Report Name: AA23-215A report
Generated: 2023-08-05 13:55:38

Product Name	Prevalence	U	C	H	M	L	A	Comment
Apache HTTP Server	0.9	3					3	Apache HTTP Server is a free and open-source web server that delivers web content through the internet
Apache Log4j2	0.9	2					2	Log4j2 is revamped version of Apache Logging framework
Microsoft Exchange	0.8	8					8	Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft
Microsoft Office	0.8	2					2	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft Windows Support Diagnostic Tool (MSDT)	0.8	1					1	The Microsoft Support Diagnostic Tool is a legacy service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes
Netlogon Remote Protocol	0.8	1					1	The Netlogon Remote Protocol is a remote procedure call (RPC) interface that is used for user and machine authentication on domain-based networks
Windows Client Server Run-time Subsystem (CSRSS)	0.8			1			1	Client Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later
Windows Remote Desktop Services	0.8	1					1	Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection
BIG-IP	0.7	2					2	BIG-IP platform is a smart evolution of Application Delivery Controller (ADC) technology; solutions built on this platform are load balancers
Citrix Application Delivery Controller	0.7	1					1	Citrix Application Delivery Controller (ADC) is an advanced load balancer with features that enhance the performance of applications
Confluence Server	0.7	2					2	Confluence is a web-based corporate wiki
Pulse Connect Secure	0.7	1					1	Pulse Connect Secure provides a seamless, cost-effective, SSL VPN solution for remote and mobile users from any web- enabled device to corporate resources
FortiOS	0.5	3					3	FortiOS is Fortinet's operating system used in their hardware, such as the Fortigate firewall and switches
QNAP NAS	0.5		1				1	A QNAP NAS is a powerful device that allows you to store and share files and access them from anywhere in the world
SAP NetWeaver	0.5	1					1	SAP NetWeaver is a software stack for many of SAP SE's applications
SonicWall SMA100	0.5	1	1				2	SonicWall Secure Mobile Access (SMA) 100 Series solution simplifies end-to-end secure remote access to corporate resources hosted across on-prem, cloud and hybrid data centers, empowering your workforce without increasing the risk to your enterprise
VMware Workspace One	0.5	1	1				2	VMware Workspace ONE is a management platform that allows IT administrators to centrally control end users' mobile devices and cloud-hosted virtual desktops and applications from the cloud or from an on-premises deployment
Zoho ManageEngine ADSelfService Plus	0.5	1					1	Zoho ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps
Oracle WebLogic Server	0.4	2					2	Unified and extensible platform for developing, deploying and running enterprise applications
SonicWall Email Security	0.4		1				1	SonicWall Email Security appliances and software provide multi-layered protection from inbound and outbound email threats and compliance violations
Spring Cloud Function	0.4	1					1	Spring Cloud Function abstracts away all of the transport details and infrastructure, allowing the developer to keep all the familiar tools and processes, and focus firmly on business logic
WSO2 Identity Server	0.4	1					1	WSO2 Identity Server is an API-driven open source identity and access management (IAM) product designed to help you build effective customer IAM (CIAM) solutions
Zimbra Collaboration	0.3		1	1			2	Zimbra Collaboration is a collaborative software suite that includes an email server and a web client

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0	22					22
Code Injection	0.97		1				1
Command Injection	0.97	2	2				4
Arbitrary File Reading	0.95	1					1
Authentication Bypass	0.95	4	1				5
Security Feature Bypass	0.9	1					1
Memory Corruption	0.6	1					1
Elevation of Privilege	0.5	2	1	1			4
Cross Site Scripting	0.4			1			1
Path Traversal	0.4	2					2

Source	U	C	H	M	L	A
Comment	35	5	2			42

Urgent (35)

1. Remote Code Execution - Apache HTTP Server (CVE-2021-42013) - Urgent [983]

Description: It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-42013 Apache HTTP Server Server Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

2. Remote Code Execution - Apache Log4j2 (CVE-2021-44228) - Urgent [983]

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-44228 (Log4Shell) Apache Log4j2 RCE CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption CWE-502 Deserialization of Untrusted Data

3. Remote Code Execution - Apache Log4j2 (CVE-2021-45046) - Urgent [971]

Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-45046 Apache Log4j RCE CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

4. Command Injection - Apache HTTP Server (CVE-2021-40438) - Urgent [966]

Description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-40438 Apache HTTP Server Server-Side Request Forgery CWE-918: Server-Side Request Forgery (SSRF)

5. Remote Code Execution - Windows Remote Desktop Services (CVE-2019-0708) - Urgent [966]

Description: A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2019-0708 Microsoft Remote Desktop Services RCE CWE-416: Use After Free

