Background
Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.
In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years.
This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.
Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.
CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in the below table to be the topmost regularly exploited CVEs by cyber actors during 2020.
| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | remote code execution (RCE) |
| Microsoft | CVE-2017-11882 | remote code execution (RCE) |
| Atlassian | CVE-2019-11580 | remote code execution (RCE) |
| Drupal | CVE-2018-7600 | remote code execution (RCE) |
| Telerik | CVE-2019-18935 | remote code execution (RCE) |
| Microsoft | CVE-2019-0604 | remote code execution (RCE) |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |

Table: Top Routinely Exploited CVEs in 2020
In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.
Technical Details
2020 CVEs
CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020:

| CVE | CVE |
|---|---|
| CVE-2019-19781 | CVE-2019-3396 |
| CVE-2019-11510 | CVE-2017-11882 |
| CVE-2018-13379 | CVE-2019-11580 |
| CVE-2020-5902 | CVE-2018-7600 |
| CVE-2020-15505 | CVE-2019-18935 |
| CVE-2020-0688 | CVE-2019-0604 |
| CVE-2020-1472 | CVE-2020-0787 |
Among these vulnerabilities:
- CVE-2019-19781 was the most exploited flaw in 2020. CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix’s Application Delivery Controller (ADC)—a load balancing application for web, application, and database servers widely used throughout the United States.
- CVE-2019-11510, a vulnerability in Pulse Connect Secure VPN, was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and can retain unauthorized access after the system is patched unless all compromised credentials are changed.
Unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379, in VPN services to compromise an array of organizations, including those involved in COVID-19 vaccine development.
2021 CVEs
In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited.
| Product Manufacturer | CVE Details |
|---|---|
| Microsoft Exchange | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 |
| Pulse Secure | CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900 |
| Accellion | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 |
| VMware | CVE-2021-21985 |
| Fortinet | CVE-2018-13379, CVE-2020-12812, CVE-2019-5591 |
Mitigations
One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible.
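The prioritization rule in the paragraph above (known-exploited CVEs first, internet-facing systems next) can be turned into a small triage script. The following is an added example, not part of the advisory; it uses the CVE identifiers listed in this advisory as its known-exploited set, and the asset inventory, the `Asset` class and the `CVE-0000-*` identifiers are constructed placeholders.

```python
"""Patch-prioritisation helper: rank scanner findings by the advisory's rule
(known-exploited CVEs first, then internet-facing exposure)."""
from dataclasses import dataclass
from typing import List, Tuple

# CVE identifiers listed in this advisory (2020 and 2021 lists).
KNOWN_EXPLOITED = {
    "CVE-2019-19781", "CVE-2019-11510", "CVE-2018-13379", "CVE-2020-5902",
    "CVE-2020-15505", "CVE-2020-0688", "CVE-2020-1472", "CVE-2019-3396",
    "CVE-2017-11882", "CVE-2019-11580", "CVE-2018-7600", "CVE-2019-18935",
    "CVE-2019-0604", "CVE-2020-0787",
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065",
    "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",
    "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104",
    "CVE-2021-21985", "CVE-2020-12812", "CVE-2019-5591",
}


@dataclass
class Asset:
    """Hypothetical inventory record, e.g. one row exported from a scanner."""
    name: str
    internet_facing: bool
    cves: List[str]  # CVE IDs as reported by the scanner, spelling may vary


def normalize_cve(cve: str) -> str:
    """Canonicalise IDs written as 'CVE 2019-11510' or 'CVE-2020- 1472'."""
    parts = cve.upper().replace("CVE", "").replace("-", " ").split()
    return "CVE-" + "-".join(parts)


def triage(asset: Asset) -> Tuple[int, List[str]]:
    """Return (tier, exploited_cves); tier 1 is patched first."""
    exploited = sorted(
        c for c in map(normalize_cve, asset.cves) if c in KNOWN_EXPLOITED
    )
    if exploited and asset.internet_facing:
        tier = 1  # known-exploited flaw reachable from the internet
    elif exploited:
        tier = 2  # known-exploited flaw on an internal system
    elif asset.internet_facing:
        tier = 3  # exposed, but no CVE from the advisory's lists
    else:
        tier = 4  # everything else
    return tier, exploited


def patch_order(assets: List[Asset]) -> List[str]:
    """Asset names in the order they should be patched."""
    def key(a: Asset):
        tier, exploited = triage(a)
        # lower tier first, then more exploited CVEs, then more CVEs overall
        return (tier, -len(exploited), -len(a.cves), a.name)
    return [a.name for a in sorted(assets, key=key)]


# Constructed sample inventory; CVE-0000-* IDs are placeholders, not real CVEs.
SAMPLE_ASSETS = [
    Asset("dev-laptop", False, ["CVE-0000-00002"]),
    Asset("web-frontend", True, ["CVE-0000-00001"]),
    Asset("intranet-wiki", False, ["CVE 2019-11580"]),
    Asset("vpn-gw-01", True, ["CVE-2019-11510", "CVE-2021-22893"]),
]

if __name__ == "__main__":
    for name in patch_order(SAMPLE_ASSETS):
        asset = next(a for a in SAMPLE_ASSETS if a.name == name)
        tier, exploited = triage(asset)
        print(f"tier {tier}: {name} exploited={exploited}")
```

Normalising the identifiers matters in practice: scanner exports and advisories spell the same CVE as "CVE 2019-11510" or "CVE-2020- 1472", and an exact-string lookup would silently miss them.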
CVE-2019-19781
Citrix Netscaler Directory Traversal
Vulnerability Description
Citrix Netscaler Application Delivery Controller (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal.
Recommended Mitigations
1) Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781.
2) If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).
https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/
CVE-2019-11510
Pulse Secure Connect VPN
Vulnerability Description
Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
Recommended Mitigations
1) Upgrade to the latest Pulse Secure VPN.
2) Stay alert to any scheduled tasks or unknown files/executables.
3) Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read local system files.
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
CVE-2018-13379
Fortinet FortiOS Secure Socket Layer VPN
Vulnerability Description
Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the sslvpn_websession file. An attacker is then able to extract clear-text usernames and passwords.
Recommended Mitigations
1) Upgrade to the latest Fortinet SSL VPN.
2) Monitor for alerts to any unscheduled tasks or unknown files/executables.
3) Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read the sslvpn_websession file.
https://www.fortiguard.com/psirt/FG-IR-18-384
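Both the Pulse Secure and the Fortinet mitigations above ask for a detection mechanism that responds to directory traversal (/../../../) attempts. The script below is an added example written for this page, not vendor code: it scans web-server access log lines in a generic combined-log layout, percent-decodes the request target repeatedly so that single- and double-encoded "../" sequences are caught, flags any traversal, and additionally flags requests that mention the sslvpn_websession file named in the advisory. The log lines, IP addresses and paths are constructed sample data; the sensitive-file list is an assumption to be extended per environment.

```python
"""Detect directory-traversal attempts in web-server access logs."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# A ".." path segment bounded by '/' or '\' (or string boundaries).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Request line inside a combined-format log entry: "GET /path HTTP/1.1".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# File names whose appearance in a request is worth an alert on its own.
# The advisory names sslvpn_websession; add site-specific names here (assumption).
WATCHED_FILES = ("sslvpn_websession",)


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) to defeat double encoding."""
    path = raw
    for _ in range(rounds):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path


def analyze_request(target: str) -> Dict[str, object]:
    """Classify one request target (path plus query string)."""
    decoded = decode_path(target)
    return {
        "decoded": decoded,
        "traversal": bool(TRAVERSAL.search(decoded)),
        "watched_files": [f for f in WATCHED_FILES if f in decoded],
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert record per suspicious request."""
    alerts = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we understand
        verdict = analyze_request(match.group("target"))
        if verdict["traversal"] or verdict["watched_files"]:
            alerts.append({
                "ip": line.split()[0],          # client address, first field
                "target": match.group("target"),
                **verdict,
            })
    return alerts


def suspicious_sources(alerts: List[Dict[str, object]]) -> Dict[str, int]:
    """Count alerts per client address, useful for blocking or triage."""
    return dict(Counter(str(a["ip"]) for a in alerts))


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2020:10:00:02 +0000] "GET /docs/a..b/file.txt HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Jul/2020:10:00:03 +0000] "GET /images/../../../sslvpn_websession HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Jul/2020:10:00:04 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/sslvpn_websession HTTP/1.1" 403 0',
    '198.51.100.8 - - [10/Jul/2020:10:00:05 +0000] "GET /assets/%252e%252e%252f%252e%252e%252fsomefile HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert["ip"], alert["decoded"], alert["watched_files"])
    print(suspicious_sources(found))
```

The bounded decode loop is deliberate: a single `unquote` misses `%252e%252e%252f`, while unbounded decoding of attacker-controlled input is a cheap denial-of-service vector. Note also that "a..b" in a path is not traversal, so the pattern requires the ".." segment to be delimited rather than matching any two dots.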
CVE-2020-5902
F5 BIG-IP Traffic Management User Interface
Vulnerability Description
The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages.
Recommended Mitigations
Download and install a fixed software version of the software from a vendor-approved resource. If it is not possible to update quickly, restrict access via the following actions.
1) Address unauthenticated and authenticated attackers on self IPs by blocking all access.
https://support.f5.com/csp/article/K52145254
CVE-2020-15505
MobileIron Core & Connector
Vulnerability Description
MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.
Recommended Mitigations
Download and install a fixed software version of the software from a vendor-approved resource.
https://www.ivanti.com/blog/mobileiron-security-updates-available
CVE-2020-0688
Microsoft Exchange Memory Corruption
Vulnerability Description
An RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
Recommended Mitigations
Download and install a fixed software version of the software from a vendor-approved resource.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688
CVE-2017-11882
Microsoft Office Memory Corruption
Vulnerability Description
Microsoft Office is vulnerable to RCE due to a memory corruption flaw.
Recommended Mitigations
Download and install a fixed software version of the software from a vendor-approved resource.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882
CVE-2019-11580
Atlassian Crowd and Crowd Data Center Remote Code Execution
Vulnerability Description
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds.
Recommended Mitigations
1) Manually check your software version to see if it is susceptible to this vulnerability.
2) CVE-2019-11580 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF and signatures at https://github.com/nsacyber/Mitigating-Web-Shells
https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html
CVE-2018-7600
Drupal Core Multiple Remote Code Execution
Vulnerability Description
Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Recommended Mitigations
Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1.
https://www.drupal.org/sa-core-2018-002
CVE-2019-18935
Telerik UI for ASP.NET AJAX Insecure Deserialization
Vulnerability Description
Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability.
Recommended Mitigations
Update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later).
https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
CVE-2019-0604
Microsoft SharePoint Remote Code Execution
Vulnerability Description
A vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.
Recommended Mitigations
1) Upgrade on-premises installations of Microsoft SharePoint to the latest available version (Microsoft SharePoint 2019) and patch level.
2) On-premises Microsoft SharePoint installations with a requirement to be accessed by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604
CVE-2020-0787
Windows Background Intelligent Transfer Service Elevation of Privilege
Vulnerability Description
The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.
Recommended Mitigations
Apply the security updates as recommended in the Microsoft security advisory.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787
CVE-2020-1472
Netlogon Elevation of Privilege
Vulnerability Description
The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.
Recommended Mitigations
Apply the security updates as recommended in the Microsoft Netlogon security advisory.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472