Top 30 most exploited software vulnerabilities being used today

October 12, 2021 by Kurt Ellzey

For all the attention given to zero-days, custom-crafted malware and other previously unknown threats, many vulnerabilities have been around for years and are still widely exploited. To showcase this, the FBI (United States Federal Bureau of Investigation), CISA (United States Cybersecurity and Infrastructure Security Agency), ACSC (Australian Cyber Security Centre) and NCSC (United Kingdom National Cyber Security Centre) issued a Joint Cybersecurity Advisory. In this Advisory, they broke down the top 30 vulnerabilities used in 2020 and 2021.

Many of these vulnerabilities have been around for years, despite manufacturers' and developers' best efforts. As the "PrintNightmare" vulnerability in Microsoft's Print Spooler shows, just because something is known does not mean that it is easily eliminated.

Accellion

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2021-27101 (NVD & MITRE) | Accellion, FTA | SQL Injection | Requires Version Upgrade |
| CVE-2021-27102 (NVD & MITRE) | Accellion, FTA | OS Command Execution | Requires Version Upgrade |
| CVE-2021-27103 (NVD & MITRE) | Accellion, FTA | Server Side Request Forgery (SSRF) | Requires Version Upgrade |
| CVE-2021-27104 (NVD & MITRE) | Accellion, FTA | OS Command Execution | Requires Version Upgrade |

It's very important to remember while going down this list that every vulnerability in this article was considered “critical” at some point, and all of them have been used extensively. The major takeaway, therefore, is that if you're using a product listed here, you should make sure it is patched immediately.

The FTA server mentioned here is primarily used for transferring very large files. The program itself has been updated for over 20 years and has been in sunset status since 2018. It is considered End-of-Life as of April 30, 2021, with Accellion's Kiteworks software taking over. All four of the vulnerabilities mentioned were announced in the same package, each a different vulnerability type.

Qualys was one of the higher-profile organizations to be impacted by this vulnerability, with an FTA server in their DMZ compromised. Their account of the events and what took place, as told by their CISO Ben Carr, can be found here.

Atlassian

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2019-3396 (NVD & MITRE) | Atlassian, Confluence Server and Data Center Widget Connector | Server-Side Template Injection | Patch Available |
| CVE-2019-11580 (NVD & MITRE) | Atlassian, Crowd and Crowd Data Center | Remote Code Execution (RCE) | Patch Available |

Confluence server is a wiki-style collaboration environment. By leveraging a “widget connector macro” in a vulnerable version of the software, malicious users would be able to explore directories on the server, deploy templates and achieve remote code execution.

This particular vulnerability has been used to deploy both cryptocurrency mining software and ransomware.

Crowd and Crowd Data Center are both identity management systems that provide single sign-on services, which can assist with authentication across multiple platforms through a central provider. The production versions of these programs had a development plugin known as pdkinstall enabled incorrectly by default. Through this vulnerability, malicious users could install their own plugins, creating the remote code execution scenario.

Security researcher Corben Leo has a full walkthrough available on their site on how they exploited this vulnerability here.

Citrix

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2019-19781 (NVD & MITRE) | Citrix, Netscaler Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliance | Remote Code Execution (RCE) and Full System Compromise | Patch Available |

During the COVID-19 pandemic, the shift to remote work was swift and in many cases, unplanned. This meant that many organizations were deploying potentially untested remote access systems in an incompletely configured state. As such, this vulnerability was the most exploited flaw in 2020.

Researchers at Carnegie Mellon University were able to show that the software did not restrict access to a particular section of scripts in a directory called “vpns”, which was made accessible via directory traversal. Once they were in this directory, they could perform remote code execution of their own design.

Drupal

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2018-7600 (NVD & MITRE) | Drupal, Core | Remote Code Execution (RCE) | Patch Available |

Drupal is used by many as a content management system (CMS) for websites and wikis. The vulnerability involves the way that Drupal processes request parameters. According to Tenable, malicious users can use this to deploy payloads to the system without input sanitization because it accepts parameters in arrays.

It is potentially possible to exploit both the application and the Host OS. Despite the severity of the issue, there are still many unpatched systems, even though patches have been available since mid-2018.

F5

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2020-5902 (NVD & MITRE) | F5, BIG-IP Traffic Management User Interface (TMUI) | Remote Code Execution (RCE) | Requires Version Upgrade |

BIG-IP provides load balancing, firewall functions and DNS services. Through this vulnerability, malicious users would be able to access configuration functions of the applications, along with running code of their choosing.

As with many other configuration utilities, however, allowing access to upper-level controls only from particular IPs provides a quick workaround while permanent fixes are put in place. This particular takeaway is very important across multiple vendors.

Fortinet

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2018-13379 (NVD & MITRE) | Fortinet, Secure Socket Layer (SSL) VPN | Directory Traversal | Patch Available |
| CVE-2019-5591 (NVD & MITRE) | Fortinet, Secure Socket Layer (SSL) VPN | Server Impersonation | Solution Available |
| CVE-2020-12812 (NVD & MITRE) | Fortinet, Secure Socket Layer (SSL) VPN | 2FA Bypass | Requires Version Upgrade |

For reasons similar to those reported above with Citrix, Fortinet's SSL VPN offerings exploded in use during 2020, making them a very tempting target for attackers. All three of these issues revolve around that Remote Access offering, each with a very different effect.

The 2018 vulnerability permitted malicious users to move to directories containing system files from the FortiOS web portal but not necessarily upload their own. While that may not sound as bad as some other vulnerabilities, according to the researchers credited with the discovery, Devcore's Orange Tsai and Meh Chang, it permits “pre-auth arbitrary file reading,” or more specifically, they could potentially read password databases and other sensitive data.
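The directory traversal described here and in the Citrix section above can be hunted for in web access logs. The following is an added example, not code from the advisory or from either vendor: it normalises each request path and flags requests whose dot segments resolve into a restricted directory. The log lines, the "/portal/" prefix and the file names are constructed; "/vpns/" is the directory named in the Citrix section.

```python
import posixpath
import re
from urllib.parse import unquote

# "/vpns/" comes from the text; treating it as off-limits is an assumption.
RESTRICTED_PREFIXES = ("/vpns/",)
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IPs, placeholder paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2020:09:14:02 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2020:09:14:05 +0000] "GET /portal/../vpns/example.conf HTTP/1.1" 200 941',
    '203.0.113.9 - - [10/Jan/2020:09:15:40 +0000] "POST /portal/%2e%2e/vpns/example.pl HTTP/1.1" 200 77',
    '203.0.113.9 - - [10/Jan/2020:09:16:01 +0000] "GET /docs/../index.html?ref=.. HTTP/1.1" 200 300',
]

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable so nested encodings of '.' and '/' surface."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(target):
    """Return (resolved_path, verdict) for one request target."""
    decoded = fully_decode(target.split("?", 1)[0])   # the query string is not a path
    resolved = "/" + posixpath.normpath(decoded).lstrip("/")
    if decoded.endswith("/") and resolved != "/":
        resolved += "/"
    has_dotdot = ".." in decoded.split("/")
    restricted = resolved.startswith(RESTRICTED_PREFIXES)
    if has_dotdot and restricted:
        return resolved, "traversal-into-restricted"
    if has_dotdot:
        return resolved, "traversal"
    return resolved, "restricted-direct" if restricted else "ok"

def scan(lines):
    """Return (line_number, verdict, resolved_path) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            resolved, verdict = classify(match.group("target"))
            if verdict != "ok":
                hits.append((number, verdict, resolved))
    return hits
```

Calling scan(SAMPLE_LOG) returns the three flagged requests; a 200 status on a "traversal-into-restricted" hit is the one to triage first.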

The 2019 vulnerability could allow users on the same local subnet to impersonate the LDAP authentication server and potentially obtain sensitive data. James Renken of the Internet Security and Research Group, who was one of the discoverers of this vulnerability, reiterated how quickly access could spread through stolen credentials if used in multiple locations.

The 2020 vulnerability could allow users to bypass 2 Factor Authentication requirements if they changed their username's case (uppercase/lowercase). If, for example, a malicious user leveraged the 2018 vulnerability to obtain credentials, they could then use this vulnerability to gain full access without requiring a 2FA token.
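The case-change bypass described above comes down to two components disagreeing about whether two spellings name the same account. The following added example is a constructed Python model, not Fortinet's code: it shows an exact-match 2FA lookup beside a hardened one, plus a log check for case-variant logins. The account, password, token and all function names are hypothetical.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data (hypothetical account, not from any real system).
DIRECTORY = {"jsmith": "correct horse"}   # password backend, folds case
TWO_FACTOR_USERS = {"jsmith": "492817"}   # 2FA policy table: user -> expected token


@dataclass
class Result:
    authenticated: bool
    second_factor_checked: bool


def _password_ok(username, password):
    # The backend treats "JSmith" and "jsmith" as the same account.
    stored = DIRECTORY.get(username.casefold())
    return stored is not None and hmac.compare_digest(stored, password)


def _finish(expected, token):
    if expected is None:                  # no 2FA policy found for this name
        return Result(True, False)
    ok = token is not None and hmac.compare_digest(expected, token)
    return Result(ok, True)


def login_vulnerable(username, password, token=None):
    if not _password_ok(username, password):
        return Result(False, False)
    # Flaw: exact-match policy lookup, so "JSmith" has no 2FA entry.
    return _finish(TWO_FACTOR_USERS.get(username), token)


def login_hardened(username, password, token=None):
    # Canonicalise once and use that identity for every decision.
    canonical = username.casefold()
    if not _password_ok(canonical, password):
        return Result(False, False)
    return _finish(TWO_FACTOR_USERS.get(canonical), token)


def case_variant_logins(events):
    """Detection: successful logins that match a 2FA user only after case folding."""
    return [name for name, ok in events
            if ok and name not in TWO_FACTOR_USERS
            and name.casefold() in TWO_FACTOR_USERS]
```

The detection helper takes (username, success) pairs as they would be parsed from an authentication log, which is an assumed format.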

Microsoft

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2017-11882 (NVD & MITRE) | Microsoft, Office | Remote Code Execution (RCE) | Patch Available |
| CVE-2019-0604 (NVD & MITRE) | Microsoft, SharePoint | Remote Code Execution (RCE) | Patch Available |
| CVE-2020-0688 (NVD & MITRE) | Microsoft, Exchange | Remote Code Execution (RCE) | Patch Available |
| CVE-2020-0787 (NVD & MITRE) | Microsoft, Background Intelligent Transfer Service (BITS) | Privilege Elevation | Patch Available |
| CVE-2020-1472 (NVD & MITRE) | Microsoft, Netlogon | Privilege Elevation | Patch Available |
| CVE-2021-26855 (NVD & MITRE) | Microsoft, Exchange | Remote Code Execution (RCE) | Patch Available |
| CVE-2021-26857 (NVD & MITRE) | Microsoft, Exchange | Remote Code Execution (RCE) | Patch Available |
| CVE-2021-26858 (NVD & MITRE) | Microsoft, Exchange | Remote Code Execution (RCE) | Patch Available |
| CVE-2021-27065 (NVD & MITRE) | Microsoft, Exchange | Remote Code Execution (RCE) | Patch Available |

Microsoft's Windows Operating Systems, Office productivity software, SharePoint Content Management System and Exchange Email server products power many enterprises. The 2017 Office vulnerability allows a malicious user to distribute a file to a legitimate user, which is then opened in the Office suite programs or the standalone WordPad application. Once the user opens the file, whatever code the malicious user wishes will run with the logged-on user's permissions. This is very similar in concept to the 2019 SharePoint vulnerability, where code could be run with the credentials of the SharePoint app pool and server farm accounts.

The Background Intelligent Transfer Service (BITS) powers a great deal of the updating functionality for Windows. Using this vulnerability, a malicious user who already has access to the system could elevate their permissions to control the entire local computer.

Netlogon allows for authentication of users and computers that are members of Microsoft's Active Directory Domain structure. Exploiting the vulnerability could allow someone to impersonate a Domain Controller and potentially acquire Domain Administrator privileges.

The 2020 Exchange vulnerability is caused by an Exchange Control Panel web app issue in Exchange 2019. The problem revolves around cryptographic keys, specifically that Exchange doesn't generate a new key at install time. If a malicious user has access to the default keys, they can cause Exchange to decrypt their data. This can lead to remote code execution as SYSTEM, the highest permission level on the server.

The 2021 Exchange vulnerabilities, on the other hand, are part of an attack chain. According to a blog post from Microsoft Corporate Vice President of Customer Security and Trust Tom Burt, the attack contains three steps: "First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who would have access. Second, it would create what's called a web shell to control the compromised server remotely. Third, it would use that remote access - run from the U.S.-based private servers - to steal data from an organization's network."

MobileIron

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2020-15505 (NVD & MITRE) | MobileIron, Core & Connector, Sentry, Monitor and Reporting Database (RDB) | Remote Code Execution (RCE) | Patch Available |

MobileIron provides many services dealing with Mobile Device Management. Again, Devcore's Orange Tsai discovered a vulnerability in the MobileIron Core product that could allow a malicious user to execute their code without authentication. After confirming the vulnerability, MobileIron expanded its review and discovered several other products that also had this issue.

Pulse Secure

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2019-11510 (NVD & MITRE) | Pulse Secure, Connect Secure and Policy Secure | Arbitrary File Access | Patch Available |
| CVE-2021-22893 (NVD & MITRE) | Pulse, Connect Secure | Remote Code Execution (RCE) | Patch Available |
| CVE-2021-22894 (NVD & MITRE) | Pulse, Connect Secure | Remote Code Execution (RCE) | Patch Available |
| CVE-2021-22899 (NVD & MITRE) | Pulse, Connect Secure | Remote Code Execution (RCE) | Patch Available |
| CVE-2021-22900 (NVD & MITRE) | Pulse, Connect Secure | Remote Code Execution (RCE) | Patch Available |

Pulse Secure's Connect Secure is a form of SSL VPN, as we've seen multiple times already on this list. The 2019 vulnerability could allow an unauthenticated user to read files traveling across the VPN, gain access to plain text credentials, and execute commands on clients as they connect to the VPN server.

The 2021 vulnerabilities potentially allow for unauthenticated users to run their code on the VPN Gateway itself with root-level access.

Telerik

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2019-18935 (NVD & MITRE) | Telerik, User Interface (UI) for ASP.NET AJAX | Remote Code Execution (RCE) | Patch Available |

Telerik's UI for ASP.NET AJAX allows for the rapid creation and deployment of web forms. This vulnerability is similar in concept to the Exchange decryption vulnerability. If the malicious user can access the encryption keys, either through another vulnerability or via other means, they can run their code on the server.

VMware

| NVD & MITRE Details | Vendor & Product | Vulnerability Type | Patch Availability |
| --- | --- | --- | --- |
| CVE-2021-21985 (NVD & MITRE) | VMware, vSphere | Remote Code Execution (RCE) | Workaround and Version Upgrades Available |
| CVE-2021-21986 (NVD & MITRE) | VMware, vSphere | Authentication Bypass | Workaround and Version Upgrades Available |

VMware allows for the running of Virtual Machines on top of Host Operating Systems, with vSphere being their primary management interface. The first vulnerability is due to input validation not being present on a plugin enabled by default. Because of this, a user can run their code on the Host OS. The second vulnerability also deals with plugins, but differently: it would allow the user to perform whatever actions the affected plugins could normally do, but without authentication.

Protect yourself against the most common malware

Developers are not omniscient; they can't see every angle all the time. This means that we may very well end up with vulnerable pieces of software in our production environments. While we might not be able to deploy every fix the second it is released (waiting for patches to fix the issues introduced by the patch), we still want to be aware of possible workarounds that we can deploy in the meantime. VMware, for example, could allow for turning off plugins as a temporary measure until the permanent update was available. Some companies will let their customers know about possible threats like this, while others may require additional homework or awareness. Therefore, we all need to be aware of what is going on in the Information Security space to know if there is something in the works that can impact us for good or ill.

 

Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.