Top 30 most exploited vulnerabilities since 2020 revealed
UK, US, and Australian security agencies reveal the systems businesses need to patch now to prevent continued exploitation
The National Cyber Security Centre (NCSC) and its counterparts in the US and Australia have revealed the 30 most routinely exploited vulnerabilities across a variety of systems since the start of 2020.
Last year, hackers typically exploited known and fixed vulnerabilities to target unpatched systems, with many of these having been disclosed within the past two years, according to a joint advisory.
These include well-known vulnerabilities in Citrix, Microsoft, and Fortinet systems that hackers are able to continue exploiting because businesses haven’t yet applied patches. Commonly exploited flaws in 2021 include those found in Microsoft Exchange Server in March, alongside Accellion and VMware vulnerabilities.
Many of these flaws have been discovered within the last two years, which differs from the general norm of hackers exploiting dated vulnerabilities, typically between five and ten years old.
The reason stems, in part, from the expansion of remote working amid the COVID-19 pandemic. The use of technologies such as cloud computing and virtual private networks (VPNs), too, has placed an additional burden on the security industry to maintain and keep pace with routine software patching.
“We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them,” said the NCSC director for operations, Paul Chichester.
“The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices. Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm."
Patch now: The top 30 most exploited flaws since 2020
Citrix - CVE-2019-19781 - various products: Several organisations were targeted in early January through a flaw in Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN that allowed hackers to perform arbitrary code execution on a network.
Ivanti - CVE 2019-11510 - Pulse Connect Secure - Hackers exploited the popular SSL VPN platform used by large organisations and governments to gain access to vulnerable networks. The flaw was even used in Sodinokibi ransomware attacks.
Fortinet - CVE 2018-13379 - FortiOS: A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
F5 - CVE 2020-5902 - BIG-IP: Unauthenticated attackers with network access to the configuration utility of the BIG-IP family of networking hardware and software products could exploit this bug to perform various attacks, including executing arbitrary system commands.
MobileIron - CVE 2020-15505 - various products: MobileIron released patches in June 2020 to address holes in its mobile device management (MDM) systems including this remote code execution (RCE) flaw. It was being exploited by state-backed hackers to compromise the networks of UK organisations.
Microsoft - CVE-2017-11882 - Microsoft Office: Discovered in 2017, this is an RCEbug that exists when the software fails to properly handle objects in memory. If a user is logged in with admin rights, an attacker could take control of the affected system.
The five essentials from your endpoint security partner
Empower your MSP business to operate efficientlyDownload now
Atlassian - CVE-2019-11580 - Atlassian Crowd: Atlassian patched an RCE flaw in its crowd platform in May 2020. This is a user management application for access control for Active Directory (AD), Lightweight Directory Access Protocol (LDAP), OpenLDAP and Microsoft Azure AD.
Drupal - CVE-2018-7600 - Drupal 7 and 8: Older iterations of version 7 and 8 of the content management system (CMS) platform was embedded with an RCE flaw that allowed attackers to execute arbitrary code due to an issue affecting multiple subsystems.
Telerik - CVE 2019-18935 - Telerik UI for ASP.NET AJAX: Hackers have been exploiting an RCE flaw in this widely used suite of UI components for web applications since December 2019. The vulnerability insecurely deserialises JSON objects in a way that results in RCE of the software’s underlying host.
Microsoft - CVE-2019-0604 - Microsoft SharePoint: An RCE vulnerability exists in SharePoint when the software fails to check the source markup of an application package. An attacker can exploit the flaw to run arbitrary code within the SharePoint application pool and the SharePoint server farm account.
Microsoft - CVE-2020-0787 - Windows Background Intelligent Transfer Service (BITS): The BITS component in Windows improperly handles symbolic links, with an attacker able to overwrite a targeted file leading to elevation of privileges. Hackers have exploited this by logging into a targeted system and running a specially crafted application to exploit the flaw and take control of the targeted system.
Microsoft - CVE-2020-1472 - Netlogon Remote Protocol: This elevation of privilege vulnerability exists when a hacker establishes a vulnerable Netlogon secure channel connection to a domain controller. Attackers who exploit the flaw can run a specially crafted application on a device on the network.
Microsoft - CVE-2020-0688 - Exchange Server: An RCE vulnerability exists in Exchange Server when the server fails to properly create unique cryptographic keys at the time of installation. Specifically, this is found in the Exchange Control Panel (ECP) component.
Atlassian - CVE-2019-3396 - Confluence Widget Connector: This critical server-side template injection vulnerability, found in the Confluence Server and Data Center Widget Connector, can lead to path traversal and RCE.
Microsoft - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065 - Exchange Server: Chinese state-backed hackers exploited four previously unknown zero-days to launch a series of devastating attacks against businesses. They were exploiting these flaws as part of a chain attack, with the initial attack demanding the ability to make an untrusted connection to Exchange server port 443.
Ivanti - CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900 - Pulse Secure: At least two major hacking groups deployed a dozen malware families to exploit flaws in Pulse Connect Secure’s suite of VPNs to spy on the US defence sector. The NCSC issued guidance for businesses in May 2021 to update their Pulse Connect Secure systems to version 9.1R.11.4.
Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 - File Transfer Appliance (FTA): In February this year, Accellion patched four flaws in its FTA tool after detecting that fewer than customers were targeted earlier in the year. Cyber security agencies around the world later warned, however, that hackers had continued to exploit the vulnerabilities to target multiple layers of government in the US.
VMware - CVE-2021-21985 - vCenter Server: VMware warned customers in May this year that ransomware gangs were primed to exploit vulnerabilities in the vSphere Client to launch attacks. The flaw involves a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default in the system.
Fortinet - CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 - FortiOS: US cyber security agencies warned in April that state-backed hackers were exploiting these flaws to gain access to government systems. The first vulnerability let attackers download system files, and the second led to users successfully logging in without being prompted for a second factor of authentication, while the third let hackers on the same FortiOS subnet intercept sensitive information.
How virtual desktop infrastructure enables digital transformation
Challenges and benefits of VDIFree download
The Okta digital trust index
Exploring the human edge of trustFree download
Optimising workload placement in your hybrid cloud
Deliver increased IT agility with the cloudFree Download
Modernise endpoint protection and leave your legacy challenges behind
The risk of keeping your legacy endpoint security toolsDownload now