AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
A joint Cybersecurity Advisory coauthored by multiple international agencies highlights the top routinely exploited vulnerabilities of 2022
Background
On August 3, a joint Cybersecurity Advisory (CSA) AA23-215A coauthored by multiple U.S. and international agencies was released to highlight the top routinely exploited vulnerabilities of 2022. The list contains 42 Common Vulnerabilities and Exposures (CVEs) known to be exploited by malicious actors. The alert urges organizations to patch these known and exploitable vulnerabilities as soon as possible and provides some mitigation recommendations as well. For CVEs that remain unpatched, the CSA encourages organizations to begin investigating for indicators of compromise on unpatched devices.
As we’ve explored in our 2022 Threat Landscape Report (TLR), known and exploitable vulnerabilities remain one of the most persistent threats to organizations. Known vulnerabilities took the top spot in our list of the top five vulnerabilities of 2022 because of the prevalence with which attackers have successfully exploited these unpatched flaws. The joint CSA recognizes this as well, adding that these malicious attackers have targeted “older software vulnerabilities rather than recently disclosed vulnerabilities,” while also highlighting the significance of vulnerabilities in internet-facing systems.
Analysis
Many of the 42 CVEs in the CSA have been featured in past blogs and alerts from Tenable Research and were included in our 2020, 2021 and 2022 TLR. In the tables below, we have split the vulnerabilities into sections based on vendor or product type.
Microsoft Exchange Server
Vulnerabilities in Microsoft Exchange Server, frequently leading to privilege escalation (elevation of privilege or EoP) or remote code execution (RCE), are particularly useful for initial access into targeted networks and have been leveraged by multiple unique ransomware groups/strains and numerous advanced persistent threat (APT) actors. In fact, CVE-2021-26855 (ProxyLogon) was the number one vulnerability in the top five vulnerabilities in our 2021 TLR while CVE-2021-34473 (ProxyShell) took fifth place in the 2022 TLR.
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2021-26855 | Microsoft Exchange Server Server-Side Request Forgery (SSRF) Vulnerability (ProxyLogon) | 9.8 | 9.8 |
CVE-2021-26857 | Microsoft Exchange Server RCE (ProxyLogon) | 7.8 | 7.4 |
CVE-2021-26858 | Microsoft Exchange Server RCE (Arbitrary File Write) | 7.8 | 7.4 |
CVE-2021-27065 | Microsoft Exchange Server RCE (Arbitrary File Write) | 7.8 | 9.8 |
CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) | 6.6 | 9 |
CVE-2021-34473 | Microsoft Exchange Server RCE (ProxyShell) | 9.8 | 9 |
CVE-2021-34523 | Microsoft Exchange Server EoP (Part of ProxyShell) | 9.8 | 8.4 |
CVE-2022-41082 | Microsoft Exchange Server RCE (ProxyNotShell) | 8.8 | 9.4 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 3 and reflects VPR at that time.
Microsoft Office
Vulnerabilities in Microsoft Office products are frequently used by threat actors to gain a foothold into a target network by attaching malicious documents to phishing or spear phishing emails. While CVE-2017-0199 and CVE-2017-11882 are some of the oldest vulnerabilities in the alert (discovered five years ago), attackers are still attempting to exploit them, as many organizations have not patched these flaws despite patches being available for years.
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2017-0199 | Microsoft Office/WordPad RCE | 7.8 | 9.8 |
CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | 7.8 | 9.8 |
Additional Microsoft Vulnerabilities
The other Microsoft CVEs on this list include some of the best-known “named” vulnerabilities in recent years. CVE-2020-1472 (Zerologon) was the number one vulnerability in the top five vulnerabilities in our 2020 TLR and it also took fifth place in our 2021 TLR. CVE-2019-0708 (BlueKeep) had an honorable mention in our 2020 TLR while CVE-2022-30190 (Follina) took the third spot in the top five vulnerabilities in our 2022 TLR.
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2019-0708 | Microsoft’s Remote Desktop Services RCE (BlueKeep) | 9.8 | 9.7 |
CVE-2020-1472 | EoP vulnerability in Windows Netlogon (Zerologon) | 10 | 10 |
CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) | 7.8 | 9.8 |
CVE-2022-22047 | Windows Client Server Run-time Subsystem (CSRSS) EoP | 7.8 | 9.2 |
Apache Products
The CSA features five CVEs in Apache products, three of which were in Apache HTTP Server while the remaining two were vulnerabilities in the now infamous Log4j 2 logging library. While there’s much to be said about Log4j, for brevity we recommend visiting the Tenable Log4j page to view the blogs and resources associated with Log4Shell and its related vulnerabilities.
