The security agencies of the US, Australia, Canada, the UK and New Zealand have published a joint advisory listing the most routinely exploited vulnerabilities of 2021, topped by Log4Shell.
Aside from the notorious Log4j vulnerability, the list includes the ProxyLogon and ProxyShell flaws in Microsoft Exchange Server, the Windows Netlogon bug ZeroLogon, and another Exchange Server flaw (CVE-2020-0688).
Others on the top 15 list are bugs in Atlassian Confluence (CVE-2021-26084), VMware vSphere (CVE-2021-21972), Pulse Secure (CVE-2019-11510) and Fortinet FortiOS (CVE-2018-13379).
“The NCSC and our allies are committed to raising awareness of vulnerabilities and presenting actionable solutions to mitigate them,” said National Cyber Security Centre (NCSC) CEO Lindy Cameron.
“This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses in the public and private sector ecosystem.”
In addition to the top 15 list, the security agencies provided an extra list of bugs to patch, including noteworthy systems such as the Accellion File Transfer Appliance (FTA) which was targeted en masse by a cybercrime group with links to FIN11 and Clop ransomware.
Other vulnerable products on that additional list include the Windows Print Spooler and the VPN products Pulse Connect Secure and SonicWall SSLVPN SMA100.
Andreas Berger, lead product engineer for application security at Dynatrace, argued that applications are increasingly riddled with flaws because they’re built on cloud-native architectures with open source components, making bugs harder to weed out.
“Even with a robust layered approach to cybersecurity, many organizations still lack solutions that can see inside containerized applications, or understand the context needed to distinguish potential vulnerability from critical exposure,” he continued.
“As a result, it’s very difficult for security teams to prioritize their workload effectively, so even the most well-documented vulnerabilities, like the Log4j library flaw, can go unchecked for months, or even years. It’s especially pertinent to see Log4Shell at the top of the list of the most routinely exploited vulnerabilities in 2021, as it was only discovered in the final month of the year – underscoring just how bad it was.”
To reduce risk exposure, organizations need to combine full-stack observability to eliminate blind spots with AI and automation to reveal the precise cause, type and severity of vulnerabilities, Berger concluded.