Five Eyes reveals 15 most exploited vulnerabilities of 2021

A joint cybersecurity advisory highlighted the most commonly exploited flaws of 2021 and urged enterprises to implement timely patching protocols.

Issued as a warning, the Five Eyes released a statement Wednesday revealing which common vulnerabilities and exposures (CVEs) posed the biggest threat to enterprises in 2021 with risks continuing into 2022. While there were 15 overall, some of the most concerning bugs highlighted by the agencies included Log4Shell, ProxyLogon, ProxyShell and a flaw tracked as CVE-2021-26084 that affected Atlassian Confluence Server and Data Center.

Three additional vulnerabilities have been an ongoing issue since 2020, indicating a troublesome trend when it comes to applying updates.

That includes a Fortinet flaw published in 2019 tracked as CVE-2018-13379 and a bug known as CVE-2019-11510 that affected Pulse Secure's virtual private network products. Lastly, the advisory listed CVE-2020-1472, also known as Zerologon, an escalation-of-privilege vulnerability discovered in Microsoft's Netlogon Remote Protocol. Microsoft confirmed in-the-wild exploitation in 2020.

"Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors," the advisory said.

To further support that claim and highlight the ongoing patching problem, the advisory addressed concerns when it comes to proof-of-concept (POC) releases. While POCs offer valuable insight into a flaw that can help organizations protect against exploitation, threat actors can leverage those details in malicious attacks.

"For most of the top exploited vulnerabilities, researchers or other actors released [POC] code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors," the advisory said.

Determining the right level of transparency is a controversial topic, as opinions differ among researchers, organizations and law enforcement. Log4Shell's timeline represents one side of the coin. Disclosed in 2021, the flaw in Apache's Log4j library allowed an "actor to take full control over the system."

"The rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch," the advisory said.

Cisco Talos released Tuesday its Quarterly Report, which put Log4j exploitation as the second most commonly observed threat for the first quarter of 2022, right behind ransomware. The security vendor even warned of possible exploitation by APT actors.

In a report updated this month, Yotam Perkal, head of vulnerability research as Rezilion, referred to Log4Shell as "one of the most critical vulnerabilities in recent years." He analyzed Log4Shell activity four months after disclosure and found that as of April 20, "36% of the Log4j versions actively downloaded from Maven Central," a code repository, remained vulnerable. Additionally, he noted the problem extends beyond the "significant attack surface that remains vulnerable" as active exploitation attempts are ongoing.

"We believe that one of the main reasons we still see a high number of vulnerable component downloads is the fact that people are unknowingly still using software that relies on vulnerable versions of Log4j," Perkal wrote in the report.

Perkal also attributed it to inefficient vulnerability management, a lack of visibility and the use of vulnerable third-party software. Often, security teams have trouble prioritizing and keeping pace with the overwhelming number of flaws.

That is why prioritizing patching known exploited vulnerabilities, particularly the ones identified in the advisory, was a main mitigation step recommended by CISA and authorities from the U.K., Australia, New Zealand and Canada. Additionally, the co-authors advised system and software updates must be done in a "timely manner" and suggested the use of a centralized patch management system.