Top 12 vulnerabilities routinely exploited in 2022

Cybersecurity agencies from member countries of the Five Eyes intelligence alliance have released a list of the top 12 vulnerabilities routinely exploited in 2022, plus 30 additional ones also “popular” with attackers.

The top 12

“In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains likely facilitating exploitation by a broader range of malicious cyber actors,” the CISA advisory has revealed.

The following vulnerabilities have been most often exploited in 2022:

• CVE-2018-13379 is a path traversal flaw in the Fortinet SSL VPN web portal
• CVE-2021-34473, CVE-2021-31207, CVE-2021-34523 are ProxyShell vulnerabilities affecting Microsoft Exchange servers that, combined, enable pre-authenticated remote code execution
• CVE-2021-40539 is an authentication bypass vulnerability in Zoho ManageEngine AD SelfService Plus
• CVE-2021-26084 is an object-graph navigation language (OGNL) injection vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a Confluence Server or Data Center instance
• CVE-2021- 44228 (aka Log4Shell) is a remote code execution vulnerability in Apache Log4j, a popular Java logging library, that allows threat actors to execute arbitrary code by submitting a specific request, thus making them gain full control of the system
• CVE-2022-22954, CVE-2022-22960 are RCE, privilege escalation, and authentication bypass vulnerabilities in VMware Workspace ONE Access, Identity Manager, and other VMware products
• CVE-2022-1388 is a vulnerability in F5 BIG-IP that could allow unauthenticated threat actors to execute arbitrary system commands, create or delete files, or disable services
• CVE-2022-30190 is a remote code execution vulnerability affecting Microsoft Windows Support Diagnostic Tool (MSDT) that could allow a remote, unauthenticated threat actor to take control of the system
• CVE-2022-26134 is a remote code execution vulnerability in Atlassian Confluence Data Center and Server

Additional “popular” vulnerabilities

Among the other often exploited vulnerabilities listed, there are bugs in solutions by Citrix (CVE-2019-19781), Microsoft (CVE-2017-0199, CVE-2017-11882, CVE-2020-1472, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, CVE-2022-41082), Ivanti (CVE-2019-11510), SonicWALL (CVE-2021-20021, CVE-2021-20038), Fortinet (CVE-2022-42475, CVE-2022-40684), QNAP (CVE-2022-27593), and other software manufacturers.

Some of the vulnerabilities in these lists date back to 2017 and 2018 and are still being widely exploited.

“To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers,” said Jonathon Ellison, NCSC Director of Resilience and Future Technology.