Welcome to the Sensor Intelligence Series for April 2023. Last month was comparatively quiet in terms of attack traffic, like March before it. CVE-2020-8958 (an OS command injection vulnerability in a GPON router) remained the top-targeted vulnerability, as it has for nine of the last ten months. Many of the other top targets, such as CVE-2022-22947 and CVE-2020-0688, are well known to us, and have been in the top ten for months.

However, attacks looking for CVE-2022-24847 caught our attention during our routine check for attacks we hadn’t identified yet, and we added a new signature for it. Whereas most of the vulnerabilities we’ve discussed in the last six months have either been either Microsoft Exchange RCEs or IoT devices, CVE-2022-24847 is an Improper Input Validation vulnerability in an open source server named GeoServer. This vulnerability allows for an unchecked JNDI lookup, which can lead to remote code execution through class deserialization. This brings the total number of CVEs whose exploitation we have observed up to 65.

April Vulnerabilities by the Numbers

Figure 1 shows the top ten vulnerabilities and their traffic for April. The gap between the CVE-2020-8958 at the top and the next vulnerability down is striking, even if CVE-2020-8958 is still experiencing roughly half of the traffic it received at its peak in January. The second place goes to the CVE-less JAWS vulnerability in several digital video recorders, followed by our newcomer, CVE-2022-24847.

The remainder of the top ten are types of vulnerabilities we’ve seen many times before—more IoT vulnerabilities, Microsoft Exchange RCEs, and flaws in various PHP tools and frameworks.