Zero-days account for most exploited bugs last year

Threat actors actively exploited 138 software vulnerabilities last year, 70.3% of which were zero-days, while vendors affected by the abused bugs rose from 44 in 2022 to a record high of 56 in 2023, reports BleepingComputer.

Moreover, the ratio between fixed flaws and zero-days declined from 4:6 between 2020 and 2022 to 3:7 last year, with the change attributed to escalated zero-day abuse and improved zero-day detection, an analysis from Google Cloud Mandiant showed. Additional findings revealed that only five days were needed by malicious actors to exploit security flaws last year, indicating a significant decline from time to exploit periods of 32 days in 2021-2022 and 63 days in 2018-2019. However, TTE was not found to be associated with exploit disclosures, as shown with malicious activity involving the Fortinet FortiOS bug, tracked as CVE-2023-27997, and WooCommerce Payments plugin flaw, tracked as CVE-2023-28121. Such findings further emphasize the importance of real-time vulnerability detection, network segmentation, and patch prioritization, according to researchers.