Critical CVEs Targeting Internet-Facing Services
Why do internet-facing services attract the most CVE exploitation?
A combination of factors makes internet-facing services uniquely attractive targets:
Direct reachability. Unlike internal systems that require a foothold, internet-facing services are accessible to anyone with a network connection. This eliminates the need for phishing, credential theft, or supply chain compromise as an initial access vector.
Homogeneity. Thousands of organisations run the same VPN gateway, web server, or firewall appliance. A single CVE in Fortinet FortiOS or Ivanti Connect Secure affects every instance globally. Attackers build one exploit and deploy it at scale.
Slow patching. Network edge devices and VPN gateways are difficult to patch because they require maintenance windows and may cause service disruption. According to Mandiant’s M-Trends 2024 report, the median time from vulnerability disclosure to exploitation was 5 days, while the median time to patch for many organisations exceeds 30 days.
High-value access. Compromising a VPN gateway or email server often provides direct access to the internal network, email communications, or sensitive data - making the effort highly rewarding for attackers.
Which recent CVEs have had the highest impact?
Notable CVEs that demonstrate the scale of internet-facing exploitation:
VPN and remote access:
| CVE | Product | Impact | Exploitation Timeline |
|---|---|---|---|
| CVE-2023-27997 | Fortinet FortiOS | Pre-authentication RCE via heap overflow in SSL VPN | Exploited within days of disclosure |
| CVE-2024-21887 | Ivanti Connect Secure | Authentication bypass + command injection chain | Zero-day exploitation before patch available |
| CVE-2023-4966 | Citrix NetScaler (Citrix Bleed) | Session token leak enabling account takeover | Mass exploitation within a week |
Web applications and file transfer:
| CVE | Product | Impact | Exploitation Timeline |
|---|---|---|---|
| CVE-2023-34362 | MOVEit Transfer | SQL injection leading to RCE | Zero-day exploitation; 2,500+ organisations affected |
| CVE-2024-1709 | ConnectWise ScreenConnect | Authentication bypass | Exploited within 24 hours of disclosure |
Email servers:
| CVE | Product | Impact |
|---|---|---|
| CVE-2023-23397 | Microsoft Outlook | NTLM credential theft via crafted email (no user interaction) |
| CVE-2023-36884 | Microsoft Office/Windows | RCE via crafted documents, actively exploited by threat actors |
These examples share a pattern: widely deployed, internet-facing, and exploited at scale.
How do you protect against critical CVE exploitation?
Practical defences, in order of priority:
1. Know what you have exposed. You cannot patch a VPN gateway you forgot about or a web server a team deployed without informing IT. EASM discovery is the foundation - you need a complete, current inventory of everything internet-facing.
2. Subscribe to the right alerts. Monitor CISA KEV updates, vendor security advisories for products in your environment, and security news for early warning of active exploitation campaigns.
3. Patch critical CVEs fast. The window between disclosure and exploitation is often hours to days. Pre-planned patch processes, tested rollback procedures, and pre-approved maintenance windows for emergency patching are essential.
4. Deploy compensating controls. When immediate patching is not possible, apply compensating controls: WAF rules to block exploitation attempts, network segmentation to limit blast radius, and access restrictions (IP allowlisting, VPN-only access) to reduce exposure.
5. Scan continuously. Automated CVE scanning catches newly disclosed vulnerabilities as they are published, before attackers begin mass exploitation.
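Steps 1, 2 and 5 above come together as one routine check: take the inventory of what is exposed, pull the CISA KEV catalogue, and rank the overlap by how urgent each finding is. The script below is an added illustration written for this page, not SurfaceLoop's own code. It embeds a constructed sample in the layout of the public KEV JSON feed (the `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` fields) using the CVEs discussed on this page, and a constructed asset inventory; the dates, hostnames and compensating-control labels are invented for the example, and the vendor/product token matching is a deliberately simple heuristic rather than a CPE lookup.

```python
import json
from datetime import date

# Constructed sample in the layout of the CISA KEV JSON feed. The CVE numbers
# and products are the ones discussed on this page; dateAdded / dueDate values
# are invented for the example and are not copied from the live catalogue.
KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-03-10", "dueDate": "2024-03-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2024-03-12", "dueDate": "2024-04-02", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
         "dateAdded": "2024-03-14", "dueDate": "2024-03-21", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed inventory as an EASM discovery run might produce it: only
# internet-facing hosts, each with a vendor/product fingerprint and whatever
# compensating control (WAF, IP allowlist) is already in front of it.
INVENTORY = [
    {"host": "vpn.example.net", "vendor": "Fortinet", "product": "FortiOS", "controls": []},
    {"host": "remote.example.net", "vendor": "Ivanti", "product": "Connect Secure", "controls": ["ip-allowlist"]},
    {"host": "gw.example.net", "vendor": "Citrix", "product": "NetScaler Gateway", "controls": []},
    {"host": "www.example.net", "vendor": "nginx", "product": "nginx", "controls": ["waf"]},
]


def _asset_matches(asset, entry):
    """Heuristic match: vendor substring plus every product token present in the
    KEV product string. Real tooling would match on CPE identifiers instead."""
    vendor_ok = asset["vendor"].lower() in entry["vendorProject"].lower()
    kev_product = entry["product"].lower()
    product_ok = all(tok in kev_product for tok in asset["product"].lower().split())
    return vendor_ok and product_ok


def match_kev(inventory, kev_json, today):
    """Cross-reference exposed assets against a KEV catalogue (JSON text).

    Returns findings ranked by: past the remediation due date first, then
    uncompensated exposure, then known ransomware use, then soonest due date.
    `today` is an ISO date string so the caller controls the reference point.
    """
    ref = date.fromisoformat(today)
    catalogue = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for entry in catalogue:
            if not _asset_matches(asset, entry):
                continue
            due = date.fromisoformat(entry["dueDate"])
            added = date.fromisoformat(entry["dateAdded"])
            days_left = (due - ref).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_until_due": days_left,
                "overdue": days_left < 0,
                # days the CVE has been on the catalogue, i.e. confirmed exploited,
                # while this asset stayed exposed
                "days_listed": (ref - added).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "compensated": bool(asset["controls"]),
            })
    findings.sort(key=lambda f: (not f["overdue"], f["compensated"],
                                 not f["ransomware"], f["days_until_due"]))
    return findings


if __name__ == "__main__":
    for f in match_kev(INVENTORY, KEV_SAMPLE, "2024-03-25"):
        status = "OVERDUE" if f["overdue"] else f"due in {f['days_until_due']}d"
        extras = []
        if f["ransomware"]:
            extras.append("ransomware use known")
        if f["compensated"]:
            extras.append("compensating control in place")
        print(f"{f['host']:<20} {f['cve']:<15} {status:<12} listed {f['days_listed']}d"
              + (f"  [{'; '.join(extras)}]" if extras else ""))
```

Run as-is, the report puts the FortiOS gateway first (past its due date and with nothing in front of it), the NetScaler gateway second (ransomware-linked, uncompensated) and the allowlisted Ivanti appliance last; the web server matches nothing in the sample. To use it against the real catalogue, replace `KEV_SAMPLE` with the JSON body fetched from CISA and the inventory with your discovery output; the `days_listed` column is the figure to watch against the disclosure-to-exploitation window discussed above.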
How SurfaceLoop handles this
SurfaceLoop combines asset discovery with continuous CVE scanning. When a critical vulnerability is disclosed that affects software on your infrastructure, SurfaceLoop alerts you with the specific assets affected, the CVE details, and remediation steps - often within hours of publication.
Frequently asked questions
- Which internet-facing services are most targeted by CVE exploitation?
- VPN and remote access gateways (Fortinet, Ivanti, Palo Alto, Citrix), web servers and application frameworks (Apache, Nginx, WordPress), email servers (Microsoft Exchange), and network edge devices (firewalls, load balancers) are the most frequently targeted. These systems are directly reachable from the internet and often run outdated software.
- How quickly do attackers exploit newly disclosed CVEs?
- For critical vulnerabilities in widely deployed internet-facing software, exploitation often begins within hours of public disclosure. Mandiant's 2024 research found the average time-to-exploit for internet-facing vulnerabilities has decreased to approximately 5 days, with some CVEs exploited within 24 hours of disclosure.
- Where can I check if a CVE is being actively exploited?
- CISA's Known Exploited Vulnerabilities (KEV) catalogue is the authoritative source for confirmed active exploitation. Vendor advisories, threat intelligence feeds, and security news outlets also report on active exploitation. SurfaceLoop flags CVEs on the KEV list as high-priority findings.