Replace warn

ARS Technica: Feds List The Top 30 Most Exploited Vulnerabilities. Many Are Years Old

Read the original article at ARS Technica

Author: Dan Goodin

Hackers continue to exploit publicly known—and often dated—software vulnerabilities.

Government officials in the US, UK, and Australia are urging public- and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other network-perimeter devices are patched against the most widespread exploits.

In a joint advisory published Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the top 30 or so most exploited vulnerabilities. The vulnerabilities reside in a host of devices or software marketed by the likes of Citrix, Pulse Secure, Microsoft, and Fortinet.

“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the advisory stated. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”

What, me patch?


Four of the most targeted vulnerabilities last year resided in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in the number of work-from-home employees driven by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.

Discovery dates of the top four vulnerabilities ranged from 2018 to 2020, an indication of how common it is for many organizations using the affected devices to withhold applying security patches. The security flaws include CVE-2019-19781, a remote code-execution bug in Citrix’s application delivery controller (which customers use to perform load balancing of inbound application traffic); CVE 2019-11510, which allows attackers to remotely read sensitive files stored by the Pulse Secure Pulse Connect Secure VPN; CVE 2018-13379, a path-traversal weakness in VPNs made by Fortinet; and CVE 2020-5902, a code-execution vulnerability in the BIG-IP advanced delivery controller made by F5.

Breaching the gate


The vulnerabilities—all of which have received patches from vendors—have provided the opening vector from an untold number of serious intrusions. For instance, according to an advisory the US government issued in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.

That same month, word emerged that a different set of hackers was also exploiting CVE-2018-13379. In one case, the hackers allowed ransomware operators to seize control of two production facilities belonging to a European manufacturer.

The officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. The vulnerabilities are:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  • VMware: CVE-2021-21985

The advisory provides technical details for each vulnerability, mitigation guidance, and indicators of compromise to help organizations determine if they’re vulnerable or have been hacked. The advisory also provides guidance for locking down systems.