HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

15 Most Exploited Vulnerabilities in 2021

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021.

Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. 11 of the most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and security bypass, path traversal, arbitrary file reading, and arbitrary code execution flaws.

Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor allowing the execution of arbitrary code, which would give the attacker full control of a vulnerable system. The vulnerability was only disclosed publicly in December 2021, yet still ranked first as the most commonly exploited vulnerability, demonstrating how hackers can quickly weaponize and exploit vulnerabilities before organizations can patch. The flaw was rated one of the most serious vulnerabilities to be discovered in the past decade.

CVE Vulnerability Name Vendor and Product Type
CVE-2021-44228 Log4Shell Apache Log4j Remote code execution (RCE)
CVE-2021-40539 Zoho ManageEngine AD SelfService Plus RCE
CVE-2021-34523 ProxyShell Microsoft Exchange Server Elevation of privilege
CVE-2021-34473 ProxyShell Microsoft Exchange Server RCE
CVE-2021-31207 ProxyShell Microsoft Exchange Server Security feature bypass
CVE-2021-27065 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26858 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26857 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26855 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26084 Atlassian Confluence Server and Data Center Arbitrary code execution
CVE-2021-21972 VMware vSphere Client RCE
CVE-2020-1472 ZeroLogon Microsoft Netlogon Remote Protocol (MS-NRPC) Elevation of privilege
CVE-2020-0688 Microsoft Exchange Server RCE
CVE-2019-11510 Pulse Secure Pulse Connect Secure Arbitrary file reading
CVE-2018-13379 Fortinet FortiOS and FortiProxy Path traversal

The remote code execution vulnerability in Zoho ManageEngine AD SelfService Plus – CVE-2021-40539 – has a 9.8 CVSS severity rating and was the second most exploited vulnerability, with attacks exploiting the vulnerability continuing in 2022. The flaw can be exploited remotely and allows web shells to be implanted in a network, allowing the attacker to compromise credentials, move laterally, and exfiltrate sensitive data.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The ProxyLogon flaws in Microsoft Exchange email servers were also extensively exploited. These flaws – CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – allow remote attackers to execute arbitrary code on vulnerable exchange servers to gain access to files and mailboxes on the servers, along with any credentials stored on the servers.

Three ProxyShell vulnerabilities made the top 15 list. These vulnerabilities – CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – can be exploited on Microsoft Exchange email servers that have the Microsoft Client Access Service (CAS) exposed to the Internet. This is a common configuration that allows users to access their emails on their mobile devices and via web browsers. The flaws can be exploited to remotely execute arbitrary code on vulnerable servers.

In many cases, vulnerabilities were exploited within two weeks of the vulnerabilities being publicly disclosed, most commonly as a result of security researchers publishing proof-of-concept exploits, which helped a much broader range of threat actors quickly exploit the vulnerabilities before organizations had the time to patch.

A further 21 vulnerabilities are listed that are also routinely exploited, including many from 2021 and some dating back to 2017.  Patching these vulnerabilities promptly will ensure they cannot be exploited. The Five Eyes agencies have also included a list of mitigations that make it harder for threat actors to exploit these and other vulnerabilities.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.