Hacker in hoodie showing exploited vulnerabilities

The FBI, CISA, NSA and the Five Eyes Published the Top Most Exploited Vulnerabilities of 2022

Cybersecurity authorities of the Five Eyes (FVEY) intelligence alliance have published the list of the top 12 most exploited vulnerabilities throughout 2022, highlighting hackers’ preference for older unpatched security flaws.

According to the joint advisory, only five out of the 12 routinely exploited security vulnerabilities listed were discovered in 2022, with one dating back to 2018.

“In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems,” the report stated.

The report also included the top 30 routinely exploited software flaws in 2022.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) co-authored the report with the FBI, NSA, and partner cybersecurity agencies from the Five Eyes Alliance; the United Kingdom’s NCSC-UK, Canada’s CCCS, Australia’s ACSC, and New Zealand’s NCSC-NZ and CERT-NZ.

Top 12 most exploited vulnerabilities in 2022

Microsoft (4), VMWare (2), and Atlassian (2) dominated, while Fortinet, Zoho, F5 Networks, and Apache also appeared on the list of the 12 most exploited vulnerabilities in 2022.

Fortinet’s FortiOS and FortiProxy SSL VPN credential exposure critical (CVSS 9.1) vulnerability CVE-2018-13379 was the longest exploited on the list since 2018. A Russian state-sponsored threat actor APT29 exploited the security flaw to interfere with U.S. elections.

Similarly, Microsoft’s Exchange Server Proxy Shell RCE CVE-2021-34473, Security Feature Bypass CVE-2021-31207, and privilege escalation CVE-2021-34523 flaws were frequently exploited from 2021.

“What’s most interesting from a cybersecurity perspective is that seven out of twelve of these vulnerabilities were discovered between 2018 and 2021,” said Rosa Smothers, former CIA cyber threat analyst and current executive at KnowBe4. “One of the basic tenets of cybersecurity is good patch management of security flaws affecting software and equipment. Organizations that remain vulnerable are clearly apathetic to the threat landscape.”

Other security flaws discovered in 2022 and regularly exploited in the same year include:

  • VMWare’s Workspace ONE Access and Identity Manager remote code execution (RCE) CVE-2022-22954 and Improper Privilege Management CVE-2022-22960 flaws, which were also the subject of a 2022 CISA security advisory.
  • F5 Networks’ BIG-IP Missing Authentication Vulnerability CVE-2022-1388.
  • Microsoft’s RCE vulnerability CVE-2022-30190 affecting multiple products and was exploited by various nation-state APTs.
  • Atlassian’s Confluence Server and Data Center RCE flaw CVE-2022-26134.

In 2022, CISA published a similar list of the top 15 frequently exploited vulnerabilities in 2021. Half of the routinely exploited vulnerabilities in 2022 were on that list.

“This target list is already a part of the arsenal used by cybercriminals to gain access to organizations’ networks,” said James McQuiggan, a Security Awareness Advocate at KnowBe4. “It’s like ringing the doorbell to see if anyone is home and turning the door handle. If it’s unlocked, they go inside without any problem.”

Thirty additional routinely exploited vulnerabilities

Two-thirds of the additional routinely exploited vulnerabilities were discovered between 2017 and 2021, indicating that organizations did not timely patch discovered security flaws.

Unsurprisingly, Microsoft earned the top spot with the two oldest routinely exploited vulnerabilities, CVE-2017-0199 (multiple products) and Exchange Server’s CVE-2017-11882 Arbitrary Code Execution faults exploited since 2017.

The agencies noted that threat actors target unpatched older security flaws as their proof of concept (POC) code was publicly available, thus facilitating the exploitation of broader software vulnerabilities or vulnerability chains.

“While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years,” noted the advisory.

Subsequently, attackers were more successful in exploiting software flaws within two years of discovery before their value declined as more organizations applied patches.

Thus, timely patching of discovered security flaws reduces their effectiveness, forcing threat actors to pursue more expensive and time-consuming methods such as zero-day exploits and supply chain attacks.

The agencies advised software vendors and developers to adopt “secure by design practices” and implement “secure by default configurations” to reduce exploitable flaws.

Similarly, end-user organizations should timely apply mitigations and improve their cybersecurity posture to slow down attackers.