Top Routinely Exploited Vulnerabilities | CISA
This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).
This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.
Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.
Click here for a PDF version of this report.
Key Findings
In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.
Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organization to conduct rigorous patch management.
CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020.
Table 1:Top Routinely Exploited CVEs in 2020
|
Vendor |
CVE |
Type |
|---|---|---|
|
Citrix |
CVE-2019-19781 |
arbitrary code execution |
|
Pulse |
CVE 2019-11510 |
arbitrary file reading |
|
Fortinet |
CVE 2018-13379 |
path traversal |
|
F5- Big IP |
CVE 2020-5902 |
remote code execution (RCE) |
|
MobileIron |
CVE 2020-15505 |
RCE |
|
Microsoft |
CVE-2017-11882 |
RCE |
|
Atlassian |
CVE-2019-11580 |
RCE |
|
Drupal |
CVE-2018-7600 |
RCE |
|
Telerik |
CVE 2019-18935 |
RCE |
|
Microsoft |
CVE-2019-0604 |
RCE |
|
Microsoft |
CVE-2020-0787 |
elevation of privilege |
|
Netlogon |
CVE-2020-1472 |
elevation of privilege |
In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.
CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.
Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.
2020 CVEs
CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE 2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[1][2][3] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis.CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix’s Application Delivery Controller (ADC)—a load balancing application for web, application, and database servers widely use throughout the United States.[4][5] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[6]
Identified as emerging targets in early 2020,[7] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379[8][9], in VPN services[10][11] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[12][13]
The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorized credentials for all users on a compromised Pulse VPN server and can retain unauthorize access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[14][15][16][17]
2021 CVEs
In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited.
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- See CISA’s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- See CISA’s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
- See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.
- VMware: CVE-2021-21985
- See CISA’s Current Activity: Unpatched VMware vCenter Software for more information and guidance.
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
- See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations.
Mitigations and Indicators of Compromise
One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible.
Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crow, a centralized identity management and application (CVE-2019-11580) in its reported operations. A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set.
Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.
Tables 2–14 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020.
Note: The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE.
Table 2: CVE-2019-19781 Vulnerability Details
|
Citrix Netscaler Directory Traversal (CVE-2019-19781) |
|
|---|---|
|
Vulnerability Description |
CVSS 3.02 Critical |
|
Vulnerability Discussion, IOCs, and Malware Campaigns The lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). In this instance, Citrix ADC maintains a vulnerable Perl script ( Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability. |
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods |
|
|
Vulnerable Technologies and Versions |
|
|
References and Additional Guidance |
|
Table 3: CVE 2019-11510 Vulnerability Details
Table 4: CVE 2018-13379 Vulnerability Details
Table 5: CVE-2020-5902 Vulnerability Details
| F5 Big IP Traffic Management User Interface (CVE-2020-5902) | |
|---|---|
|
Vulnerability Description |
CVSS 3.0 |
|
Vulnerability Discussion, IOCs, and Malware Campaigns |
Fix Upgrade to Secure Versions Available |
|
Recommended Mitigations
|
|
| Detection Methods | |
|
Vulnerable Technologies and Versions |
|
| References | |
Table 6: CVE-2020-15505 Vulnerability Details
| MobileIron Core & Connector (CVE-2020-15505) | |
|
Vulnerability Description MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors. |
CVSS 3.0 Critical |
|
Vulnerability Discussion, IOCs, and Malware Campaigns CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors. Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access. |
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods
|
|
|
Vulnerable Technologies and Versions MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable. |
|
|
References |
|
Table 7: CVE-2020-0688 Vulnerability Details
Table 8: CVE-2019-3396 Vulnerability Details
Table 9: CVE 2017-11882 Vulnerability Details
| Microsoft Office Memory Corruption (CVE 2017-11882) | |
|
Vulnerability Description Microsoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the “Microsoft Office Memory Corruption Vulnerability.” Cyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phasing campaigns, and it enables RCE on vulnerable systems. |
CVSS 3.0 High |
|
Vulnerability Discussion, IOCs, and Malware Campaigns Microsoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by Data execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which Multiple cyber espionage campaigns have taken advantage of this vulnerability. CISA has noted CVE-2017-11882 being exploited to deliver LokiBot malware. |
Fix |
|
Recommended Mitigations |
|
|
Detection Methods
|
|
|
Vulnerable Technologies and Versions
|
|
|
References |
|
Table 10: CVE 2019-11580 Vulnerability Details
| Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE 2019-11580) | |
|
Vulnerability Description Atlassian Crowd and Crowd Data Center had the |
CVSS 3.0 Critical |
|
Vulnerability Discussion, IOCs, and Malware Campaigns Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center. |
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods |
|
|
Vulnerable Technologies and Versions All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability. |
|
|
References |
|
Table 11: CVE 2018-7600 Vulnerability Details
| Drupal Core Multiple Remote Code Execution (CVE 2018-7600) | |
|
Vulnerability Description Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. |
CVSS 3.0 Critical |
|
Vulnerability Discussion, IOCs, and Malware Campaigns An RCE vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system. Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining. |
