CISA Publishes List of the Most Commonly Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint cybersecurity advisory about the most common vulnerabilities exploited by cyber actors in 2020, many of which are still being widely exploited in 2021.

The advisory lists the top 30 exploited Common Vulnerabilities and Exposures (CVEs), how each vulnerability is exploited, recommended mitigations, indicators of compromise, and tools and methods that can be used to check whether the vulnerabilities have already been exploited.

Recently disclosed vulnerabilities are exploited by cyber threat actors, but most of the commonly exploited vulnerabilities are not new and were disclosed in the past two years. In 2020, the pandemic forced many businesses to switch from an office-based to a remote workforce, so it is not surprising that 4 of the most commonly exploited vulnerabilities in 2020 concern remote working solutions such as VPNs and cloud-based technologies. Since these remote working solutions are constantly in use, many businesses failed to apply patches and the vulnerabilities were exploited. It is essential that time is taken to apply patches as soon as possible and for IT teams conduct rigorous patch management.

Patches are available to address all of the most commonly exploited vulnerabilities included in the security advisory. Patching should be prioritized, starting with the vulnerabilities that are known to be currently exploited or those that are available to the largest number of potential cyber actors – for example, vulnerabilities in Internet facing systems. If it is not possible to apply patches, consider implementing temporary workarounds and other mitigations suggested by vendors.

The top 12 exploited vulnerabilities in 2020 are detailed in the table below

Vendor CVE Type
Citrix CVE-2019-19781 arbitrary code execution
Pulse CVE 2019-11510 arbitrary file reading
Fortinet CVE 2018-13379 path traversal
F5- Big IP CVE 2020-5902 remote code execution (RCE)
MobileIron CVE 2020-15505 RCE
Microsoft CVE-2017-11882 RCE
Atlassian CVE-2019-11580 RCE
Drupal CVE-2018-7600 RCE
Telerik CVE 2019-18935 RCE
Microsoft CVE-2019-0604 RCE
Microsoft CVE-2020-0787 elevation of privilege
Netlogon CVE-2020-1472 elevation of privilege

In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices, with the most commonly exploited flaws in Pulse, Accellion, VMware, Fortinet, and Microsoft Exchange. CISA is urging security teams to prioritize patching for the following vulnerabilities, which have been extensively exploited in 2021 in addition to addressing the above vulnerabilities.

Vendor CVE
Microsoft Exchange  CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
Pulse Secure  CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
Accellion CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
VMware CVE-2021-21985
Fortinet CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.