balloon close to a cactus

2022’s most routinely exploited vulnerabilities—history repeats

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the 2022 Top Routinely Exploited Vulnerabilities.

We went over the list and it felt like a bad trip down memory lane. If you adhere to the expression “those who ignore history are doomed to repeat it” then you may consider the list as a valuable resource that you can derive lessons from. Unfortunately as George Bernard Shaw said:

“We learn from history that we learn nothing from history.”

But since that’s a self-contradicting expression, let’s assume there are lessons to be learned.

Last year’s top vulnerabilities

First let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use the CVE codes to uniquely identify the covered vulnerabilities.

  • CVE-2021-40539 is a REST API authentication bypass vulnerability in ManageEngine’s single sign-on (SSO) solution which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. Noteworthy is that this vulnerability also made it into the top 5 routinely exploited vulnerabilities of 2021.
  • CVE-2021-44228, aka Log4Shell, is a vulnerability in Apache’s Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.
  • CVE-2018-13379 is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.
  • ProxyShell is a combination of three vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. Proxyshell also made it into the top 5 routinely exploited vulnerabilities of 2021.
  • CVE-2021-26084 is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021 and also made it into the top 5 routinely exploited vulnerabilities of 2021.

Looking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year’s list. Let’s take a stab at that. So we’re looking for easy to overlook and/or hard to patch vulnerabilities in the 2022 list that we haven’t already covered above.

This year’s top vulnerabilities?

These are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.

  • CVE-2022-22954, CVE-2022-22960 are two vulnerabilities that can be chained to allow Remote Code Execurion (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these VMware vulnerabilities began in early 2022 and attempts continued throughout the remainder of the year.
  • CVE-2022-26134 is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.
  • CVE-2022-1388 is a vulnerability in the F5 BIG IP platform that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.
  • CVE-2022-30190, aka Follina, is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.

So I was hoping we can strike a deal. I’ll check next year how well this prediction does and you all patch these vulnerabilities real quick, so I can write about some new ones next year.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.