Log4Shell, ProxyShell still among most widely exploited flaws

The National Cyber Security Centre (NCSC), alongside its Five Eyes partner agencies in Australia, Canada, New Zealand and the US, have released details of the 12 most exploited vulnerabilities of 2022, with the likes of Log4Shell and ProxyShell still riding high.

The collective said their list served as a warning about the importance of updating systems as malicious actors continue to favour previously disclosed, high-profile vulnerabilities. Over half of the top flaws listed for 2022 also appeared on the 2021 list despite patches being available for them.

One of the top listed bugs, an SSL VPN credential exposure flaw in Fortinet FortiOS and FortiProxy, dates back to 2018.

“Vulnerabilities are sadly part and parcel of our online world and we see threat actors continue to take advantage of these weaknesses to compromise systems,” said NCSC director of resilience and future technology, Jonathon Ellison.

“This joint advisory with our allies raises awareness of the most routinely exploited vulnerabilities in 2022 to help organisations identify where they might be at risk and take action.

“To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers.”

 CISA executive assistant director for cyber security, Eric Goldstein, said: “Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to secure by design.

“Until that day, malicious actors will continue to find it far too easy to exploit organisations around the world. With our partners, we urge all organisations to review our joint advisory, for every enterprise to prioritise mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”

On the available evidence, it is clear that threat actors see the most success exploiting known vulnerabilities within the first 24 months of public disclosure, and likely target their exploits to maximise impact.

The NCSC is encouraging all UK organisations to read the full list – available via CISA – which also contains details of 30 other routinely exploited vulnerabilities and mitigation advice for them.

UK readers can also sign up to the NCSC’s Early Warning service. Launched in 2021 as an add-on to its Active Cyber Defence programme, the service is free to use, and provides a filtered threat intelligence feed of alerts tailored to users.