In an effort to raise awareness among both private companies and government agencies, cybersecurity agencies from the US, the UK and Australia have published a new joint advisory which contains information on the most exploited security flaws from last year and so far this year.
As reported by The Record, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, along with the UK National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC), all published the joint advisory on the top vulnerabilities exploited by cybercriminals.
These vulnerabilities exist in a wide variety of products, from VPN appliances and email servers to network access gateways, web-based applications, desktop software and more.
According to the cybersecurity agencies' joint advisory, these were the most exploited security flaws in 2020 by vendor and type along with their CVE tracking numbers:
- Citrix – arbitrary code execution tracked as CVE-2019-19781
- Pulse – arbitrary file reading tracked as CVE-2019-11510
- Fortinet – path traversal tracked as CVE-2018-13379
- F5 BIG-IP – remote code execution (RCE) tracked as CVE-2020-5902
- MobileIron – RCE tracked as CVE-2020-15505
- Microsoft – RCE tracked as CVE-2017-11882
- Microsoft – RCE tracked as CVE-2019-0604
- Microsoft – elevation of privilege tracked as CVE-2020-0787
- Atlassian – RCE tracked as CVE-2019-11580
- Drupal – RCE tracked as CVE-2018-7600
- Telerik – RCE tracked as CVE-2019-18935
- Netlogon – elevation of privilege tracked as CVE-2020-1472
Top vulnerabilities in 2021 so far
The joint advisory also contains a second list of vulnerabilities that cybercriminals have been actively exploiting in their attacks so far this year. However, this list is grouped by vendor only, without the vulnerability type:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
- VMware: CVE-2021-21985
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
By releasing these two lists of the top security flaws from last year and so far this year, the cybersecurity agencies from the US, the UK and Australia hope to encourage businesses as well as government agencies to take a second look at their products and services so that they can patch any vulnerabilities they have yet to fix.
Paul Chichester, director of operations at the UK's NCSC, provided further insight on the joint advisory published by the three countries' cybersecurity agencies in a press release, saying:
“We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them. The advisory published today puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices. Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm.”