Apache, Linux, and Cisco — from April 1 to April 30, 2023. It includes the total number of vulnerabilities disclosed within the reporting period, the number of critical and zero-day vulnerabilities disclosed, the number of vulnerabilities actively exploited at the time of writing, and additional major trends and noteworthy vulnerabilities worth highlighting.
Key Findings
- Major software vendors disclosed 7 zero-day vulnerabilities in April 2023 that affect both consumer and enterprise products and software, including security features, access control components, sandboxing environments, and operating systems.
- 15 of the approximately 2,200 vulnerabilities disclosed were high-risk.
- Microsoft’s Windows operating system continues to see new in-the-wild exploitation of freshly disclosed vulnerabilities, consistent with its large install base and its attractiveness as a target.
- Several critical vulnerabilities associated with VM2, a JavaScript sandboxing library, were identified in the reporting period.
CVE Monthly Prominent Vulnerability Disclosures
We identified 15 newly disclosed vulnerabilities with high risk scores for April 2023, 6 of which are zero-day vulnerabilities affecting Microsoft, Apple, and Google products. The 3 vulnerabilities that attracted the most attention from security researchers according to our dataset were: CVE-2023-28252, an out-of-bounds write vulnerability in the Windows Common Log File System (CLFS) driver; CVE-2023-2033, a type confusion vulnerability in Google Chrome’s V8 JavaScript engine; and CVE-2023-28206, an out-of-bounds write vulnerability in Apple’s IOSurfaceAccelerator, disclosed alongside a WebKit flaw. CVE-2023-28252 was exploited in the wild as a privilege-escalation step in intrusions that ultimately deployed Nokoyawa ransomware payloads. Among non-major vendors, the main trend was a series of critical vulnerabilities in VM2, a JavaScript sandboxing library for Node.js.