Vulnerability by Third Party

Study

The lead cybersecurity and law enforcement agencies of the US, UK and Australia have jointly issued an advisory naming the 30 vulnerabilities most commonly exploited by threat actors over the course of 2020 and 2021.

Most of the vulnerabilities were related to remote access/work from home mechanisms deployed by organisations during the COVID-19 pandemic.  

“The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.”

Results

The depressing result of this study is that every exploited vulnerability on the list has a vendor patch available, so all of these exploitations could have been prevented by routine patching.

According to the U.S. government’s findings, the most exploited vulnerability in 2020 was a flaw in Citrix Application Delivery Controller (ADC). Identified as CVE-2019-19781, the arbitrary code execution bug was rated critical in severity, with a score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. An attacker who successfully exploits this vulnerability can take over the affected system entirely. The vulnerability attracted cybercriminals because it is easy to exploit and Citrix ADC appliances are deployed extensively worldwide.

Takeaway

Patch your systems!

The agencies urged organizations to patch their vulnerable systems and keep them up to date. It is one of the easiest ways to reduce the chance of these vulnerabilities being exploited and their systems being compromised.

“In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks,” said Executive Assistant Director for Cybersecurity, CISA, Eric Goldstein.

The List

Here are the top 13 vulnerabilities from the list, including links for remediation.

Take action. Get your systems patched.

Vendor: Citrix (CVE-2019-19781)
Description: Citrix NetScaler Application Delivery Controller (ADC) is vulnerable to RCE and full system compromise because poor access controls allow directory traversal.
Type: Arbitrary code execution
Fix: https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/

Vendor: Pulse Secure
Description: Pulse Connect Secure is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to obtain administrative credentials.
Type: Arbitrary file read
Fix: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Vendor: Fortinet
Description: The Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows an attacker to read the sslvpn_websession file and extract clear-text usernames and passwords.
Type: Path traversal
Fix: https://www.fortiguard.com/psirt/FG-IR-18-384

Vendor: F5 (BIG-IP)
Description: The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages.
Type: Remote code execution (RCE)
Fix: https://support.f5.com/csp/article/K52145254

Vendor: MobileIron
Description: MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.
Type: RCE
Fix: https://www.ivanti.com/blog/mobileiron-security-updates-available

Vendor: Microsoft (Exchange, CVE-2020-0688)
Description: An RCE vulnerability exists in Microsoft Exchange when the software fails to properly handle objects in memory.
Type: RCE
Fix: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688

Vendor: Atlassian
Description: The Widget Connector in Atlassian Confluence Server and Data Center is vulnerable to server-side template injection.
Type: RCE
Fix: https://us-cert.cisa.gov/ncas/alerts/Patch%20Available

Vendor: Drupal
Description: Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Type: RCE
Fix: https://www.drupal.org/sa-core-2018-002

Vendor: Telerik
Description: Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution on affected web servers due to a deserialization vulnerability.
Type: RCE
Fix: https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

Vendor: Microsoft (Office, CVE-2017-11882)
Description: Microsoft Office is prone to a memory corruption vulnerability that allows an attacker to run arbitrary code in the context of the current user because the software fails to properly handle objects in memory. It is also known as the “Microsoft Office Memory Corruption Vulnerability.” Cyber actors continued to exploit this four-year-old vulnerability, which the U.S. Government publicly assessed last year to be the most frequently targeted, most likely because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.
Type: RCE
Fix: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882

Vendor: Microsoft (SharePoint, CVE-2019-0604)
Description: A vulnerability in an XML deserialization component within Microsoft SharePoint allows remote attackers to execute arbitrary code on vulnerable SharePoint servers.
Type: RCE
Fix: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604

Vendor: Microsoft (Windows BITS, CVE-2020-0787)
Description: The Windows Background Intelligent Transfer Service (BITS) is vulnerable to elevation of privilege because it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with SYSTEM privileges. The exploit was used in Maze and Egregor ransomware campaigns.
Type: Elevation of privilege
Fix: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787

Vendor: Microsoft (Windows Netlogon, CVE-2020-1472)
Description: The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.
Type: Elevation of privilege
Fix: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
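The Netlogon entry above turns on a single cryptographic detail: AES in 8-bit cipher feedback (CFB8) mode driven from a fixed all-zero IV. The Go program below is an added example, not code from the original post or from the advisory, and it does not implement the MS-NRPC protocol. It writes CFB8 out by hand over Go's standard-library AES (cipher.NewCFBEncrypter is full-block CFB, which is a different mode) and shows why a zero IV is fatal when the other party chooses the plaintext: with an all-zero challenge, the credential comes out all zero whenever the first byte of E_K(0^16) is zero, which happens for about one key in 256. The function names, the netlogonCredential shape and the counter-derived keys from constructedKey are assumptions made for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// cfb8 is 8-bit cipher feedback mode written out by hand (Go's
// cipher.NewCFBEncrypter is full-block CFB, not what MS-NRPC uses). Per byte:
// encrypt the register, XOR its first byte with the input byte, then shift the
// register left one byte and append the ciphertext byte (the output when
// encrypting, the input when decrypting).
func cfb8(block cipher.Block, iv, in []byte, decrypt bool) []byte {
	bs := block.BlockSize()
	if len(iv) != bs {
		panic("cfb8: IV must be exactly one block")
	}
	register := append([]byte{}, iv...)
	keystream := make([]byte, bs)
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(keystream, register)
		out[i] = b ^ keystream[0]
		ctByte := out[i]
		if decrypt {
			ctByte = b
		}
		copy(register, register[1:]) // overlapping copy is well defined in Go
		register[bs-1] = ctByte
	}
	return out
}

func cfb8Encrypt(block cipher.Block, iv, pt []byte) []byte { return cfb8(block, iv, pt, false) }
func cfb8Decrypt(block cipher.Block, iv, ct []byte) []byte { return cfb8(block, iv, ct, true) }

// netlogonCredential has the shape of the MS-NRPC credential computation the
// advisory describes: an 8-byte challenge encrypted with AES-128 in CFB8 under
// the session key and a fixed all-zero IV. Illustration only, not the protocol.
func netlogonCredential(sessionKey, challenge []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	zeroIV := make([]byte, block.BlockSize()) // the static, zero-value IV
	return cfb8Encrypt(block, zeroIV, challenge), nil
}

func isAllZero(b []byte) bool { return bytes.Equal(b, make([]byte, len(b))) }

// zeroChallengeGivesZeroCredential: with a zero IV and zero plaintext the
// register never changes, so the credential is all zero exactly when E_K(0^16)
// starts with 0x00. That is a 1-in-256 event per key, and a client that does
// not know the key can still hit it by sending zeros until they are accepted.
func zeroChallengeGivesZeroCredential(sessionKey []byte) bool {
	cred, err := netlogonCredential(sessionKey, make([]byte, 8))
	if err != nil {
		panic(err)
	}
	return isAllZero(cred)
}

// constructedKey is the i-th demo key: 16 bytes with a counter in the last
// four. These are constructed for this example, not Netlogon session keys.
func constructedKey(i int) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint32(key[12:], uint32(i))
	return key
}

// countVulnerableKeys scans the first trials constructed keys and returns how
// many accept the all-zero credential (expect about trials/256) together with
// the first such key, or nil if none was found.
func countVulnerableKeys(trials int) (int, []byte) {
	hits := 0
	var first []byte
	for i := 0; i < trials; i++ {
		if key := constructedKey(i); zeroChallengeGivesZeroCredential(key) {
			if first == nil {
				first = key
			}
			hits++
		}
	}
	return hits, first
}

func main() {
	const trials = 8192
	hits, key := countVulnerableKeys(trials)
	fmt.Printf("%d of %d constructed keys accept an all-zero credential (expected about %d)\n", hits, trials, trials/256)
	if key != nil {
		fmt.Printf("first such key: %x\n", key)
	}
}
```

Run it with go run and the count comes out close to 32 for 8,192 keys. The defensive lesson generalises beyond Netlogon: a feedback mode whose keystream depends only on the key and a fixed IV, combined with plaintext the other side chooses, degrades an authenticator to a 1-in-256 guess per attempt, so no amount of key rotation helps and the vendor patch linked above is the only remediation.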