On November 12, 2024, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency, along with its security partners in Australia, Canada, New Zealand, and the United Kingdom, issued the cybersecurity advisory “2023 Top Routinely Exploited Vulnerabilities,” outlining top vulnerabilities impacting companies across the free world.

The advisory states that threat actors “exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.”

The advisory “strongly encourage[s] vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.”

Some high-level tips include:

  • Vendors, designers, and developers. Implement secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in your software.

> Follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure by design practices into each stage of the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.

> Prioritize secure by default configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security.

> Ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability.

  • End-user organizations:

> Apply timely patches to systems.
Note: If CVEs identified in this advisory have not been patched, check for signs of compromise before patching.

> Implement a centralized patch management system.

> Use security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.

> Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

The Advisory provides additional resources on technical findings and a list of the top exploited vulnerabilities. IT professionals may wish to consider this guidance and follow its recommendations.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.