High-profile CVEs turn up in vulnerability exploit sales

The dark web marketplaces dedicated to the trade of credentials and vulnerabilities boast some big names in enterprise compromises, Flashpoint research released Tuesday shows.

Three reported purchases of vulnerability exploits on the dark web during the first half of the year included high-profile, actively exploited CVEs, according to the threat intelligence firm.

The remote code execution vulnerability in Barracuda’s email security gateway appliances, CVE-2023-2868, was purchased for $15,000 during Q2. Barracuda disclosed and attempted to patch the actively exploited zero-day vulnerability in May, but the patches failed and exploits are still underway.

Flashpoint said its threat intelligence analysts observed a post expressing interest in the exploit on June 16, and another user offered help in response two days later.

CVE-2023-24489 impacting Citrix ShareFile was sold for $25,000, and there were two reported purchases of exploits for CVE-2022-32548 affecting DrayTek routers for an unknown sum, according to Flashpoint.

Flashpoint said it cannot confirm if successful transactions occurred in these instances because dark web sales typically occur over direct message.

Exploits of known, unpatched vulnerabilities accounted for more than 5% of the breaches studied in IBM’s annual report on data breach costs.

Flashpoint observed 27 vulnerability exploits listed for sale or purchased on the dark web during the first half of the year. One-third of those vulnerability exploits were linked to Microsoft products.

Exploits for vulnerabilities in products from Adobe, Fortinet, Oracle, Veeam and VMware were also listed for sale on the dark web, according to Flashpoint.

Prices varied widely during the six-month period, with one exploit listed for $600 and another fetching $25,000.