“Exploring 2023 Trends in Time-to-Exploit”

Mandiant’s review of 138 vulnerabilities disclosed in 2023 found 97 exploited as zero-days and an average time-to-exploit (TTE) of just five days, with zero-days accounting for 70% of exploitation. The report highlights rapid, diverse exploitation across vendors and shows that exploit release or media attention are not reliable predictors of when in-the-wild exploitation will occur. #CVE-2023-28121 #CVE-2023-27997 #XORtigate #WooCommercePayments #FortiOS #Mandiant

Key Points

  • 97 of 138 tracked 2023 vulnerabilities were exploited as zero-days; 41 were exploited as n-days.
  • Average time-to-exploit (TTE) in 2023 was five days (after removing outliers).
  • Zero-day exploitation rose to 70% of observed exploitation versus 30% n-days.
  • 12% of n-day vulnerabilities were exploited within one day of patch release; 56% within one month.
  • 41 vulnerabilities were first exploited only after public disclosure.
  • Number of exploited vendors increased by 17% in 2023, indicating diversification of targets.
  • Exploitation remains the primary initial infection vector observed in Mandiant incident response engagements.

MITRE Techniques

  • [T1190] Exploitation of Public-Facing Application – Used as an initial access vector by exploiting disclosed or zero-day vulnerabilities in internet-facing services. (‘Exploitation of Public-Facing Application (T1190)’)
  • [T1059] Command-Line Interface – Execution of commands via CLI observed as part of post-exploitation activity. (‘Command-Line Interface (T1059)’)
  • [T1100] Web Shell – Persistence achieved by deploying web shells on compromised web servers. (‘Web Shell (T1100)’)
  • [T1203] Exploitation of Vulnerability – Privilege escalation and code execution via exploitation of software flaws. (‘Exploitation of Vulnerability (T1203)’)
  • [T1027] Obfuscated Files or Information – Defense evasion through obfuscation of payloads or exploit code. (‘Obfuscated Files or Information (T1027)’)
  • [T1003] Credential Dumping – Post-exploitation credential harvesting to expand access within networks. (‘Credential Dumping (T1003)’)
  • [T1046] Network Service Scanning – Discovery of vulnerable services as part of reconnaissance and mass-scanning campaigns. (‘Network Service Scanning (T1046)’)
  • [T1021] Remote Services – Lateral movement leveraging remote services after initial compromise. (‘Remote Services (T1021)’)
  • [T1213] Data from Information Repositories – Collection of sensitive data from centralized repositories once access is obtained. (‘Data from Information Repositories (T1213)’)
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration using established command-and-control channels. (‘Exfiltration Over Command and Control Channel (T1041)’)
  • [T1565] Data Manipulation – Impact activity including modification or corruption of data after compromise. (‘Data Manipulation (T1565)’)

Indicators of Compromise

  • [CVE] Vulnerability identifiers observed in exploitation timelines – CVE-2023-28121, CVE-2023-27997
  • [Exploit code / PoC] Public exploit artifacts and modules used to weaponize vulnerabilities – Metasploit module for CVE-2023-28121, public PoCs and weaponized exploits for CVE-2023-27997
  • [Vendor/Product] Affected products referenced as targets – WooCommerce Payments (WordPress plugin), Fortinet FortiOS
  • [Source URL] Report and supporting materials – https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023/

Mandiant’s technical analysis centers on measured exploitation timelines for 138 vulnerabilities disclosed in 2023. The Time-to-Exploit (TTE) metric shows a steep decline to an average of five days in 2023 (after excluding statistical outliers), driven largely by 97 zero-day exploits versus 41 n-day cases. For n-day vulnerabilities, exploitation clustered early: 12% occurred within one day of a patch, 29% within a week, and 56% within a month. The dataset also shows 41 vulnerabilities first exploited after public disclosure, and Mandiant found no consistent correlation between public exploit availability or media attention and the time until in-the-wild exploitation.
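The TTE metric described above is easy to misread without seeing how the numbers are produced, so here is an added worked example (not code from the report or from Mandiant) that computes signed time-to-exploit, splits records into zero-day and n-day, derives the within-1-day / 1-week / 1-month shares, and reports the mean before and after outlier exclusion. The dataset is constructed, the CVE identifiers are placeholders, and the outlier rule (Tukey's 1.5×IQR fence) is an assumption: the report does not state which rule it applied.

```python
"""Worked example: time-to-exploit (TTE) statistics on constructed data.

Assumptions (not from the report): the CVE ids below are placeholders, the
dates are invented, and outliers are removed with Tukey's 1.5*IQR fence.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median


@dataclass(frozen=True)
class ExploitRecord:
    cve: str
    disclosed: date        # public disclosure / patch availability
    first_exploited: date  # first observed in-the-wild exploitation


def tte_days(rec: ExploitRecord) -> int:
    """Signed TTE in days; zero or negative means exploited at/before disclosure."""
    return (rec.first_exploited - rec.disclosed).days


def is_zero_day(rec: ExploitRecord) -> bool:
    return tte_days(rec) <= 0


def tukey_fences(values: list[int], k: float = 1.5) -> tuple[float, float]:
    """Lower/upper fences from quartiles taken as medians of the two halves."""
    s = sorted(values)
    if len(s) < 4:                      # too few points for a meaningful IQR
        return float(s[0]), float(s[-1])
    half = len(s) // 2
    q1, q3 = median(s[:half]), median(s[-half:])
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def exclude_outliers(values: list[int]) -> list[int]:
    lo, hi = tukey_fences(values)
    return [v for v in values if lo <= v <= hi]   # keeps original order


def summarize(records: list[ExploitRecord]) -> dict:
    if not records:
        raise ValueError("no records to summarize")
    ttes = [tte_days(r) for r in records]
    zero_day_count = sum(1 for r in records if is_zero_day(r))
    n_day_ttes = [tte_days(r) for r in records if not is_zero_day(r)]

    def n_day_share(within: int) -> float:
        # fraction of n-day cases first exploited within `within` days of patch
        if not n_day_ttes:
            return 0.0
        return sum(1 for t in n_day_ttes if t <= within) / len(n_day_ttes)

    return {
        "total": len(records),
        "zero_day_count": zero_day_count,
        "n_day_count": len(n_day_ttes),
        "zero_day_share": zero_day_count / len(records),
        "mean_tte_raw": mean(ttes),
        "mean_tte_trimmed": mean(exclude_outliers(ttes)),
        "n_day_within_1d": n_day_share(1),
        "n_day_within_7d": n_day_share(7),
        "n_day_within_30d": n_day_share(30),
    }


# Constructed sample: placeholder ids and invented dates, not real exploitation data.
SAMPLE = [
    ExploitRecord("CVE-EXAMPLE-0001", date(2023, 3, 1), date(2023, 2, 17)),   # -12, zero-day
    ExploitRecord("CVE-EXAMPLE-0002", date(2023, 3, 15), date(2023, 3, 15)),  #   0, zero-day
    ExploitRecord("CVE-EXAMPLE-0003", date(2023, 4, 1), date(2023, 3, 25)),   #  -7, zero-day
    ExploitRecord("CVE-EXAMPLE-0004", date(2023, 5, 1), date(2023, 5, 2)),    #   1, n-day
    ExploitRecord("CVE-EXAMPLE-0005", date(2023, 5, 10), date(2023, 5, 15)),  #   5, n-day
    ExploitRecord("CVE-EXAMPLE-0006", date(2023, 6, 1), date(2023, 6, 21)),   #  20, n-day
    ExploitRecord("CVE-EXAMPLE-0007", date(2023, 7, 1), date(2023, 12, 1)),   # 153, n-day outlier
    ExploitRecord("CVE-EXAMPLE-0008", date(2023, 8, 1), date(2023, 8, 1)),    #   0, zero-day
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:18} {value}")
```

On this sample the raw mean TTE is 20 days but drops to 1 day once the single 153-day case is excluded, which is the kind of shift the "after excluding outliers" qualifier hides; zero-days pull the signed mean toward or below zero, so a small average says more about the zero-day share than about how fast n-days are weaponized. The n-day buckets (25% within a day, 50% within a week, 75% within a month here) are the figures to use when setting patch timelines.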

Two concrete cases illustrate how exploit reliability and ease determine operational timelines. CVE-2023-28121 (WooCommerce Payments) required only a simple HTTP header to create an Administrator user; public PoCs and a Metasploit module led to mass automated exploitation within days once a weaponized exploit became available. In contrast, CVE-2023-27997 (XORtigate, in FortiOS) involved a heap overflow requiring DEP/ASLR bypasses and complex payload crafting; despite early public PoCs and scanner code, Mandiant observed only limited, targeted exploitation months after disclosure, underscoring how exploitation difficulty and target value shape attacker behavior.

Operational implications for defenders include prioritizing rapid detection and response over relying solely on exploit release or publicity as risk signals, accelerating patch management for high-value or easily automated-exploit vulnerabilities, and strengthening architectural mitigations (network segmentation, least privilege, access controls) to limit lateral impact when exploitation occurs. Monitoring for public PoCs and weaponized modules remains important, but should be weighed alongside exploit complexity and asset criticality when triaging remediation efforts.

Read more: https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023/