April 2023 CVE Monthly report 

May 6, 2023

Apache, Linux, and Cisco — from April 1 to April 30, 2023. It includes the total number of vulnerabilities disclosed within the reporting period, the number of critical and zero-day vulnerabilities disclosed, the number of vulnerabilities actively exploited at the time of writing, and additional major trends and noteworthy vulnerabilities worth highlighting.

Key Findings

  • Major software vendors disclosed 7 zero-day vulnerabilities in April 2023 that affect both consumer and enterprise products and software, including security features, access control components, sandboxing environments, and operating systems.
  • 15 of the approximately 2,200 vulnerabilities disclosed were high-risk.
  • Microsoft’s Windows operating system continues to see new vulnerability exploitation, as befits its high market share.
  • Several critical vulnerabilities associated with VM2, a JavaScript sandboxing environment, were identified in the reporting period.

CVE Monthly Prominent Vulnerability Disclosures

We identified 15 newly disclosed vulnerabilities with high risk scores for April 2023, 6 of which are zero-day vulnerabilities affecting Microsoft, Apple, and Google. The 3 vulnerabilities that attracted some of the highest attention from security researchers according to our dataset were: CVE-2023-28252, an out-of-bounds write vulnerability in the Windows Common Log File System; CVE-2023-2033, a type confusion vulnerability in Google Chrome’s V8 JavaScript engine; and CVE-2023-28206, an out-of-bounds write vulnerability in Apple’s IOSurfaceAccelerator and WebKit. In CVE-2023-28252’s case, the flaw has been exploited to ultimately deploy Nokoyawa ransomware payloads. The main trend affecting the non-major vendors was several critical vulnerabilities associated with VM2, a JavaScript sandboxing environment.

About the Provider

Recorded Future
Recorded Future is a privately held cybersecurity company founded in 2009 with headquarters in Somerville, Massachusetts. The company specializes in the collection, processing, analysis, and dissemination of threat intelligence.

TOPICS

vulnerabilities, zero-day vulnerabilities