Report Reveals Record Exploitation Rate For Load Balancers

Recent data from Action1 indicates a growing trend of threat actors targeting edge devices, particularly load balancers, resulting in a record exploitation rate over the past three years. The study assessed various product categories from 2021 to 2023, using data from the National Vulnerability Database (NVD) and to calculate the ratio of exploited vulnerabilities to total vulnerabilities. Although load balancers are generally secure, they have been disproportionately targeted, with a 17% exploitation rate over the period. Specifically, NGINX products had a 100% exploitation rate, while Citrix products were exploited at a rate of 57%.

The report warns that vulnerabilities in load balancers pose significant risks, as a single exploit can provide broad access or cause significant disruptions in targeted networks. Despite load balancers accounting for only 0.2% of the total vulnerabilities reported over three years, the high exploitation rates underscore their critical impact. This is exemplified by the notorious CitrixBleed vulnerability (CVE-2023-4966), a critical zero-day flaw in Citrix NetScaler ADC and Gateway. This vulnerability was exploited en masse by the ransomware group LockBit against high-profile organizations such as Boeing, the Industrial and Commercial Bank of China (ICBC), Allen & Overy, and DP World, months before Citrix issued an advisory in October 2023.

Security Officer Comments:
Additionally, the study found an increasing focus on macOS and iOS, with exploitation rates rising to 7% and 8%, respectively. Microsoft's exploitation rate also increased to 7% in 2023, up from 2% in 2022, with critical vulnerabilities in Office accounting for nearly 80% of the overall annual vulnerability count.

Suggested Corrections:
Mike Walters, president of Action1, emphasized the importance of reports like this for network defenders, given the well-documented delays in the processing of CVEs by the NVD. He advocates for network defenders to prioritize alternative vulnerability monitoring methods. Walters also calls for enhanced information sharing and collaboration among private cybersecurity firms, academic institutions, and other threat intelligence platforms. This holistic and timely data sharing is crucial to enhancing the security posture of all organizations, especially in light of the current challenges faced by the NVD.