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2021-40438 | Apache HTTP Server SSRF | 9 | 8.1 |
CVE-2021-41773 | Apache HTTP Server Path Traversal and File Disclosure | 7.5 | 7.1 |
CVE-2021-42013 | Apache HTTP Server Path Traversal and File Disclosure | 9.8 | 9 |
CVE-2021-44228 | Apache Log4j RCE (Log4Shell) | 10 | 10 |
CVE-2021-45046 | Apache Log4j2 Denial of Service (DoS) and RCE | 9 | 9.2 |
SSL VPN Devices
Vulnerabilities impacting SSL VPN devices continue to have a major impact, as they are routinely exploited by APTs and ransomware gangs against organizations around the world. Three of the top five vulnerabilities in the 2020 TLR were in SSL VPN devices. Many of these vulnerabilities have been included in multiple U.S. and international government agency alerts over the years, and because these devices are internet facing and critical to business operations, they are an ideal doorway into organizations. Therefore, patching these devices should be a top priority for any organization.
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2018-13379 | Fortinet FortiOS SSL VPN Web Portal Information Disclosure | 9.8 | 9.4 |
CVE-2019-11510 | Pulse Connect Secure Arbitrary File Disclosure | 10 | 8.1 |
CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal | 9.8 | 9.4 |
CVE-2022-42475 | Fortinet FortiOS SSL-VPN Heap-Based Buffer Overflow | 9.8 | 9.5 |
CVE-2022-40684 | Fortinet FortiOS Authentication Bypass Vulnerability | 9.8 | 9.2 |
Many of the remaining flaws in the CSA are found in internet-facing devices, which makes them more susceptible to attack. Therefore, organizations that use these products in their networks should prioritize remediating vulnerabilities in them:
SonicWall Products
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2021-20016 | SQL injection vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 | 9.8 | 7.4 |
CVE-2021-20021 | SonicWall Email Security Improper Privilege Management Vulnerability | 9.8 | 7.4 |
CVE-2021-20038 | SonicWall Secure Mobile Access (SMA) 100 Unauthenticated Stack-Based Buffer Overflow | 9.8 | 7.4 |
Atlassian Confluence Server and Data Center
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2021-26084 | Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection | 9.8 | 9.7 |
CVE-2022-26134 | Atlassian Confluence Server and Data Center OGNL Injection | 9.8 | 9.7 |
VMware Products
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2022-22963 | VMware Tanzu Spring Cloud RCE | 9.8 | 9.7 |
CVE-2022-22954 | VMware Workspace ONE Access and Identity Manager RCE | 9.8 | 9.6 |
CVE-2022-22960 | VMware Workspace ONE Access and Identity Manager and vRealize Automation Privilege Escalation Vulnerability | 7.8 | 7.4 |
Oracle WebLogic Server
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2020-14882 | Oracle WebLogic Server Console Component RCE | 9.8 | 9.2 |
CVE-2020-14883 | Oracle WebLogic Server Console Component RCE | 7.2 | 8.4 |
Additional Vendors and Products
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2020-5902 | F5 BIG-IP Directory Traversal Vulnerability | 9.8 | 9.2 |
CVE-2022-1388 | F5 Networks F5 BIG-IP Authentication Bypass Vulnerability | 9.8 | 9.5 |
CVE-2021-40539 | ManageEngine ADSelfService Plus REST API Authentication Bypass | 9.8 | 9.2 |
CVE-2022-29464 | WSO2 RCE (Arbitrary File Upload) | 9.8 | 9.6 |
CVE-2022-27593 | QNAP NAS Externally Controlled Reference Vulnerability | 9.1 | 6.7 |
CVE-2022-22536 | SAP Internet Communication Manager (ICM) HTTP Request Smuggling Vulnerability | 10 | 8.1 |
CVE-2022-24682 | Zimbra Collaboration Suite Cross Site Scripting Vulnerability | 6.1 | 4.6 |
CVE-2022-27924 | Zimbra Collaboration Suite Command Injection Vulnerability | 7.5 | 5.1 |
Solution
For all of the 42 CVEs featured in this CSA, patches are available from each of the respective vendors and patching all of the CVEs should be prioritized. In some instances, the CSA offers mitigation guidance for when patching cannot be performed immediately, as well as mitigation guidance for vendors and developers, including recommendations and resources on how to secure your networks.
We recommend all organizations review the CSA and we emphasize the importance of prioritizing patching of all the vulnerabilities listed.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
In addition to these plugins, many of these vulnerabilities have been featured in our annual TLR report. Our 2022 TLR scan template can be utilized to scan for all the vulnerabilities featured in our 2022 report.
Not all of the vulnerabilities listed in the CSA can be found in the scan template. For more targeted scanning, we recommend configuring a custom scan policy and enabling plugins specific to the devices on your respective networks to quickly identify those assets that remain unpatched.
Get more information
- CISA's 2022 Top Routinely Exploited Vulnerabilities (AA23-215A)
- Tenable’s 2020 Threat Landscape Retrospective
- Tenable’s 2021 Threat Landscape Retrospective
- Tenable’s 2022 Threat Landscape Report
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.