icetray - Fotolia
The National Cyber Security Centre (NCSC), alongside its Five Eyes partner agencies in Australia, Canada, New Zealand and the US, have released details of the 12 most exploited vulnerabilities of 2022, with the likes of Log4Shell and ProxyShell still riding high.
The collective said their list served as a warning about the importance of updating systems as malicious actors continue to favour previously disclosed, high-profile vulnerabilities. Over half of the top flaws listed for 2022 also appeared on the 2021 list despite patches being available for them.
One of the top listed bugs, an SSL VPN credential exposure flaw in Fortinet FortiOS and FortiProxy, dates back to 2018.
“Vulnerabilities are sadly part and parcel of our online world and we see threat actors continue to take advantage of these weaknesses to compromise systems,” said NCSC director of resilience and future technology, Jonathon Ellison.
“This joint advisory with our allies raises awareness of the most routinely exploited vulnerabilities in 2022 to help organisations identify where they might be at risk and take action.
“To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers.”
CISA executive assistant director for cyber security, Eric Goldstein, said: “Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to secure by design.
“Until that day, malicious actors will continue to find it far too easy to exploit organisations around the world. With our partners, we urge all organisations to review our joint advisory, for every enterprise to prioritise mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”
On the available evidence, it is clear that threat actors see the most success exploiting known vulnerabilities within the first 24 months of public disclosure, and likely target their exploits to maximise impact.
The NCSC is encouraging all UK organisations to read the full list – available via CISA – which also contains details of 30 other routinely exploited vulnerabilities and mitigation advice for them.
UK readers can also sign up to the NCSC’s Early Warning service. Launched in 2021 as an add-on to its Active Cyber Defence programme, the service is free to use, and provides a filtered threat intelligence feed of alerts tailored to users.
The most exploited vulnerabilities observed are:
- CVE-2018-13379, an SSL VPN credential exposure flaw in Fortinet FortiOS and FortiProxy;
- CVE-2023-34472, CVE-2021-31207 and CVE-2021-34523, collectively known as ProxyShell, variously a remote code execution (RCE) flaw, a security feature bypass flaw and a privilege escalation (EoP) flaw in Microsoft Exchange Server;
- CVE-2021-40539, an RCE/authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus;
- CVE-2021-26084, an arbitrary code execution flaw in Atlassian Confluence Server and Data Center;
- CVE-2021-44228, aka Log4Shell, an RCE flaw in Apace Log4j2;
- CVE-2022-22954, an RCE vulnerability in VMware Workspace ONE Access and Identity Manager;
- CVE-2022-22960, an improper privilege management flaw in VMware Workspace One Access, Identity Manager and vRealize Automation;
- CVE-2022-1388, a missing authentication vulnerability in F5 Networks BIG-IP;
- CVE-2022-30190, an RCE vulnerability affecting multiple Microsoft Office products;
- CVE-2022-26134, an RCE vulnerability in Atlassian Confluence Server and Data Center.
More recent vulnerability disclosures
- Two vulnerabilities in Adobe ColdFusion have been chained by threat actors to target victim systems, apparently after one of them was accidentally disclosed.
- A manual workaround is currently available for a cross-site scripting vulnerability in Zimbra Collaboration Suite, though a patch won’t be available until later this month.
- A serious RCE vulnerability in Microsoft Office and Windows is among several zero-days disclosed in Redmond’s July Patch Tuesday update, but this one does not have a patch yet.