcome back to the Sensor Intelligence Series, our recurring monthly summary of vulnerability intelligence based on distributed passive sensor data. This time, we added a section that briefly discusses some of the most common scanning traffic that is not strictly vulnerability related, to continue providing broader context.
This month, we found evidence of two more CVEs in our data, specifically CVE-2018-9995, an authentication bypass in TBK DVR devices, and CVE-202-11625, an information disclosure vulnerability in AvertX Night Vision camera models HD383 and HD438. Neither of these was seen a great deal, however, so they don’t really come into play for the analysis that follows, except as a general note that attacker scanning of IoT devices continues apace.
So, without any further ado, let’s dig into the changes we saw in November for the CVEs we track.
November Vulnerabilities by the Numbers
Figure 1 shows the traffic for the top 10 CVEs in November. CVE-2022-24847, an RCE in the open-source GeoServer software, and CVE-2022-22947, an RCE in the Spring Cloud Gateway product, rose to our top spots. These are nothing new, the latter having been seen in our data at moderately high levels over at least the last year, and the former having been active since February this year. CVE-2020-8958, a Guangzhou router command injection vulnerability, has thus continued to fall in position, as it did last month. Last month’s top seen vulnerability, CVE-2017-9841, an RCE in PHPUnit, now 5 years old, comes in at fourth position. Overall traffic in the CVEs we track dropped again as it did in October.
Table 1 shows traffic for November, change in traffic from October, CVSS v3.x score, and EPSS scores for 70 CVEs and other vulnerabilities. Our list of vulnerabilities with confirmed attack or scanning traffic currently stands at 84, but 11 vulnerabilities saw no traffic in either October or November and so don’t make this table.