A number of the worlds cyber security agencies have released a co-authored cyber security advisory which details the top routinely exploited vulnerabilities for 2022. The report was co-authored by:
- The US Cybersecurity and Infrastructure Security Agency (CISA)
- The Australian Signals Directorate (ACSC)
- The Canadian Centre for Cyber Security (CCCS)
- The New Zealand National Cyber Security Centre (NCSC-NZ)
- The New Zealand Computer Emergency Response Team (CERT NZ)
- The UK National Cyber Security Centre (NCSC)
Top 12 vulnerabilities
- CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
- CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
- CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
- CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
- CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.
- CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
- CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
- CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
- CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.
Routinely exploited vulnerabilities
The report also identifies a large list of exploited vulnerabilities across a range of manufacturer services and applications.
The list includes 10 Microsoft vulnerabilities, 4 Apache web server vulnerabilities, 2 Oracle vulnerabilities, as well as 2 from Fortinet, and 2 from SonicWALL.
Advice and guidance
As well as identifying the vulnerabilities, the advisory also details the steps organisations should take to remediate the issues and to enhance the overall security of the enterprise network.