The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and their international cybersecurity partners in Australia, Canada, New Zealand, and the United Kingdom have issued a joint cybersecurity advisory about the top Common Vulnerabilities and Exposures (CVEs) that were exploited by malicious actors in 2022.
One takeaway from the list is that while recently disclosed vulnerabilities are exploited soon after disclosure, it is far more common for malicious actors to exploit older vulnerabilities in their attacks. None of the top five exploited CVEs in 2022 were disclosed that year and the most commonly exploited vulnerability was a then four-year-old vulnerability affecting Fortinet FortiOS/FortiProxy, a patch for which was made available in May 2019. The vulnerability was also one of the most commonly exploited CVEs in 2020 and 2021.
The cybersecurity agencies point out that Proof-of-Concept (PoC) exploit code was publicly available for many of the vulnerabilities, which allowed the vulnerabilities to be exploited by a much broader range of threat actors. While it is important to prioritize patching to ensure critical vulnerabilities are patched quickly, attention should be paid to vulnerabilities that have publicly available exploit code and these should be given maximum priority.
Malicious actors also tend to concentrate on critical and high-severity CVEs that are globally prevalent. “While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years,” according to Five Eyes agencies. “Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks.”
Generally, threat actors will be able to have the greatest success by exploiting vulnerabilities within the first two years following public disclosure, with the effectiveness of their exploits dwindling over time as more organizations patch the vulnerabilities. The fact that the Fortinet vulnerability continued to be extensively exploited three years after a patch was released confirms that many organizations are failing to apply patches in a timely manner. If more organizations patched promptly, threat actors would be forced to invest much more time, effort, and money into developing zero-day exploits and conducting software supply chain compromises.
For the first time, the Five Eyes agencies have also shared the associated common weakness enumerations (CWEs) associated with the vulnerabilities, which show the root cause that allowed the vulnerability to be exploited.
The Top 12 Exploited CVEs in 2022
| CVE | Vendor | Product(s) | Vulnerability Type | CWE |
| CVE-2018-13379 | Fortinet | FortiOS & FortiProxy | SSL VPN credential exposure | CWE-22 – Path Traversal |
| CVE-2021-34473 (Proxy Shell) | Microsoft | Exchange Server | RCE | CWE-918 – Server-Side Request Forgery |
| CVE-2021-31207 (Proxy Shell) | Microsoft | Exchange Server | Security Bypass Feature | CWE-22 – Path Traversal |
| CVE-2021-34523 (Proxy Shell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287 Improper Authentication |
| CVE-2021-40539 | Zoho | AdSelfService Plus | RCE / Authentication Bypass | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component |
| CVE-2021-26084 | Atlassian | Confluence Server & Data Center | Arbitrary Code Execution | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-20 Improper Input Validation | CWE-400 Uncontrolled Resource Consumption | CWE-502 Deserialization of Untrusted Data |
| CVE-2022-22954 | VMware | Workspace ONE | RCE | CWE-94 – Code Injection |
| CVE-2022-22960 | VMware | Workspace ONE | Improper Privilege Management | CWE-269 Improper Privilege Management |
| CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication Vulnerability | CWE-306 Missing Authentication for Critical Function |
| CVE-2022-30190 | Microsoft | Multiple Products | RCE | None Listed |
| CVE-2022-26134 | Atlassian | Confluence Server & Data Center | RCE | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component |
In addition to these 12 vulnerabilities, the Five Eyes cybersecurity agencies shared details of a further 30 CVEs. The list should be used by all organizations to help them prioritize patching. If patches cannot be applied, the mitigation steps outlined in the security advisory should be applied as soon as possible.