10 of the biggest zero-day attacks of 2023

1. Fortra GoAnywhere

Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer (MFT) product. Cybersecurity reporter Brian Krebs first reported the flaw on Feb. 2; Fortra had issued a private security advisory for CVE-2023-0669 the day before to authenticated customers.

The vulnerability was patched on Feb. 7, but the details of the exploitation didn't come into focus until the following month when data security vendor Rubrik disclosed a breach on March 14 that it attributed to the GoAnywhere flaw. On the same day, the Clop ransomware gang listed Rubrik on its data leak site. Rubrik was the first of many organizations that would disclose breaches related to the zero-day flaw, including Procter & Gamble, Hitachi Energy and Community Health Systems.

Clop claimed responsibility for more than 100 data extortion attacks, though it's unclear how many victims paid the ransom. The Fortra GoAnywhere flaw was just the first MFT zero day that led to several more attacks.

2. Barracuda Email Security Gateway

On May 23, Barracuda Networks disclosed a zero-day vulnerability in its Email Security Gateway (ESG) appliance, tracked as CVE-2023-2868. The vendor said it discovered the flaw on May 19th and issued a patch to all appliances the following day. While the initial advisory contained few details about the vulnerability, more information about the flaw and related attacks came to light the next week.

Barracuda said it hired Mandiant, a Google Cloud company, to investigate suspicious activity around ESG appliances on May 18, which led to the discovery of the zero-day vulnerability. More importantly, the investigation revealed CVE-2023-2868, a remote command injection vulnerability, had been exploited as far back as October 2022. Barracuda said attackers used three types of malware to gain persistent backdoor access to "a subset of ESG appliances," which were used to conduct data exfiltration from customer networks.

The situation became more dire when Barracuda announced on June 6 that "impacted ESG appliances" needed to be replaced immediately. Barracuda later clarified that only appliances that were "compromised" by threat actors needed to be replaced and that new products would be provided to customers at no cost.

On June 15, Mandiant reported that the attacks were carried by a cyberespionage actor, dubbed UNC4841, in support of the Chinese government. The threat actor modified its malware to prevent effective patching and maintain persistent access on compromised devices. The FBI later warned in August that suspected Chinese nation-state hackers continued to exploit the zero-day flaw.

3. Progress Software MoveIt Transfer

Another MFT zero-day vulnerability appeared on May 31 when Progress Software disclosed and patched an SQL injection flaw, tracked as CVE-2023-34362, in its MoveIt Transfer software. The following day, Rapid7 reported exploitation of the zero-day flaw, but the situation rapidly worsened just a few days later.

On June 4, Microsoft Threat Intelligence Center attributed exploitation of the MoveIt Transfer flaw to a threat actor it tracks as Lace Tempest, which is associated with the Clop ransomware gang. Clop threat actors exploited the zero-day flaw in Fortra's GoAnywhere MFT product earlier in the year. Mandiant also observed "wide exploitation" activity where attackers were compromised MoveIt Transfer instances and stealing customer data. Soon after, dozens of victims emerged, both through data breach disclosures as well as listings on Clop's data leak site. Victims included state and federal government agencies as well as British Airways, Extreme Networks and Siemens Energy.

The list of victims continued to grow months after CVE-2023-34362 was first disclosed. Like the attacks on Fortra GoAnywhere customers, the attackers focused solely on data theft and did not deploy ransomware in victims' environments. It's unclear how many victims paid Clop's ransom demands, but the scope of the attacks was staggering. Emsisoft estimated in September that Clop's data theft and extortion campaign affected 2,095 organizations and more than 62 million individuals.

4. VMware Tools

On June 13, VMware disclosed a low-severity flaw that affected ESXi hypervisor instances. The authentication bypass vulnerability, tracked as CVE-2023-20867, let an attacker on a compromised ESXi host break the authenticate check in VMware Tools host-to-guest operations and ultimately compromise the VM.

