Attackers continue to accelerate their weaponisation of newly-discovered flaws, the Five Eyes list of most-exploited vulnerabilities of 2021 shows. Contrary to some reports suggesting fears of mass-exploitation had been over-indexed, the flaw in Log4j joined the most widely-exploited vulnerabilities last year, despite only being discovered at the year's end. In total, 11 of the top-15 most exploited vulnerabilities of 2021 were discovered in 2021 – in contrast to previous years when older vulnerabilities dominated the list.
The most-exploited vulnerabilities of 2021
Vendor | CVE | Type | Severity | Exploit info |
---|---|---|---|---|
Apache Log4J | CVE-2021-44228 | RCE | CVSS: 10 | Exploit |
Zoho ManageEngine | CVE-2021-40539 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2021-34523 CVE-2021-34473 CVE-2021-31207 | EOP RCE Security feature bypass | CVSS: 9.8 CVSS: 9.8 CVSS: 7.2 | Exploit |
Microsoft | CVE-2021-27065 CVE-2021-26858 CVE-2021-26857 CVE-2021-26855 | RCE | CVSS: 7.8 CVSS: 7.8 CVSS: 7.8 CVSS: 9.8 | Exploit Others: 1, 2, 3, 4 |
Atlassian | CVE-2021-26084 | Arbitrary code execution | CVSS: 9.8 | Exploit |
VMware | CVE-2021-21972 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2020-1472 | EOP | CVSS: 10 | Exploit |
Microsoft | CVE-2020-0688 | RCE | CVSS: 8.8 | Exploit |
Pulse Secure | CVE-2019-11510 | Arbitrary file reading | CVSS: 10 | Exploit |
Fortinet | CVE-2018-13379 | Path traversal | CVSS: 9.8 | Exploit |
“In 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” said the vulnerability report from US, UK, Canadian, Australian and New Zealand cyber-security bodies – known as the Five Eyes.
“For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors,” the report added. (We're sharing some above for Red Team reference.)
Follow >> The Stack on LinkedIn << to keep abreast
Microsoft was the single most-represented vendor on the list, with the collection of Microsoft Exchange server vulnerabilities ProxyShell, ProxyLogon, ZeroLogon -- rampantly exploited at scale by Chinese APTs and other actors -- all making the top-10 most-exploited vulnerabilities of 2021.
But the second-most exploited vulnerability was in the widely-used but less widely-discussed Zoho ManageEngine. The vulnerabilities, allowing authentication-bypass and remote-code execution, had been known and a patch made available since September – but were prevalent enough that at least two separate groups made wide use of them until late in 2021.The last four most-exploited vulnerabilities of 2021 were discovered in previous years - but the oldest is only from 2018, in contrast to bugs almost a decade old found on 2019's vulnerability list.
More 'routinely exploited' vulnerabilities to patch
The cyber-security agencies also listed plenty of other vulnerabilities which are "routinely exploited" and which organisations should patch as soon as possible:
- Sitecore XP: CVE-2021-42237
- ForgeRock OpenAM: CVE-2021-35464
- Accellion FTA: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
- VMware vCenter: CVE-2021-21985
- SonicWall SMA: CVE-2021-20038
- Microsoft MSHTML: CVE-2021-40444
- Microsoft Windows Print Spooler: CVE-2021-34527, CVE-2021-1675
- Sudo: CVE-2021-3156
- Checkbox Survey: CVE-2021-27852
- PulseSecure Pulse Connect Secure: CVE-2021-22893
- SonicWall SSLVPN SMA100: CVE-2021-20016
- QNAP QTS and QuTS hero: CVE-2020-2509
- Citrix ADC and Gateway: CVE-2019-19781
- Progress Telerik UI for ASP.NET Ajax: CVE-2019-18935
- Cisco IOS and IOS XE Software: CVE-2018-0171
- Microsoft Office: CVE-2017-11882, CVE-2017-0199
The 12 most exploited vulnerabilities in 2020 meanwhile were...
Citrix | CVE-2019-19781 | Arbitrary code execution | CVSS: 9.8 | Exploit |
Pulse Secure | CVE 2019-11510 | Arbitrary file reading | CVSS: 10 | Exploit |
Fortinet | CVE 2018-13379 | Path traversal | CVSS: 9.8 | Exploit |
F5- Big IP | CVE 2020-5902 | RCE | CVSS: 9.8 | Exploit |
MobileIron | CVE 2020-15505 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2017-11882 | RCE | CVSS: 9.3 | Exploit |
Atlassian | CVE-2019-11580 | RCE | CVSS: 9.4 | Exploit |
Drupal | CVE-2018-7600 | RCE | CVSS: 9.8 | Exploit |
Telerik | CVE 2019-18935 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2019-0604 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2020-0787 | Elevation of privilege | CVSS: 7.8 | Exploit |
Netlogon | CVE-2020-1472 | Elevation of privilege | CVSS: 10 | Exploit |