Skip to main content
close search
site logo
Dive Brief

Inside the most-commonly exploited CVEs of 2022

Delayed patching and unmet secure-by-design principles are aggravating the risk of compromise, the Five Eyes warned Thursday.

Published Aug. 4, 2023
Matt Kapko's headshot
Senior Reporter
Smiling businesswoman in headphones taking notes, working with laptop and talking smartphone, blue glowing information protection icons. Padlock, cloud and digital interface. Cyber security concept - stock photo
iStock via Getty Images

Dive Brief:

  • Half of the 12 most-commonly exploited vulnerabilities in 2022 were discovered the previous year, cyber authorities from the Five Eyes said in a joint advisory released Thursday. One of the top 12 vulnerabilities was discovered in 2018.
  • Flaws in Microsoft products accounted for 1 in 3 of the most-routinely exploited vulnerabilities, including three Exchange Server CVEs from 2021. Two-thirds of the most-exploited vulnerabilities were found in products from three vendors: Atlassian, Microsoft and VMware.
  • Other vendors that made the list include Apache’s Log4j, F5 Networks, Fortinet and Zoho.

Dive Insight:

The staying power of older vulnerabilities calls attention to a pair of long-running challenges exasperating organizations and their ability to defend against common threats.

Delayed or inconsistent vulnerability patching remains an underlying problem. This, combined with the unmet need for vendors, designers and developers to adhere to secure-by-design and secure-by-default principles, is aggravating the risk of compromise by malicious cyber actors.

The Five Eyes intelligence alliance, which includes authorities from the U.S., Australia, Canada, New Zealand and the U.K., reiterated the need for vendors to follow secure design practices throughout the software development lifecycle.

End-user organizations bear responsibility as well, particularly as it relates to a timely patch management system and thorough review of software providers’ commitment to a secure-by-design program, the authorities said.

“Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods,” the Five Eyes said in the advisory.

Good patch management is a basic tenet of cybersecurity and organizations that remain vulnerable to older CVEs are “clearly apathetic to the threat landscape,” Rosa Smothers, SVP of cyber operations at KnowBe4, said via email.

“Every company should aspire to send secure-by-default software but it’s difficult for vendors to anticipate and test for every possible vulnerability,” Smothers said. “The failure is the host company’s organizational apathy, ignoring the threat against their software and devices by going years without patching known vulnerabilities.”

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell