A joint cybersecurity advisory has been issued by government agencies from the United States, Australia, Canada, and the United Kingdom, providing information on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious threat actors in 2021, as well as other CVEs frequently exploited and mitigation techniques.
The authorities behind this advisory shared some key findings:
"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.
To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor."
Here are the top 15 CVEs from 2021, along with the vulnerability name, vendor and product, and type of exploit:
- CVE-2021-44228 - Log4Shell, Apache Log4j, remote code execution (RCE)
- CVE-2021-40539 - Zoho ManageEngine AD SelfService Plus, RCE
- CVE-2021-34523 - ProxyShell, Microsoft Exchange Server, elevation of privilege
- CVE-2021-34473 - ProxyShell, Microsoft Exchange Server, RCE
- CVE-2021-31207 - ProxyShell, Microsoft Exchange Server, security feature bypass
- CVE-2021-27065 - ProxyLogon, Microsoft Exchange Server, RCE
- CVE-2021-26858 - ProxyLogon, Microsoft Exchange Server, RCE
- CVE-2021-26857 - ProxyLogon, Microsoft Exchange Server, RCE
- CVE-2021-26855 - ProxyLogon, Microsoft Exchange Server, RCE
- CVE-2021-26084 - Atlassian Confluence Server and Data Center, arbitrary code execution
- CVE-2021-21972 - VMware vSphere Client, RCE
- CVE-2020-1472 - ZeroLogon, Microsoft Netlogon Remote Protocol (MS-NRPC), elevation of privilege
- CVE-2020-0688 - Microsoft Exchange Server, RCE
- CVE-2019-11510 - Pulse Secure Pulse Connect Secure, arbitrary file reading
- CVE-2018-13379 - Fortinet FortiOS and FortiProxy, path traversal
Three of the top 15 CVEs in 2021 were also routinely exploited in 2020—CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510—showing that many organizations fail to patch software and remain vulnerable to known attack vectors.
See the joint cybersecurity advisory for additional vulnerabilities that are routinely exploited, as well as mitigation techniques.