CISA, International Partners Identify Top Routinely Exploited Vulnerabilities

August 07, 2023 - A group of international cybersecurity authorities released a list of the top routinely exploited vulnerabilities of 2022, highlighting commonly overlooked vulnerabilities that organizations should prioritize patching immediately.

The alert was co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and cybersecurity agencies from Canada, Australia, New Zealand, and the United Kingdom.

 The list includes unpatched vulnerabilities, such as outdated bugs that many organizations overlook, where exploiting just one flaw can allow network intrusion.

“Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to Secure by Design,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in a public statement.

 “Until that day, malicious actors will continue to find it far too easy to exploit organizations around the world. With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”

The first spot on the list goes to CVE-2018-13379, a Fortinet SSL VPN vulnerability that was fixed four years ago, in May 2019. This inclusion illustrates that many organizations continue to either ignore reports of vulnerabilities or fail to patch all their systems. One of the most dangerous vulnerabilities affecting Fortinet SSL VPNs also made the list in 2020 and 2021.

Also featured on the list are CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523. These vulnerabilities affect Microsoft Exchange email servers. When combined, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities are found within the Microsoft Client Access Service (CAS), typically running on port 443 in Microsoft Internet Information Services (IIS), such as Microsoft's web server. CAS is often exposed to the internet to enable users to access their email via mobile devices and web browsers.

The infamous Log4Shell bug is another addition to the list, under the identifier CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache's Log4j library, an open-source logging framework used in thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, leading to the execution of arbitrary code.

The advisory lists numerous vulnerabilities and provides guidance to vendors and tech organizations on how to identify and mitigate their exposure. Recommendations include implementing secure-by-design practices and giving priority to patching known exploited vulnerabilities, thereby reducing the risk of compromise. It is also suggested that vendors establish a coordinated vulnerability disclosure program that incorporates processes to determine the root causes of discovered flaws.

Furthermore, security agencies have extended advice to end-user organizations, urging them to apply patches to systems in a timely manner.

The implementation of a centralized patch management system and the use of security tools, such as endpoint detection and response tools, have been emphasized as essential practices to reinforce system security. These concerted efforts reflect a proactive approach to cybersecurity, with the collaborative nature of the advisory underscoring the global nature of the threat and the need for coordinated defense strategies.