Patching vulnerabilities is a constant battle for organizations, which is why threat actors frequently exploit dated and publicly known vulnerabilities.
But which ones, specifically? The answers arrived this week.
The United States, the United Kingdom, and Australia issued a joint cybersecurity advisory looking at the top Common Vulnerabilities and Exposures (CVEs) exploited in 2020 and 2021.
One of the key findings in the advisory is that four of the most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies. This trend has continued into 2021 and for the foreseeable future as many organizations have adapted to remote work in some way.
Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, had this to say about the advisory:
"In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks. Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organizations should prioritize for patching to minimize risk of being exploited by malicious actors."
The advisory provides the top 30 vulnerabilities exploited in 2020 and that continue to be exploited in 2021.
Below you can see what the agencies believe to be the top regularly exploited CVEs in 2020:
Organizations are highly encouraged to mitigate these vulnerabilities as quickly as possible to reduce risk, as most of them can be fixed by simple patching and updating of systems.
As for CVEs in 2021, the advisory says threat actors continue to target vulnerabilities in perimeter-type devices. Here is a list of CVEs in 2021 organizations need to prioritize patching for:
For more technical information, mitigations, and indicators of compromise on the top vulnerabilities of 2020 and 2021, read the full cybersecurity advisory, Top Routinely Exploited Vulnerabilities (AA21-209A).