CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C
Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality / Integrity / Availability Impact: Complete
CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Changed; Confidentiality / Integrity / Availability Impact: High
AI Score Confidence: High
EPSS Percentile: 100.0%
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.
This alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs)[1]—to help organizations reduce the risk of these foreign threats.
Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.
The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.
For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see each entry within the Mitigations section below.
U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
In addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following are being routinely exploited by sophisticated foreign cyber actors in 2020: CVE-2019-11510, CVE-2019-19781, and oversights in Microsoft O365 security configurations.
This Alert provides mitigations for each of the top vulnerabilities identified above. In addition to the mitigations listed below, CISA, FBI, and the broader U.S. Government recommend that organizations transition away from any end-of-life software.
Note: The list of associated malware corresponding to each CVE below is not meant to be exhaustive; it is intended to identify a malware family commonly associated with exploiting the CVE.
CVE-2017-11882
CVE-2017-0199
CVE-2017-5638
CVE-2012-0158
CVE-2019-0604
CVE-2017-0143
CVE-2018-4878
CVE-2017-8759
CVE-2015-1641
CVE-2018-7600
CVE-2019-11510
CVE-2019-19781
Oversights in Microsoft O365 Security Configurations
Organizational Cybersecurity Weaknesses
Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.
Cyber Hygiene: Vulnerability Scanning helps secure your internet-facing systems from weak configuration and known vulnerabilities. It also encourages organizations to adopt modern security best practices. CISA performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After CISA receives the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you’ll begin receiving reports within two weeks.
Web Application Service checks your publicly accessible web sites for potential bugs and weak configurations. It provides a “snapshot” of your publicly accessible web applications and also checks functionality and performance in your application.
If your organization would like these services or wants more information about other useful services, please email [email protected].
The Patch Factory: CISA infographic depicting the global infrastructure for managing vulnerabilities.
CISA Alert: (AA20-120A) Microsoft Office 365 Security Recommendations: recommendations for organizations to review and ensure their O365 environment is configured to protect, detect, and respond against would-be attackers.
CISA’s Cyber Essentials: a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
If you have any further questions related to this Joint Alert, please contact the FBI at either your local Cyber Task Force or FBI CyWatch.
To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].
[1] Common Vulnerabilities and Exposures (CVE) list
[2] CISA Alert (TA15-119A). Top 30 Targeted High Risk Vulnerabilities. (2016, September 29)
[3] Recorded Future. 2019 Vulnerability Report: Cybercriminals Continue to Target Microsoft Products. (2020, February 4)
May 12, 2020: Initial Version
cve.mitre.org/cve/
nvd.nist.gov/vuln/detail/CVE-2012-0158
nvd.nist.gov/vuln/detail/CVE-2015-1641
nvd.nist.gov/vuln/detail/CVE-2017-0143
nvd.nist.gov/vuln/detail/CVE-2017-0199
nvd.nist.gov/vuln/detail/CVE-2017-11882
nvd.nist.gov/vuln/detail/CVE-2017-5638
nvd.nist.gov/vuln/detail/CVE-2017-8759
nvd.nist.gov/vuln/detail/CVE-2018-4878
nvd.nist.gov/vuln/detail/CVE-2018-7600
nvd.nist.gov/vuln/detail/CVE-2019-0604
nvd.nist.gov/vuln/detail/CVE-2019-11510
nvd.nist.gov/vuln/detail/CVE-2019-19781
www.cisa.gov/cyber-essentials
www.fbi.gov/contact-us/field
www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html
www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
www.recordedfuture.com/top-vulnerabilities-2019/
www.us-cert.gov/ncas/alerts/aa19-339a
www.us-cert.gov/ncas/alerts/aa20-020a
www.us-cert.gov/ncas/alerts/aa20-031a
www.us-cert.gov/ncas/alerts/aa20-107a
www.us-cert.gov/ncas/alerts/aa20-120a
www.us-cert.gov/ncas/alerts/TA15-119A
www.us-cert.gov/ncas/analysis-reports/AR18-312A
www.us-cert.gov/ncas/analysis-reports/ar20-133d
www.us-cert.gov/ncas/analysis-reports/ar20-133e
www.us-cert.gov/ncas/analysis-reports/ar20-133f
www.us-cert.gov/ncas/analysis-reports/ar20-133g
www.us-cert.gov/ncas/analysis-reports/ar20-133h
www.us-cert.gov/ncas/analysis-reports/ar20-133i
www.us-cert.gov/ncas/analysis-reports/ar20-133j
www.us-cert.gov/ncas/analysis-reports/ar20-133k
www.us-cert.gov/ncas/analysis-reports/ar20-133l
www.us-cert.gov/ncas/analysis-reports/ar20-133m
www.us-cert.gov/ncas/analysis-reports/ar20-133n
www.us-cert.gov/ncas/analysis-reports/ar20-133o
www.us-cert.gov/ncas/analysis-reports/ar20-133p