During 2021, the top 15 vulnerabilities that were exploited — as observed by the US Cybersecurity and Infrastructure Security Agency, US NSA, US FBI, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre — led to remote code execution (RCE) across a range of products, and left IT administrators with a short window to keep their house in order.
“For most of the top exploited vulnerabilities, researchers or other actors released proof of concept code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors,” the agencies said in an alert.
Topping the list was the RCE hole in the Java logging library Apache Log4j, known as Log4Shell, which was disclosed in December.
“The rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch,” the alert said.
This was followed by CVE-2021-40539, an RCE hole in Zoho ManageEngine, and seven vulnerabilities in Exchange that became known as ProxyShell and ProxyLogon.
Next on the list was CVE-2021-26084 in Atlassian Confluence, which US Cybercom warned was facing mass exploitation in September. In this instance, the agencies said the exploit code was released a week after it was disclosed.
The final vulnerability from 2021 on the list was CVE-2021-21972, which impacted VMware vSphere.
Completing the list was a quartet of vulnerabilities that were highlighted in July: CVE-2020-1472 in Microsoft Netlogon, also called Zerologon; CVE-2020-0688 in Exchange; CVE-2019-11510 in Pulse Secure Connect; and CVE-2018-13379 affecting Fortinet FortiOS and FortiProxy.
A secondary list of another 15 CVEs was also issued, and included holes in Accellion FTA, and additional RCE bugs in VMware vCenter and the Windows print spooler.
To mitigate these vulnerabilities, the agencies repeated their standing advice: patch promptly, run a centralised patch management system, and consider shifting to cloud or managed service providers if rapid scanning is not feasible. They added that organisations should enforce multifactor authentication for all users without exception, VPN logins in particular, review privileged accounts regularly (at least yearly), and adopt the principle of least privilege.
Companies should also move to allowlisting, properly segment networks to limit lateral movement, and constantly monitor attack surfaces.
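The identity-side advice above (MFA for everyone, VPN logins especially, and a periodic review of privileged accounts) is easy to state and easy to let slip. The following added example, which is not code from the advisory or any of the agencies, shows what an automated review of that advice can look like. It runs over a constructed export of account records; the privileged group names, the field layout and the 90-day staleness window are all assumptions for the example (the advisory itself only says "at least yearly").

```python
"""Privileged-account and MFA review against the joint advisory's hardening advice.

Added example, not from the advisory. Given identity records, it reports:
  * NO_MFA            - any account without MFA (advice: MFA for all, no exceptions)
  * VPN_WITHOUT_MFA   - VPN-enabled accounts without MFA (VPN logins were called out)
  * STALE_PRIVILEGED  - privileged accounts unused for longer than a window
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Assumed privileged groups for this example environment; adapt to the
# directory being reviewed.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Schema Admins"})

# Staleness window. The advisory says review at least yearly; the 90-day
# default here is this example's own, stricter assumption.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    name: str
    groups: FrozenSet[str]
    mfa_enabled: bool
    vpn_access: bool
    last_logon: Optional[date]  # None means the account has never logged on


def is_privileged(acct: Account) -> bool:
    """True when the account sits in any of the assumed privileged groups."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def review_accounts(accounts: Iterable[Account], today: date,
                    stale_after: timedelta = STALE_AFTER) -> List[Tuple[str, str]]:
    """Return (account name, finding code) pairs in input order."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.mfa_enabled:
            findings.append((a.name, "NO_MFA"))
            if a.vpn_access:
                findings.append((a.name, "VPN_WITHOUT_MFA"))
        if is_privileged(a):
            # A never-used privileged account is treated as stale, not skipped.
            if a.last_logon is None or today - a.last_logon > stale_after:
                findings.append((a.name, "STALE_PRIVILEGED"))
    return findings


def summarise(findings: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per code, for a quick management-level view."""
    counts: Dict[str, int] = {}
    for _, code in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample export and reference date (not real data).
TODAY = date(2022, 4, 28)
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"Domain Admins"}), True, True, TODAY - timedelta(days=5)),
    Account("bob", frozenset({"Domain Admins"}), False, True, TODAY - timedelta(days=200)),
    Account("svc-backup", frozenset({"Domain Admins"}), False, False, None),
    Account("carol", frozenset(), False, True, TODAY - timedelta(days=2)),
    Account("dave", frozenset(), True, False, TODAY - timedelta(days=400)),
]

if __name__ == "__main__":
    results = review_accounts(SAMPLE_ACCOUNTS, TODAY)
    for name, code in results:
        print(f"{code:17} {name}")
    print(summarise(results))
```

Passing a different `stale_after` (for example `timedelta(days=365)` to match the advisory's yearly review) changes only which privileged accounts are flagged for inactivity; the MFA findings are independent of the window, which is the point: MFA gaps should be closed regardless of how often accounts are reviewed.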