Coauthored by cyber authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom, a cybersecurity advisory details the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.
In 2021, malicious actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide.
To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets, demonstrating the continued risk to organizations that fail to patch software promptly or use software that a vendor no longer supports.
The top CVEs exploited include:
| CVE | Vulnerability Name | Vendor and Product | Type |
|---|---|---|---|
| | Log4Shell | Apache Log4j | Remote code execution (RCE) |
| | | Zoho ManageEngine AD SelfService Plus | RCE |
| | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
| | ProxyShell | Microsoft Exchange Server | RCE |
| | ProxyShell | Microsoft Exchange Server | Security feature bypass |
| | ProxyLogon | Microsoft Exchange Server | RCE |
| | ProxyLogon | Microsoft Exchange Server | RCE |
| | ProxyLogon | Microsoft Exchange Server | RCE |
| | ProxyLogon | Microsoft Exchange Server | RCE |
| | | Atlassian Confluence Server and Data Center | Arbitrary code execution |
| | | VMware vSphere Client | RCE |
| | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
| | | Microsoft Exchange Server | RCE |
| | | Pulse Secure Pulse Connect Secure | Arbitrary file reading |
| | | Fortinet FortiOS and FortiProxy | Path traversal |
All the security vulnerabilities share characteristics that make them widely exploitable, Bud Broomhead, CEO at Viakoo, says. “They attack widely used systems (e.g., MS Exchange Server), where the vulnerability can be present in multiple systems (e.g., Log4Shell), and often are managed outside the IT organization (e.g., QNAP QTS),” he explains.
In addition, each of these vulnerabilities exists in solutions that are broadly used by enterprises of all industries across the globe. “They are deeply integrated and can be the gateway to a plethora of sensitive data,” says Hank Schless, Senior Manager, Security Solutions at Lookout.
Many security vulnerabilities can originate from the use of hybrid infrastructures — made up of a mix of on-premises data centers, private clouds and/or public clouds — which can create a visibility problem for security teams. Mixing public and private clouds can increase complexity, heighten risk and make it more difficult for IT and security teams to protect their assets and have visibility into the data stored across all of their apps and servers, Schless explains.
This problem is exacerbated by the fact that most security teams use one set of tools to secure their on-prem resources and another set to secure cloud resources. “It creates a fragmented security posture, and vulnerabilities like these are more likely to slip through the cracks,” he says.
Broomhead expects to see open source and IoT/OT attack vectors grow in both volume and severity. “Get prepared to address them better,” he notes.
To secure a hybrid infrastructure, Schless suggests organizations implement a unified security platform that enables IT and security teams to have visibility into where their vulnerable assets exist, protect all data with uniform security policies, and understand how users are interacting with sensitive data.