A new analysis reveals a significant increase in the exploitation of zero-day vulnerabilities compared to n-day vulnerabilities in 2023. Out of 138 vulnerabilities tracked, 97 were exploited before patches were released, while only 41 were exploited after.
This indicates a growing preference among attackers for exploiting vulnerabilities before they are patched. The actual exploitation times are likely even earlier than recorded, because of the limitations of the data collection method.
The average time taken to exploit vulnerabilities has significantly decreased over the past few years. From 63 days in 2018-2019, it dropped to 44 days in 2020-2021, then to 32 days in 2021-2022, and finally to just five days in 2023.
This dramatic reduction indicates a growing efficiency in exploiting vulnerabilities, potentially due to factors like improved tools, techniques, and intelligence sharing. Excluding outlier data points (among both n-days and zero-days) slightly increases the average, to 47 days.
Data analysis reveals a significant increase in zero-day exploitation in 2023 compared to previous years (2020-2022). The ratio of n-day to zero-day vulnerabilities exploited went from a steady 38:62 to 30:70, suggesting a rise in attackers’ focus on previously unknown vulnerabilities.
The n-day exploitation remains a threat, with over half (56%) of known vulnerabilities being exploited within the first month after a patch becomes available, which emphasizes the importance of rapid patching alongside vigilance for zero-day attacks.
Mandiant also analyzed the time from public vulnerability disclosure to exploitation. For vulnerabilities where a public exploit was available before attackers started exploiting them, the exploit became public at a median of 7 days after disclosure, and attackers started using it at a median of 30 days after the exploit's release.
For vulnerabilities that were exploited before a public exploit existed, attackers started attacks at a median of 15 days after disclosure, and a public exploit appeared at a median of 4 days after attackers began exploiting it.
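The metrics described above (time-to-exploit, the n-day to zero-day split, the share of n-days exploited within a month of a patch, and the two exploit-availability timelines) can be computed from a defender's own vulnerability-tracking data. The following is an added example, not code from the report or from Mandiant; the records, CVE identifiers and dates in it are constructed placeholders, and the outlier rule (1.5 times the interquartile range) is an assumed analyst choice rather than the report's method.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median, quantiles
from typing import Optional


@dataclass
class VulnRecord:
    """One tracked vulnerability with the three dates the analysis needs."""
    cve: str
    disclosed: date                         # public disclosure / patch availability
    first_exploited: date                   # first observed in-the-wild (ITW) exploitation
    public_exploit: Optional[date] = None   # public exploit code release, if any

    def time_to_exploit(self) -> int:
        # Negative => exploited before disclosure (zero-day); positive => n-day.
        return (self.first_exploited - self.disclosed).days

    def is_zero_day(self) -> bool:
        return self.first_exploited < self.disclosed


# Constructed sample data (placeholder CVE ids and hypothetical dates, not from the report).
SAMPLE = [
    VulnRecord("CVE-0000-0001", date(2023, 1, 10), date(2023, 1, 3)),                       # zero-day, TTE -7
    VulnRecord("CVE-0000-0002", date(2023, 2, 1), date(2023, 1, 20)),                       # zero-day, TTE -12
    VulnRecord("CVE-0000-0003", date(2023, 3, 1), date(2023, 3, 6), date(2023, 3, 4)),      # n-day, exploit code first
    VulnRecord("CVE-0000-0004", date(2023, 4, 1), date(2023, 4, 21), date(2023, 4, 3)),     # n-day, exploit code first
    VulnRecord("CVE-0000-0005", date(2023, 5, 1), date(2023, 5, 16), date(2023, 5, 20)),    # n-day, ITW before exploit code
    VulnRecord("CVE-0000-0006", date(2023, 6, 1), date(2024, 1, 28)),                       # n-day, TTE 241 (outlier)
]


def _iqr_bounds(values, k=1.5):
    """Tukey fences: anything outside [Q1 - k*IQR, Q3 + k*IQR] is treated as an outlier."""
    q1, _, q3 = quantiles(values, n=4)
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def tte_stats(records, drop_outliers=False):
    """Average and median time-to-exploit in days, optionally with IQR outliers removed."""
    values = [r.time_to_exploit() for r in records]
    if drop_outliers:
        lo, hi = _iqr_bounds(values)
        values = [v for v in values if lo <= v <= hi]
    return {"count": len(values), "mean": mean(values), "median": median(values)}


def nday_zero_day_ratio(records):
    """Percentage split (n-day, zero-day), rounded to whole percent."""
    zero = sum(1 for r in records if r.is_zero_day())
    total = len(records)
    return round(100 * (total - zero) / total), round(100 * zero / total)


def share_of_ndays_exploited_within(records, days=30):
    """Fraction of n-day vulnerabilities first exploited within `days` of the patch."""
    ndays = [r for r in records if not r.is_zero_day()]
    return sum(1 for r in ndays if r.time_to_exploit() <= days) / len(ndays)


def exploit_availability_timelines(records):
    """Split records that have public exploit code into two cohorts and report medians:
    'exploit_first'  - exploit code was public before ITW exploitation began;
    'itw_first'      - ITW exploitation began before exploit code was public.
    A median is None when its cohort is empty."""
    before, after = [], []
    for r in records:
        if r.public_exploit is None:
            continue
        (before if r.public_exploit <= r.first_exploited else after).append(r)

    def med(vals):
        return median(vals) if vals else None

    return {
        "exploit_first": {
            "count": len(before),
            "median_days_disclosure_to_exploit": med([(r.public_exploit - r.disclosed).days for r in before]),
            "median_days_exploit_to_itw": med([(r.first_exploited - r.public_exploit).days for r in before]),
        },
        "itw_first": {
            "count": len(after),
            "median_days_disclosure_to_itw": med([(r.first_exploited - r.disclosed).days for r in after]),
            "median_days_itw_to_exploit": med([(r.public_exploit - r.first_exploited).days for r in after]),
        },
    }


if __name__ == "__main__":
    print("TTE (all):", tte_stats(SAMPLE))
    print("TTE (no outliers):", tte_stats(SAMPLE, drop_outliers=True))
    print("n-day:zero-day = %d:%d" % nday_zero_day_ratio(SAMPLE))
    print("n-days exploited within 30 days:", share_of_ndays_exploited_within(SAMPLE))
    print("exploit-availability timelines:", exploit_availability_timelines(SAMPLE))
```

The date of disclosure is used as the patch-availability date here; if a tracker records those separately, the n-day clock should start at patch availability, which is what the "within the first month after a patch" figure above measures.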
Two vulnerabilities, CVE-2023-28121 (WooCommerce Payments) and CVE-2023-27997 (FortiOS SSL VPN), highlight the impact of exploit availability on attack timelines. CVE-2023-28121 saw no exploitation for months despite disclosure, but large-scale attacks began shortly after a mass-exploit tool became public.
Conversely, CVE-2023-27997 attracted immediate attention and exploit releases, yet in-the-wild exploitation only occurred months later, in targeted attacks, suggesting attackers may prioritize vulnerabilities that are readily weaponizable.
Comparing the two vulnerabilities (CVE-2023-27997 and CVE-2023-28121) also identifies factors affecting exploitability: CVE-2023-28121 is easier to exploit because of its simpler mechanism (a single HTTP header), while CVE-2023-27997 requires complex exploitation that bypasses system protections (DEP, ASLR).
Additionally, the targeted systems for CVE-2023-27997 (FortiOS) are often high-privilege and more valuable to attackers compared to the web servers hosting the WooCommerce plugin (CVE-2023-28121), which are typically located in low-privilege network segments.