Lucene search

K
thnThe Hacker NewsTHN:3266EB2F73FA4A955845C8FEBA4E73C5
HistoryApr 28, 2022 - 5:41 a.m.

U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities

2022-04-2805:41:00
The Hacker News
thehackernews.com
3376

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

Software Vulnerabilities

Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021.

That’s according to a “Top Routinely Exploited Vulnerabilities” report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.

Other frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server (CVE-2020-0688), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure (CVE-2019-11510), and a path traversal defect in Fortinet FortiOS and FortiProxy (CVE-2018-13379).

Most Exploited Software Vulnerabilities

Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.

“Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,” the agencies said in a joint advisory.

“For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.”

To mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C