In an effort to raise awareness among both private companies and government agencies, cybersecurity agencies from the US, the UK and Australia have published a new joint advisory which contains information on the most exploited security flaws from last year and so far this year.
As reported by The Record, the advisory was issued jointly by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the UK National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC), and covers the vulnerabilities most often exploited by cybercriminals.
The flaws affect a wide range of products, including VPN appliances, email servers, network access gateways, web applications and desktop software.
According to the cybersecurity agencies' joint advisory, these were the most exploited security flaws in 2020 by vendor and type along with their CVE tracking numbers:
- Citrix – arbitrary code execution, tracked as CVE-2019-19781
- Pulse Secure – arbitrary file reading, tracked as CVE-2019-11510
- Fortinet – path traversal, tracked as CVE-2018-13379
- F5 BIG-IP – remote code execution (RCE), tracked as CVE-2020-5902
- MobileIron – RCE, tracked as CVE-2020-15505
- Microsoft – RCE, tracked as CVE-2017-11882
- Microsoft – RCE, tracked as CVE-2019-0604
- Microsoft – elevation of privilege, tracked as CVE-2020-0787
- Atlassian – RCE, tracked as CVE-2019-11580
- Drupal – RCE, tracked as CVE-2018-7600
- Telerik – RCE, tracked as CVE-2019-18935
- Microsoft Netlogon – elevation of privilege, tracked as CVE-2020-1472
Top vulnerabilities in 2021 so far
The joint advisory also contains a second list of vulnerabilities that attackers have been actively exploiting so far this year. Unlike the 2020 list, it is grouped by vendor only and does not describe the type of each flaw:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
- VMware: CVE-2021-21985
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
By publishing both lists, the US, UK and Australian agencies hope to prompt businesses and government bodies to check whether they run any of the affected products and to patch the flaws they have not yet fixed.
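As an added example (not part of the original article or of the advisory itself), here is a short Python triage script a defender could run against a vulnerability-scanner export to find which hosts carry any of the CVEs listed above. It normalises identifiers that appear in different spellings (CVE-2019-11510, CVE 2019-11510, cve_2019_11510) before matching, and reports which of the advisory's two lists each hit belongs to. The export format, host names, product versions and findings in SAMPLE_EXPORT are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# CVE identifiers from the two lists in the joint advisory, as reported above.
ADVISORY_2020 = {
    "CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379", "CVE-2020-5902",
    "CVE-2020-15505", "CVE-2017-11882", "CVE-2019-0604", "CVE-2020-0787",
    "CVE-2019-11580", "CVE-2018-7600", "CVE-2019-18935", "CVE-2020-1472",
}
ADVISORY_2021 = {
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065",  # Microsoft Exchange
    "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",  # Pulse Secure
    "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104",  # Accellion
    "CVE-2021-21985",                                                          # VMware
    "CVE-2018-13379", "CVE-2020-12812", "CVE-2019-5591",                       # Fortinet
}
ADVISORY = ADVISORY_2020 | ADVISORY_2021

# Accepts "CVE-2019-11510", "CVE 2019-11510", "cve_2019_11510" and similar variants.
_CVE_RE = re.compile(r"CVE[\s_-]?(\d{4})[\s_-](\d{4,})", re.IGNORECASE)


def normalize_cves(text):
    """Return the set of canonical 'CVE-YYYY-NNNN' identifiers found in text."""
    return {f"CVE-{year}-{num}" for year, num in _CVE_RE.findall(text)}


def advisory_years(cve):
    """Which of the advisory's lists ('2020', '2021', or both) a canonical CVE ID appears on."""
    years = []
    if cve in ADVISORY_2020:
        years.append("2020")
    if cve in ADVISORY_2021:
        years.append("2021")
    return tuple(years)


def triage(csv_text):
    """Map each host to the advisory-listed CVEs it carries (sorted); hosts with none are omitted.

    Expects columns host,product,cves where cves is free text containing CVE identifiers.
    """
    flagged = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = normalize_cves(row["cves"]) & ADVISORY
        if hits:
            flagged[row["host"]].update(hits)
    return {host: sorted(cves) for host, cves in sorted(flagged.items())}


# Constructed scanner export for illustration; hosts, versions and findings are made up.
# CVE-2021-23017 (nginx) is a real identifier that is not on the advisory, so web-04 is not flagged.
SAMPLE_EXPORT = """host,product,cves
vpn-01,Pulse Connect Secure 9.1R8,CVE 2019-11510;CVE-2021-22893
fw-02,FortiOS 6.0.4,cve_2018_13379;CVE-2019-5591
mail-03,Exchange Server 2016 CU18,CVE-2021-26855;CVE-2021-27065
dc-01,Windows Server 2019,CVE-2020-1472
web-04,nginx 1.18.0,CVE-2021-23017
"""

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_EXPORT).items():
        tags = ", ".join(f"{c} ({'/'.join(advisory_years(c))})" for c in cves)
        print(f"{host}: {tags}")
```

Hosts that show up here should be patched first, since every identifier in the advisory is one that has already been exploited in the wild; a hit on both lists (such as CVE-2018-13379, exploited in 2020 and still in 2021) is a sign that the device has been exposed for a long time and merits a compromise check, not just a patch.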
Paul Chichester, director of operations at the UK's NCSC, commented on the advisory in a press release:
“We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them. The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices. Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm."
Via The Record
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.