29 July 2021

US, UK and Australia reveal most targeted vulnerabilities in the last two years



The Australian Cyber Security Centre (ACSC), the UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US Federal Bureau of Investigation (FBI) have issued a joint advisory listing the top 30 most targeted vulnerabilities throughout 2020 and 2021.

The cybersecurity agencies identified the following as the vulnerabilities most exploited by threat actors in 2020:

  • CVE-2019-19781 – Citrix Netscaler Directory Traversal

  • CVE-2019-11510 – Pulse Secure Connect VPN Unauthenticated Arbitrary File Disclosure

  • CVE-2018-13379 – Fortinet FortiOS Secure Socket Layer VPN Unauthenticated Directory Traversal

  • CVE-2020-5902 – F5 Big IP Traffic Management User Interface Remote Code Execution

  • CVE-2020-15505 – MobileIron Core & Connector Remote Code Execution

  • CVE-2020-0688 – Microsoft Exchange Memory Corruption/Remote Code Execution

  • CVE-2019-3396 – Atlassian Confluence Server Widget Connector Remote Code Execution

  • CVE-2017-11882 – Microsoft Office Memory Corruption/Remote Code Execution

  • CVE-2019-11580 – Atlassian Crowd and Crowd Data Center Remote Code Execution

  • CVE-2018-7600 – Drupal Core Multiple Remote Code Execution

  • CVE-2019-18935 – Telerik UI for ASP.NET AJAX Insecure Deserialization

  • CVE-2019-0604 – Microsoft SharePoint Remote Code Execution

  • CVE-2020-0787 – Windows Background Intelligent Transfer Service Elevation of Privilege

  • CVE-2020-1472 – Windows Netlogon Elevation of Privilege

Among the vulnerabilities listed above, CVE-2019-19781 was the most exploited flaw in 2020, according to the advisory.

“Identified as emerging targets in early 2020, unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379, in VPN services to compromise an array of organizations, including those involved in COVID-19 vaccine development,” CISA said.

The second list of vulnerabilities shared by the ACSC, NCSC, CISA, and the FBI includes the flaws most regularly targeted by malicious actors in 2021. Those are:

“One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems),” the cybersecurity agency advised.

“Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.”
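The prioritization rule quoted above can be applied to a scanner export as follows. This is an added example, not code from the advisory or the agencies: the CSV columns, host names and `CVE-0000-*` placeholder IDs are constructed, and ranking "known exploited" above "internet-facing" when only one applies is an assumption.

```python
import csv
import io

# CVE IDs from the 2020 list reproduced on this page.
EXPLOITED_2020 = frozenset({
    "CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379", "CVE-2020-5902",
    "CVE-2020-15505", "CVE-2020-0688", "CVE-2019-3396", "CVE-2017-11882",
    "CVE-2019-11580", "CVE-2018-7600", "CVE-2019-18935", "CVE-2019-0604",
    "CVE-2020-0787", "CVE-2020-1472",
})

# Constructed scanner export. Hosts and columns are hypothetical;
# CVE-0000-* are placeholder IDs standing in for findings not on the list.
SAMPLE_FINDINGS = """\
host,cve,internet_facing,patch_available
intranet-wiki,CVE-2019-3396,no,yes
vpn-gw-01,cve-2019-11510,yes,yes
web-proxy-02,CVE-0000-0001,yes,no
dc-01,CVE-2020-1472,no,yes
file-srv-3,CVE-0000-0002,no,yes
"""

def _yes(value):
    """Interpret a yes/no style CSV cell as a boolean."""
    return value.strip().lower() in {"yes", "true", "1"}

def triage(findings_csv, known_exploited=EXPLOITED_2020):
    """Rank findings: tier 0 = known exploited and internet-facing,
    1 = known exploited, 2 = internet-facing, 3 = everything else."""
    ranked = []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        cve = row["cve"].strip().upper()  # normalise case before matching
        exploited = cve in known_exploited
        exposed = _yes(row["internet_facing"])
        tier = {(True, True): 0, (True, False): 1,
                (False, True): 2, (False, False): 3}[(exploited, exposed)]
        # No patch yet: fall back to a vendor workaround or mitigation.
        action = "patch" if _yes(row["patch_available"]) else "workaround"
        ranked.append({"tier": tier, "host": row["host"].strip(),
                       "cve": cve, "action": action})
    # sorted() is stable, so findings in the same tier keep scanner order.
    return sorted(ranked, key=lambda r: r["tier"])

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(f'tier {r["tier"]}  {r["host"]:<14} {r["cve"]:<15} {r["action"]}')
```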

