Alert Essentials:

Threat actors have found medium-severity flaws to be a new sweet spot for weaponization. Consider adding a triage layer to vulnerability patching policies, such as CISA's Stakeholder-Specific Vulnerability Categorization (SSVC), so that patch order reflects exploitation and mission impact rather than CVSS score alone.


Detailed Threat Description:

Threat actors are increasingly exploiting medium-severity vulnerabilities. This trend is driven by several factors, including ease of exploitation, lower detection rates, and the ability to chain multiple vulnerabilities for significant impact.

Medium-severity vulnerabilities often require less sophistication to exploit and are frequently deprioritized by defenders who concentrate on critical and high findings. That gap is exactly what makes them attractive: more groups are using medium flaws to gain a foothold on edge devices, or chaining them with higher-severity vulnerabilities to reach remote code execution.

The 2021 ProxyShell campaign against on-premises Microsoft Exchange showed this pattern at scale: one critical flaw was chained with two lower-rated vulnerabilities to gain code execution and deploy ransomware. The campaign had global impact, and some Exchange instances remain unpatched and exploitable today.

Threat groups also take advantage of medium-severity flaws in edge devices for initial access. The Terrapin prefix-truncation attack (2023, rated medium) still allows an on-path attacker to strip messages from the SSH handshake when vulnerable cipher modes are negotiated, undermining session integrity. CVE-2025-24813 in Apache Tomcat was initially rated medium and was re-rated higher once exploitation against exposed web servers began worldwide. A curl use-after-free with a CVSS score of 5.9 is being exploited on vulnerable edge devices, IoT systems, and environments that still use SMB or Telnet.

SonicWall devices are currently the target of a campaign that exploits a medium-severity flaw alongside several others. Nation-state actors are chaining a medium-severity flaw with a high-severity flaw to achieve remote code execution and take complete control of Ivanti Endpoint Manager Mobile. A FortiOS authentication bypass, originally rated medium, is being exploited in the wild to gain unauthorized access to VPN services.

Network defenders should prioritize vulnerabilities based on real-world exploitability and business impact rather than CVSS scores alone. A CVSS base score measures intrinsic severity; it says nothing about whether a flaw is actually being exploited or how much the affected asset matters to the organization. Organizations should consider tools such as CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision trees to prioritize vulnerabilities against essential mission operations, instead of patching primarily in order of the standard vulnerability score.

In 2016, Sweet32 affected the majority of OpenVPN connections because it targeted 64-bit block ciphers such as Blowfish, then OpenVPN's default: an adversary-in-the-middle (AITM) who can capture tens of gigabytes of traffic from a single long-lived session and inject chosen plaintext can recover sensitive plaintext from ciphertext block collisions. Exploiting issues like weak cipher suites or certificate-validation errors requires specific conditions, which is why they tend to be rated medium. Even so, the timing is ripe for attackers to weaponize certificate-based weaknesses, install malicious root certificates, and distribute malware signed by certificates that chain to them.

Impacts on Healthcare Organizations:

Exploitation of a medium-severity flaw often ends in the same place as exploitation of a higher-scored one: ransomware deployment and, for skilled threat actors, compromise of the entire system. Healthcare organizations should revise their patching strategies to focus on mission-critical assets and their actual attack surface, rather than relying on a generic severity score alone.

Engineering Recommendations:

  • Adjust patching policies to reflect business impact rather than CVSS score alone
  • Combine the CVSS score with an EPSS score (the estimated probability of exploitation in the next 30 days) and the organization's own decision tree to better determine the real impact of a vulnerability
  • Automate patch management workflows

Leadership Recommendations:

  • Conduct a business impact analysis (BIA) and an application/data critical analysis to identify and prioritize systems that support essential services
  • From that analysis, develop a decision tree to prioritize patching weaknesses based on the organization’s mission and real-world attacks
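As an added worked example, not from this advisory and not CISA's published decision table, the following Python shows the shape of an SSVC-style triage that the engineering and leadership recommendations above describe. It uses the same decision points as CISA's deployer tree (exploitation status, automatability, technical impact, mission and well-being) and its four outcomes (Track, Track*, Attend, Act), but the leaf mapping in `ssvc_decision` is a simplified approximation written for this illustration; a real deployment should take the mapping from CISA's calculator and the mission ratings from the organization's own business impact analysis. The backlog entries are constructed sample data, not real CVEs.

```python
"""Illustrative SSVC-style vulnerability triage (added example).

Decision points mirror CISA's SSVC deployer tree; the outcome mapping
below is a simplified approximation for demonstration, not CISA's
official decision table.
"""
from dataclasses import dataclass

EXPLOITATION = ("none", "poc", "active")
TECHNICAL_IMPACT = ("partial", "total")
MISSION = ("low", "medium", "high")
OUTCOME_RANK = {"Track": 0, "Track*": 1, "Attend": 2, "Act": 3}


@dataclass(frozen=True)
class Vuln:
    name: str
    cvss: float            # base score; used only as the last tiebreaker
    epss: float            # probability of exploitation in the next 30 days
    exploitation: str      # "none" | "poc" | "active"
    automatable: bool      # can an attacker reliably automate the attack?
    technical_impact: str  # "partial" | "total" (control of the component)
    mission: str           # BIA rating of the affected asset: low/medium/high


def ssvc_decision(v: Vuln) -> str:
    """Simplified SSVC-style outcome for one vulnerability (illustrative)."""
    if (v.exploitation not in EXPLOITATION
            or v.technical_impact not in TECHNICAL_IMPACT
            or v.mission not in MISSION):
        raise ValueError(f"bad decision-point value in {v.name}")
    total = v.technical_impact == "total"
    if v.exploitation == "active":
        # Active exploitation of a mission-relevant asset demands action now,
        # regardless of CVSS.
        if v.mission == "high" or (v.mission == "medium" and (total or v.automatable)):
            return "Act"
        return "Attend"
    if v.exploitation == "poc":
        if v.mission == "high" and v.automatable and total:
            return "Attend"
        if v.mission != "low" and (v.automatable or total):
            return "Track*"
        return "Track"
    # No known exploitation: only watch closely if everything else is worst-case.
    if v.mission == "high" and v.automatable and total:
        return "Track*"
    return "Track"


def prioritize(vulns):
    """Order by SSVC outcome, then EPSS, then CVSS as the final tiebreaker."""
    return sorted(
        vulns,
        key=lambda v: (OUTCOME_RANK[ssvc_decision(v)], v.epss, v.cvss),
        reverse=True,
    )


def cvss_only(vulns):
    """The ordering a 'patch criticals first' policy would produce."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


# Constructed sample backlog (names and values are made up for this example).
SAMPLE = [
    Vuln("vuln-a", 9.8, 0.02, "none", True, "total", "low"),     # critical, isolated lab host
    Vuln("vuln-b", 5.9, 0.81, "active", True, "total", "high"),  # medium, exposed edge device
    Vuln("vuln-c", 7.5, 0.10, "poc", False, "total", "medium"),  # high, public PoC only
    Vuln("vuln-d", 6.1, 0.03, "none", False, "partial", "low"),  # medium, nothing known
]

if __name__ == "__main__":
    print("CVSS-only order :", [v.name for v in cvss_only(SAMPLE)])
    print("SSVC-style order:", [(v.name, ssvc_decision(v)) for v in prioritize(SAMPLE)])
```

Run stand-alone, the CVSS-only ordering puts the unexploited critical on the lab host first, while the SSVC-style ordering moves the actively exploited medium on the mission-critical edge device to the top and leaves the lab host at the bottom of the list.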

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
