US, UK, Australia issue joint advisory on today’s top exploited vulnerabilities
Cyber-security agencies from Australia, the UK, and the US have published a joint advisory today listing the most exploited security flaws throughout 2020 and 2021.
Joint advisories were published today by the Australian Cyber Security Centre (ACSC), the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US Federal Bureau of Investigation (FBI).
According to the joint advisories, the vulnerabilities span a wide spectrum of products, ranging from VPN appliances to email servers and from network access gateways to web-based enterprise applications and desktop software.
However, the crux of today’s joint advisory is that threat actors have typically exploited recent vulnerabilities, showing their ability to quickly weaponize security flaws once they enter the public domain.
The advisories do not rank vulnerabilities based on their importance but split them into two lists.
The first list is dedicated to the vulnerabilities most exploited through 2020:
- CVE-2019-19781 – Citrix Netscaler Directory Traversal
- CVE-2019-11510 – Pulse Secure Connect VPN Unauthenticated Arbitrary File Disclosure
- CVE-2018-13379 – Fortinet FortiOS Secure Socket Layer VPN Unauthenticated Directory Traversal
- CVE-2020-5902 – F5 BIG-IP Traffic Management User Interface Remote Code Execution
- CVE-2020-15505 – MobileIron Core & Connector Remote Code Execution
- CVE-2020-0688 – Microsoft Exchange Memory Corruption/Remote Code Execution
- CVE-2019-3396 – Atlassian Confluence Server Widget Connector Remote Code Execution
- CVE-2017-11882 – Microsoft Office Memory Corruption/Remote Code Execution
- CVE-2019-11580 – Atlassian Crowd and Crowd Data Center Remote Code Execution
- CVE-2018-7600 – Drupal Core Multiple Remote Code Execution
- CVE-2019-18935 – Telerik UI for ASP.NET AJAX Insecure Deserialization
- CVE-2019-0604 – Microsoft SharePoint Remote Code Execution
- CVE-2020-0787 – Windows Background Intelligent Transfer Service Elevation of Privilege
- CVE-2020-1472 – Windows Netlogon Elevation of Privilege
The second list includes vulnerabilities that also came under attack in 2021, grouped by vendor:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
- VMware: CVE-2021-21985
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
While it would be unrealistic to classify vulnerabilities based on their popularity among threat actors and the number of attacks, the agencies hope that the two lists will encourage private companies and government organizations to take notice, search their networks, and then patch any devices vulnerable to the bugs listed above.
“Collaboration is a crucial part of CISA’s work and today we partnered with ACSC, NCSC and FBI to highlight cyber vulnerabilities that public and private organisations should prioritise for patching to minimise risk of being exploited by malicious actors,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein.