Cloud Hosting

SUMMARY

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisoryincluding the followingto reduce the risk of compromise by malicious cyber actors.

Download the PDF version of this report:

In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosurethe value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).

Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilitieslisted in Table 2that were also routinely exploited by malicious cyber actors in 2022.

The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:

For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.

The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISAs Cross-Sector Cybersecurity Performance Goals for more information on CPGs, including additional recommended baseline protections.

The information in this report is being provided as is for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

[1] Apache Log4j Vulnerability Guidance

August 3, 2023: Initial version.

CVE

Vendor

Affected Products and Versions

Patch Information

Resources

CVE-2017-0199

Microsoft

Multiple Products

Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows

CVE-2017-11882

Microsoft

Office, Multiple Versions

Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882

CVE-2018-13379

Fortinet

FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6

FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests

Joint CSAs:

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

CVE-2019-11510

Ivanti

Pulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12

SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

CISA Alerts:

Continued Exploitation of Pulse Secure VPN Vulnerability

Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

ACSC Advisory:

2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software

Joint CSA:

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

CCCS Alert:

APT Actors Target U.S. and Allied Networks - Update 1

CVE-2019-0708

Microsoft

Remote Desktop Services

Remote Desktop Services Remote Code Execution Vulnerability

CVE-2019-19781

Citrix

ADC and Gateway version 13.0 all supported builds before 13.0.47.24

NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12

SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b

CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance

Joint CSAs:

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

CCCS Alert:

Detecting Compromises relating to Citrix CVE-2019-19781

CVE-2020-5902

F5

BIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5

K52145254: TMUI RCE vulnerability CVE-2020-5902

CISA Alert:

Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902

CVE-2020-1472

Microsoft

Windows Server, Multiple Versions

Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472

ACSC Advisory:

2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Joint CSA:

APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

CCCS Alert:

Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1

CVE-2020-14882

Oracle

WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Oracle Critical Patch Update Advisory - October 2020

CVE-2020-14883

Oracle

WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Oracle Critical Patch Update Advisory - October 2020

CVE-2021-20016

SonicWALL

SSLVPN SMA100, Build Version 10.x

Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x

CVE-2021-26855

Microsoft

Exchange Server, Multiple Versions

Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855

CISA Alert:

See more here:
2022 Top Routinely Exploited Vulnerabilities - CISA