The Log4Shell vulnerability topped the list of 15 most exploited by cyber actors, according to cybersecurity agencies. Pictured: A computer keyboard is seen in this cropped image with Javascript in the background. ("Coding Javascript" by Christiaan Colen is marked with CC BY-SA 2.0.)

The cybersecurity authorities of the Five Eyes intelligence alliance detailed what they say are the 15 most common vulnerabilities exploited by malicious actors in 2021.

The joint cybersecurity advisory released Wednesday by the Cybersecurity and Infrastructure Security Agency, National Security Agency, FBI, Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre and the U.K.’s National Cyber Security Centre said malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private organizations. 

Highlighted in the alert were the following vulnerabilities:

Log4Shell

CVE-2021-44228: Apache’s open-source logging framework Log4j library could allow a cyber actor to take full control over a system by submitting a specially crafted request to a vulnerable system. Since Log4j is incorporated into thousands of products, the vulnerability was quickly weaponized after it was disclosed in December 2021. 

ProxyLogon

Four vulnerabilities known as ProxyLogon (CVE-2021026855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065) affected Microsoft Exchange email servers that allowed cyber actors to execute arbitrary code that enabled access to files and mailboxes on the servers, as well as stored credentials. 

ProxyShell

Three vulnerabilities known as ProxyShell (CVE-2021-35423, CVE-2021-34473, CVE-2021031207) also affected Microsoft Exchange email servers that reside in Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services. CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers, the alert explained.

Atlassian Confluence Server and Data Center

CVE-20210-2684: The Atlassian vulnerability quickly became one of the most routinely exploited after a proof of concept (POC) was released. An attempted mass exploitation of the vulnerability was observed in September, according to the alert.

The remaining vulnerabilities in the top 15 were:

  • CVE-2021-40539, which allows remote code execution via Zoho ManageEngine AD SelfService Plus
  • CVE-2021-21972, which allows remote code execution in VMware vSphere Client
  • CVE-2020-1472, aka ZeroLogon, which allows elevation privilege via Microsoft Netlogon Remote Protocol
  • CVE-2020-0688, which allows remote code execution via Microsoft Exchange Server
  • CVE-2019-11510, which allows arbitrary file reading in Pulse Connect Pulse Connect Secure
  • CVE-2018-13379, which allows path traversal in Fortinet FortiOS and FortiProxy

To view additional vulnerabilities that are routinely exploited and recommendations on how to mitigate them, view the joint alert here.