NCSC and partner agencies publish top 15 common vulnerabilities for 2023

New Zealand’s National Cyber Security Centre (NCSC), alongside partner agencies in the United Kingdom, Australia, the United States, and Canada, has today published an advisory detailing the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023, and their associated Common Weakness Enumerations (CWEs).

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. The majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.

Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.

All vulnerabilities listed in this advisory have had patches and fixes made available from the vendors to help mitigate the risk of compromise.

It is important for network defenders to remain vigilant with vulnerability management. We encourage vendors, designers, developers, and end-user organisations to implement the recommendations and mitigations outlined in this advisory to reduce the risk of compromise.

The authoring agencies of this advisory are:

  • UK National Cyber Security Centre (NCSC-UK)
  • US Cybersecurity and Infrastructure Security Agency (CISA)
  • US Federal Bureau of Investigation (FBI)
  • US National Security Agency (NSA)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
  • Canadian Centre for Cyber Security (CCCS)