In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.
Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).
Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.
The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):
- United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
- Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
- Canada: Canadian Centre for Cyber Security (CCCS)
- New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
- United Kingdom: National Cyber Security Centre (NCSC-UK)
This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.
The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.
- Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software.
- Follow the Secure Software Development Framework (SSDF), also known as SP 800-218, and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
- Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.
- Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.
- End-user organizations:
- Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.
- Implement a centralized patch management system.
- Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
- Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.
Download the PDF version of this report:
