- CISA has published its list of the most targeted and exploited software vulnerabilities of 2020.
- Only a small portion of them concern flaws discovered and fixed in 2020; the majority are older.
- For 2021, the biggest troubles come from Microsoft Exchange, Pulse Secure, Accellion, VMware, and Fortinet VPN.
CISA, ACSC, the NCSC, and the FBI have compiled a list of the most exploited vulnerabilities targeted by malicious actors in 2020, and if any of these concern you, patching them is long overdue. In a pandemic-hit world, actors mostly focused on flaws in VPNs, remote work tools, cloud-based solutions, and similar products. At the same time, the lack of coordination among scattered IT teams responsible for defending against threats didn’t help mitigate the situation.
These are the top routinely exploited CVEs in 2020:
- CVE-2019-19781 – Arbitrary code execution in Citrix ADC and Gateway
- CVE-2019-11510 – Arbitrary file reading in Pulse Secure VPN
- CVE-2018-13379 – Path traversal in Fortinet FortiOS SSL VPN
- CVE-2020-5902 – Remote code execution in F5 BIG-IP
- CVE-2020-15505 – Remote code execution in MobileIron Core and Connector
- CVE-2017-11882 – Remote code execution in Microsoft Office
- CVE-2019-11580 – Remote code execution in Atlassian Crowd and Crowd Data Center
- CVE-2018-7600 – Remote code execution in Drupal
- CVE-2019-18935 – Remote code execution in Telerik UI for ASP.NET AJAX
- CVE-2019-0604 – Remote code execution in Microsoft SharePoint
- CVE-2020-0787 – Elevation of privilege in Microsoft Windows Background Intelligent Transfer Service (BITS)
- CVE-2020-1472 – Elevation of privilege in Netlogon
While four of the twelve flaws listed above were discovered and patched in 2020, the rest were one, two, and even three years old. In fact, CVE-2017-11882 was included in CISA’s top 10 most exploited vulnerabilities to patch for 2019, yet it remained one of the most leveraged flaws in 2020. The same goes for CVE-2018-7600 (Drupal) and CVE-2019-0604 (SharePoint). There’s just no excuse for leaving these products unpatched in 2021.
As for the current year, CISA has gathered enough data to compile a tentative list, so here are the most targeted flaws in 2021:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
- VMware: CVE-2021-21985
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
The agency has provided a list of mitigations for each of the above vulnerabilities, so if you can’t apply the fixes through software updates for any reason, you should at least consult the advisory and work out how to minimize the risk of exploitation. Remember, these flaws are used in automated scanning operations that can map large portions of the internet; the vulnerable endpoints are then used for dropping web shells, and the resulting access is typically sold on to ransomware actors.
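The dropped web shells mentioned above leave a characteristic trace in a web server's access log: a server-side script that was never part of the application suddenly starts receiving successful POST requests, often from several client addresses. The following Python script, an added example that is not part of the article or of the CISA advisory, builds a baseline of known script paths from a trusted log window and flags any new script path that accepts successful POSTs. The log format (date, time, client IP, method, path, status, user agent), the `/portal/...` paths, and the addresses in the sample lines are all constructed for this illustration; adapt `LINE_RE` to your server's real format.

```python
"""Heuristic web-shell activity detector over web server access logs.

Added example (not from the advisory or the article). Parses a constructed,
simplified access-log format:
    <date> <time> <client_ip> <method> <path> <status> <user_agent>
"""
import re
from collections import defaultdict

# Server-side script extensions worth watching (assumption: extend for your stack).
SCRIPT_EXT = (".aspx", ".ashx", ".php", ".jsp")

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<ua>.+)$"
)

# Constructed baseline: traffic from a period believed to be clean.
BASELINE_LOG = """\
2021-07-01 09:00:00 198.51.100.7 GET /portal/login.aspx 200 Mozilla/5.0 (Windows NT 10.0)
2021-07-01 09:00:05 198.51.100.7 POST /portal/login.aspx 302 Mozilla/5.0 (Windows NT 10.0)
2021-07-01 09:00:06 198.51.100.7 GET /portal/home.aspx 200 Mozilla/5.0 (Windows NT 10.0)
2021-07-01 09:00:07 198.51.100.7 GET /portal/api/status.ashx?v=1 200 Mozilla/5.0 (Windows NT 10.0)
2021-07-01 09:00:08 198.51.100.7 GET /portal/static/app.js 200 Mozilla/5.0 (Windows NT 10.0)
"""

# Constructed traffic to inspect: normal use, scanner probes, and a new script
# under a static directory that is answering POSTs from two different sources.
TRAFFIC_LOG = """\
2021-08-01 10:00:01 198.51.100.7 GET /portal/login.aspx 200 Mozilla/5.0 (Windows NT 10.0)
2021-08-01 10:00:02 198.51.100.7 POST /portal/login.aspx 302 Mozilla/5.0 (Windows NT 10.0)
2021-08-01 10:00:03 198.51.100.7 GET /portal/home.aspx 200 Mozilla/5.0 (Windows NT 10.0)
2021-08-01 10:05:00 203.0.113.10 GET /portal/oldpage.aspx 404 python-requests/2.25
2021-08-01 10:05:01 203.0.113.10 POST /portal/missing.aspx 404 python-requests/2.25
2021-08-01 10:07:30 203.0.113.10 POST /portal/static/help.aspx 200 python-requests/2.25
2021-08-01 10:09:12 203.0.113.44 POST /portal/static/help.aspx 200 curl/7.68.0
2021-08-01 10:09:13 203.0.113.44 GET /portal/static/app.js 200 curl/7.68.0
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Normalise: drop the query string and compare paths case-insensitively.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def script_records(lines):
    """Yield parsed records whose path ends in a watched script extension."""
    for rec in map(parse_line, lines):
        if rec and rec["path"].endswith(SCRIPT_EXT):
            yield rec


def build_baseline(lines):
    """Set of script paths seen during the trusted period."""
    return {rec["path"] for rec in script_records(lines)}


def find_suspicious(lines, baseline, min_post_ips=1):
    """Flag script paths absent from the baseline that receive successful POSTs.

    A 404 on a new path is just a probe; a 2xx/3xx POST to a script the
    application never had is the signature of a dropped shell being driven.
    """
    stats = defaultdict(lambda: {"post_ips": set(), "requests": 0})
    for rec in script_records(lines):
        if rec["path"] in baseline:
            continue
        entry = stats[rec["path"]]
        entry["requests"] += 1
        if rec["method"] == "POST" and rec["status"] < 400:
            entry["post_ips"].add(rec["ip"])
    return {
        path: {"post_ips": sorted(e["post_ips"]), "requests": e["requests"]}
        for path, e in stats.items()
        if len(e["post_ips"]) >= min_post_ips
    }


def report():
    """Run the detector on the constructed sample and return the findings."""
    baseline = build_baseline(BASELINE_LOG.splitlines())
    return find_suspicious(TRAFFIC_LOG.splitlines(), baseline)


if __name__ == "__main__":
    for path, info in report().items():
        print(f"{path}: {len(info['post_ips'])} POST source(s) {info['post_ips']}, "
              f"{info['requests']} request(s) total")
```

On the sample, only `/portal/static/help.aspx` is reported: the 404 probes against `oldpage.aspx` and `missing.aspx` never succeed, and the legitimate `login.aspx` POSTs are in the baseline. Raising `min_post_ips` trades sensitivity for fewer false positives on legitimately added scripts; a finding should be followed by checking the file's creation time and the parent process that wrote it, not by deleting the file, so the initial entry vector can be identified and patched.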