6. Remote Code Execution - Apache HTTP Server (CVE-2021-41773) - Urgent [959]

Description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-41773 Apache HTTP Server Server Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7. Remote Code Execution - Microsoft Exchange (CVE-2021-26855) - Urgent [954]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-26855 (ProxyLogon) Microsoft Exchange Server RCE CWE-918: Server-Side Request Forgery (SSRF)

8. Remote Code Execution - Microsoft Exchange (CVE-2021-34473) - Urgent [954]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34473 (Proxy Shell) Microsoft Exchange Server RCE CWE-918 Server-Side Request Forgery (SSRF)

9. Remote Code Execution - BIG-IP (CVE-2020-5902) - Urgent [950]

Description: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-5902 F5 Networks BIG-IP RCE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

10. Remote Code Execution - Confluence Server (CVE-2021-26084) - Urgent [950]

Description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-26084 Atlassian Confluence Server and Data Center Arbitrary code execution CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

11. Remote Code Execution - Confluence Server (CVE-2022-26134) - Urgent [950]

Description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-26134 Atlassian Confluence Server and Data Center RCE CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

12. Remote Code Execution - Microsoft Exchange (CVE-2021-26857) - Urgent [942]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-26857 (ProxyLogon) Microsoft Exchange Server RCE CWE-502: Deserialization of Untrusted Data

13. Remote Code Execution - Microsoft Exchange (CVE-2021-26858) - Urgent [942]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-26858 (ProxyLogon) Microsoft Exchange Server RCE None Listed

14. Remote Code Execution - Microsoft Exchange (CVE-2021-27065) - Urgent [942]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-27065 (ProxyLogon) Microsoft Exchange Server RCE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

15. Remote Code Execution - Microsoft Exchange (CVE-2022-41082) - Urgent [942]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-41082 Microsoft Exchange Server Privilege Escalation None Listed

16. Remote Code Execution - Microsoft Office (CVE-2017-11882) - Urgent [942]

Description: Microsoft Office Memory Corruption Vulnerability. A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how the affected Office component handles objects in memory.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2017-11882 Microsoft Exchange Server Arbitrary Code Execution CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

17. Remote Code Execution - Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-30190) - Urgent [942]

Description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-30190 Microsoft Multiple Products RCE None Listed

18. Arbitrary File Reading - Pulse Connect Secure (CVE-2019-11510) - Urgent [941]

Description: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2019-11510 Ivanti Pulse Secure Pulse Connect Secure Arbitrary File Reading CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

19. Authentication Bypass - BIG-IP (CVE-2022-1388) - Urgent [941]

Description: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-1388 F5 Networks BIG-IP Missing Authentication Vulnerability CWE-306 Missing Authentication for Critical Function

20. Remote Code Execution - Microsoft Office (CVE-2017-0199) - Urgent [930]

Description: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2017-0199 Microsoft Multiple Products Arbitrary Code Execution None Listed

21. Remote Code Execution - FortiOS (CVE-2022-42475) - Urgent [916]

Description: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-42475 Fortinet FortiOS Heap-based Buffer Overflow CWE-787: Out-of-bounds Write

22. Remote Code Execution - VMware Workspace One (CVE-2022-22954) - Urgent [916]

Description: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22954 VMware Workspace ONE Access and Identity Manager RCE CWE-94 Improper Control of Generation of Code ('Code Injection')

23. Remote Code Execution - Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) - Urgent [916]

Description: Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-40539 Zoho ManageEngine ADSelfService Plus RCE/ Authentication Bypass CWE-287 Improper Authentication

24. Security Feature Bypass - Microsoft Exchange (CVE-2021-31207) - Urgent [913]

Description: Microsoft Exchange Server Security Feature Bypass Vulnerability

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-31207 (Proxy Shell) Microsoft Exchange Server Security Feature Bypass CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

25. Command Injection - SAP NetWeaver (CVE-2022-22536) - Urgent [911]

Description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-22536 SAP Internet Communication Manager (ICM) HTTP Request Smuggling CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

26. Authentication Bypass - FortiOS (CVE-2022-40684) - Urgent [907]

Description: An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-40684 Fortinet FortiOS, FortiProxy, FortiSwitchManager Authentication Bypass CWE-306: Missing Authentication for Critical Function

27. Remote Code Execution - Spring Cloud Function (CVE-2022-22963) - Urgent [899]

Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-22963 VMware Tanzu Spring Cloud RCE CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

28. Remote Code Execution - WSO2 Identity Server (CVE-2022-29464) - Urgent [899]

Description: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-29464 WSO2 Multiple Products RCE CWE-434: Unrestricted Upload of File with Dangerous Type

