The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) have co-authored a new advisory that provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.

Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.

In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on data available to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic.

The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching. Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.

Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management. CISA, ACSC, the NCSC, and FBI consider the following to be the CVEs most regularly exploited by cyber actors during 2020:

  1. Citrix (CVE-2019-19781)
  2. Pulse (CVE-2019-11510)
  3. Fortinet (CVE-2018-13379)
  4. F5 BIG-IP (CVE-2020-5902)
  5. MobileIron (CVE-2020-15505)
  6. Microsoft (CVE-2017-11882)
  7. Atlassian (CVE-2019-11580)
  8. Drupal (CVE-2018-7600)
  9. Telerik (CVE-2019-18935)
  10. Microsoft (CVE-2019-0604)
  11. Microsoft (CVE-2020-0787)
  12. Netlogon (CVE-2020-1472)

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems.

Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "Vulnerability management is one of the most challenging aspects of any security program. Taking a risk-based approach to vulnerability management is the way forward, and teams should absolutely be prioritizing vulnerabilities that are actively being exploited. You can't patch 'all the things' and defenders are drowning in vulnerabilities. Vulnerability alerts from CISA are a powerful tool to help teams stay above water and minimize their attack surface."

Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans.