A joint cybersecurity advisory has been published by CISA, the FBI, the Australian Cyber Security Centre (ACSC), and the UK’s National Cyber Security Centre (NCSC) covering the software vulnerabilities that were routinely exploited by threat actors in 2020, together with a list of vulnerabilities that have proven popular with threat actors in the first 6 months of 2021.
Patches are available for every vulnerability on the top 30 list, yet many organizations still have not addressed all of the flaws. These vulnerabilities have been exploited in attacks on public and private sector entities worldwide; the most commonly targeted flaws were in perimeter devices, in particular those used to support a remote workforce, such as VPNs.
The most commonly exploited flaws in 2020 were the CVE-2019-19781 flaw in the Citrix Application Delivery Controller (ADC), the CVE-2019-11510 bug in the Pulse Secure VPN, the CVE-2018-13379 flaw in Fortinet VPNs, and the CVE-2020-5902 vulnerability in F5 Networks’ BIG-IP advanced delivery controller networking devices.
Many of the most frequently exploited vulnerabilities are not new. Patches have been available for at least a year for most of the flaws, but organizations have been slow to apply them or to implement mitigations that prevent exploitation. Hackers continue to target these vulnerabilities because so many organizations remain vulnerable. One of the vulnerabilities dates to 2000; even though a patch has long been available, it was still being regularly exploited in 2020.
“Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known,” explained CISA in the advisory.
Preventing exploitation of these vulnerabilities is simple in theory: apply the patches listed in the advisory. Where the patches cannot easily be applied, the security alert details mitigations that reduce the risk of exploitation. If nothing is done, however, it will likely be only a matter of time before the flaws are exploited.
Patching should be prioritized, starting with the most frequently exploited vulnerabilities and any that are reachable by a large number of threat actors, for instance any vulnerability in an Internet-facing system.
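The prioritization described above can be applied mechanically to a vulnerability scanner export: cross-reference each finding against the CVE identifiers the advisory names, and rank Internet-facing systems first. The following is an added example, not code from the advisory or from the agencies that issued it. The CVE sets are taken from the two lists on this page; the `Finding` records, host names and the `CVE-0000-0000` placeholder are constructed sample data, and the four-tier scheme is an assumed policy that a team would adapt to its own environment. The `normalize_cve` helper also handles the loosely formatted identifiers (such as `CVE 2019-11510`) that appear in advisories and scanner output.

```python
import re
from dataclasses import dataclass

# CVE identifiers named in the advisory summary on this page (2020 list).
ADVISORY_CVES_2020 = {
    "CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379", "CVE-2020-5902",
    "CVE-2020-15505", "CVE-2017-11882", "CVE-2019-11580", "CVE-2018-7600",
    "CVE-2019-18935", "CVE-2019-0604", "CVE-2020-0787",
}
# CVE identifiers from the 2021 "actively exploited" list on this page.
ADVISORY_CVES_2021 = {
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065",
    "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",
    "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104",
    "CVE-2021-21985", "CVE-2018-13379", "CVE-2020-12812", "CVE-2019-5591",
}
LISTED_CVES = ADVISORY_CVES_2020 | ADVISORY_CVES_2021

# Accepts "CVE-2019-11510", "CVE 2019-11510", "cve_2019_11510", etc.
_CVE_RE = re.compile(r"CVE[\s_-]?(\d{4})[\s_-](\d{4,})", re.IGNORECASE)


def normalize_cve(text):
    """Return the canonical 'CVE-YYYY-NNNN' form, or None if text is not a CVE id."""
    m = _CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    return f"CVE-{m.group(1)}-{m.group(2)}"


@dataclass
class Finding:
    """One row of a (hypothetical) scanner export."""
    host: str
    cve: str
    internet_facing: bool


def priority(finding):
    """Assumed policy: lower tier = patch sooner.
    0: on the advisory list and Internet-facing
    1: on the advisory list, internal only
    2: Internet-facing but not on the list
    3: everything else"""
    listed = normalize_cve(finding.cve) in LISTED_CVES
    if listed and finding.internet_facing:
        return 0
    if listed:
        return 1
    if finding.internet_facing:
        return 2
    return 3


def triage(findings):
    """Return (tier, finding) pairs sorted by tier, then host, then CVE."""
    return sorted(((priority(f), f) for f in findings),
                  key=lambda pair: (pair[0], pair[1].host, pair[1].cve))


# Constructed sample scanner export; hosts and the CVE-0000-0000 placeholder are made up.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "CVE 2018-13379", True),      # loosely formatted, as on the page
    Finding("fileserver-07", "CVE-2017-11882", False),
    Finding("web-03", "CVE-0000-0000", True),          # placeholder id, not on either list
    Finding("build-02", "CVE-2019-0604", False),
    Finding("mail-01", "CVE-2021-26855", True),
]


def triage_report(findings=SAMPLE_FINDINGS):
    """Flatten the triage output into (tier, host, canonical CVE) tuples."""
    return [(tier, f.host, normalize_cve(f.cve) or f.cve) for tier, f in triage(findings)]


if __name__ == "__main__":
    for tier, host, cve in triage_report():
        print(f"tier {tier}: {host:<14} {cve}")
```

In practice the two CVE sets would be loaded from the advisory text or a maintained known-exploited list rather than hard-coded, and `internet_facing` would come from the asset inventory; the ranking logic stays the same.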
The Top 12 Exploited Vulnerabilities in 2020
| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | RCE |
| Microsoft | CVE-2017-11882 | RCE |
| Atlassian | CVE-2019-11580 | RCE |
| Drupal | CVE-2018-7600 | RCE |
| Telerik | CVE-2019-18935 | RCE |
| Microsoft | CVE-2019-0604 | RCE |
| Microsoft | CVE-2020-0787 | elevation of privilege |
Many of the vulnerabilities have existed for some time and could already have been exploited. The alert details indicators of compromise (IOCs), tools, and methods that can be used to determine whether systems have already been breached.
The security alert also includes a list of more recently discovered flaws that are now being actively exploited. Security teams should also prioritize patching these flaws.
| Vendor | CVE |
|---|---|
| Microsoft Exchange | ProxyLogon flaws: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 |
| Pulse Secure | CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900 |
| Accellion | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 |
| VMware | CVE-2021-21985 |
| Fortinet | CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 |