
CISA has published the list of 2021’s top 15 most exploited software vulnerabilities. This joint Cybersecurity Advisory (CSA) was co-authored by cybersecurity agencies of the United States, Australia, Canada, New Zealand, and the United Kingdom: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National Cyber Security Centre (NCSC-UK). This advisory also includes other frequently exploited vulnerabilities.
Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.
CISA Statement
The list includes CVE-2021-21972 affecting VMware vSphere Client, CVE-2021-26084 in Atlassian Confluence, CVE-2021-40539 in Zoho ManageEngine AD SelfService Plus, CVE-2018-13379 in Fortinet FortiOS and FortiProxy, CVE-2019-11510 in Pulse Secure Pulse Connect Secure CVE-2019-11510), Log4Shell, ProxyLogon ProxyShell, and ZeroLogon.
CVE | Vulnerability Name | Vendor and Product | Type |
CVE-2021-44228 | Log4Shell | Apache Log4j | RCE |
CVE-2021-40539 | Zoho ManageEngine AD SelfService Plus | RCE | |
CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE |
CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass |
CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE |
CVE-2021-26084 | Atlassian Confluence Server and Data Center | Arbitrary code execution | |
CVE-2021-21972 | VMware vSphere Client | RCE | |
CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
CVE-2020-0688 | Microsoft Exchange Server | RCE | |
CVE-2019-11510 | Pulse Secure Pulse Connect Secure | Arbitrary file reading | |
CVE-2018-13379 | Fortinet FortiOS and FortiProxy | Path traversal |
In addition to the 15 vulnerabilities listed above table, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities listed below, that were also routinely exploited by malicious cyber actors in 2021.
TheCyberThrone Most Rated Exploit Vulnerabilities of 2021: CISA: Top Exploited Vulnerabilities 2021These vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. Three of these vulnerabilities were also routinely exploited in 2020: CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.
CVE | Vendor and Product | Type |
CVE-2021-42237 | Sitecore XP | RCE |
CVE-2021-35464 | ForgeRock OpenAM server | RCE |
CVE-2021-27104 | Accellion FTA | OS command execution |
CVE-2021-27103 | Accellion FTA | Server-side request forgery |
CVE-2021-27102 | Accellion FTA | OS command execution |
CVE-2021-27101 | Accellion FTA | SQL injection |
CVE-2021-21985 | VMware vCenter Server | RCE |
CVE-2021-20038 | SonicWall Secure Mobile Access (SMA) | RCE |
CVE-2021-40444 | Microsoft MSHTML | RCE |
CVE-2021-34527 | Microsoft Windows Print Spooler | RCE |
CVE-2021-3156 | Sudo | Privilege escalation |
CVE-2021-27852 | Checkbox Survey | Remote arbitrary code execution |
CVE-2021-22893 | Pulse Secure Pulse Connect Secure | Remote arbitrary code execution |
CVE-2021-20016 | SonicWall SSLVPN SMA100 | Improper SQL command neutralization, allowing for credential access |
CVE-2021-1675 | Windows Print Spooler | RCE |
CVE-2020-2509 | QNAP QTS and QuTS hero | Remote arbitrary code execution |
CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway | Arbitrary code execution |
CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX | Code execution |
CVE-2018-0171 | Cisco IOS Software and IOS XE Software | Remote arbitrary code execution |
CVE-2017-11882 | Microsoft Office | RCE |
CVE-2017-0199 | Microsoft Office | RCE |
Vulnerability management, Identity, and access management, and Proactive controls such as Network segmentation, application whitelisting, IAM, and EDR are suggested as mitigation controls.