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods |
|
|
Vulnerable Technologies and Versions
|
|
|
References |
|
Table 12: CVE 2019-18935 Vulnerability Details
| Telerik UI for ASP.NET AJAX Insecure Deserialization (CVE 2019-18935) | |
|
Vulnerability Description Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability. |
CVS 3.0 Critical |
|
Vulnerability Discussion, IOCs, and Malware Campaigns The Telerik UI does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise. A vulnerable
There were two malware campaigns associated with this vulnerability:
|
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods
|
|
|
Vulnerable Technologies and Versions Telerik UI for ASP.NET AJAX versions prior to R1 2020 (2020.1.114) are affected. |
|
|
References |
|
Table 13: CVE-2019-0604 Vulnerability Details
| Microsoft SharePoint Remote Code Execution (CVE-2019-0604) | |
|
Vulnerability Description A vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers. |
CVSS 3.0 Critical |
|
Vulnerability Discussion, IOCs, and Malware Campaigns This vulnerability was typically exploited to install webshell malware to vulnerable hosts. A webshell could be placed in any location served by the associated Internet Information Services (IIS) web server and did not require authentication. These web shells would commonly be installed in the Layouts folder within the Microsoft SharePoint installation directory, for example:
The The exploit was used in malware phishing and the WickrMe/Hello Ransomware campaigns. |
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods
|
|
|
Vulnerable Technologies and Versions At the time of the vulnerability release, the following Microsoft SharePoint versions were affected: Microsoft Sharepoint 2019, Microsoft SharePoint 2016, Microsoft SharePoint 2013 SP1, and Microsoft SharePoint 2010 SP2. |
|
|
References |
|
Table 14: CVE-2020-0787 Vulnerability Details
| Windows Background Intelligent Transfer Service Elevation of Privilege (CVE-2020-0787) | |
|
Vulnerability Description The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges. |
CVSS 3.0 High |
|
Vulnerability Discussion, IOCs, and Malware Campaigns To exploit this vulnerability, an actor would first need to have the ability to execute arbitrary code on a vulnerable Windows host. Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher who discovered the vulnerability. If an actor left the proof of concept exploit’s working directories unchanged, then the presence of the following folders could be used as an indicator of exploitation:
The exploit was used in Maze and Egregor ransomware campaigns. |
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods
|
|
|
Vulnerable Technologies and Versions Windows 7 for 32-bit and x64-based Systems Service Pack 1, 8.1 for 32-bit and x64-based systems, RT 8.1, 10 for 32-bit and x64-based Systems, 10 1607 for 32-bit and x64-based Systems, 10 1709 for 32-bit and x64-based and ARM64-based Systems, 10 1803 for 32-bit and ARM64-based and x64-based Systems, 10 1809 for 32-bit and ARM64-based and x64-based Systems, 10 1903 for 32-bit and ARM64-based and x64-based Systems, 10 1909 for 32-bit, and ARM64-based and x64-based Systems are vulnerable. Windows Server 2008 R2 for x64-based Systems Service Pack 1, 2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation), 2008 for 32-bit Systems Service Pack 2, 2008 for 32-bit Systems Service Pack 2 (Server Core Installation), 2012, 2012 (Server Core Installation), 2012 R2, 2012 R2 (Server Core Installation), 2016, 2016 (Server Core Installation), 2019, 2019 (Server Core Installation), 1803 (Server Core Installation), 1903 (Server Core Installation), and 1909 (Server Core Installation) are also vulnerable. |
|
|
References |
|
Table 15: CVE-2020-1472 Vulnerability Details
| Netlogon Elevation of Privilege (CVE-2020-1472) | |
|
Vulnerability Description The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (VI) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer including a domain controller, and potentially obtain domain administrator privileges. |
CVSS 3.0 Critical |
|
Vulnerability Discussion, IOCs, and Malware Campaigns To exploit this vulnerability, an actor would first need to have an existing presence on an internal network with network connectivity to a vulnerable Domain Controller, assuming that Domain Controllers are not exposed to the internet. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts. Threat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks. A nation-state APT group has been observed exploiting this vulnerability.[18] |
Fix |
|
Recommended Mitigations
|
|
|
Detection Methods
|
|
|
Vulnerable Technologies and Versions At the time of the vulnerability release, the following Microsoft Windows Server versions were vulnerable: all versions of Windows Server 2019; all versions of Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; and Windows Server versions 1909/1903/1809. |
|
|
References |
|
For additional general best practices for mitigating cyber threats, see the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity and ACSC’s Essential Eight mitigation strategies.
Additional Resources
Free Cybersecurity Services
CISA offers several free cyber hygiene vulnerability scanning and web application services to help U.S. federal agencies, state and local governments, critical infrastructure, and private organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. For more information about CISA’s free services, or to sign up, email [email protected].
Cyber Essentials
CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
Cyber.gov.au
ACSC’s website provides advice and information about how to protect individuals and families, small- and medium-sized businesses, large organizations and infrastructure, and government organizations from cyber threats.
ACSC Partnership Program
The ACSC Partnership Program enables Australian organizations and individuals to engage with ACSC and fellow partners, drawing on collective understanding, experience, skills, and capability to lift cyber resilience across the Australian economy.
Australian organizations, including government and those in the private sector as well individuals, are welcome to sign up at Become an ACSC partner to join.
NCSC 10 Steps
The NCSC offers 10 Steps to Cyber Security, providing detailed guidance on how medium and large organizations can manage their security.
On vulnerabilities specifically, the NCSC has guidance to organizations on establishing an effective vulnerability management process, focusing on the management of widely available software and hardware.
