2021’s Top 15 Software Vulnerabilities


April 28, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint cybersecurity advisory that lists the top 15 exploited software vulnerabilities used by cyber-criminals in 2021.

The advisory was compiled by cybersecurity agencies from the “Five Eyes” nations (Australia, Canada, New Zealand, the U.K., and U.S.). Its purpose is to encourage organizations to apply things like patches to impacted systems and develop a centralized patch management system in order to reduce future threats.

The Top 15 Exploited Software Vulnerabilities in 2021:

CVE Vulnerability Name Vendor and Product Type
CVE-2021-44228 Log4Shell Apache Log4j Remote code execution (RCE)
CVE-2021-40539   Zoho Manage Engine AD SelfService Plus RCE
CVE-2021-34523 ProxyShell Microsoft Exchange Server Elevation of privilege
CVE-2021-34473 Proxy Shell Microsoft Exchange Server RCE
CVE-2021-31207 ProxyShell Microsoft Exchange Server Security feature bypass
CVE-2021-27065 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26858 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26857 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26855 ProxyLogon Microsoft Exchange Server RCE
CVE-2021-26084   Atlassian Confluence Server and Data Center Arbitrary code execution
CVE-2021-21972   VMware vSphere Client RCE
CVE-2021-1472 ZeroLogon Microsoft Netlogon Remote Protocol (MS-NRPC) Elevation of privilege
CVE-2021-0688   Microsoft Exchange Server RCE
CVE-2019-11510   Pulse Secure Pulse Connect Secure

Arbitrary file reading

CVE-2018-13379   Fortinet FortiOS and FortiProxy Path traversal



Vulnerability and Configuration Management

  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
  • Use a centralized patch management system.
  • Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.
  • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization’s attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk.

Identity and Access Management:

  • Enforce multi-factor authentication (MFA) for all users, without exception.
  • Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords.
  • Regularly review, validate, or remove privileged accounts (annually at a minimum).
  • Configure access control under the concept of least privilege principle.
    • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges). 

Protective Controls and Architecture

  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. o Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP. o Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting. o Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
  • Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks.
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner, etc., are reporting the same number of assets.
    • Monitor the environment for potentially unwanted programs.
  • Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business-critical functions.
  • Implement application allowlisting.
Carl Keyser is the Content Manager at Integris.

Keep reading

What to Know Before Installing Co-Pilot for Microsoft Word

What to Know Before Installing Co-Pilot for Microsoft Word

Imagine having an AI assistant that pulls from your notes, marries them to an existing document format, and writes a document for you. That's the power of Copilot for Microsoft Word, which is planned for rollout in 2024 for those who buy the Copilot M365 license....

Bridging the Gap between Automation and Innovation

Bridging the Gap between Automation and Innovation

Automation and Innovation. Some people might say those two words cancel each other out. Yet, I believe these two concepts can create capacity for each other—if your business leverages the free time automation creates to foster innovation. Automation can be...