U.S. and International Cybersecurity Partners Warn Organizations of Routinely Exploited Vulnerabilities
Joint advisory urges organizations to implement secure by design practices and prioritize patching known exploited vulnerabilities to reduce risk of compromise
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), Computer Emergency Response Team New Zealand (CERT NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) published an advisory today on the Common Vulnerabilities and Exposures (CVEs), including the associated Common Weakness Enumeration (CWE) entries, that were routinely and frequently exploited by malicious actors last year.
The joint Cybersecurity Advisory, titled “2022 Top Routinely Exploited Vulnerabilities,” provides technical background details on the 12 most exploited vulnerabilities and an overview of an additional 30 vulnerabilities often used to compromise organizations, including specific details that organizations can use to identify and mitigate their exposure.
For the first time, this advisory outlines the CWEs associated with these vulnerabilities, which reflect the underlying root causes that led to each exploited vulnerability. To reduce the prevalence of common classes of vulnerabilities, the advisory urges technology vendors to implement specific secure by design principles and to ensure that every published CVE includes the proper CWE identifying the root cause of the vulnerability.
“Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to Secure by Design,” said Eric Goldstein, CISA Executive Assistant Director for Cybersecurity. “Until that day, malicious actors will continue to find it far too easy to exploit organizations around the world. With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”
“Organizations continue using unpatched software and systems, leaving easily discovered openings for cyber actors to target,” said Neal Ziring, the Technical Director for NSA’s Cybersecurity Directorate. “Older vulnerabilities can provide low-cost and high impact means for these actors to access sensitive data.”
“The FBI remains committed to sharing critical cyber threat information with the private sector to combat malicious cyber activity that is targeting American businesses,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division. “We strongly encourage all organizations to address potential network vulnerabilities and implement mitigation strategies referenced in the product. By working with our federal, international, and private sector partners, we will continue to strengthen our defense against malicious cyber actors.”
“We have used the power of our international partnerships to identify the attack methods most popular with malicious actors operating internationally,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre. “Every organisation should be using this list to patch their systems and use it to guide their vulnerability management strategy. Equally, industry can use this list to strengthen products in design processes. Unpatched software is a top access route for hackers and no one should assume all their systems are up to date.”
“When we work as a community we can strengthen our collective resilience,” said Sami Khoury, Head, Canadian Centre for Cyber Security. “Every organization with internet-facing networks that implements recommended mitigation measures will greatly reduce their risk of compromise by malicious cyber actors. We know that timely patching reduces the effectiveness of the vulnerabilities listed in this report. We also know that vendors and developers have a strong role to play by responsibly designing products that are secure by design and default. Together, we can reduce our collective vulnerability and increase our overall security posture.”
“This advisory reinforces one of the foundational aspects of cyber security,” said Lisa Fong, responsible for New Zealand’s National Cyber Security Centre. “Malicious actors continue to succeed using the same techniques over and over. I can’t emphasise enough the importance of doing the basics well by understanding your assets, and rapidly applying patches when they become available. Acting on CVE reporting is the difference between getting onto your to-do list and getting onto someone else’s to-do list.”
“This is a timely reminder for organisations that asset lifecycle management and patching policies are incredibly important,” said Rob Pope, Director, CERT NZ. “I’d also like to stress that vulnerability disclosure is a very good thing and organisations that supply software or services should have a vulnerability disclosure policy in place as part of the secure-by-design principles. Doing this makes everyone more secure in the long run.”
“Vulnerabilities are sadly part and parcel of our online world and we see threat actors continue to take advantage of these weaknesses to compromise systems,” said Jonathon Ellison, NCSC-UK Director of Resilience and Future Technology. “This joint advisory with our allies raises awareness of the most routinely exploited vulnerabilities in 2022 to help organisations identify where they might be at risk and take action. To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers.”
All organizations are encouraged to review and implement the recommended mitigations in this detailed joint CSA.
Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities. When cyber incidents are reported quickly, it can help stop further attacks. In the U.S., organizations should inform CISA’s 24/7 Operations Center at firstname.lastname@example.org or (888) 282-0870, or an FBI field office.
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.