Today, CISA, the National Security Agency (NSA), the FBI, and international partners published a joint Cybersecurity Advisory (CSA), 2023 Top Routinely Exploited Vulnerabilities. As in prior years, this effort highlights multiple vulnerabilities that threat actors are routinely exploiting on devices and software that remain unpatched or are no longer supported by a vendor. These lists, together with the larger CISA Known Exploited Vulnerabilities (KEV) Catalog, are part of a coordinated global effort to help all organizations prioritize vulnerability management activities, including the patching efforts that many struggle with.
According to the report, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 than in 2022, allowing them to conduct operations against high-priority targets. As in 2022, malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after the vulnerability's public disclosure. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing them to pursue more costly and time-consuming methods. In addition, malicious cyber actors find less utility in zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
This year’s list includes the top 15 vulnerabilities, as well as over 30 other routinely exploited vulnerabilities. The authoring agencies strongly encourage all organizations to review and implement the recommended mitigations detailed in the advisory. Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities.
To report suspicious or criminal activity related to information found in the advisory, contact your local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. If you have any further questions, or need to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. Access the full advisory at CISA.
Secure By Design & Demand
CISA continues to push its Secure By Design initiative. The six-month-old pledge not only encourages software manufacturers to produce secure products, but also encourages the customers of those products to demand them. This unified, proactive effort helps eliminate even the possibility of threats, ensuring a much safer digital landscape for all. The pledge has already been signed by many major companies, who have made significant improvements since signing on. For more details, visit The Record.