Most exploited vulnerabilities 2022: Five Eyes’ list of CVEs comes with a twist in the tail

Two CVEs dominate attack traffic, and one of them will look very familiar. So will six others...

A Five Eyes list of the most exploited vulnerabilities in 2022 has uncanny parallels with 2021’s list: 58% of the software security flaws on it made a showing in the previous year’s list also, emphasising what an uphill battle remains to encourage organisations to patch or mitigate against even the most ubiquitously abused and widely flagged cybersecurity risks.

The new list of the most exploited vulnerabilities in 2022 – published early August 2023 by CISA and partner agencies – hints at a change of focus: Not by hackers, who remain attracted to the low hanging fruit of critical vulnerabilities for which exploits and metasploit modules et al are easily available; but by government authorities, who emphasise in the very first call-to-action of the advisory that vendors need to perform better…


Cloudflare’s researchers note that their telemetry shows: “Two CVEs mentioned in the CISA report are responsible for the vast majority of attack traffic seen in the wild: Log4J (CVE-2021-44228) and Atlassian Confluence Code Injection” (CVE-2022-26134).

“Vendors, designers, and developers [should] implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software… Follow the Secure Software Development Framework and implement secure design practices into each stage of the software development life cycle [and] establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities,” CISA and partners said; a notable addition given that 2021’s advisory did not even include the word “vendors”.

(The advisory’s early emphasis on demanding “secure by design” software harks back to some of the key pillars of 2019’s cross-party US “Solarium Commission”, which had highlighted a need to “incentivize product manufacturers to scrap a ‘first to market’ mentality” and which warned industry bluntly that the “aggregated vulnerability assumed by [vendors] has created a significant national concern: rampant insecurity that passes costs of billions of dollars to downstream consumers and that has the potential both to disrupt our day-to-day life and to undermine public confidence in and the effectiveness of key institutions…”)


The Commission’s proposal that “Congress… pass a law establishing that final goods assemblers of software, hardware, and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities for as long as they support a product or service” looks unlikely to happen.

But the new list does suggest that vendors pushing out porous software without even the most rudimentary fuzzing and security testing may find themselves increasingly in the spotlight, and possibly in hot water, in future.

The 12 most exploited vulnerabilities of 2022

(CVEs marked with * also featured in 2021's "most exploited" list)

| Vendor | CVE | Type | Severity | Exploit info |
|---|---|---|---|---|
| Apache Log4J | CVE-2021-44228 * | RCE | CVSS 10 | Exploit |
| Zoho ManageEngine | CVE-2021-40539 * | RCE | CVSS 9.8 | Exploit |
| Microsoft | CVE-2021-34523 * | EOP | CVSS 9.8 | Exploit |
| Microsoft | CVE-2021-34473 * | RCE | CVSS 9.8 | Exploit |
| Microsoft | CVE-2021-31207 * | Security feature bypass | CVSS 7.2 | Exploit |
| Atlassian | CVE-2021-26084 * | Arbitrary code execution | CVSS 9.8 | Exploit |
| VMware | CVE-2022-22954 | RCE | CVSS 9.8 | Exploit |
| VMware | CVE-2022-22960 | Improper privilege management | CVSS 7.8 | Exploit |
| F5 Networks | CVE-2022-1388 | Missing authentication | CVSS 9.8 | Exploit |
| Microsoft | CVE-2022-30190 | RCE | CVSS 7.8 | Exploit |
| Fortinet | CVE-2018-13379 * | Path traversal | CVSS 9.8 | Exploit |
| Atlassian | CVE-2022-26134 | RCE | CVSS 9.8 | Exploit |

Note: Exploit links shared for Red Team research purposes only and not tested by The Stack. Handle with care and always play safely in a sandboxed environment.

CISA warned that software companies’ business leaders should take “proactive steps to eliminate entire classes of security vulnerabilities, rather than… one-off patches when new vulnerabilities are discovered.”

The most exploited vulnerabilities in 2022 advisory from CISA urged vendors to “perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified… Implement appropriate mitigations to eliminate those classes of vulnerability [e.g.] if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries… [use] static and dynamic application security testing tools to analyze product source code and application behavior to detect error-prone practices.”
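As an added illustration of the advisory's "eliminate the whole class" point (example code written for this article, not from CISA or The Stack), the block below runs the same input through a string-concatenated query and a parameterized one against a constructed in-memory SQLite table, then shows a toy static check of the kind the advisory alludes to, flagging `execute()` calls that build SQL text from user input. The table contents, the helper names and the regex are all assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: three users, one of them privileged.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concat(conn, name):
    # The error-prone pattern: input is spliced into the SQL text itself,
    # so the database parses whatever the caller supplied as part of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_param(conn, name):
    # The class-eliminating pattern: the driver binds `name` as a value;
    # it can never change the shape of the statement.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(r[0] for r in conn.execute(sql, (name,)))


def compare(name):
    # Returns (rows from the concatenated query, rows from the parameterized one).
    conn = make_db()
    return lookup_concat(conn, name), lookup_param(conn, name)


# Toy static check (hypothetical, not a real SAST tool): flag execute() calls whose
# first argument is an f-string, a string literal followed by "+", or a %-format.
SQL_CONCAT = re.compile(r'execute\(\s*(f["\']|["\'][^"\']*["\']\s*\+|.*%\s*\()')


def flag_concat_sql(source):
    # Returns 1-based line numbers of suspicious execute() calls.
    return [i for i, line in enumerate(source.splitlines(), 1)
            if SQL_CONCAT.search(line)]


# Constructed source snippet for the static check.
SAMPLE_SOURCE = '''cur.execute("SELECT * FROM t WHERE id = " + uid)
cur.execute(f"SELECT * FROM t WHERE id = {uid}")
cur.execute("SELECT * FROM t WHERE id = ?", (uid,))
'''
```

With an ordinary name both lookups agree; with a crafted value the concatenated query leaks every row while the parameterized one returns nothing, which is exactly why a per-query patch leaves the class open and a codebase-wide rule closes it.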

The full advisory is here.
