Cybersecurity Agencies Share 2022’s Most Commonly Exploited Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and their Five Eyes intelligence partners have issued a joint security advisory detailing the most commonly exploited vulnerabilities in 2022. Cyber threat actors target Internet-facing systems with unpatched vulnerabilities to gain initial access to organizations’ internal networks, allowing them to steal sensitive data and conduct other post-exploitation activities. The advisory lists the top 12 Common Vulnerabilities and Exposures (CVEs) exploited by malicious actors in 2022, along with a further 30 CVEs that have been extensively exploited by threat actors. This year, the list also includes the associated Common Weakness Enumerations (CWEs), which identify the root cause that allowed each vulnerability to be exploited.
While sophisticated threat groups actively seek out zero-day vulnerabilities or develop exploits for recently disclosed CVEs, in 2022 malicious actors exploited older vulnerabilities far more frequently than recently disclosed flaws. Many of the vulnerabilities on the list had Proof-of-Concept (PoC) exploits in the public domain, which put exploitation within reach of a much broader range of threat actors. Top of the list is a five-year-old vulnerability in Fortinet’s SSL VPNs (FortiOS/FortiProxy), CVE-2018-13379, which was also one of the most frequently exploited vulnerabilities in 2020 and 2021. Despite it being the 15th most commonly exploited vulnerability in 2021, and a patch having been available since May 2019, many organizations failed to patch and remained vulnerable to attack. The vulnerability has been exploited by Advanced Persistent Threat (APT) actors and by cybercriminal groups such as ransomware gangs.
It was a similar story with a group of Microsoft Exchange Server vulnerabilities dubbed ProxyShell (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523), which together allow security feature bypass, privilege escalation, and remote code execution. The vulnerabilities were identified and patched the previous year, yet despite extensive media coverage and security warnings, many organizations did not apply the patches. An authentication bypass flaw in Zoho ManageEngine that allowed remote code execution and a code execution flaw in Atlassian’s Confluence Server and Data Center were likewise disclosed, and had patches released, the previous year.
Threat actors develop exploits for known vulnerabilities and can typically keep exploiting them successfully for a couple of years in low-cost, high-impact attacks, because many organizations fail to patch promptly or to implement the recommended mitigations. The cybersecurity agencies urge all organizations to use the list as a guide to help prioritize patching. Failing to apply patches promptly, especially for known exploited vulnerabilities, makes it easier for attackers to gain access to organizations’ networks.
In addition to implementing a centralized patch management system, patching promptly, and conducting regular vulnerability scans, the cybersecurity agencies encourage vendors, designers, developers, and end-user organizations to take other steps to reduce the risk of compromise by malicious cyber actors, such as implementing secure-by-design principles, prioritizing secure-by-default configurations, and ensuring disclosed CVEs include the correct CWE stating the root cause of the vulnerability.
Most Commonly Exploited CVEs in 2022
| CVE | Vendor | Product | Vulnerability | CWE |
|---|---|---|---|---|
| CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server | RCE | CWE-918 Server-Side Request Forgery |
| CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287 Improper Authentication |
| CVE-2021-40539 | Zoho | ADSelfService Plus | RCE / Authentication Bypass | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) |
| CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Arbitrary Code Execution | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection) |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-20 Improper Input Validation; CWE-400 Uncontrolled Resource Consumption; CWE-502 Deserialization of Untrusted Data |
| CVE-2022-22954 | VMware | Workspace ONE | RCE | CWE-94 Improper Control of Generation of Code (Code Injection) |
| CVE-2022-22960 | VMware | Workspace ONE | Improper Privilege Management | CWE-269 Improper Privilege Management |
| CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication Vulnerability | CWE-306 Missing Authentication for Critical Function |
| CVE-2022-30190 | Microsoft | Multiple Products | RCE | None Listed |
| CVE-2022-26134 | Atlassian | Confluence Server and Data Center | RCE | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) |