CVE-2023-20867 assigned a CVSS v3 score of only 3.9 because exploitation required an attacker to have gained root access to an ESXi hypervisor. However, Mandiant, which discovered the zero-day flaw, reported on the same day of the disclosure that a Chinese cyber espionage threat group it identifies as UNC3886 exploited the VMware Tools vulnerability. According to Mandiant's report, UNC3886 previously targeted ESXi hosts in 2022 with a novel malware family.

In the most recent attacks, the cyber espionage group targeted defense, technology and telecommunication organizations in the U.S. and the Asia-Pacific region. The attackers, who Mandiant called "highly adept," exploited the VMware zero-day flaw and executed privileged commands from guest VMs on the ESXi hosts while also deploying persistent backdoors. The attacks demonstrated that even vulnerabilities with low-severity CVSS scores can be used by threat actors to commit significant damage.

5. Microsoft Windows and Office

There were plenty of zero-day flaws in Microsoft products in 2023, but one of the most significant was CVE-2023-36884, a remote code execution (RCE) vulnerability in Windows Search. The flaw, which was first disclosed in Microsoft's July Patch Tuesday release, affects both Windows and Office software.

Two aspects distinguished CVE-2023-36884 from other Microsoft zero days last year. First, the RCE flaw had no patch at the time of the disclosure, though Microsoft did offer mitigations to prevent exploitation. The vulnerability was eventually fixed in the August Patch Tuesday release.

Second, Microsoft revealed that a Russian cybercriminal group it tracks as Storm-0978 exploited CVE-2023-36884 in an espionage-focused phishing campaign as well as financially motivated ransomware attacks. According to Microsoft's report, Storm-0978's campaign targeted defense organizations and government entities in North America and Europe. The phishing emails featured lures related to NATO and the Ukrainian World Congress, and the attackers exploited CVE-2023-36884 to bypass Microsoft's Mark of the Web (MotW) security feature, which typically blocks malicious links and attachments.

While investigating the exploit chain, security researchers with Palo Alto Networks' Unit 42 discovered another vulnerability tracked as CVE-2023-36584. Disclosed in October, the flaw also lets attackers bypass MotW protections.

6. WebP/Libwebp

On Sept. 11, Google issued an emergency patch for a critical heap buffer overflow vulnerability in WebP, an image format developed by the search giant. Tracked as CVE-2023-4863, the zero-day flaw lets a remote attacker perform an out-of-bounds memory write through a malicious WebP image.

But the vulnerability didn't affect just Google's Chrome browser. Because the WebP format is supported by other browser makers, companies such as Microsoft, Apple and Mozilla released browser updates as well. More details would later come to light about CVE-2023-4863. While Google initially described it as a flaw in WebP, security researchers noted that the issue was in the open source Libwebp library, which is used by many software developers for more than just browsers.

To further complicate matters, some cybersecurity companies such as Cloudflare noted similarities between CVE-2023-4863 and a different zero-day heap buffer overflow vulnerability in Apple's Image I/O framework that was disclosed and patched a few days earlier on Sept. 7. The Apple vulnerability, tracked as CVE-2023-41064, was discovered by researchers at The Citizen Lab, who found that it was weaponized in a zero-click exploit by commercial spyware vendor NSO Group.

Citizen Lab, along with Apple's Security Engineering and Architecture team, also discovered CVE-2023-4863. However, neither organization attributed the zero-day activity to NSO Group, and no further details on exploitation were provided.

7. Apple iOS and iPadOS

Like Microsoft, Apple had its share of zero-day vulnerabilities in 2023. However, three flaws in iOS and iPadOS that were disclosed on Sept. 21 stand out. The vulnerabilities include CVE-2023-41992, an elevation of privilege flaw in the OSes' kernel; CVE-2023-41991, a security flaw that let attackers bypass signature validations; and CVE-2023-41993, a flaw in Apple's WebKit browser engine that can lead to arbitrary code execution.

Bill Marczak, a researcher at The Citizen Lab, and Maddie Stone, a security researcher in Google's Threat Analysis Group (TAG), discovered all three zero-days. In a blog post on Sept. 22, The Citizen Lab researchers revealed the vulnerabilities were used in an exploit chain to deliver Predator, a spyware product from commercial surveillance vendor Cytrox. According to Citizen Lab, Ahmed Eltantawy, a former member of the Egyptian Parliament, was targeted by Predator spyware between May and September 2023.

