Hacking

In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues

Google’s Threat Analysis Group Google states that more than 40% of zero-day flaws discovered in 2022 were variants of previous issues.

The popular Threat Analysis Group (TAG) Maddie Stone wrote Google’s fourth annual year-in-review of zero-day flaws exploited in-the-wild [2021, 2020, 2019], it is built off of the mid-year 2022 review.

In 2022, the researchers disclosed 41 actively exploited zero-day flaws, which marks the second-most ever recorded since we began tracking in mid-2014. In 2021 the number of zero-days discovered by the researchers were 69 detected. 

zero-dayzero-day

The number of zero-day vulnerabilities actively exploited in the wild dropped also due 0-click exploits and new browser mitigations implemented by software vendors.

“Many attackers have been moving towards 0-click rather than 1-click exploits. 0-clicks usually target components other than the browser. In addition, all major browsers also implemented new defenses that make exploiting a vulnerability more difficult and could have influenced attackers moving to other attack surfaces.” reads the report published by Google TAG.

However, the researchers pointed out that the 40% drop is not only caused by improved security of software and hardware vendors.

One of the most interesting data that emerged from the report is that over 40% of the 0-days discovered were variants of previously reported vulnerabilities. Below is the list of zero-day flaws that were variants of previously reported bugs:

Product2022 ITW CVEVariant
Windows win32kCVE-2022-21882CVE-2021-1732 (2021 itw)
iOS IOMobileFrameBufferCVE-2022-22587CVE-2021-30983 (2021 itw)
WebKit “Zombie”CVE-2022-22620Bug was originally fixed in 2013, patch was regressed in 2016
Firefox WebGPU IPCCVE-2022-26485Fuzzing crash fixed in 2021
Android in ARM Mali GPUCVE-2021-39793 CVE-2022-22706CVE-2021-28664 (2021 itw)
Sophos FirewallCVE-2022-1040CVE-2020-12271 (2020 itw)
Chromium v8CVE-2022-1096CVE-2021-30551 (2021 itw)
ChromiumCVE-2022-1364CVE-2021-21195
Windows “PetitPotam”CVE-2022-26925CVE-2021-36942 – Patch was regressed
Windows “Follina”CVE-2022-30190CVE-2021-40444 (2021 itw)
Atlassian ConfluenceCVE-2022-26134CVE-2021-26084 (2021 itw)
Chromium IntentsCVE-2022-2856CVE-2021-38000 (2021 itw)
Exchange SSRF “ProxyNotShell”CVE-2022-41040CVE-2021-34473 “ProxyShell”
Exchange RCE “ProxyNotShell”CVE-2022-41082CVE-2023-21529 “ProxyShell”
Internet Explorer JScript9CVE-2022-41128CVE-2021-34480
Windows “Print Spooler”CVE-2022-41073CVE-2022-37987
WebKit JSCCVE-2022-428562016 bug discovered due to test failure

17 out of the 41 actively exploited zero-days from 2022 are variants of previously reported vulnerabilities, this data confirms a trend observed by the researchers in previous reports.

Another aspect highlighted by Google researchers is that as per the attackers’ arsenal N-days function like 0-days on Android due to long patching times. This means that threat actors can use n-days that functioned as 0-days for a long period of time.

Giving a close look at zero-day flaws disclosed by Google TAG, we can observe a 42% drop in the number of in-the-wild detected 0-days targeting browsers from 2021 to 2022 (from 26 to 15). The main reasons for this drop are browsers’ efforts to prevent exploitation and a shift in attacker behavior away from browsers towards 0-click exploits that target other components on the device. 

“Unlike many commodities in the world, a 0-day itself is not finite. Just because one person has discovered the existence of a 0-day vulnerability and developed it into an exploit doesn’t prevent other people from independently finding it too and using it in their exploit.” continues the report. “Most attackers who are doing their own vulnerability research and exploit development do not want anyone else to do the same as it lowers its value and makes it more likely to be detected and fixed quickly.”

Stone recommends vendors provide patches and mitigations to end-users as fast as possible and suggests sharing more details about the root causes of the flaws.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

8 hours ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

9 hours ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

18 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

20 hours ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

21 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

1 day ago