A joint advisory from U.S. and allied cybersecurity agencies issued Thursday highlights the top routinely exploited vulnerabilities — a list that includes old and well-known bugs that many organizations still have not patched.
The annual release comes as the Biden administration is pushing secure-by-design coding and engineering practices in an effort to address the many hundreds of vulnerabilities that are exploited by criminal hackers. Thursday’s list is also a stark and sobering reminder that unpatched vulnerabilities are often simply the easiest way for criminal hackers to gain access to a target.
“Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to Secure by Design,” said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency. “Until that day, malicious actors will continue to find it far too easy to exploit organizations around the world. With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”
The joint alert includes CISA, the National Security Agency, FBI, as well as the cybersecurity agencies from five eye allies Australia, Canada, New Zealand and the U.K.
Illustrating the fact that many organization continue to either ignore reports of vulnerabilities or fail to patch all their systems, one of the most dangerous vulnerabilities affecting Fortinet SSL VPNs also made the list in 2020 and 2021. The advisory makes clear that the continued exploitation of this bug means that organizations simply do not patch “in a timely manner and remain vulnerable to malicious cyber actors.”
In a statement, a Fortinet spokesperson highlighted multiple blog posts urging customers to fix the vulnerabilities, noting that the company “has continuously communicated with customers urging the implementation of mitigations.”
Others that made it onto the list are a veritable who’s who of bugs: ProxyShell, a collection of vulnerabilities that impact Microsoft Exchange email servers, is the second listed. CISA warned about the campaign abusing ProxyShell back in August 2021. The infamous Log4Shell bug also made the list. The 2021 bug in Apache’s Log4j library made headline news after the campaign of the exploit was described by CISA Director Jen Easterly as “one of the most serious” in her career. Log4Shell also made last years top routinely exploited vulnerability list.
Ron Fabela, CTO at cybersecurity firm XONA Systems, said that malicious hackers really only need to use the “bare minimum” to both gain access to target networks and to achieve their actual objectives. He also noted that while this list of vulnerabilities only impact enterprise technologies, these types of vulnerabilities are also the “gateway” into attacks against critical infrastructure.
“Although no OT specific CVEs are listed in this advisory, critical environments rely heavily on supporting enterprise infrastructure, inheriting these routinely exploited attack surface threats, and must be considered in overall IT/OT security planning,” Fabela said.