Five Eyes Cybersecurity Agencies Reveal Top Vulnerabilities Exploited in 2022

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and their international cybersecurity partners in Australia, Canada, New Zealand, and the United Kingdom have issued a joint cybersecurity advisory about the top Common Vulnerabilities and Exposures (CVEs) that were exploited by malicious actors in 2022.

One takeaway from the list is that while recently disclosed vulnerabilities are exploited soon after disclosure, it is far more common for malicious actors to exploit older vulnerabilities in their attacks. None of the top five exploited CVEs in 2022 were disclosed that year and the most commonly exploited vulnerability was a then four-year-old vulnerability affecting Fortinet FortiOS/FortiProxy, a patch for which was made available in May 2019. The vulnerability was also one of the most commonly exploited CVEs in 2020 and 2021.

The cybersecurity agencies point out that Proof-of-Concept (PoC) exploit code was publicly available for many of the vulnerabilities, which allowed the vulnerabilities to be exploited by a much broader range of threat actors. While it is important to prioritize patching to ensure critical vulnerabilities are patched quickly, attention should be paid to vulnerabilities that have publicly available exploit code and these should be given maximum priority.

Malicious actors also tend to concentrate on critical and high-severity CVEs that are globally prevalent. “While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years,” according to Five Eyes agencies. “Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks.”

Generally, threat actors will be able to have the greatest success by exploiting vulnerabilities within the first two years following public disclosure, with the effectiveness of their exploits dwindling over time as more organizations patch the vulnerabilities. The fact that the Fortinet vulnerability continued to be extensively exploited three years after a patch was released confirms that many organizations are failing to apply patches in a timely manner. If more organizations patched promptly, threat actors would be forced to invest much more time, effort, and money into developing zero-day exploits and conducting software supply chain compromises.

For the first time, the Five Eyes agencies have also shared the associated common weakness enumerations (CWEs) associated with the vulnerabilities, which show the root cause that allowed the vulnerability to be exploited.

The Top 12 Exploited CVEs in 2022

CVE Vendor Product(s) Vulnerability Type CWE
CVE-2018-13379 Fortinet FortiOS & FortiProxy SSL VPN credential exposure CWE-22 – Path Traversal
CVE-2021-34473 (Proxy Shell) Microsoft Exchange Server RCE CWE-918 – Server-Side Request Forgery
CVE-2021-31207 (Proxy Shell) Microsoft Exchange Server Security Bypass Feature CWE-22 – Path Traversal
CVE-2021-34523 (Proxy Shell) Microsoft Exchange Server Elevation of Privilege CWE-287 Improper Authentication
CVE-2021-40539 Zoho AdSelfService Plus RCE / Authentication Bypass CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component
CVE-2021-26084 Atlassian Confluence Server & Data Center Arbitrary Code Execution CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement
CVE-2021-44228 (Log4Shell) Apache Log4j2 RCE CWE-20 Improper Input Validation | CWE-400 Uncontrolled Resource Consumption | CWE-502 Deserialization of Untrusted Data
CVE-2022-22954 VMware Workspace ONE RCE CWE-94 – Code Injection
CVE-2022-22960 VMware Workspace ONE Improper Privilege Management CWE-269 Improper Privilege Management
CVE-2022-1388 F5 Networks BIG-IP Missing Authentication Vulnerability CWE-306 Missing Authentication for Critical Function
CVE-2022-30190 Microsoft Multiple Products RCE None Listed
CVE-2022-26134 Atlassian Confluence Server & Data Center RCE CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component

In addition to these 12 vulnerabilities, the Five Eyes cybersecurity agencies shared details of a further 30 CVEs. The list should be used by all organizations to help them prioritize patching. If patches cannot be applied, the mitigation steps outlined in the security advisory should be applied as soon as possible.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of