On April 27, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom published a joint Cybersecurity Advisory (CSA), 2021 Top Routinely Exploited Vulnerabilities (AA22-117A). As in prior years, this joint effort highlights multiple vulnerabilities that threat actors are routinely exploiting on devices and software that remain unpatched or are no longer supported by a vendor. AA22-117A lists the top 15 and also includes 21 more “additional routinely exploited vulnerabilities,” for a total of 36 in 2021. For the purposes of this lightweight analysis, all 36 vulnerabilities will be aggregated. These lists, to include the larger CISA’s Known Exploited Vulnerabilities Catalog, are part of a coordinated global effort to help all organizations prioritize vulnerability management activities, including patching efforts that many struggle with.

There were 24 products across 17 vendors encompassing 2021’s 36 routinely exploited vulnerabilities. Many of the top bugs continue targeting internet-facing systems, such as email servers and virtual private network (VPN) servers. Likewise, many of the significant vulnerabilities that were newly disclosed in 2021 led the pack for being routinely exploited, which hasn’t historically happened – it’s not uncommon for vulnerabilities from prior years to dominate in any given year. Unsurprisingly, the more significant volume of bugs included those impacting Microsoft Exchange, including ProxyLogon (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065) and ProxyShell (CVE-2021-34523, CVE-2021-34473, CVE-2021-31207). However, most of the 2021 exploitation revolved around 5 vendors (Microsoft, Pulse Connect Secure, VMware, Accellion, and SonicWall).

The routinely exploited vulnerabilities in 2021 range in year of disclosure between 2017–2021; 26 in 2021 and 10 prior to 2021. This report once again indicates that while actors are adept at swiftly capitalizing on newly disclosed vulnerabilities, they persistently favor old ones too. The reason is the same for both – capitalize before patches are applied – exploit the new vulnerabilities before organizations patch and continue exploiting the old vulnerabilities because organizations still haven’t patched (and may never patch). Furthermore, after a quick review of similar data from past reports AA21-209A and AA20-133A, one vulnerability makes the trifecta. CVE-2017-11882, a remote code execution bug impacting Microsoft Office (from 5 years ago) appears to be a fan favorite among threat actors, repeatedly making the top routinely exploited vulnerabilities over the past 3 reporting cycles. Another indication that organizations are struggling to patch or update key products in a timely fashion.

Mitigations against these and other vulnerabilities include common best practice risk management activities across vulnerability management, identity and access management, and protective controls and architecture programs. Members are highly encouraged to review AA22-117A for potentially impacted assets within your environment and more details on the recommended mitigations. It is important for all utilities to verify/validate that these vulnerabilities (regardless of how old) have been addressed through patching or other recommended compensating controls to minimize the risk of exploitation against your network.