On the Internet, Everything Old is Exploitable Again
Keeping up with the constant stream of vulnerability disclosures and news of zero-day exploits is a Sisyphean task, one that even the most well-resourced security teams can’t realistically take on. And while shiny new bugs attract attention and clicks, new data on mass exploitation activity shows that many attackers consistently target older, known vulnerabilities, many of them more than five years old, and have plenty of success doing so.
In its new Mass Internet Exploitation Report, our friends at GreyNoise found that legacy vulnerabilities were among the most frequently targeted by attackers in 2024, accounting for a significant portion of the observed exploit activity against CVEs last year. Many of those legacy flaws are vintage 2016 or even older, a data point that aligns with what many security researchers and defenders already believe: Old bugs can be just as pesky as new ones.
Let’s use CVE-2017-9841 as an example. This is a simple, easy-to-exploit remote code execution flaw in the PHPUnit PHP testing framework: a utility script shipped with the package evaluates PHP code sent in the request body, so it becomes a backdoor wherever a copy of PHPUnit sits in a web-reachable vendor directory. The bug has been public since 2017, fixed PHPUnit releases have been available for seven years, and the exposure is avoidable in the first place because PHPUnit is a development dependency that has no business being deployed to a production web root. And yet exploit attempts against this vulnerability continue unabated.
“Despite being a 7-year-old vulnerability, PHPUnit’s RCE (CVE-2017-9841) remains actively exploited in 2024 since it only requires a basic HTTP POST request to execute arbitrary PHP code, making it ideal for automated attacks. Its presence in widely-used applications like WordPress plugins, Drupal modules, and Moodle gives it a huge footprint on the internet. The vulnerability’s persistence is further amplified by its integration into modern attack chains, particularly through the Androxgh0st malware which combines this legacy exploit with newer vulnerabilities like CVE-2024-4577,” the GreyNoise report explains.
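Because every CVE-2017-9841 attempt, whatever application it is aimed at, has to request PHPUnit’s eval-stdin.php script, this activity is easy to pick out of ordinary web server access logs. The following Python script is an added example, not code from the GreyNoise report or from this article: it parses combined-format log lines, matches on the eval-stdin.php path suffix rather than on any one vendor directory prefix, separates GET probes (scanners checking whether the file is exposed) from the POSTs that actually carry code, and flags any POST that was answered with HTTP 200, since a 404 means the file is not there while a 200 means the attacker’s PHP ran. The log lines, the RFC 5737 documentation IP addresses and the plugin directory name "example-plugin" are constructed for the example.

```python
import re
from collections import Counter

# Combined log format as written by Apache and nginx. The trailing referrer and
# user-agent fields are not needed here and are ignored by the regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# CVE-2017-9841 is reached through PHPUnit's src/Util/PHP/eval-stdin.php.
# Attackers guess at many vendor directory locations (WordPress plugins, Drupal
# libraries, Moodle, a bare /vendor/), so match on the path suffix instead of
# on any single application prefix.
EVAL_STDIN_RE = re.compile(
    r'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php(?:$|\?)', re.I
)

# Constructed sample log, not real traffic. Addresses are from RFC 5737
# documentation ranges and "example-plugin" is a hypothetical plugin name.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2024:03:14:07 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Feb/2024:03:14:08 +0000] "POST /wp-content/plugins/example-plugin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2024:03:15:01 +0000] "POST /sites/all/libraries/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.44 - - [12/Feb/2024:03:16:22 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Feb/2024:03:16:23 +0000] "GET /wp-login.php HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Return 'exploit', 'probe' or None for a parsed entry.

    A POST to eval-stdin.php is the exploit itself: the request body is PHP
    source that the script evaluates. A GET cannot deliver code and is almost
    always a scanner checking whether the file is exposed.
    """
    if not EVAL_STDIN_RE.search(entry['path']):
        return None
    return 'exploit' if entry['method'] == 'POST' else 'probe'


def scan(lines):
    """Summarise CVE-2017-9841 activity in an iterable of access-log lines."""
    summary = {
        'exploit': Counter(),   # POSTs per source address
        'probe': Counter(),     # GETs per source address
        'paths': Counter(),     # which vendor locations were tried
        'succeeded': [],        # (ip, path) for POSTs answered with HTTP 200
    }
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        summary[kind][entry['ip']] += 1
        summary['paths'][entry['path'].split('?', 1)[0]] += 1
        # A 404 is background noise from mass scanning. A 200 on a POST means the
        # file exists and the body was evaluated; treat the host as compromised
        # until proven otherwise.
        if kind == 'exploit' and entry['status'] == 200:
            summary['succeeded'].append((entry['ip'], entry['path']))
    return summary


def report(summary):
    """Render the summary as text lines, most urgent finding first."""
    out = []
    for ip, path in summary['succeeded']:
        out.append(f'ALERT  {ip} got HTTP 200 on POST {path}')
    for ip, n in summary['exploit'].most_common():
        out.append(f'exploit attempts from {ip}: {n}')
    for ip, n in summary['probe'].most_common():
        out.append(f'probes from {ip}: {n}')
    for path, n in summary['paths'].most_common():
        out.append(f'path tried {n}x: {path}')
    return out


if __name__ == '__main__':
    print('\n'.join(report(scan(SAMPLE_LOG.splitlines()))))
```

Run against a real log, the per-path counter is the useful part for triage: it tells you which application directories scanners believe you have, and a single 200 in the ALERT line outranks thousands of 404s from the same botnet. Pointing the script at the real file is a one-line change (`scan(open(path))`).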
Simple and effective are highly desirable properties for exploits, and when the target vulnerability has been public for that length of time, attackers have had plenty of opportunities to refine their techniques. With this in mind, it’s not a surprise that the two most targeted CVEs are from 2014 and 2018, respectively: CVE-2014-8361, a command injection flaw in the miniigd UPnP service of the Realtek SDK, and CVE-2018-10561, an authentication bypass in Dasan GPON home routers that botnets were exploiting within days of its disclosure. Both live in consumer network devices that rarely, if ever, receive firmware updates once deployed, which is exactly why they remain worth an attacker’s time.
“While a well-crafted, single-malt Scotch may improve with age, the same cannot be said for CVEs. 40% of the observed exploited CVEs in 2024 were published in or before 2020, and roughly 10% in or before 2016, with CVE-1999-0526 permanently anchoring almost every CVE temporal lineage plot in 1997. And, just over 13% of the CVEs with 2024 activity were published in 2024,” the report says.
“Threat actors continue to successfully weaponize “vintage” vulnerabilities, likely because they know many organizations struggle with comprehensive vulnerability management programs. The continued exploitation of decades-old CVEs suggests that “patch the new stuff” is a failed strategy, and that proper asset inventory, configuration management, and systematic vulnerability remediation must be core components of any cybersecurity program.”
While those older bugs continue to attract plenty of attention from attackers, GreyNoise’s data reveals that adversaries are not shy about exploiting new vulnerabilities too, especially in edge security devices. As we wrote about last month, edge security devices have become a significant target set for many adversaries, with Ivanti’s Connect Secure and Pulse Secure products being key examples.
“Ivanti’s track record in 2024 shows a concerning pattern of critical vulnerabilities across their product portfolio, with multiple instances of zero-day exploits being discovered in the wild before patches were available. The company’s VPN and security products have been targeted by both nation-state actors and cybercriminals, leading to compromises of government agencies, defense contractors, and Fortune 500 companies,” GreyNoise says in the report.
Exploitation of vulnerabilities is no longer a hit-or-miss proposition. Cybercriminals and APT teams now run exploitation at scale, and the volume of this activity will only continue to increase. Enterprise defenders should patch publicly disclosed vulnerabilities as quickly as possible, but prioritization has to be driven by what is actually being exploited rather than by disclosure date, and that list includes the old, familiar bugs as much as this month’s headlines.