After Eltantawy announced his intention to run for president of Egypt in the country's 2024 election, he contacted The Citizen Lab with concerns about his phone's security. Citizen Lab researchers, along with Google's TAG, investigated the activity on his phone and discovered it had been infected with Predator spyware. Citizen Lab attributed the attack to the Egyptian government and said the case demonstrated how dangerous "mercenary spyware" can be.

8. Atlassian Confluence

On Oct. 4, Atlassian disclosed and patched a zero-day vulnerability in its Confluence Data Center and Server products. Tracked as CVE-2023-22515, the flaw was initially described as an elevation of privilege vulnerability that affected the self-managed versions of the Confluence workspace suite. While Atlassian described the flaw as critical, no CVSS score was assigned at the time of disclosure. The company said "a handful of customers" reported exploitation, but no further details were given.

The next day, Atlassian assigned the zero-day flaw a CVSS score of 10 and revised the description of the flaw. The issue was related to broken access control in Confluence Data Center and Server software. More information was revealed the following week when Microsoft said via X, formerly known as Twitter, that a nation-state threat actor had been exploiting the vulnerability in the wild since Sept. 14. The threat actor, which Microsoft tracks as Storm-0062, is linked to the Chinese government.

It's unclear how many Atlassian customers were attacked by Storm-0062 or what types of organizations the threat actor targeted. Atlassian urged all customers to update their Confluence instances immediately or isolation vulnerable versions from the public internet until they could properly apply the patch.

9. Citrix NetScaler ADC and NetScaler Gateway

When a vulnerability gets its own nickname, that tends to be a sign that the flaw is quite problematic. On Oct. 10, Citrix addressed two vulnerabilities that affected multiple versions of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). One of the two was a sensitive information disclosure flaw tracked as CVE-2023-4966. The critical vulnerability, which became known amongst infosec professionals as Citrix Bleed, earned a 9.4 CVSS score.

A week later, Mandiant said it had observed exploitation activity for CitrixBleed in the wild since August, primarily against government and technology organizations. According to Mandiant's report, researchers observed threat actors hijacking authenticated sessions for vulnerable appliances, which let them bypass MFA and other strong identity verification checks. More alarmingly, Mandiant warned that those hijacked sessions could still be used by threat actors even after CVE-2023-4966 was patched. The company recommended that customers apply additional mitigations beyond patching Citrix Bleed.

Exploitation of the zero-day flaw continued in November. The Financial Services Information Sharing and Analysis Center warned that the notorious LockBit ransomware gang was exploiting Citrix Bleed. CISA and the FBI issued a similar warning about LockBit attacks in a joint advisory, stating that the agencies expected to see "widespread exploitation" of the vulnerability.

10. Cisco IOS XE

On Oct. 16, Cisco issued an advisory for CVE-2023-20198, a critical zero-day vulnerability in in its IOS XE software that received a CVSS score of 10. The networking giant warned that the zero-day affected all version of IOS XE with the Web User Interface feature enabled. A remote attacker could exploit the flaw and gain the highest level of privileged access to devices running the software. No patch was available at the time of disclosure. Cisco recommended customers disable the HTTP server feature for all vulnerable systems.

In an accompanying blog post, Cisco Talos researchers said exploitation activity began on Sept. 18 and that the clusters of attacks were carried out by the same unidentified threat actor. The threat actor was exploiting the flaw and deploying an implant Cisco Talos named BadCandy on compromised devices.

Just one day after Cisco's initial disclosure, security vendors warned that CVE-2023-20198 was facing mass exploitation. For example, VulnCheck's internet scanning of vulnerable IOS XE instances found thousands of implanted hosts. On October 22, Cisco released patches for CVE-2023-20198 as well as a second, related vulnerability tracked as CVE-2023-20273, which Cisco Talos researchers uncovered during their investigation. Cisco urged all customers to apply patches and implement recommended mitigations as mass exploitation of the flaw continued.

Rob Wright is a longtime technology reporter who lives in the Boston area. Senior security news writer Alex Culafi contributed to this article.