Rise in Zero-Day Exploits: A Growing Threat in 2023
October 16, 2024
Google, in collaboration with Mandiant security analysts, has reported a concerning trend in 2023 where 70% of disclosed vulnerabilities that were actively exploited were zero-days. Out of 138 vulnerabilities, 97 (70.3%) were exploited as zero-days, indicating that threat actors launched attacks using these flaws before the vendors were even aware of the bugs or had a chance to create patches.
From 2020 to 2022, the ratio of n-days (fixed flaws) to zero-days (flaws with no available fix) held steady at 4:6. However, in 2023, this ratio shifted to 3:7. Google clarifies that this is not due to a decrease in the number of n-days exploited, but rather an increase in zero-day exploitation and the enhanced ability of security vendors to detect it.
The rise in malicious activity and the diversification of targeted products is reflected in the increased number of vendors impacted by actively exploited flaws. In 2023, a record 56 vendors were affected, up from 44 in 2022, and surpassing the previous high of 48 vendors in 2021.
Another noteworthy trend is the reduced time-to-exploit (TTE) for a newly disclosed flaw, which has now fallen to just five days. This is a significant decrease from the 63 days in 2018-2019 and the 32 days in 2021-2022. With such a short TTE, strategies such as network segmentation, real-time detection, and urgent patch prioritization have become crucial.
Google also reported that there is no correlation between the disclosure of exploits and TTE. In 2023, 75% of exploits were publicly disclosed before exploitation had begun, and 25% were disclosed after hackers had already started exploiting the flaws.
Two examples provided in the report to illustrate the lack of a consistent relationship between public exploit availability and malicious activity are CVE-2023-28121 (WordPress plugin) and CVE-2023-27997 (Fortinet FortiOS). In the case of CVE-2023-28121, exploitation began three months after disclosure and ten days after a proof-of-concept was published. For CVE-2023-27997, the flaw was immediately weaponized in public exploits, but the first malicious exploitation event was recorded four months later.
Google concludes that factors such as the difficulty of exploitation, threat actor motivation, target value, and overall attack complexity all influence TTE, and a direct or isolated correlation with proof-of-concept availability would be misleading.
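To make the report's definitions concrete, here is an added example (not code from Google or Mandiant) that classifies vulnerability records as zero-day or n-day by whether a fix existed at first exploitation, computes TTE from disclosure, and measures the gap between a public PoC and first exploitation. The dates are constructed to mirror the relative timelines the article describes for the two cited CVEs, not their real advisory dates, and the `CVE-EXAMPLE-*` entries are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class VulnRecord:
    cve: str
    disclosed: date                     # public disclosure / vendor advisory
    patched: Optional[date]             # first fix available; None if still unpatched
    first_exploited: date               # first observed in-the-wild exploitation
    poc_public: Optional[date] = None   # public proof-of-concept, if any

    def is_zero_day(self) -> bool:
        # Zero-day in the report's sense: exploited before any vendor fix existed
        return self.patched is None or self.first_exploited < self.patched

    def tte_days(self) -> int:
        # Time-to-exploit measured from disclosure; negative means exploited pre-disclosure
        return (self.first_exploited - self.disclosed).days

    def poc_lead_days(self) -> Optional[int]:
        # Days from public PoC to first exploitation (None when no PoC was published)
        return None if self.poc_public is None else (self.first_exploited - self.poc_public).days

def summarize(records: list) -> dict:
    zero_days = [r for r in records if r.is_zero_day()]
    n_days = [r for r in records if not r.is_zero_day()]
    return {
        "total": len(records),
        "zero_days": len(zero_days),
        "zero_day_share": round(len(zero_days) / len(records), 3),
        "median_tte_days": median([r.tte_days() for r in records]),
        "median_tte_ndays_only": median([r.tte_days() for r in n_days]) if n_days else None,
    }

# Constructed sample: illustrative dates only, chosen to reproduce the article's
# relative timelines (not the actual advisory or exploitation dates).
D = date(2023, 1, 1)
SAMPLE = [
    VulnRecord("CVE-2023-28121", D, D, date(2023, 4, 1), poc_public=date(2023, 3, 22)),  # ~3 months after disclosure, 10 days after PoC
    VulnRecord("CVE-2023-27997", D, D, date(2023, 5, 1), poc_public=D),                  # PoC on day one, exploited ~4 months later
    VulnRecord("CVE-EXAMPLE-0001", date(2023, 2, 10), date(2023, 2, 10), date(2023, 1, 20)),  # zero-day: exploited before the fix
    VulnRecord("CVE-EXAMPLE-0002", date(2023, 3, 1), date(2023, 3, 1), date(2023, 3, 6)),     # n-day exploited after 5 days
]

if __name__ == "__main__":
    for r in SAMPLE:
        kind = "zero-day" if r.is_zero_day() else "n-day"
        print(f"{r.cve}: {kind}, TTE={r.tte_days()}d, PoC lead={r.poc_lead_days()}")
    print(summarize(SAMPLE))
```

The PoC-lead column is what the article's two examples contradict each other on: a ten-day gap in one case and a four-month gap in the other, which is why PoC availability alone is a poor prioritization signal.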