Google Finds 2023 Vulnerability Exploited in Attacks

Google published a report analyzing 138 vulnerabilities identified in 2023 that were subsequently exploited by attackers. In 70% of cases (97 of 138), exploits emerged before a patch for the vulnerable software was available (0-day), while in 30% of cases (41 of 138) the vulnerabilities were exploited only after patches had been released (N-day). By comparison, the share of N-day vulnerabilities was 38% in the 2021-2022 report and 39% in 2020.

The study also highlighted a significant acceleration in exploit development: on average, an exploit appeared 5 days after the publication of a fix. This is a stark decrease from 32 days in 2021-2022, 44 days in 2020, and 63 days in 2018-2019. Within this trend, 12% of vulnerabilities were exploited within a day of patch release, 29% within a week, 56% within a month, and 5% only after 6 months (in 2022, this last figure was 25%).

Two critical vulnerabilities, CVE-2023-28121 and CVE-2023-27997, affecting the WooCommerce Payments plugin for WordPress and Fortinet FortiOS respectively, were cited as examples. In the case of the WordPress plugin, a single crafted HTTP request was enough to bypass authentication, and attacks began within 10 days of the technical details being made public. Exploiting the FortiOS vulnerability, by contrast, required a more complex buffer overflow exploit, so attacks did not begin until 3 months after the details were disclosed. The first exploits for these vulnerabilities were published after 8 days and 3 days, respectively.
