The top 12 most exploited vulnerabilities of 2020/21

Citrix bug the most abused in 2020, while APTs target Atlassian flaw.


Attackers are getting faster at exploiting recently disclosed software flaws, a new joint advisory from the UK's NCSC, the US's CISA and Australia's ACSC notes: of the 12 most exploited vulnerabilities in 2020, many were bugs that vendors had patched only that year. (By contrast, a similar list published in 2020, covering the most exploited vulnerabilities of the previous four years, included a nine-year-old and a six-year-old bug.)

The single most exploited vulnerability in the wild was CVE-2019-19781, an arbitrary code execution bug in Citrix Application Delivery Controller (ADC) and Citrix Gateway. Citrix first disclosed it in an advisory on 17 December 2019, but patches were not available for all affected builds until 24 January 2020, the advisory notes.


As the agencies put it in the joint advisory, published on 28 July 2021: "Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management." Such agencies' calls to patch promptly have grown increasingly vociferous, and they emphasise that a concerted patching effort would introduce "friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."

The 12 most exploited vulnerabilities in 2020

Vendor                 CVE              Vulnerability type          CVSS   Public exploit
Citrix                 CVE-2019-19781   Arbitrary code execution    9.8    Yes
Pulse Secure           CVE-2019-11510   Arbitrary file read         10.0   Yes
Fortinet               CVE-2018-13379   Path traversal              9.8    Yes
F5 BIG-IP              CVE-2020-5902    RCE                         9.8    Yes
MobileIron             CVE-2020-15505   RCE                         9.8    Yes
Microsoft              CVE-2017-11882   RCE                         9.3    Yes
Atlassian              CVE-2019-11580   RCE                         9.4    Yes
Drupal                 CVE-2018-7600    RCE                         9.8    Yes
Telerik                CVE-2019-18935   RCE                         9.8    Yes
Microsoft              CVE-2019-0604    RCE                         9.8    Yes
Microsoft              CVE-2020-0787    Elevation of privilege      7.8    Yes
Microsoft (Netlogon)   CVE-2020-1472    Elevation of privilege      10.0   Yes

"Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries' operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crowd, a centralized identity management and application (CVE-2019-11580)," the advisory notes.

"A concerted focus on patching this vulnerability could have a relatively broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set. Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require MFA to remotely access networks from external sources, especially for administrator accounts."


In addition to the 2020 CVEs listed above, the agencies said, organizations should prioritize patching the following CVEs, which are known to have been exploited in 2021:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Mitigation details are in CISA's alert on the Exchange vulnerabilities.
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900. Mitigation details are in CISA's Pulse Secure alert.
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104. Mitigation details are in the NCSC's Accellion advisory.
  • VMware: CVE-2021-21985. Guidance is in VMware's post on the vulnerability.
  • Fortinet: CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. Mitigations are in the FBI's advisory.
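To act on the two lists above, a practitioner has to match the advisory's CVE identifiers against an asset inventory or scanner export and decide what to patch first. The Python script below is an added example, not code from the advisory, the agencies or the article: the scanner export format, the host names and the findings in it are constructed for illustration, the CVSS scores for the 2020 entries are those in the article's table, and the ranking rule (internet-facing first, then CVSS) is the advisory's emphasis on external-facing devices, not a rule it prescribes.

```python
"""Cross-reference scanner findings against the CVEs named in the joint
NCSC/CISA/ACSC advisory and emit a prioritized patch backlog.

Added example, not part of the advisory or the article. The scan export
format and its contents are constructed; a real scanner CSV will need its
own column mapping.
"""
import csv
import io
from collections import defaultdict

# The 12 CVEs the advisory says were most exploited in 2020, with the CVSS
# scores as given in the article's table.
TOP_2020 = {
    "CVE-2019-19781": 9.8, "CVE-2019-11510": 10.0, "CVE-2018-13379": 9.8,
    "CVE-2020-5902": 9.8, "CVE-2020-15505": 9.8, "CVE-2017-11882": 9.3,
    "CVE-2019-11580": 9.4, "CVE-2018-7600": 9.8, "CVE-2019-18935": 9.8,
    "CVE-2019-0604": 9.8, "CVE-2020-0787": 7.8, "CVE-2020-1472": 10.0,
}

# The 2021 additions the advisory asks teams to prioritize (the article gives
# no CVSS for these). CVE-2018-13379 appears in both lists.
ADDED_2021 = {
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065",
    "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",
    "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104",
    "CVE-2021-21985", "CVE-2018-13379", "CVE-2020-12812", "CVE-2019-5591",
}
KNOWN_EXPLOITED = set(TOP_2020) | ADDED_2021

# Constructed scanner export (hypothetical columns: host, exposure, cve, cvss).
# CVE-0000-0000 is a placeholder standing in for any finding not in the advisory.
SAMPLE_SCAN = """host,exposure,cve,cvss
vpn-gw-01,internet,CVE-2019-11510,10.0
vpn-gw-01,internet,CVE-2021-22893,10.0
adc-edge-02,internet,CVE-2019-19781,9.8
dc-01,internal,CVE-2020-1472,10.0
wiki-int,internal,CVE-2019-11580,9.4
files-01,internal,CVE-2020-0787,7.8
build-07,internal,CVE-0000-0000,9.9
"""


def parse_scan(text):
    """Parse the CSV export into dicts, normalising CVE ids to 'CVE-YYYY-NNNN'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        cve = row["cve"].strip().upper()
        # Some exports (and the article's own table) write "CVE 2019-11510".
        cve = cve.replace("CVE ", "CVE-")
        rows.append({
            "host": row["host"].strip(),
            "exposure": row["exposure"].strip().lower(),
            "cve": cve,
            "cvss": float(row["cvss"]),
        })
    return rows


def prioritize(findings):
    """Return only findings that match the advisory, most urgent first.

    Sort key: internet-facing hosts before internal ones (the advisory singles
    out external-facing devices), then CVSS descending, then CVE id so the
    order is stable for ticketing.
    """
    hits = [f for f in findings if f["cve"] in KNOWN_EXPLOITED]
    return sorted(hits, key=lambda f: (f["exposure"] != "internet", -f["cvss"], f["cve"]))


def backlog_by_host(findings):
    """Group matched CVEs per host (in priority order) so each owner gets one ticket."""
    by_host = defaultdict(list)
    for f in prioritize(findings):
        by_host[f["host"]].append(f["cve"])
    return dict(by_host)


if __name__ == "__main__":
    for f in prioritize(parse_scan(SAMPLE_SCAN)):
        print(f"{f['host']:<12} {f['exposure']:<9} {f['cve']:<15} CVSS {f['cvss']}")
```

Run against a real export, the only part that needs changing is the column mapping in parse_scan; the CVE sets are the advisory's and can be extended as the agencies publish updates.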

Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, noted that the 12 most exploited vulnerabilities in 2020 include "pretty old" bugs from 2020 or even 2019 that are often still exploitable in 2021 "due to persistent shadow IT or poor IT asset inventory... [but] most... are not directly related to working from home (WFH) trend and are also perfectly exploitable in a cloud environment."

He added: "Worse, many organizations now migrate to the cloud in a rush and without proper training of their IT teams, leaving their infrastructure vulnerable to cloud-specific attack vectors (e.g. compromising instance metadata services). Many of the incidents caused by the top vulnerabilities could have been prevented by maintaining proper cybersecurity hygiene, such as implementing holistic asset inventory and attack surface monitoring programs, combined with an agile patch management process."
