Have You Patched These 30 Frequently Exploited Vulnerabilities?

A joint cybersecurity advisory has been published by CISA, the FBI, the Australian Cyber Security Centre, and the UK’s National Cyber Security Centre about the software vulnerabilities that were being routinely exploited by threat actors in 2020, together with a list of vulnerabilities that have proven popular with cyber threat actors in the first 6 months of 2021.

Patches are available to fix all of the vulnerabilities included in the top 30 list, yet many organizations still have not addressed all of the flaws. These vulnerabilities have been exploited in attacks on public and private sector entities worldwide, with the most commonly targeted vulnerabilities in perimeter-type devices, in particular those used to support a remote workforce such as VPNs.

The most commonly exploited flaws in 2020 were the CVE-2019-19781 flaw in the Citrix Application Delivery Controller (ADC), the CVE-2019-11510 bug in the Pulse Secure VPN, the CVE-2018-13379 flaw in Fortinet VPNs, and the CVE-2020-5902 vulnerability in F5 Networks’ BIG-IP advanced delivery controller networking devices.

Many of the most often exploited vulnerabilities are not new. Patches have been available for at least a year to correct most of the flaws, but organizations have been slow to apply the patches or implement mitigations to prevent the flaws from being exploited. Hackers continue to target these vulnerabilities because so many organizations are still vulnerable. One of the vulnerabilities dates to 2000. Even though a patch has long been available, it was still being regularly exploited in 2020.

“Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known,” explained CISA in the advisory.

Preventing exploitation of these vulnerabilities is simple in theory: just apply the patches listed in the advisory. However, if there are reasons why the patches cannot be easily applied, there are mitigations detailed in the security alert that can reduce the risk of exploitation. If nothing is done, however, it will likely just be a matter of time before the flaws are exploited.

Patching should be prioritized, starting with the most frequently exploited vulnerabilities and any that are accessible to a large number of threat actors – for instance, any vulnerability in an Internet-facing system.

The Top 12 Exploited Vulnerabilities in 2020

| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | RCE |
| Microsoft | CVE-2017-11882 | RCE |
| Atlassian | CVE-2019-11580 | RCE |
| Drupal | CVE-2018-7600 | RCE |
| Telerik | CVE-2019-18935 | RCE |
| Microsoft | CVE-2019-0604 | RCE |
| Microsoft | CVE-2020-0787 | elevation of privilege |

Many of the vulnerabilities have existed for some time and could have already been exploited. The alert details IOCs, tools and methods that can be used to determine if systems have already been breached.

The security alert also includes a list of more recently discovered flaws that are now being actively exploited. These flaws should also be prioritized by security teams.

| Vendor | CVE |
|---|---|
| Microsoft Exchange | ProxyLogon flaws: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 |
| Pulse Secure | CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900 |
| Accellion | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 |
| VMware | CVE-2021-21985 |
| Fortinet | CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 |
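
The prioritization described above (most frequently exploited flaws first, Internet-facing systems ahead of internal ones) can be applied to a scanner export as follows. This is an added example, not code from the advisory or this article. It assumes a CSV with hypothetical columns `host`, `internet_facing` and `finding`; the host names are constructed, the `CVE-1900-*` IDs are placeholders for findings not on the lists, and the tie-break order within a tier is an assumption.

```python
import csv
import io
import re

TIERS = [
    # Tier 0 (IDs from this page): the four flaws named as most commonly exploited in 2020.
    {"CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379", "CVE-2020-5902"},
    # Tier 1 (IDs from this page): the rest of the 2020 list plus the flaws exploited in 2021.
    {"CVE-2020-15505", "CVE-2017-11882", "CVE-2019-11580", "CVE-2018-7600", "CVE-2019-18935",
     "CVE-2019-0604", "CVE-2020-0787", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858",
     "CVE-2021-27065", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",
     "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-21985",
     "CVE-2020-12812", "CVE-2019-5591"},
]
# Scanner exports write IDs inconsistently ("CVE 2019-11510", "cve_2019_11510").
CVE_RE = re.compile(r"CVE[\s_-]*(\d{4})[\s_-]*(\d{4,})", re.IGNORECASE)

# Constructed scanner export; hosts, columns and CVE-1900-* IDs are made up.
SAMPLE_FINDINGS = """host,internet_facing,finding
intranet-wiki,no,cve 2019-11580
vpn-gw-01,yes,CVE 2018-13379
mail-01,yes,CVE-2021-26855
build-07,no,CVE-1900-0001
vpn-gw-02,no,cve_2019_11510
web-03,yes,CVE-1900-0002
"""

def normalize_cve(text):
    """Return the canonical CVE-YYYY-NNNN form, or None if no ID is found."""
    m = CVE_RE.search(text)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None

def tier_of(cve):
    """0 or 1 for CVEs listed on this page, 2 for anything else."""
    return next((i for i, ids in enumerate(TIERS) if cve in ids), len(TIERS))

def patch_queue(csv_text):
    """Order findings by tier, then Internet-facing hosts first, then host name."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = normalize_cve(row["finding"])
        if cve is None:
            continue  # not a CVE finding; out of scope for this queue
        exposed = row["internet_facing"].strip().lower() == "yes"
        rows.append((tier_of(cve), not exposed, row["host"], cve))
    return [(host, cve, tier) for tier, _, host, cve in sorted(rows)]

if __name__ == "__main__":
    for host, cve, tier in patch_queue(SAMPLE_FINDINGS):
        print(f"tier {tier}  {host:14} {cve}")
```
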

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news