Application security

Zero-days account for most exploited bugs last year

Share

Threat actors actively exploited 138 software vulnerabilities last year, 70.3% of which were zero-days, while vendors affected by the abused bugs rose from 44 in 2022 to a record high of 56 in 2023, reports BleepingComputer.

Moreover, the ratio between fixed flaws and zero-days declined from 4:6 between 2020 and 2022 to 3:7 last year, with the change attributed to escalated zero-day abuse and improved zero-day detection, an analysis from Google Cloud Mandiant showed. Additional findings revealed that only five days were needed by malicious actors to exploit security flaws last year, indicating a significant decline from time to exploit periods of 32 days in 2021-2022 and 63 days in 2018-2019. However, TTE was not found to be associated with exploit disclosures, as shown with malicious activity involving the Fortinet FortiOS bug, tracked as CVE-2023-27997, and WooCommerce Payments plugin flaw, tracked as CVE-2023-28121. Such findings further emphasize the importance of real-time vulnerability detection, network segmentation, and patch prioritization, according to researchers.

Zero-days account for most exploited bugs last year

The ratio between fixed flaws and zero-days declined from 4:6 between 2020 and 2022 to 3:7 last year.

Related

VSCode exploited for unauthorized systems access

Threat actors leveraged social engineering techniques to lure targets into executing a malicious MSI installer-spoofing LNK file that would run an obfuscated script, which ensures persistence and downloads the VSCode command-line interface in the absence of VSCode to enable file access and additional compromise.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.