Government cybersecurity agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the vulnerabilities most routinely exploited in 2020 and so far in 2021, once again demonstrating how quickly threat actors weaponize publicly disclosed flaws, many of them years old, against targets that have not patched.
"Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide," the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) noted.
"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system."
The top 30 vulnerabilities span a wide range of software, notably remote-work, virtual private network (VPN), and cloud-based technologies, and affect products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 (BIG-IP), Atlassian, and Drupal. A striking number of the entries sit on internet-facing edge devices or collaboration servers, where a single unauthenticated request can yield credentials or code execution without any user interaction.
The most routinely exploited flaws in 2020 are as follows -
- CVE-2019-19781 (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability
- CVE-2019-11510 (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability
- CVE-2018-13379 (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak
- CVE-2020-5902 (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability
- CVE-2020-15505 (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability
- CVE-2020-0688 (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability (in practice a fixed ASP.NET validation key shared by every Exchange Control Panel install, letting an authenticated user forge ViewState and run code on the server)
- CVE-2019-3396 (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability
- CVE-2017-11882 (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability (the Equation Editor bug, still a staple of malicious documents years after the fix)
- CVE-2019-11580 (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability
- CVE-2018-7600 (CVSS score: 9.8) - Drupal remote code execution vulnerability (aka "Drupalgeddon 2")
- CVE-2019-18935 (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution
- CVE-2019-0604 (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability
- CVE-2020-0787 (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability
- CVE-2020-1472 (CVSS score: 10.0) - Windows Netlogon elevation of privilege vulnerability (aka "Zerologon," which lets an unauthenticated attacker on the network reset a domain controller's machine account password)
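Four of the 2020 entries (Citrix, Pulse Secure, Fortinet, F5) are path-traversal or arbitrary-file-read bugs in internet-facing appliances, and exploitation of them leaves a recognisable trace in web access logs. The script below is an added example written for this page, not code from the advisory or any vendor: it scans constructed combined-format access-log lines for traversal attempts, normalising percent-encoding (including double encoding) and the Tomcat `..;` segment before matching, and attributes hits to the four CVEs using their publicly documented request paths. The log lines, the documentation-range source addresses, and the `scan_log`/`normalize_target` names are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format; they are not from any
# real device and the source addresses are 203.0.113.0/24 documentation placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jul/2021:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.11 - - [28/Jul/2021:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1043
203.0.113.12 - - [28/Jul/2021:10:02:17 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2201
203.0.113.13 - - [28/Jul/2021:10:03:44 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 9000
203.0.113.14 - - [28/Jul/2021:10:04:01 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 800
203.0.113.15 - - [28/Jul/2021:10:05:09 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 1043
203.0.113.16 - - [28/Jul/2021:10:06:30 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 300
"""

# Request target and status code out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+" (\d{3})')

# Any "/../" segment (or a leading/trailing "..") after normalisation.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")

# Publicly documented request paths for the traversal/file-read flaws in the 2020
# list, matched against the normalised target.
SIGNATURES = (
    ("CVE-2019-19781", "Citrix ADC/Gateway",
     re.compile(r"^/vpn/\.\./vpns/")),
    ("CVE-2019-11510", "Pulse Connect Secure",
     re.compile(r"^/dana-na/\.\./dana/html5acc/guacamole/")),
    ("CVE-2018-13379", "Fortinet FortiOS SSL VPN",
     re.compile(r"^/remote/fgt_lang\?lang=.*\.\./.*sslvpn_websession")),
    ("CVE-2020-5902", "F5 BIG-IP TMUI",
     re.compile(r"^/tmui/login\.jsp/\.\./tmui/")),
)


def normalize_target(target):
    """Undo the encodings attackers use to slip traversal past naive matching."""
    # Decode twice so double-encoded dots (%252e -> %2e -> .) are also caught.
    for _ in range(2):
        target = unquote(target)
    # Java servlet containers strip ";..." path parameters per segment, so Tomcat
    # resolves "/..;/" as "/../" even though an Apache front-end left it untouched.
    # That mismatch is the CVE-2020-5902 bypass; fold it back before matching.
    target = target.replace("..;/", "../")
    return target


def scan_log(log_text):
    """Return one dict per request whose normalised target contains a traversal."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = normalize_target(m.group(1))
        if not TRAVERSAL_RE.search(target):
            continue
        cve, product = "generic-traversal", None
        for sig_cve, sig_product, pattern in SIGNATURES:
            if pattern.search(target):
                cve, product = sig_cve, sig_product
                break
        hits.append({
            "line": lineno,
            "source": line.split(" ", 1)[0],
            "status": int(m.group(2)),
            "cve": cve,
            "product": product,
            "target": target,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']:>2}  {hit['source']:<14} {hit['status']}  "
              f"{hit['cve']:<18} {hit['target']}")
```

A 200 response on one of these paths is a much stronger signal than the request alone, since it usually means the file read succeeded rather than being blocked by a patched device. The generic rule will also fire on the occasional benign `..` and on traversal attempts against products not in the list, which is deliberate: unknown traversal on an edge appliance deserves a look. None of this substitutes for patching; it tells you whether the window was exploited before you closed it.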
The vulnerabilities that have come under active attack so far in 2021 are listed below -
- Microsoft Exchange Server: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 (aka "ProxyLogon")
- Pulse Connect Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion File Transfer Appliance (FTA): CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
- VMware vCenter Server (vSphere Client): CVE-2021-21985
- Fortinet FortiOS: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 (with CVE-2018-13379 carrying over from the 2020 list, a three-year-old path traversal still being exploited in 2021)
The development also comes a week after MITRE published its list of the top 25 "most dangerous" software weaknesses (the 2021 CWE Top 25), the classes of coding error that lead to serious vulnerabilities an adversary could exploit to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.
"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices," NCSC Director for Operations Paul Chichester said, urging organizations to prioritize patching to minimize the risk of exploitation by malicious actors.