Cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations worldwide.  However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.

Today, CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the Federal Bureau of Investigation (FBI) announced the release of a Joint Cybersecurity Advisory Top Routinely Exploited Vulnerabilities, which details the top vulnerabilities routinely exploited by malicious actors in 2020 and those being widely exploited thus far in 2021.

In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems.  Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years.  In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices.  Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs.  Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation.  This advisory lists the vendors, products, and CVEs associated with these vulnerabilities, which organizations urgently patch.

We encourage you to share this information widely.  The advisory can be found at https://us-cert.cisa.gov/ncas/alerts/aa21-209.