Summary of Vulnerabilities Most Likely to Be Exploited
14/02/2024
By Guillermo Pereyra, Security Analyst at LACNIC CSIRT.
The following article presents a summary of the vulnerabilities that had the highest probability of being exploited during the second half of 2023.
As mentioned in our first article, the tools provided by FIRST can be used to find the vulnerabilities most likely to be exploited. Likewise, we used the NIST vulnerability classifier to discover the severity of each vulnerability.
We then filtered the vulnerabilities, prioritizing those with a higher probability of being exploited.
Figure 1. Vulnerabilities throughout the second semester ordered by their probability of being exploited.
Details of some vulnerabilities
The following is a table with some critical vulnerabilities that had a greater likelihood of being exploited during the second half of last year.
Top 10 Table
| CVE | CVSS v3.1 | EPSS (Q4 2023) |
| CVE-2019-1653 | 7.5 HIGH | 0.97567 |
| CVE-2014-6271 | 7.5 HIGH | 0.97564 |
| CVE-2015-7297 | 7.5 HIGH | 0.97564 |
| CVE-2018-7600 | 9.8 CRITICAL | 0.9756 |
| CVE-2015-1635 | 10 HIGH (CVSS v2) | 0.97559 |
| CVE-2019-2725 | 9.8 CRITICAL | 0.97559 |
| CVE-2017-8917 | 9.8 CRITICAL | 0.97555 |
| CVE-2019-16662 | 9.8 CRITICAL | 0.97555 |
| CVE-2020-5902 | 9.8 CRITICAL | 0.97555 |
| CVE-2020-14750 | 9.8 CRITICAL | 0.97553 |
CVE-2019-1653 – Information disclosure vulnerability in Cisco Small Business RV320 and RV325 Routers
CVSSv3.1: 7.5 HIGH
Vulnerable versions: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers using Firmware from 1.4.2.15 to 1.4.2.20.
Solution: Update to the newest possible version.
Description: Vulnerability in the Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers’ web manager might allow a remote, unauthenticated attacker to download the system configuration.
Reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190123-rv-info.html
CVE-2019-2725 and CVE-2020-14750 – Vulnerabilities in Oracle WebLogic Server
CVSSv3.1: 9.8 CRITICAL
Vulnerable versions: Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.4.0, 14.1.1.0.0.
Solution: Update to the newest possible version.
Description: Remote code execution without the need for authentication.
Reference: https://www.oracle.com/security-alerts/alert-cve-2019-2725.html
Summary
Overall, the vulnerabilities most likely to be exploited are persistent issues. They are used to compromise systems that have not been updated. This is coupled with the existence of publicly available exploits or proofs of concept that are generally easily applied by cybercriminals with limited knowledge about the technology they wish to compromise.
Some new vulnerabilities are also actively exploited by criminals. Examples of these include CVE-2023-20198 and CVE-2023-20273, which were released in October 2023 and affect the web configuration feature of Cisco IOS XE Software. In this case, updating the system is suggested. If the update cannot be performed, the web functionalities must be deactivated.
Recommendations
When faced with the challenge of updating multiple systems, it is advisable to prioritize updating those that are most likely to be attacked or compromised.
In this context, there could be a situation where a vulnerability with a HIGH CVSS score is technically difficult to exploit, while at the same time there might be another vulnerability with a MEDIUM CVSS score for which public exploits exist, which would make it easier for it to be exploited by an attacker. To decide this prioritization, we recommend using the EPSS tool offered by FIRST.
References:
- What is the Exploit Prediction Scoring System (EPSS)?
- Active Exploitation of CVE-2023-20198 and CVE-2023-20273