The Cybersecurity and Infrastructure Security Agency (CISA), along with Federal and international partners, released a list of frequently exploited common cybersecurity vulnerabilities and exposures (CVEs), including the top 15 most exploited CVEs of 2021.
While the top 15 CVEs were all previously public, the joint cyber advisory – released along with the FBI and National Security Agency, as well as cyber partners in Australia, Canada, New Zealand, and the United Kingdom – provides advice for organizations to be able to prioritize mitigation measures against unpatched cybersecurity vulnerabilities.
“We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address cybersecurity threats,” CISA Director Jen Easterly said in a press release.
“CISA and our partners are releasing this advisory to highlight the risk that the most commonly exploited vulnerabilities pose to both public and private sector networks,” Easterly added. “We urge all organizations to assess their cybersecurity vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities.”
Topping the list of most exploited cybersecurity vulnerabilities is the Log4Shell vulnerability disclosed in December 2021. The cyber attack vulnerability was tucked into a popular open-source library and utilized in numerous products both Federal and commercial.
The advisory warns organizations to prioritize mitigation measures around cybersecurity vulnerability and configuration management, security policy, identity and access management, and protective controls and architecture.
“This report should be a reminder to organizations that bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities,” NSA Cybersecurity Director Rob Joyce said. “Get a handle on mitigations or patches as these CVEs are actively exploited.”
More specifically, the advisory suggests organizations prioritize:
- “updating software, operating systems, applications, and firmware, with a prioritization on patching known exploited vulnerabilities; implementing a centralized patch management system; and replacing end-of-life software” for vulnerability management;
- “enforcing multi-factor authentication (MFA) for all users; if MFA is unavailable, require employees engaging in remote work to use strong passwords; and regularly reviewing, validating, or removing privileged accounts” for identity management; and
- “properly configuring and secure internet-facing network devices, disabling unused or unnecessary network ports and protocols, encrypting network traffic, and disabling unused network services and devices” for protective controls and architecture.
“Though the FBI will continue to pursue and disrupt this type of malicious cyber activity, we need your help,” FBI’s Cyber Division Assistant Director Bryan Vorndran, said. “We strongly encourage private sector organizations and the public to implement these steps to mitigate threats from known cyber vulnerabilities, and if you believe you are a victim of a cyber incident, contact your local FBI field office.”