There are patches or remediations for all of them, but they’re still being picked apart.
Why should attackers stop if the flaws remain unpatched, as so many do?
In a perfect world, CISA would laminate a card listing the year’s top 30 vulnerabilities: You could whip it out and ask a business whether it has bandaged these specific wounds before you hand over your cash.
This is not a perfect world. There are no laminated vulnerability cards.
But at least we have the list: In a joint advisory (PDF) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, and the UK’s National Cyber Security Centre listed the vulnerabilities that were “routinely” exploited in 2020, as well as those that are most often being picked apart so far this year.
The vulnerabilities – which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian – include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.
“Cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” according to the advisory. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
So far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with a particularly high amount of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.
All of the vulnerabilities have received patches from vendors. That doesn’t mean those patches have been applied, of course.