How the NSA’s ‘Top 25’ alert helps security teams prioritize patching

November 4, 2020
The “Top 25” list of critical vulnerabilities released by the NSA last month offers good insight into the general tactics of Chinese state-backed hackers, the conditions of corporate security programs, and what companies can do to sharpen up their patching operations. Today’s columnist, Jerry Gamblin of Kenna Security, tells us why issuing the list was important. (Credit: CC BY-NC-ND 2.0)
  • Remote code execution. Nearly all of the vulnerabilities allowed remote code execution. The goal isn’t destruction; the attackers are looking for information gathering or access to internal systems.
  • Established exploits. For nearly all of the vulnerabilities on the list, exploits are publicly available. In most cases, exploits for these vulnerabilities were developed and released more than six months ago. The list even includes an Oracle WebLogic vulnerability from 2015.
  • Available on the internet. The vulnerabilities target applications or services that are publicly available on the internet from anywhere in the world.
  • Patches are available for all of them. All 25 vulnerabilities have patches available, and many have had them for years.