The 12 Most Frequently Exploited Vulnerabilities in 2022 (1)

Exploiting known and unpatched vulnerabilities continues to be a common tactic used by threat actors. From security bypasses and credential exposure to remote code execution, software vulnerabilities have always been a powerful weapon for cyber attackers to compromise systems.

While some new figures have appeared in this year's disruptions, such as new vulnerabilities discovered in Active Directory and MOVEit file transfer applications, and those used in the AlienFox toolkit or IceFire ransomware campaigns, some of the known vulnerabilities have remained strong in terms of frequency of abuse so far.

In this article, we dive into CISA's newly released list of the 12 most frequently exploited vulnerabilities in 2022 that will continue to pose a significant threat to enterprise business.

1. Fortinet FortiOS & FortiProxy (CVE-2018-13379)

Fortinet FortiOS SSL VPNs are primarily used in border firewalls and function by isolating sensitive internal networks from the public Internet. CVE-2018-13379 serves as a particularly severe path traversal vulnerability that allows APT participants to use specially crafted HTTP resource requests to steal legitimate credentials, connect to an unpatched VPN and download system files. Despite the release of a patch back in 2019, CVE-2018-13379 has made several comebacks over the past three years, targeting government, commercial, and technical service networks, among others.

In 2020, a hacker exploited the vulnerability to steal VPN credentials from nearly 50,000 Fortinet VPN devices. Security researchers noted at the time that more than 40 of those 50,000 domains belonged to well-known financial and government organizations. Later that year, the vulnerability reappeared. This time it was exploited by government-backed actors in an attempt to disrupt U.S. election support systems. During this campaign, CVE-2018-13379 was linked to other attacks to exploit servers exposed to the Internet and gain access. The vulnerability reappeared in 2021 when 87,000 sets of credentials for Fortigate SSL VPN devices obtained through the exploitation of CVE-2018-13379 were leaked online.

These critical vulnerabilities remain lucrative for threat actors. The larger the user base, the more potential targets there are, which increases the appeal to attackers. Due to their frequent abuse, the FBI and CISA have issued a joint advisory warning Fortinet users and administrators to beware of Advanced Persistent Threat (APT) attackers actively exploiting existing and future critical VPN vulnerabilities. It is highly likely that these vulnerabilities will continue to be used to gain an initial foothold in vulnerable environments as a springboard for future attacks.

2-4. Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523)

Microsoft Exchange Server is a popular email and support system for global organizations, deployed both locally and in the cloud. To this day, a series of vulnerabilities found in unpatched local versions of Microsoft Exchange Server continue to be actively exploited on Internet-facing servers.

This series of vulnerabilities, collectively referred to as "ProxyShell," includes CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523, and affects multiple versions of local Microsoft Exchange Server. ProxyShell targets unpatched Exchange servers to enable pre-authenticated Remote Code Execution (RCE). Of the three vulnerabilities, CVE-2021-34473 has the highest CVSS score of 9.1, and while the remaining vulnerabilities were initially categorized as "exploitation less likely" when used in conjunction with CVE-2021-34473, they provide significant value to attackers. In short, ProxyShell allows an attacker to execute arbitrary commands on a vulnerable Exchange server on port 443.

All three vulnerabilities were patched in 2021, but security researchers are currently tracking several uncategorized threat (UNC) organizations known to be exploiting the ProxyShell vulnerability, while predicting additional clusters to emerge as future generations of threat actors adopt valid vulnerabilities. In one particular cluster of threat activity tracked as UNC2980, Mandiant researchers observed that the ProxyShell vulnerability was used in a cyber espionage campaign. In this operation, UNC2980 dropped multiple tools into the U.S. university's system environment after gaining access and deploying a web shell by utilizing ProxyShell. After conducting an attack via ProxyShell, the attackers used publicly available tools (e.g., Mimikatz, HTRAN, and EarthWorm) to conduct post-attack activities.