Cybersecurity experts from the Australian, U.K., and U.S. governments have released a list of the most commonly exploited vulnerabilities of 2020 and 2021.
The joint advisory released on July 28 was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).
The advisory first lists the 12 most commonly exploited vulnerabilities of 2020, four of which affected remote work, VPN, or cloud-based technologies.
It then covers 18 further vulnerabilities discovered in 2021 that have also been common targets, grouped by product: Microsoft Exchange, Pulse Secure, Accellion, VMware, and Fortinet.
It is important to note that many of the 2020 vulnerabilities are still being targeted today.
2020 exploited vulnerabilities
The experts identified the following most commonly exploited vulnerabilities throughout 2020:
- Citrix SD-WAN WANOP arbitrary code execution: CVE-2019-19781
- Pulse Secure VPN Servers arbitrary file reading: CVE-2019-11510
- Fortinet path traversal: CVE-2018-13379
- F5 BIG-IP remote code execution: CVE-2020-5902
- MobileIron remote code execution: CVE-2020-15505
- Microsoft Office remote code execution: CVE-2017-11882
- Atlassian remote code execution: CVE-2019-11580
- Drupal remote code execution “Drupalgeddon2”: CVE-2018-7600
- Telerik remote code execution: CVE-2019-18935
- Microsoft SharePoint remote code execution: CVE-2019-0604
- Microsoft BITS elevation of privilege: CVE-2020-0787
- Netlogon elevation of privilege “Zerologon”: CVE-2020-1472
2021 exploited vulnerabilities
In 2021, malicious cyber actors continued to target perimeter devices and their vulnerabilities, particularly products made by Microsoft, Pulse Secure, Accellion, VMware, and Fortinet.
Microsoft released emergency out-of-band security updates back in March 2021 to fix multiple Critical Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impacting Microsoft Exchange Server 2013, 2016 and 2019.
CISA confirmed CVE-2021-26855 can “allow an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.”
CVE-2021-26855 is a server-side request forgery (SSRF) flaw reached through the Exchange Control Panel (ECP). The remaining three vulnerabilities can each result in remote code execution and could be chained with CVE-2021-26855 to further compromise affected systems.
In May of this year, CISA warned that attackers continued to exploit Pulse Connect Secure vulnerabilities, including CVE-2021-22893 and older flaws. Ivanti later discovered active exploitation of three other Critical vulnerabilities (CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900).
CISA also issued an alert after confirming malicious activity on vulnerable Pulse Connect Secure appliances in both public- and private-sector networks, and added further detection methods on April 30.
Since March 31, 2021, CISA has assisted multiple entities whose vulnerable Pulse Connect Secure products had been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Connect Secure Integrity Tool.
Earlier this year, cyber attackers continued to exploit Accellion File Transfer Appliance (FTA) zero-day vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) to steal data and then extort their victims.
Starting in mid-December 2020, FireEye’s Mandiant team observed a previously unknown threat actor it tracks as UNC2546 exploiting multiple FTA vulnerabilities to install a web shell dubbed DEWMODE.
In June 2021, security researchers spotted thousands of vulnerable, unpatched VMware vCenter servers exposed on the internet, and multiple proof-of-concept (PoC) exploits for the remote code execution (RCE) vulnerability CVE-2021-21985 had already been posted online.
VMware released a Critical security update on May 25 to fix two vulnerabilities, one of them a flaw in VMware vCenter Server that could result in RCE via the vSphere Client (CVE-2021-21985). According to VMware, the vSphere Client (HTML5) contains an RCE vulnerability due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.
In April 2021, cybersecurity experts from the FBI and CISA issued a joint cybersecurity advisory warning of APT exploits of Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812).
The FBI warned that APT actors were likely scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks.