U.S. cybersecurity agencies joined their counterparts around the globe to urge organizations to address the top 15 vulnerabilities exploited in 2021.
Topping the list were the Log4Shell vulnerability and Microsoft bugs ProxyShell and ProxyLogon. Microsoft occupied more than half the list, with Exchange Server accounting for eight of the vulnerabilities. VMware, Atlassian, Pulse Secure and Fortinet rounded out the list.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), NSA and FBI joined their “Five Eyes” counterparts in issuing the alert: the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), and the UK’s National Cyber Security Centre (NCSC UK).
The advisory details the top 15 Common Vulnerabilities and Exposures (CVEs) that were routinely exploited by malicious cyber actors in 2021, plus another 21 frequently exploited CVEs. The cybersecurity authorities urged organizations to apply patches promptly and to implement a centralized patch management system in order to reduce their attack surface.
Web-Facing Systems at Risk
Malicious actors tend to focus on internet-facing systems, such as email and virtual private network (VPN) servers, to gain entry into a network, using exploits targeting newly disclosed vulnerabilities.
“U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” said the advisory.
This is likely because, for most of the top exploited bugs in 2021, malicious actors and security researchers released proof-of-concept (PoC) exploits within two weeks of initial disclosure. However, some attacks targeted older vulnerabilities patched years earlier, indicating that some organizations fail to update their systems even when a patch is available.
Top 15 Routinely Exploited Vulnerabilities
The table below lists the top 15 vulnerabilities observed by the US, Australian, Canadian, New Zealand, and UK cybersecurity authorities; the advisory links each entry to its National Vulnerability Database record and associated malware.
CVE | Vulnerability | Vendor and Product | Type |
CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) |
CVE-2021-40539 | | Zoho ManageEngine AD SelfService Plus | RCE |
CVE-2021-34523 | ProxyShell | Microsoft Exchange Server (MES) | Elevation of privilege |
CVE-2021-34473 | ProxyShell | MES | RCE |
CVE-2021-31207 | ProxyShell | MES | Security feature bypass |
CVE-2021-27065 | ProxyLogon | MES | RCE |
CVE-2021-26858 | ProxyLogon | MES | RCE |
CVE-2021-26857 | ProxyLogon | MES | RCE |
CVE-2021-26855 | ProxyLogon | MES | RCE |
CVE-2021-26084 | | Atlassian Confluence Server and Data Center | Arbitrary code execution |
CVE-2021-21972 | | VMware vSphere Client | RCE |
CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
CVE-2020-0688 | | MES | RCE |
CVE-2019-11510 | | Pulse Secure Pulse Connect Secure | Arbitrary file reading |
CVE-2018-13379 | | Fortinet FortiOS and FortiProxy | Path traversal |
Other Routinely Exploited Vulnerabilities
In addition to the 15 vulnerabilities in the table above, the alert listed 21 further vulnerabilities identified by the cybersecurity agencies as routinely exploited by malicious cyber actors in 2021.
The list includes multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Pulse Secure Pulse Connect Secure, and Windows Print Spooler. Three of these vulnerabilities (CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882) were also routinely exploited in 2020.
CVE | Vendor and Product | Type |
CVE-2021-42237 | Sitecore XP | RCE |
CVE-2021-35464 | ForgeRock OpenAM server | RCE |
CVE-2021-27104 | Accellion FTA | OS command execution |
CVE-2021-27103 | Accellion FTA | Server-side request forgery |
CVE-2021-27102 | Accellion FTA | OS command execution |
CVE-2021-27101 | Accellion FTA | SQL injection |
CVE-2021-21985 | VMware vCenter Server | RCE |
CVE-2021-20038 | SonicWall Secure Mobile Access (SMA) | RCE |
CVE-2021-40444 | Microsoft MSHTML | RCE |
CVE-2021-34527 | Microsoft Windows Print Spooler | RCE |
CVE-2021-3156 | Sudo | Privilege escalation |
CVE-2021-27852 | Checkbox Survey | Remote arbitrary code execution |
CVE-2021-22893 | Pulse Secure Pulse Connect Secure | Remote arbitrary code execution |
CVE-2021-20016 | SonicWall SSLVPN SMA100 | Improper SQL command neutralization, allowing for credential access |
CVE-2021-1675 | Windows Print Spooler | RCE |
CVE-2020-2509 | QNAP QTS and QuTS hero | Remote arbitrary code execution |
CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway | Arbitrary code execution |
CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX | Code execution |
CVE-2018-0171 | Cisco IOS Software and IOS XE Software | Remote arbitrary code execution |
CVE-2017-11882 | Microsoft Office | RCE |
CVE-2017-0199 | Microsoft Office | RCE |
Mitigation Measures
The advisory also includes mitigation measures to reduce the risk associated with the most abused flaws detailed above. It recommends that organizations use a centralized patch management system and regularly update the software, applications, operating systems, and firmware on IT network assets. They should also enforce multifactor authentication (MFA) for all users, without exception, and review, validate, or remove privileged accounts in a timely manner (annually at a minimum).
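One way a patch management team can act on the two tables above is to rank scanner findings by whether the CVE appears in the advisory, whether the affected host is internet-facing (the entry point the advisory highlights), and how long the finding has sat unpatched. The script below is an added example, not code from the advisory or the article; the CVE sets are copied from the tables above, while the host names, the scanner export format and the unknown identifier CVE-2099-0001 are constructed placeholders, and the scoring weights and action thresholds are assumptions chosen for illustration.

```python
"""Rank vulnerability-scanner findings against the advisory's CVE lists.

Added example: the CVE identifiers are those in the advisory tables above;
everything else (hosts, export format, weights) is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Top 15 routinely exploited CVEs, as listed in the advisory.
ADVISORY_TOP15 = frozenset({
    "CVE-2021-44228", "CVE-2021-40539", "CVE-2021-34523", "CVE-2021-34473",
    "CVE-2021-31207", "CVE-2021-27065", "CVE-2021-26858", "CVE-2021-26857",
    "CVE-2021-26855", "CVE-2021-26084", "CVE-2021-21972", "CVE-2020-1472",
    "CVE-2020-0688", "CVE-2019-11510", "CVE-2018-13379",
})

# The 21 additional routinely exploited CVEs, as listed in the advisory.
ADVISORY_ADDITIONAL = frozenset({
    "CVE-2021-42237", "CVE-2021-35464", "CVE-2021-27104", "CVE-2021-27103",
    "CVE-2021-27102", "CVE-2021-27101", "CVE-2021-21985", "CVE-2021-20038",
    "CVE-2021-40444", "CVE-2021-34527", "CVE-2021-3156", "CVE-2021-27852",
    "CVE-2021-22893", "CVE-2021-20016", "CVE-2021-1675", "CVE-2020-2509",
    "CVE-2019-19781", "CVE-2019-18935", "CVE-2018-0171", "CVE-2017-11882",
    "CVE-2017-0199",
})

# Constructed scanner export (placeholder hosts; CVE-2099-0001 is a dummy id
# standing in for a finding that is NOT in the advisory).
# Columns: host, cve, internet_facing (yes/no), first_seen (ISO date).
SAMPLE_FINDINGS = """\
host,cve,internet_facing,first_seen
mail01.example.internal,CVE-2021-34473,yes,2022-03-01
vpn01.example.internal,CVE-2019-11510,yes,2021-11-15
build01.example.internal,CVE-2021-44228,no,2022-04-20
ws-042.example.internal,CVE-2021-1675,no,2022-04-25
app03.example.internal,CVE-2099-0001,yes,2022-04-26
"""

# Assumed weights: advisory membership dominates, then exposure, then age.
WEIGHT_TOP15 = 3
WEIGHT_ADDITIONAL = 2
WEIGHT_INTERNET_FACING = 2
WEIGHT_STALE = 1
STALE_AFTER_DAYS = 30


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    internet_facing: bool
    first_seen: date


def parse_findings(text: str) -> list[Finding]:
    """Parse the comma-separated export, skipping the header and blank lines."""
    findings: list[Finding] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        host, cve, exposed, seen = (part.strip() for part in line.split(","))
        findings.append(Finding(host, cve.upper(), exposed.lower() == "yes",
                                date.fromisoformat(seen)))
    return findings


def score_finding(finding: Finding, today: date) -> int:
    """Additive score: advisory list membership + exposure + time unpatched."""
    score = 0
    if finding.cve in ADVISORY_TOP15:
        score += WEIGHT_TOP15
    elif finding.cve in ADVISORY_ADDITIONAL:
        score += WEIGHT_ADDITIONAL
    if finding.internet_facing:
        score += WEIGHT_INTERNET_FACING
    if (today - finding.first_seen).days > STALE_AFTER_DAYS:
        score += WEIGHT_STALE
    return score


def action_for(score: int) -> str:
    """Map a score to a patching action (assumed thresholds)."""
    if score >= 5:
        return "immediate"
    if score >= 3:
        return "high"
    return "scheduled"


def triage(text: str, today: date | str) -> list[dict]:
    """Return findings ranked by score (desc), then host name, with actions."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for f in parse_findings(text):
        s = score_finding(f, today)
        rows.append({"host": f.host, "cve": f.cve, "score": s,
                     "action": action_for(s),
                     "in_advisory": f.cve in ADVISORY_TOP15 | ADVISORY_ADDITIONAL})
    rows.sort(key=lambda r: (-r["score"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, "2022-04-28"):
        print(f"{row['action']:<10} {row['score']:>2}  {row['host']:<26} {row['cve']}")
```

With the constructed sample and an assessment date of 2022-04-28, the two internet-facing Exchange and Pulse Connect Secure findings rank first (top-15 CVE, exposed, unpatched for more than 30 days), the internal Log4j host is next, and the finding that is not in the advisory falls to the scheduled tier despite being exposed. The point is the ordering logic, not the numbers: substitute your own weights, and feed it a real scanner export once the column mapping matches.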