Vulnerability Management – Some Vulnerabilities Don’t Go Out of Style

Author: Jennifer Walker

Created: Thursday, July 29, 2021 - 17:17

Categories: Cybersecurity, Security Preparedness

A Joint Cybersecurity Advisory on the Top Routinely Exploited Vulnerabilities (AA21-209A) was released yesterday. The advisory, coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI), highlights the top 30 vulnerabilities widely exploited during the previous 12-18 months. The report also includes specific mitigations and indicators of compromise (IoCs) to help organizations protect against and detect exploitation of these vulnerabilities.

Most vulnerabilities in the top 30 have been assigned CVE (Common Vulnerabilities and Exposures) numbers, with years of disclosure ranging from 2021 back to 2017. The vulnerabilities are grouped by year of exploitation (2020 and 2021). While most of the 2021 exploitation revolved around five core products (Microsoft Exchange, Pulse Connect Secure, VMware, Accellion, and Fortinet), activity during 2020 largely involved vulnerabilities dating from 2019 back to 2017. The report indicates that while actors are adept at swiftly capitalizing on newly disclosed vulnerabilities, they frequently and persistently favor the old. The reason is the same for both: capitalize before patches are applied. Actors exploit the new vulnerabilities before organizations patch, and continue exploiting the old ones against organizations that still haven’t patched (and may never patch). The advisory can be accessed at CISA and an overview can be found at The Record.
