A recent report by cybersecurity company Rezilion has revealed that over 15 million publicly facing services are susceptible to at least one of the 896 vulnerabilities listed in CISA’s KEV (known exploitable vulnerabilities) catalog. This large-scale research conducted by Rezilion aimed to identify vulnerable systems that are exposed to cyberattacks from threat actors, whether state-sponsored or ransomware gangs.
Rezilion identifies known and actively exploited vulnerabilities
Rezilion’s findings are particularly concerning because the examined vulnerabilities are known and highlighted in CISA’s KEV catalog as actively exploited by hackers. Therefore, any delays in patching these vulnerabilities maintain a large attack surface, giving threat actors numerous potential targets.
To find endpoints that are still vulnerable to CVEs added to CISA’s Known Exploitable Vulnerabilities Catalog, Rezilion used the Shodan web scanning service. Using custom search queries, the researchers found 15 million instances vulnerable to 200 CVEs from the catalog. Over half of these instances, i.e., seven million, were vulnerable to one of the 137 CVEs concerning Microsoft Windows.
Top vulnerabilities exposed to cyberattacks
Apart from Windows, Rezilion identified the top-ten CVEs exposed to attacks, almost half of which are over five years old. Therefore, roughly 800,000 machines have not applied security updates for a significant period of time. Over 4.5 million internet-facing devices were identified as vulnerable to KEVs discovered between 2010 and 2020, which is concerning because patches for these flaws have been available for years and the vulnerabilities are known to be exploited in the wild.
Notable CVEs highlighted in Rezilion’s report
Some notable CVEs highlighted in the Rezilion report are:
- CVE-2021-40438: A medium-severity information disclosure flaw appearing in almost 6.5 million Shodan results, impacting Apache HTTPD servers v2.4.48 and older.
- ProxyShell: A set of three vulnerabilities impacting Microsoft Exchange, which Iranian APTs chained together for remote code execution attacks in 2021. Shodan returns 14,554 results today.
- ProxyLogon: A set of four flaws impacting Microsoft Exchange, which Russian hackers extensively leveraged in 2021 against U.S. infrastructure. There are still 4,990 systems vulnerable to ProxyLogon, according to Shodan, with 584 located in the U.S.
- Heartbleed (CVE-2014-0160): A medium-severity flaw impacting OpenSSL, allowing attackers to leak sensitive information from a process's memory. Shodan says a whopping 190,446 systems are still vulnerable to this flaw.
Furthermore, Rezilion’s 15 million exposed endpoints estimate is conservative, containing only non-duplicates and leaving out cases for which the researchers could not find queries that narrowed down product versions.
Exploitation attempts
Rezilion used data from GreyNoise, which monitors and categorizes vulnerability exploitation attempts, to identify which CVEs are the most exploited. At the top of the list is CVE-2022-26134, which had 1,421 results in GreyNoise and 816 exploitation attempts in the past month. Other flaws ranking high in the list include CVE-2018-13379, a pre-authentication arbitrary file read impacting FortiOS devices, which has 331 results on GreyNoise, and Log4Shell, a nasty code execution bug in Log4j 2 that had 66 exploitation attempts in the past month.
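As an added example that is not part of Rezilion's report or tooling, the following Python script shows, from a defender's side, the method the article describes for both the Shodan cross-referencing and the GreyNoise ranking: match an inventory of your own internet-facing service banners against KEV catalog entries (narrowed by analyst-supplied version rules, because the catalog lists vendors and products but not affected version ranges, which is why narrowing queries were needed), de-duplicate hosts, leave out banners whose version could not be determined (the conservative counting the article mentions), and then rank the hits by observed exploitation attempts. The catalog entries, banner inventory, attempt counts, and every version threshold except the Apache httpd 2.4.48 cutoff cited above are constructed sample data, and the Confluence threshold in particular is a placeholder, not the vendor's advisory.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Added example, not Rezilion's code. All catalog, inventory and attempt data is constructed.


def ver(s: str) -> Tuple[int, ...]:
    """Turn '2.4.48' into (2, 4, 48) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class Rule:
    cve: str                           # KEV catalog entry being checked
    product: str                       # normalised product name as it appears in banners
    affected: Callable[[str], bool]    # analyst-supplied version predicate (not in the KEV feed)


# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; letter suffixes make a simple tuple compare unsafe,
# so an explicit set is used for that rule.
HEARTBLEED_VERSIONS: Set[str] = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f"}

RULES: List[Rule] = [
    Rule("CVE-2021-40438", "apache httpd", lambda v: ver(v) <= ver("2.4.48")),  # cutoff from the report
    Rule("CVE-2014-0160", "openssl", lambda v: v in HEARTBLEED_VERSIONS),
    Rule("CVE-2022-26134", "confluence", lambda v: ver(v) < ver("7.18.1")),    # constructed placeholder cutoff
]

# Constructed banner inventory: (host, product, version). A None version means the banner did not reveal it.
INVENTORY: List[Tuple[str, str, str]] = [
    ("198.51.100.10", "apache httpd", "2.4.48"),
    ("198.51.100.10", "apache httpd", "2.4.48"),   # duplicate scan result for the same host
    ("198.51.100.11", "apache httpd", "2.4.49"),   # one release past the cutoff: not a hit
    ("198.51.100.12", "openssl", "1.0.1f"),
    ("198.51.100.13", "openssl", "1.0.1g"),        # the fixed release: not a hit
    ("198.51.100.14", "confluence", "7.13.0"),
    ("198.51.100.15", "confluence", None),         # version unknown: excluded from the count
]

# Constructed exploitation-attempt counts for the last 30 days, in the style of GreyNoise data.
ATTEMPTS: Dict[str, int] = {"CVE-2022-26134": 800, "CVE-2021-40438": 40, "CVE-2014-0160": 12}


@dataclass
class Finding:
    cve: str
    hosts: Set[str]     # de-duplicated hosts matching the rule
    attempts: int       # observed exploitation attempts for the CVE
    year: int           # year from the CVE identifier, a rough age of the flaw


def cve_year(cve: str) -> int:
    """Year component of a CVE identifier, e.g. CVE-2014-0160 -> 2014."""
    return int(cve.split("-")[1])


def assess(inventory, rules, attempts):
    """Match banners against rules, de-duplicate by host, and rank hits by exploitation attempts."""
    hits: Dict[str, Set[str]] = {r.cve: set() for r in rules}
    unknown_version: Set[str] = set()
    for host, product, version in inventory:
        if version is None:
            unknown_version.add(host)          # cannot narrow the version: leave out, as the report did
            continue
        for r in rules:
            if r.product == product and r.affected(version):
                hits[r.cve].add(host)          # a set, so repeated scan results count once
    findings = [Finding(c, h, attempts.get(c, 0), cve_year(c)) for c, h in hits.items() if h]
    findings.sort(key=lambda f: (f.attempts, len(f.hosts)), reverse=True)
    return findings, unknown_version


def summary(findings, old_before: int = 2021) -> Dict[str, int]:
    """Unique exposed hosts overall, and how many sit on CVEs older than the given year."""
    exposed = set().union(*(f.hosts for f in findings)) if findings else set()
    stale = {h for f in findings if f.year < old_before for h in f.hosts}
    return {"exposed_hosts": len(exposed), "stale_cve_hosts": len(stale)}


if __name__ == "__main__":
    found, skipped = assess(INVENTORY, RULES, ATTEMPTS)
    for f in found:
        print(f"{f.cve} ({f.year}): {len(f.hosts)} host(s), {f.attempts} attempts in 30d")
    print("summary:", summary(found), "| version unknown, not counted:", sorted(skipped))
```

The ordering by attempts rather than by host count is the point of the GreyNoise step: a flaw with fewer exposed hosts but active scanning pressure belongs at the top of the patch queue. Replacing the constructed catalog with the real CISA feed only supplies the CVE, vendor and product columns; the version predicates still have to come from the vendor advisories.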