Five Eyes nations detail dirty dozen most exploited vulnerabilities
2023-08-07 03:03

Infosec in brief If you're wondering what patches to prioritize, ponder no longer: An international group of cybersecurity agencies has published a list of the 12 most commonly exploited vulnerabilities of 2022 - a list many will recognize.

The coalition of officials from the intelligence and cyber security bodies of the US, Australia, Canada, New Zealand and the United Kingdom - known as the Five Eyes - is urging organizations to get serious about dealing with old vulnerabilities that are being overlooked.

"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," the US Cybersecurity and Infrastructure Security Agency warned in its release of the list.

Leading the dastardly dozen is a vulnerability in Fortinet SSL VPNs. Yes, we know this is an ongoing problem, but this particular vulnerability has been around since 2018 and involves a path traversal bug that can be used to hijack system files.

Critical vulnerabilities of the week: Check your Ether balance!

Mozilla released security updates for Firefox, Firefox ESR and Thunderbird this week that address several vulnerabilities attackers could exploit to take control of affected systems. CISA warned that, although it rates only a 7.2 CVSS score, a path traversal vulnerability in some versions of Ivanti EPMM is under active exploitation, so be sure to patch ASAP. CVSS 9.8 - CVE-2023-28343: APSystems Altenergy Power Control Software contains an OS command injection vulnerability that could allow RCE. The spyware is coming from inside the house, FBI discovers.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/08/07/in_brief_security/

Related Vulnerability

Date: 2023-03-14
CVE: CVE-2023-28343
Title: OS Command Injection vulnerability in Apsystems Energy Communication Unit Firmware C1.2.5
Description: OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
Attack vector: network
Attack complexity: low
Vendor: apsystems
Weakness: CWE-78
Risk: critical
CVSS: 9.8
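The CWE-78 pattern behind CVE-2023-28343, a request parameter reaching a shell command unvalidated, and the corrected handling, as an added illustration. This is hypothetical PHP written for this page, not the vendor's code; the `timedatectl` command, the function names and the sample inputs are assumptions.

```php
<?php
// Hypothetical illustration (not the vendor's code) of the CWE-78 pattern:
// a timezone parameter is interpolated straight into a shell command line.
// Shell metacharacters in the value are interpreted by the shell as extra commands.
function set_timezone_unsafe(string $tz): ?string {
    // Assumed command; the real product's command is not on the page.
    return shell_exec("timedatectl set-timezone " . $tz);
}

// Validation step of the hardened version: accept only a known IANA zone name.
// Anything else is rejected before any command is built or executed.
function is_valid_timezone(string $tz): bool {
    return in_array($tz, timezone_identifiers_list(), true);
}

// Hardened handler: allow-list the value first, then quote it with escapeshellarg()
// as defence in depth so the shell treats it as a single literal argument.
function set_timezone_safe(string $tz): bool {
    if (!is_valid_timezone($tz)) {
        // Reject; a real handler would log the attempt and return HTTP 400.
        return false;
    }
    exec('timedatectl set-timezone ' . escapeshellarg($tz), $output, $status);
    return $status === 0;
}

// Constructed sample inputs: a legitimate zone, and values carrying shell
// metacharacters like those the advisory describes. Only validation runs here.
$inputs = ['Europe/London', 'UTC; echo injected', 'UTC$(echo injected)'];
foreach ($inputs as $tz) {
    printf("%-22s %s\n", $tz, is_valid_timezone($tz) ? 'accepted' : 'rejected');
}
```

Detection-side, the same allow-list check applied to web server logs flags any `timezone` value that is not a valid zone identifier as worth investigating.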