Fortinet VPN bug tops CISA’s list of most exploited vulnerabilities in 2022
This article was updated at 4:25 p.m. EST on August 3 with comment from Fortinet.
If there’s one take-home message from a joint advisory published Thursday by the cybersecurity agencies of the Five Eyes countries, it’s this: “Patch your internet-facing systems.”
With all of the visibility the agencies have into attacks targeting organizations across the United States, Australia, Canada, New Zealand and the United Kingdom, the joint advisory warns that malicious cyber actors are exploiting older software vulnerabilities more frequently than recently disclosed ones.
The list is not dissimilar to the one released last year. More than half of the top 12 vulnerabilities also featured on that list, including Log4Shell (tracked as CVE-2021-44228) — which was discovered in 2021 and allegedly used by North Korean threat groups — and the Zoho vulnerability (CVE-2021-40539) used in the headline-grabbing attack on the Red Cross.
According to the U.K.’s National Cyber Security Centre (NCSC), the number of vulnerabilities reappearing on this year’s list highlights “how malicious cyber actors continued targeting previously disclosed flaws in internet-facing systems – despite security updates being available to fix them.”
The most exploited vulnerability of last year was actually disclosed back in 2018 and has been the subject of repeated reports from the Cybersecurity and Infrastructure Security Agency/FBI and NCSC despite organizations having had four years to patch the particular appliance.
The vulnerability affects (you guessed it) Fortinet’s SSL VPNs and is tracked as CVE-2018-13379. It has been a known problem for a long time, and one which Western authorities have warned was being exploited by APT29, linked to Russia’s SVR foreign intelligence service, as well as by other malicious groups.
Following publication of this article, a Fortinet spokesperson highlighted the company's work to provide mitigation guidance to the public.
"Fortinet is focused on enabling organizations to make informed risk-based decisions that help mitigate their cyber risks, including the timely deployment of patches and critical updates," they said.
Next on the list of widely exploited issues was a chain of vulnerabilities affecting Microsoft Exchange servers, popularly known as ProxyShell (tracked as CVE-2021-34473, CVE-2021-31207 and CVE-2021-34523), which were discovered in 2021.
“Attackers generally see the most success exploiting known vulnerabilities within the first two years of public disclosure and likely target their exploits to maximise impact, emphasising the benefit of organisations applying security updates promptly,” said the NCSC.
And, again, the Atlassian bug (CVE-2021-26084) — which was assigned a severity score of 9.8 out of a maximum of 10, as it allowed remote exploitation over the internet and because the complexity of developing a weaponized exploit was considered low — continued to rank among the top five.
The most exploited vulnerabilities of the year that were actually discovered last year were a pair of issues affecting VMware products (CVE-2022-22954, CVE-2022-22960) which prompted CISA to issue an emergency directive last May, ordering federal civilian agencies to patch their affected products.
Trailing in the race for the worst mishap of 2022 was a flaw affecting F5's BIG-IP products – assigned a score of 9.8 out of 10 – about which CISA was prompted to issue an emergency advisory. Recorded Future News observed more than 15,000 BIG-IP products exposed to the internet.
Microsoft made the list again, with a vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool in Windows being exploited by several state-backed threat actors, according to reports from multiple security companies.
Atlassian’s other vulnerability (CVE-2022-26134) is the last of the dirty dozen, with the advisory warning it “was likely initially exploited as a zero-day before public disclosure in June 2022” and noting it was related to the other Atlassian vulnerability (CVE-2021-26084) which came fourth on this list.
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.