Most of the top frequently exploited vulnerabilities in 2023 were initially exploited as zero-days, according to data from government agencies in the Five Eyes intelligence alliance.

Compared to the previous year, when less than half of the top exploited flaws were caught in the wild as zero-days, 2023 marked a significant increase in the exploitation of zero-days for the compromise of enterprise networks, according to an advisory summarizing the data.

The data shows that threat actors continue to successfully exploit vulnerabilities within two years after their public disclosure. “The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities,” the agencies said.

The implementation of security-centered product development lifecycles, increased incentives for responsible vulnerability disclosure, and the use of sophisticated endpoint detection and response (EDR) tools should help reduce the lifespan of zero-days.

The list of 2023’s top exploited vulnerabilities opens with CVE-2023-3519 and CVE-2023-4966, two critical-severity flaws in Citrix NetScaler ADC and Gateway NetScaler instances that were patched in July and October last year, but each had been exploited as zero-day in prior months.

The agencies also highlighted CVE-2023-20198 and CVE-2023-20273, two Cisco IOS XE bugs patched in October 2023, after being chained as zero-days in attacks leading to command execution with root privileges.

Fortinet’s firewalls were also routinely targeted, with threat actors caught last year exploiting CVE-2023-27997 as a zero-day. The critical-severity issue can be exploited remotely, without authentication, to execute arbitrary code on vulnerable FortiOS and FortiProxy instances.

Tracked as CVE-2023-34362, a critical SQL injection vulnerability in the MOVEit Transfer managed file transfer (MFT) software that was exploited as a zero-day in the Cl0p hacking campaign affecting over 2,770 organizations and close to 96 million individuals is also on last year’s top frequently exploited flaws.

Another zero-day disclosed last year and frequently used in attacks is CVE-2023-2868, a remote command injection issue in Barracuda Email Security Gateway (ESG) appliances that had been exploited for months before it was discovered, the agencies said.

Microsoft Outlook was also routinely targeted in malicious attacks, and last year threat actors were seen using CVE-2023-23397, a zero-click flaw that a Russian APT had been exploiting as a zero-day for a full year before patches were released.

The list also includes CVE-2023-22515, a critical improper authorization defect in Atlassian Confluence Data Center and Confluence Server that started being exploited less than a week after being publicly disclosed in late October 2023.

Within days after public disclosure, threat actors also started exploiting CVE-2023-39143, a remote code execution flaw in PaperCut NG/MF print management software, CVE-2023-42793, an authentication bypass in TeamCity CI/CD server, and CVE-2023-49103, an information disclosure issue in ownCloud.

Older security defects routinely exploited last year include CVE-2021-44228, the infamous Log4Shell vulnerability, CVE-2022-47966, a Zoho ManageEngine bug, and CVE-2020-1472, the critical Windows Netlogon Remote Protocol (MS-NRPC) flaw known as Zerologon.

The government agencies warn that 32 other vulnerabilities in products from Apple, Atlassian, Cisco, Dahua, F5, FatPipe, Fortinet, Fortra, GitLab, Ivanti, Juniper Networks, Microsoft, Netwrix, Novi, Progress Telerik, RARLAB, Sophos, Unitronics, and Zoho have been frequencly exploited in the wild.

Vendors and developers are advised to identify routinely exploited classes of vulnerabilities and implement mitigations to eliminate them, to implement secure by design practices, configure production-ready products by default with the most secure settings and include the root cause for every published CVE.

Organizations should follow security best practices, including implementing a robust patch management process, performing automated asset discovery, regularly backing up systems, maintaining an updated cybersecurity incident response plan, implementing strong passwords and phishing-resistant multifactor authentication (MFA), and configuring least-privilege access controls and a Zero Trust Network Architecture.

Related: Many Legacy D-Link NAS Devices Exposed to Remote Attacks via Critical Flaw

Related: Palo Alto Networks Expedition Vulnerability Exploited in Attacks, CISA Warns

Related: Details Shared on Windows Downgrade Attacks After Microsoft Mitigations

Related: Yahoo Discloses NetIQ iManager Flaws Allowing Remote Code Execution