Sensor Intel Series: Top CVEs in May 2023 | F5 Labs



The stubborn one-way passage of time means that it is time for another round of vulnerability targeting intelligence. Web attacks in May 2023 had a lot in common with those in April, with eight of the top ten vulnerabilities remaining consistent across the two months. In that vein of continuity, CVE-2020-8958, the Guangzhou GPON router vulnerability which attackers have targeted heavily for more than a year, continued to draw more than twice the attack traffic of any other CVE.

Also in the top ten were two vulnerabilities which were only recently added to our list of signatures: CVE-2022-24847, a GeoServer remote code execution (RCE) vulnerability that we added in May, and CVE-2021-26855, one of the ProxyLogon vulnerabilities in Microsoft Exchange Server. We actually had a signature already in place for CVE-2021-26855, but after a review of exploit code we have changed that to cover CVE-2021-27065, which is another Exchange Server vulnerability with many similarities, but which sees much less traffic. The upshot is that we are now representing traffic against Microsoft Exchange Server vulnerabilities more accurately, which is good because—stop me if you’ve heard this one—Microsoft Exchange Server is quite the popular piece of software.

May Vulnerabilities by the Numbers

Figure 1 shows the volume of attack traffic for the top ten vulnerabilities in May. Here the overwhelming popularity of CVE-2020-8958 is apparent. It is also notable, however, just how many Microsoft Exchange Server vulnerabilities are present: four of the top ten (or really five of the top eleven, since we can’t distinguish CVE-2022-41040 from CVE-2021-34473 with these logs) target Microsoft Exchange Server. This isn’t surprising, given the ubiquity and prominence of the product in enterprise systems, but there seems to have been a marked uptick in Microsoft targeting in the last few months.


