Over 15 million publicly facing services are susceptible to at least one of the 896 vulnerabilities listed in CISA’s KEV (known exploitable vulnerabilities) catalog.
This massive number is reported by cybersecurity company Rezilion, which conducted large-scale research to identify vulnerable systems exposed to cyberattacks from threat actors, whether state-sponsored or ransomware gangs.
Rezilion’s findings are particularly worrying because the examined vulnerabilities are known and highlighted in CISA’s KEV catalog as actively exploited by hackers, so any delays in their patching maintain a large attack surface, giving threat actors numerous potential targets.
Exposed to attacks
Rezilion used the Shodan web scanning service to find endpoints that are still vulnerable to CVEs added to CISA’s Known Exploitable Vulnerabilities Catalog.
Using these custom search queries, the researchers found 15 million instances vulnerable to 200 CVEs from the catalog.
Over half of those 7 million instances were vulnerable to one of the 137 CVEs concerning Microsoft Windows, making this component a top priority for defenders and an excellent target for attackers.
Excluding Windows, Rezilion has identified the following top-ten CVEs:
Almost half of those are over five years old, so roughly 800,000 machines have not applied security updates for a significant period of time.
“Overall, over 4.5 million internet-facing devices were identified as vulnerable to KEVs discovered between 2010 and 2020,” comments Rezilion in the report.
“It is very concerning that these machines did not patch the relevant published updates for years even though a patch was released, and these vulnerabilities are known to be exploited in the wild.”
Some notable CVEs highlighted in the Rezilion report are:
- CVE-2021-40438: medium-severity information disclosure flaw appearing in almost 6.5 million Shodan results, impacting Apache HTTPD servers v2.4.48 and older.
- Proxyshell: a set of three vulnerabilities impacting Microsoft Exchange, which Iranian APTs chained together for remote code execution attacks in 2021. Shodan returns 14,554 results today.
- ProxyLogon: a set of four flaws impacting Microsoft Exchange, which Russian hackers extensively leveraged in 2021 against U.S. infrastructure. There are still 4,990 systems vulnerable to ProxyLogon, according to Shodan, with 584 located in the U.S.
- HeartBleed (CVE-2014-0160): medium-severity flaw impacting OpenSSL, allowing attackers to leak sensitive information from a process memory. Shodan says a whopping 190,446 are still vulnerable to this flaw.
Furthermore, for CVE-2021-40438, that large number corresponds to the number of websites/services running on Apache, not individual devices, as many websites can be hosted on a single server.
It is also important to underline that Rezilion’s 15 million exposed endpoints estimate is conservative, containing only non-duplicates and also leaving out cases for which the researchers could not find queries that narrowed down product versions.
Rezilion also told BleepingComputer that they did not only rely on built-in Shodan CVE searches for their research but created custom search queries that determined the versions of software running on devices.
“For some of the vulnerabilities we have Shodan’s inherent tags, but mostly we conducted our own analysis which included identifying the specific vulnerable versions for every affected product and designing specific shodan queries that will allow us to identify indications of these versions in the metadata visible to Shodan,” explained Rezilion’s Director of vulnerability research, Yotam Perkal, to BleepingComputer.
Exposure is one thing, but interest from hackers is another, and to answer this, Rezilion used data from Greynoise that monitors and categorizes vulnerability exploitation attempts.
At the top of the list with the most exploited flaws is CVE-2022-26134, having 1,421 results in GreyNoise, and 816 exploitation attempts in the past month.
This critical-severity flaw in Atlassian Confluence Server and Data Center allows a remote attacker to execute an Object-Graph Navigation Language expression on the vulnerable instance.
Other flaws ranking high in the list include CVE-2018-13379, a pre-authentication arbitrary files read impacting FortiOS devices, which has 331 results on GreyNoise, and Log4Shell, a nasty code execution bug on Log4J2 that had 66 exploitation attempts in the past month.
Patching all flaws in your environment is the apparent solution to these risks,
However, if this is a complicated task for your organization, prioritizing critical flaws in your environment or securing them behind a firewall should be the way to go.
Rezilion says that flaws in Microsoft Windows, Adobe Flash Player, Internet Explorer, Google Chrome, Microsoft Office, and Win32k make up one-fourth of CISA’s KEV catalog, so those products would be a good starting point.