In a recent joint advisory, intelligence agencies from Australia, the U.K., and the U.S. have highlighted critical vulnerabilities that were actively exploited during 2020 and 2021. This report underscores how swiftly threat actors can capitalize on publicly disclosed weaknesses in software, posing a significant risk to various organizations worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the U.K.’s National Cyber Security Centre (NCSC), and the Federal Bureau of Investigation (FBI) noted that cyber adversaries are continually leveraging long-known software vulnerabilities to target a wide array of public and private sector entities across the globe.
The agencies emphasized that organizations can significantly reduce their exposure to these vulnerabilities by implementing available patches and establishing robust centralized patch management systems. This practical advice aims to empower organizations in their efforts to defend against potential exploits.
The advisory identifies the top 30 vulnerabilities applicable to various software categories, including remote work tools, virtual private networks (VPNs), and cloud technologies. The vulnerabilities encompass products from leading companies such as Microsoft, Fortinet, VMware, and numerous others. This extensive list points to the myriad systems that remain vulnerable due to unaddressed security flaws.
The most frequently exploited vulnerabilities identified for 2020 include the directory traversal vulnerability in the Citrix Application Delivery Controller (CVE-2019-19781), which carries a CVSS score of 9.8, and the critical arbitrary file reading vulnerability in Pulse Connect Secure (CVE-2019-11510), which carries the maximum CVSS score of 10. Flaws like these underline how important timely patching is for organizations seeking to minimize risk.
For 2021, the notable vulnerabilities under active attack include several affecting Microsoft Exchange Server, among them the “ProxyLogon” vulnerabilities (CVE-2021-26855 through CVE-2021-27065). Vulnerabilities in Pulse Secure (CVE-2021-22893 and others) and Accellion (CVE-2021-27101 and subsequent entries) have also been recognized as prevalent threats. The agencies reiterate that such vulnerabilities are not only significant but often require swift mitigation.
The agencies’ advisory arrives in the context of a broader landscape of weaknesses, as highlighted by MITRE’s recent publication of the top 25 “most dangerous” software errors: flaws that adversaries can exploit to compromise systems, steal sensitive data, or disrupt services. NCSC’s Director for Operations, Paul Chichester, emphasized the critical need for organizations to prioritize patch management as a fundamental element of their security posture.
Cybersecurity professionals and business owners must remain vigilant and address these vulnerabilities as part of a proactive defense strategy. In the terms of the MITRE ATT&CK framework, tactics such as initial access, privilege escalation, and execution are the central considerations for understanding how attackers may leverage these vulnerabilities. Organizations that act on the identified vulnerabilities will be better positioned to mitigate the threats posed by malicious actors.