29. Authentication Bypass - Oracle WebLogic Server (CVE-2020-14882) - Urgent [891]

Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-14882 Oracle WebLogic Server RCE None Listed

30. Elevation of Privilege - Netlogon Remote Protocol (CVE-2020-1472) - Urgent [877]

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-1472 Microsoft Multiple Products Privilege Escalation CWE-330: Use of Insufficiently Random Values

31. Elevation of Privilege - Microsoft Exchange (CVE-2021-34523) - Urgent [865]

Description: Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34523 (Proxy Shell) Microsoft Exchange Server Elevation of Privilege CWE-287 Improper Authentication

32. Authentication Bypass - Oracle WebLogic Server (CVE-2020-14883) - Urgent [855]

Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-14883 Oracle WebLogic Server RCE None Listed

33. Memory Corruption - SonicWall SMA100 (CVE-2021-20038) - Urgent [845]

Description: A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-20038 SonicWall SMA 100 Series Appliances Stack-based Buffer Overflow CWE-787: Out-of-bounds Write CWE-121: Stack-based Buffer Overflow

34. Path Traversal - Citrix Application Delivery Controller (CVE-2019-19781) - Urgent [842]

Description: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2019-19781 Citrix Application Delivery Controller and Gateway Arbitrary Code Execution CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

35. Path Traversal - FortiOS (CVE-2018-13379) - Urgent [809]

Description: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2018-13379 Fortinet FortiOS and FortiProxy SSL VPN credential exposure CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Critical (5)

36. Elevation of Privilege - VMware Workspace One (CVE-2022-22960) - Critical [732]

Description: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to 'root'.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22960 VMware Workspace ONE Access, Identity Manager, and vRealize Automation Improper Privilege Management CWE-269 Improper Privilege Management

37. Code Injection - SonicWall SMA100 (CVE-2021-20016) - Critical [697]

Description: A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-20016 SonicWALL SSLVPN SMA100 SQL Injection CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

38. Command Injection - QNAP NAS (CVE-2022-27593) - Critical [697]

Description: An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-27593 QNAP QNAP NAS Externally Controlled Reference CWE-610: Externally Controlled Reference to a Resource in Another Sphere

39. Authentication Bypass - SonicWall Email Security (CVE-2021-20021) - Critical [664]

Description: A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-20021 SonicWALL Email Security Privilege Escalation Exploit Chain CWE-269: Improper Privilege Management

40. Command Injection - Zimbra Collaboration (CVE-2022-27924) - Critical [651]

Description: Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-27924 Zimbra Zimbra Collaboration Suite Command Injection CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

High (2)

41. Elevation of Privilege - Windows Client Server Run-time Subsystem (CSRSS) (CVE-2022-22047) - High [591]

Description: Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-22047 Microsoft Windows CSRSS Elevation of Privilege CWE-269: Improper Privilege Management

42. Cross Site Scripting - Zimbra Collaboration (CVE-2022-24682) - High [514]

Description: An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-24682 Zimbra Collaboration Suite ‘Cross-site Scripting’ CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Medium (0)

Low (0)

Exploitation in the wild detected (42)

Remote Code Execution (22)

• Apache HTTP Server (CVE-2021-41773, CVE-2021-42013)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-41773 Apache HTTP Server Server Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-42013 Apache HTTP Server Server Path Traversal CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• Apache Log4j2 (CVE-2021-44228, CVE-2021-45046)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-44228 (Log4Shell) Apache Log4j2 RCE CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption CWE-502 Deserialization of Untrusted Data

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-45046 Apache Log4j RCE CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

• Windows Remote Desktop Services (CVE-2019-0708)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2019-0708 Microsoft Remote Desktop Services RCE CWE-416: Use After Free

• Microsoft Exchange (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-34473, CVE-2022-41082)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34473 (Proxy Shell) Microsoft Exchange Server RCE CWE-918 Server-Side Request Forgery (SSRF)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-26855 (ProxyLogon) Microsoft Exchange Server RCE CWE-918: Server-Side Request Forgery (SSRF)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-27065 (ProxyLogon) Microsoft Exchange Server RCE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-26858 (ProxyLogon) Microsoft Exchange Server RCE None Listed

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-26857 (ProxyLogon) Microsoft Exchange Server RCE CWE-502: Deserialization of Untrusted Data

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-41082 Microsoft Exchange Server Privilege Escalation None Listed

• BIG-IP (CVE-2020-5902)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-5902 F5 Networks BIG-IP RCE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• Confluence Server (CVE-2021-26084, CVE-2022-26134)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-26084 Atlassian Confluence Server and Data Center Arbitrary code execution CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-26134 Atlassian Confluence Server and Data Center RCE CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

