Legacy Flaws Dominate Top 12 Vulnerabilities List

Security agencies from the Five Eyes intelligence alliance yesterday released their list of the 12 most exploited vulnerabilities of 2022, highlighting that most of them were also on the previous year’s list.

The report comes from the US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC) and their counterparts in Canada, Australia and New Zealand.

It comes alongside a fresh warning to organizations to patch promptly, given that threat actors continue to exploit legacy vulnerabilities in large numbers.

“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure – the value of such vulnerabilities gradually decreases as software is patched or upgraded,” explained CISA.

“Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber-actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).”

In total, seven of the 12 vulnerabilities listed were from 2021 or earlier. The most frequently exploited last year, CVE-2018-13379, was fixed four years ago by Fortinet and impacts its FortiOS and FortiProxy SSL VPN product. It was also “routinely exploited” in 2020 and 2021, according to the advisory.

“While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, widespread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years,” CISA continued.

“Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.”

The report also provides technical information on a further 30 commonly exploited vulnerabilities, as well as mitigation advice designed to reduce the risk of compromise.

“To bolster resilience, we encourage organizations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers,” said NCSC director of resilience and future technology, Jonathon Ellison.
