The top ten most-commonly exploited vulnerabilities revealed
Flaws in Microsoft’s OLE technology are at the heart of some of the most widely-used attacks since 2016
Vulnerabilities in a host of Microsoft applications including Office and SharePoint are among the most commonly-exploited by cyber criminals, despite patches being widely available for these historical flaws.
US security agencies have identified the ten most widely-exploited software vulnerabilities between 2016 and 2019, with a view to encouraging organisations to prioritise patching these systems over others. Many of these vulnerabilities are a few years old and have already been patched.
Beyond Microsoft products, Apache Struts, Adobe Flash Player and the open-source Drupal content management system (CMS) are also affected.
The report, published by the Cybersecurity and Infrastructure Security Agency (CISA) wing of the Department of Homeland Security (DHS) and the FBI, details hacks carried out by state-backed groups and other cyber criminals.
The guidance has been published amid continued exploitation of known and historic software vulnerabilities against public and private sector organisations. It’s particularly alarming considering that exploiting these vulnerabilities often requires fewer resources compared with zero-day exploits for which no patches are available.
Ramped up efforts to patch systems and implement programmes to keep routine patching in place would significantly disrupt foreign adversaries’ attempts to develop or acquire exploits, the agencies said.
The most widely-exploited vulnerabilities concern Microsoft’s Object Linking and Embedding (OLE) technology, which allows documents to contain embedded content from other applications, such as spreadsheets. Three attacks deployed most frequently by state-backed hackers from China, Iran, North Korea and Russia relate to OLE technology.
Chinese-backed cyber criminals were even exploiting the vulnerability dubbed CVE-2012-0158 as of December 2019, which is found in a wide number of Microsoft products including Office 2003 and Visual Basic 6.0.
This flaw, incidentally, was assessed in 2015 as being the most used in the US government’s cyber operations. Its continued exploitation today suggests organisations haven’t yet widely implemented patches for the vulnerability, with state-backed hackers continuing to incorporate dated flaws into their operations so long as they remain effective.
The second-most reported vulnerability, dubbed CVE-2017-5638, affects the widely used web framework Apache Struts. For mitigation, users are encouraged to upgrade to Struts 2.3.32 or Struts 2.5.10.1.
The full list of the top ten most-commonly exploited vulnerabilities between 2016 and 2019 as determined by US security agencies is outlined in the table below:
| CVE Code | Vulnerable Products | Associated Malware | Mitigation |
| --- | --- | --- | --- |
| CVE-2017-11882 | Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, 2016 | Loki, Formbook, Pony/FAREIT | Update affected products with the latest patches |
| CVE-2017-0199 | Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, 2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1 | FINSPY, LATENTBOT, Dridex | Update affected products with the latest patches |
| CVE-2017-5638 | Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 | JexBoss | Upgrade to Struts 2.3.32 or Struts 2.5.10.1 |
| CVE-2012-0158 | Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 | Dridex | Update affected products with the latest patches |
| CVE-2019-0604 | Microsoft SharePoint | China Chopper | Update affected products with the latest patches |
| CVE-2017-0143 | Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 | Multiple using the EternalSynergy and EternalBlue Exploit Kit | Update affected products with the latest patches |
| CVE-2018-4878 | Adobe Flash Player before 28.0.0.161 | DOGCALL | Update Adobe Flash Player installation to the latest version |
| CVE-2017-8759 | Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 | FINSPY, FinFisher, WingBird | Update affected products with the latest security patches |
| CVE-2015-1641 | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 | Toshliph, UWarrior | Update affected products with the latest security patches |
| CVE-2018-7600 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 | Kitty | Upgrade to the most recent version of Drupal 7 or 8 core |
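
Added example (not from the CISA/FBI report or from this article): three rows of the table give explicit version bounds, and those bounds are per branch, so an inventory check has to compare each install against the fix for its own branch rather than a single "latest" number. The product keys, hostnames and installed versions below are constructed for illustration.

```python
import re

# Version bounds copied from the three table rows that state explicit versions.
# Each rule is (branch prefix, first fixed version); the most specific branch is
# listed first, and an empty prefix means "any version not matched above".
RULES = {
    "struts": ("CVE-2017-5638", [((2, 3), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]),
    "drupal": ("CVE-2018-7600", [((8, 5), (8, 5, 1)), ((8, 4), (8, 4, 6)),
                                 ((8,), (8, 3, 9)), ((), (7, 58))]),
    "flash": ("CVE-2018-4878", [((), (28, 0, 0, 161))]),
}

def parse_version(text):
    """Turn '2.5.10.1' or '8.5.0-rc1' into a tuple of ints; suffixes are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(part) for part in match.group().split("."))

def check(product, version_text):
    """Return (cve, status) where status is 'vulnerable', 'fixed' or 'unlisted'."""
    cve, rules = RULES[product]
    version = parse_version(version_text)
    for branch, fixed in rules:
        if version[:len(branch)] == branch:
            # The first matching branch decides: 8.4.5 is judged against 8.4.6,
            # not against the 8.3.9 or 8.5.1 bounds of neighbouring branches.
            return cve, "vulnerable" if version < fixed else "fixed"
    return cve, "unlisted"  # branch not covered by the table; verify separately

def triage(inventory):
    """Return the inventory entries that fall inside an affected range."""
    return [(host, product, ver, check(product, ver)[0])
            for host, product, ver in inventory
            if check(product, ver)[1] == "vulnerable"]

# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = [
    ("web-01", "struts", "2.3.31"),
    ("web-02", "struts", "2.5.10.1"),
    ("cms-01", "drupal", "8.4.5"),
    ("cms-02", "drupal", "8.4.6"),
    ("cms-03", "drupal", "7.57"),
    ("kiosk-01", "flash", "28.0.0.137"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row)
```

A status of `unlisted` means the table gives no bound for that branch (for example Struts 2.1.x), not that the install is safe.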

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.