Dive Brief:
- Half of the 12 most-commonly exploited vulnerabilities in 2022 were discovered the previous year, cyber authorities from the Five Eyes said in a joint advisory released Thursday. One of the top 12 vulnerabilities was discovered in 2018.
- Flaws in Microsoft products accounted for 1 in 3 of the most-routinely exploited vulnerabilities, including three Exchange Server CVEs from 2021. Two-thirds of the most-exploited vulnerabilities were found in products from three vendors: Atlassian, Microsoft and VMware.
- Other products and vendors on the list include Apache’s Log4j, F5 Networks, Fortinet and Zoho.
Dive Insight:
The staying power of older vulnerabilities calls attention to a pair of long-running challenges that undermine organizations’ ability to defend against common threats.
Delayed or inconsistent vulnerability patching remains an underlying problem. This, combined with the unmet need for vendors, designers and developers to adhere to secure-by-design and secure-by-default principles, is aggravating the risk of compromise by malicious cyber actors.
The Five Eyes intelligence alliance, which includes authorities from the U.S., Australia, Canada, New Zealand and the U.K., reiterated the need for vendors to follow secure design practices throughout the software development lifecycle.
End-user organizations bear responsibility as well, particularly in maintaining a timely patch management process and thoroughly reviewing software providers’ commitment to a secure-by-design program, the authorities said.
“Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods,” the Five Eyes said in the advisory.
Good patch management is a basic tenet of cybersecurity, and organizations that remain vulnerable to older CVEs are “clearly apathetic to the threat landscape,” Rosa Smothers, SVP of cyber operations at KnowBe4, said via email.
“Every company should aspire to send secure-by-default software but it’s difficult for vendors to anticipate and test for every possible vulnerability,” Smothers said. “The failure is the host company’s organizational apathy, ignoring the threat against their software and devices by going years without patching known vulnerabilities.”