Yesterday the Cybersecurity & Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC) and the U.S. Federal Bureau of Investigation (FBI) released a joint statement citing the top exploited vulnerabilities seen in 2021 so far.
The findings
There is nothing too surprising or groundbreaking in what cyber criminals target most frequently. The top exploits are focused on remote work, virtual private networks (VPNs), and cloud-based technologies. This makes sense, as the world has shifted to more remote work since early 2020 as the COVID-19 pandemic spread across the globe. The table below comes from the joint statement. The vulnerabilities shown are considered the top CVEs (Common Vulnerabilities and Exposures) exploited by cyber criminals in 2020.
Table 1: Top Routinely Exploited CVEs in 2020

| Vendor | CVE | Type |
| --- | --- | --- |
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | RCE |
| Microsoft | CVE-2017-11882 | RCE |
| Atlassian | CVE-2019-11580 | RCE |
| Drupal | CVE-2018-7600 | RCE |
| Telerik | CVE-2019-18935 | RCE |
| Microsoft | CVE-2019-0604 | RCE |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |

Source: https://us-cert.cisa.gov/ncas/alerts/aa21-209a
Focus on these
The joint statement also provides insight into the top exploits you need to patch and focus on. It suggests prioritizing several CVEs found in products from Microsoft, Pulse Secure, Accellion, VMware, and Fortinet. For the full list and remediation steps, check out the statement.
Next Steps
We strongly recommend verifying whether any of these vulnerabilities affect your devices and networks. If they do, patch them immediately. As we have written before, keeping software up to date is key to protecting your small business from falling victim to a cyberattack.
For the latest news on cybersecurity or to test your cybersecurity knowledge, check out Small Business, Big Threat!