The Feds list the 30 most exploited vulnerabilities. Many are years out of date


Government officials in the US, UK and Australia are calling on public and private organizations to protect their networks by ensuring that firewalls, VPNs and other network perimeter devices are patched against the most widespread exploits.

In a joint advisory published on Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Centre and the UK National Cyber Security Centre listed the 30 most frequently exploited vulnerabilities. The vulnerabilities lie in a variety of devices and software sold by Citrix, Pulse Secure, Microsoft, and Fortinet, among others.

“Cyber actors continue to exploit publicly known – and often outdated – software vulnerabilities against broad target groups, including public and private sector organizations around the world,” the advisory says. “However, companies around the world can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”

What do I patch?

Four of the most targeted vulnerabilities over the past year have been in VPNs, cloud-based services, and other devices that let people remotely access employer networks. Despite the explosion in the number of employees working from home caused by the COVID-19 pandemic, many VPN gateway devices went unpatched in 2020.

The four most commonly exploited vulnerabilities were disclosed between 2018 and 2020, an indication of how often organizations using the affected devices hold back from applying security patches. The vulnerabilities include CVE-2019-19781, a remote code execution bug in the Citrix Application Delivery Controller (which customers use to load-balance incoming application traffic); CVE-2019-11510, which lets attackers remotely read sensitive files stored on the Pulse Secure Pulse Connect Secure VPN; CVE-2018-13379, a path traversal vulnerability in Fortinet VPNs; and CVE-2020-5902, a code execution vulnerability in F5’s BIG-IP Advanced Delivery Controller.


The top 12 vulnerabilities are:

Vendor          CVE              Type
Citrix          CVE-2019-19781   Arbitrary code execution
Pulse Secure    CVE-2019-11510   Arbitrary file reading
Fortinet        CVE-2018-13379   Path traversal
F5 BIG-IP       CVE-2020-5902    Remote code execution (RCE)
MobileIron      CVE-2020-15505   RCE
Microsoft       CVE-2017-11882   RCE
Atlassian       CVE-2019-11580   RCE
Drupal          CVE-2018-7600    RCE
Telerik         CVE-2019-18935   RCE
Microsoft       CVE-2019-0604    RCE
Microsoft       CVE-2020-0787    Elevation of privilege
Netlogon        CVE-2020-1472    Elevation of privilege

Breaking through the gate

The vulnerabilities, all of which have received patches from their vendors, provided the initial access vector for countless serious attacks. According to a U.S. government advisory published in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.

In the same month, it was revealed that another group of hackers was also exploiting CVE-2018-13379. In one case, the hackers enabled ransomware operators to take control of two production facilities of a European manufacturer.

Wednesday’s advisory went on to say:

CISA, ACSC, NCSC and FBI assume that public and private organizations around the world will remain at risk from the exploitation of these CVEs. Malicious cyber actors will most likely continue to leverage older known vulnerabilities such as CVE-2017-11882 affecting Microsoft Office as long as they remain effective and the systems are not patched. The exploitation of known vulnerabilities by attackers makes attribution more difficult, reduces costs and minimizes risk because they do not invest in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.

The officials also listed 13 vulnerabilities discovered this year that are likewise being exploited in large numbers. The vulnerabilities are:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
  • VMware: CVE-2021-21985

The advisory provides technical details on each vulnerability, guidance on how to mitigate the risk, and indicators of exposure to help organizations determine if they are vulnerable or have been hacked. The advisory also includes instructions on how to lock down systems.