• Microsoft Office (CVE-2017-0199, CVE-2017-11882)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2017-0199 Microsoft Multiple Products Arbitrary Code Execution None Listed

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2017-11882 Microsoft Exchange Server Arbitrary Code Execution CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

• Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-30190)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-30190 Microsoft Multiple Products RCE None Listed

• FortiOS (CVE-2022-42475)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-42475 Fortinet FortiOS Heap-based Buffer Overflow CWE-787: Out-of-bounds Write

• VMware Workspace One (CVE-2022-22954)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22954 VMware Workspace ONE Access and Identity Manager RCE CWE-94 Improper Control of Generation of Code ('Code Injection')

• Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-40539 Zoho ManageEngine ADSelfService Plus RCE/ Authentication Bypass CWE-287 Improper Authentication

• Spring Cloud Function (CVE-2022-22963)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-22963 VMware Tanzu Spring Cloud RCE CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

• WSO2 Identity Server (CVE-2022-29464)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-29464 WSO2 Multiple Products RCE CWE-434: Unrestricted Upload of File with Dangerous Type

Command Injection (4)

• Apache HTTP Server (CVE-2021-40438)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-40438 Apache HTTP Server Server-Side Request Forgery CWE-918: Server-Side Request Forgery (SSRF)

• SAP NetWeaver (CVE-2022-22536)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-22536 SAP Internet Communication Manager (ICM) HTTP Request Smuggling CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

• QNAP NAS (CVE-2022-27593)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-27593 QNAP QNAP NAS Externally Controlled Reference CWE-610: Externally Controlled Reference to a Resource in Another Sphere

• Zimbra Collaboration (CVE-2022-27924)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-27924 Zimbra Zimbra Collaboration Suite Command Injection CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Arbitrary File Reading (1)

• Pulse Connect Secure (CVE-2019-11510)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2019-11510 Ivanti Pulse Secure Pulse Connect Secure Arbitrary File Reading CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Authentication Bypass (5)

• BIG-IP (CVE-2022-1388)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-1388 F5 Networks BIG-IP Missing Authentication Vulnerability CWE-306 Missing Authentication for Critical Function

• FortiOS (CVE-2022-40684)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-40684 Fortinet FortiOS, FortiProxy, FortiSwitchManager Authentication Bypass CWE-306: Missing Authentication for Critical Function

• Oracle WebLogic Server (CVE-2020-14882, CVE-2020-14883)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-14882 Oracle WebLogic Server RCE None Listed

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-14883 Oracle WebLogic Server RCE None Listed

• SonicWall Email Security (CVE-2021-20021)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-20021 SonicWALL Email Security Privilege Escalation Exploit Chain CWE-269: Improper Privilege Management

Security Feature Bypass (1)

• Microsoft Exchange (CVE-2021-31207)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-31207 (Proxy Shell) Microsoft Exchange Server Security Feature Bypass CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Elevation of Privilege (4)

• Netlogon Remote Protocol (CVE-2020-1472)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2020-1472 Microsoft Multiple Products Privilege Escalation CWE-330: Use of Insufficiently Random Values

• Microsoft Exchange (CVE-2021-34523)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34523 (Proxy Shell) Microsoft Exchange Server Elevation of Privilege CWE-287 Improper Authentication

• VMware Workspace One (CVE-2022-22960)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22960 VMware Workspace ONE Access, Identity Manager, and vRealize Automation Improper Privilege Management CWE-269 Improper Privilege Management

• Windows Client Server Run-time Subsystem (CSRSS) (CVE-2022-22047)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-22047 Microsoft Windows CSRSS Elevation of Privilege CWE-269: Improper Privilege Management

Memory Corruption (1)

• SonicWall SMA100 (CVE-2021-20038)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-20038 SonicWall SMA 100 Series Appliances Stack-based Buffer Overflow CWE-787: Out-of-bounds Write CWE-121: Stack-based Buffer Overflow

Path Traversal (2)

• Citrix Application Delivery Controller (CVE-2019-19781)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2019-19781 Citrix Application Delivery Controller and Gateway Arbitrary Code Execution CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• FortiOS (CVE-2018-13379)

Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.

Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2018-13379 Fortinet FortiOS and FortiProxy SSL VPN credential exposure CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Code Injection (1)

• SonicWall SMA100 (CVE-2021-20016)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2021-20016 SonicWALL SSLVPN SMA100 SQL Injection CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Cross Site Scripting (1)

• Zimbra Collaboration (CVE-2022-24682)

Comment: Table 2 "30 Additional Routinely Exploited Vulnerabilities in 2022": CVE-2022-24682 Zimbra Collaboration Suite ‘Cross-site Scripting’ CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (0)