2023's Most Exploited Vulnerabilities

The recent "Five Eyes" report, released by the intelligence alliance of the UK, Canada, Australia, New Zealand, and the US, highlighted 2023's most exploited vulnerabilities, underscoring how often we encounter the same vulnerabilities year after year.

It’s striking that vulnerabilities like the Apache Log4j (Log4Shell) flaw from 2021 still rank high on the list. As I shared on the latest episode of The Other Side of the Firewall Podcast:

"If people are paying attention, this shouldn’t still be possible. It’s 2023, and something like Log4j—identified years ago—should have been patched out of existence by now."

So, what does this say about our industry?

For one, it highlights the need for better awareness and more robust patch management practices. A failure to address these persistent vulnerabilities often stems from organizations lacking technical expertise or a proactive security culture. Many smaller businesses ("mom and pops") don't fully understand patch management, leaving them exposed to attackers.

But the responsibility doesn’t lie solely on the shoulders of small businesses. As Daniel Acevedo pointed out, malicious actors are increasingly creative, using zero-days and retooling old exploits. Even vendors and big tech companies need to ensure their products have security baked in from the start. This means:

  • Emphasizing zero trust architectures,
  • Strengthening multi-factor authentication,
  • Conducting regular privileged access reviews, and
  • Ensuring legacy systems are appropriately patched or retired.

One potential solution for some businesses is to migrate to the cloud. Large cloud providers often have the resources to quickly patch vulnerabilities across their systems. As I mentioned:

"If you're in the cloud with a major provider like Azure and something like Log4j is still affecting your environment, then they've failed. But on-prem servers sitting in closets are much more likely to remain unpatched because of human oversight or lack of expertise."

Ultimately, staying ahead of threats requires awareness. Cybersecurity professionals should make a habit of engaging with educational resources like podcasts, forums, and trusted news outlets. It’s about cultivating a mindset of continuous learning—passively or actively—so you're not caught off guard by the next big exploit.

Thank you for reading, and stay tuned for more episodes of The Other Side of the Firewall podcast on Mondays, Tuesdays, Wednesdays, and Fridays, as well as the Ask A CISSP podcast every Thursday. Please like, share, and subscribe.

Stay safe, stay secure!


Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current roles as CEO of RAM Cyber Consulting & Assessments, LLC and IT Security Analyst at BuddoBot. BuddoBot's mission is to support national security by transforming, empowering, and educating organizations to shift from reactive, diluted, automated, and high-cost IT and security practices to proactive, effective solutions that fortify their security.


Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO) for the U.S. Space Force, where he continues to enhance national security protocols.


Chris, a Navy veteran with over ten years in IT, information assurance, and risk management, currently works at CompliancePoint. His roles include vCISO, RMF assessor, and consultant, focusing on enhancing data security and privacy for various organizations.


Daniel is an Air Force veteran with over 15 years of combined experience in IT, cybersecurity, information assurance, and government risk compliance. He has held various roles, including IT administrator, cybersecurity engineer, senior information system security manager, and currently serves as a senior security consultant for Booz Allen Hamilton. In this latest role, Daniel leverages his expertise to address unique and complex challenges in the cyber and IT domains, enhancing his customers’ capabilities.


The Other Side of the Firewall podcast is a product of RAM Cyber Consulting & Assessments, LLC. RAM Cyber Consulting & Assessments, LLC is a premier governance, risk, and compliance (GRC) consultancy dedicated to supporting the Defense Industrial Base (DIB), federal agencies, and corporate entities. We specialize in delivering expert guidance to ensure compliance, mitigate risks, and enhance cybersecurity postures. RAM Cyber is pending SDVOSB, VOSB, and 8(a) certification by the SBA, underscoring our commitment to excellence and service.