Today, CISA, the National Security Agency (NSA), the FBI, and international partners published a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities. This advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, and the associated Common Weakness Enumeration(s) (CWE), to help organizations better understand the impact exploitation could have on their systems.

According to the report, “In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.” In addition, threat actors usually have the most success exploiting known vulnerabilities within the first two years of public disclosure. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods.

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in the advisory. Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities because when cyber incidents are reported quickly, it can contribute to stopping further attacks.

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.

Analyst Comment (Jennifer Lyn Walker): As in prior years, this joint effort highlights multiple vulnerabilities that threat actors are routinely exploiting on devices and software that remain unpatched or are no longer supported by a vendor. These lists, to include the larger CISA’s Known Exploited Vulnerabilities Catalog, are part of a coordinated global effort to help all organizations prioritize vulnerability management activities, including patching efforts that many struggle with.

AA23-215 lists the top 12, and also includes 30 more “additional routinely exploited vulnerabilities,” for a total of 42 in 2022. For a convenient overview, the 42 include vulnerabilities between 2017 – 2022 across the following widely used IT manufacturers – in some cases including multiple product lines:

Apache (to include log4j), Atlassian, Citrix, F5, Fortinet, Ivanti, Microsoft, Oracle, QNAP, SAP, SonicWall, VMware, WSO2, Zimbra, and Zoho.

Members, especially ones that struggle with patching, are encouraged to review this advisory more closely to determine if any of these components are in your environments and remain unpatched. This list is designed to help network defenders prioritize addressing (patching) vulnerabilities that actors are actively exploiting among the sea of other vulnerabilities that have been identified as an issue but have not been observed being actively exploited.