Top 12 most-exploited security vulnerabilities revealed by national cyber security agencies

Top 12 most-exploited security vulnerabilities: NCSC logo superimposed with a translucent background in front of an office building
(Image credit: Getty Images)

Cyber criminals are favoring the exploitation of older vulnerabilities more so than recently disclosed flaws.

That’s according to the latest security advisory from the UK’s National Cyber Security Centre and its equivalent partners in the Five Eyes alliance.

On Thursday, it made public a list of the top 12 most commonly exploited vulnerabilities in 2022, many of which appeared in the previous year’s list.

The findings offer insight into the strategies behind cyber criminal activity, highlighting the apathy organizations are evidently taking towards patching security flaws affecting their software and equipment.

“This advisory reinforces one of the foundational aspects of cyber security, said Lisa Fong, deputy director-general at New Zealand’s National Cyber Security Centre. 

“Malicious actors continue to succeed using the same techniques over and over. I can’t emphasize enough the importance of doing the basics well by understanding your assets, and rapidly applying patches when they become available. Acting on CVE reporting is the difference between getting onto your to-do list and getting onto someone else’s to-do list.”

Attackers generally experienced the greatest exploit success in the first two years following a vulnerability’s public disclosure. 

The value of these vulnerabilities gradually decreases as organizations patch or upgrade software.


eBook cover with green title text over image of business man wearing glasses and smiling at a workstation

(Image credit: ServiceNow)

Thwart cyberthreats fast with security operations + AI Ops

Bridge the gap between your IT and security operations. Deliver seamlessly connected vulnerability and incident management


The advice from the security agencies is to apply patches in a timely manner, thus forcing attackers to seek other - potentially more costly - avenues of attack. These include developing zero-day exploits or conducting software supply chain attacks.

Failing to swiftly apply patches means attackers can scan for the number of exposed systems to any given vulnerability, giving them information on its value for attacks. 

If security issues go unpatched by many organizations, it can motivate attackers to develop exploitation tools that enable faster attacks. These tools can be sold to other cyber criminals and they can be used for years if the vulnerability remains unpatched.

The most routinely exploited vulnerabilities of 2022 are:

  • CVE-2018-13379: Affect Fortinet SSL VPNs and was exploited as far back as 2020. Its continued presence on the list is an indicator that many organizations have thus far failed to apply available patches
  • CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523 - also known as ProxyShell: Affect Microsoft Exchange email servers
  • CVE-2021-40539: A remote code execution flaw in Zoho ManageEngine ADSelfService Plus that first saw exploitation in late 2021 and into 2022
  • CVE-2021-26084: A vulnerability in Atlassian’s Confluence Server and Data Center collaboration tools. Mass exploitation of this vulnerability was attempted in late 2021, according to the NCSC advisory
  • CVE-2021-44228, also known as Log4Shell: Affect Apache’s Log4j library. It was first disclosed at the end of 2021, but the NCSC noted high interest in the vulnerability from attackers throughout the first half of 2022
  • CVE-2022-22954 and CVE-2022-22960: Vulnerabilities in VMware’s products that allowed for remote code execution, privilege escalation, and authentication bypass. Exploits were noted at the beginning of 2022 and continued throughout the year

Also exploited in 2022 were CVE-2022-30190 - a vulnerability impacting the Microsoft Support Diagnostic Tool, CVE-2022-26134 - a critical remote code execution vulnerability in Atlassian Confluence and Data Center, and CVE-2022-1388 - a vulnerability permitting attackers to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.

“Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to secure by design,” said Eric Goldstein, executive assistant director for cyber security at CISA. 

“Until that day, malicious actors will continue to find it far too easy to exploit organizations around the world. With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.