Summary of Vulnerabilities Most Likely to Be Exploited

14/02/2024

Summary of Vulnerabilities Most Likely to Be Exploited

By Guillermo Pereyra, Security Analyst at LACNIC CSIRT.

The following article presents a summary of the vulnerabilities that had the highest probability of being exploited during the second half of 2023.

As mentioned in our first article, the tools provided by FIRST can be used to find the vulnerabilities most likely to be exploited. Likewise, we used the NIST vulnerability classifier to discover the severity of each vulnerability.

We then filtered the vulnerabilities, prioritizing those with a higher probability of being exploited.

Figure 1. Vulnerabilities throughout the second semester ordered by their probability of being exploited.

Additional reading:

Details of some vulnerabilities

The following is a table with some critical vulnerabilities that had a greater likelihood of being exploited during the second half of last year.

Top 10 Table

CVECVSS v3.1EPSS (Q4 2023)
CVE-2019-16537.5 HIGH0.97567
CVE-2014-62717.5 HIGH0.97564
CVE-2015-72977.5 HIGH0.97564
CVE-2018-76009.8 CRITICAL0.9756
CVE-2015-163510 HIGH (CVSS v2)0.97559
CVE-2019-27259.8 CRITICAL0.97559
CVE-2017-89179.8 CRITICAL0.97555
CVE-2019-166629.8 CRITICAL0.97555
CVE-2020-59029.8 CRITICAL0.97555
CVE-2020-147509.8 CRITICAL0.97553

CVE-2019-1653 – Information disclosure vulnerability in Cisco Small Business RV320 and RV325 Routers

CVSSv3.1: 7.5 HIGH

Vulnerable versions: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers using Firmware from 1.4.2.15 to 1.4.2.20.

Solution: Update to the newest possible version.

Description: Vulnerability in the Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers’ web manager might allow a remote, unauthenticated attacker to download the system configuration.

Reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190123-rv-info.html

CVE-2019-2725 and CVE-2020-14750 – Vulnerabilities in Oracle WebLogic Server

CVSSv3.1: 9.8 CRITICAL

Vulnerable versions: Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.4.0, 14.1.1.0.0.

Solution: Update to the newest possible version.

Description: Remote code execution without the need for authentication.

Reference: https://www.oracle.com/security-alerts/alert-cve-2019-2725.html

Summary

Overall, the vulnerabilities most likely to be exploited are persistent issues. They are used to compromise systems that have not been updated. This is coupled with the existence of publicly available exploits or proofs of concept that are generally easily applied by cybercriminals with limited knowledge about the technology they wish to compromise.

Some new vulnerabilities are also actively exploited by criminals. Examples of these include CVE-2023-20198 and CVE-2023-20273, which were released in October 2023 and affect the web configuration feature of Cisco IOS XE Software. In this case, updating the system is suggested. If the update cannot be performed, the web functionalities must be deactivated.

Recommendations

When faced with the challenge of updating multiple systems, it is advisable to prioritize updating those that are most likely to be attacked or compromised.

In this context, there could be a situation where a vulnerability with a HIGH CVSS score is technically difficult to exploit, while at the same time there might be another vulnerability with a MEDIUM CVSS score for which public exploits exist, which would make it easier for it to be exploited by an attacker. To decide this prioritization, we recommend using the EPSS tool offered by FIRST.

References:

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.

Subscribe
Notify of

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments