Five Eyes Alliance cybersecurity authorities released a joint advisory on the Common Vulnerabilities and Exposures (CVEs) most frequently abused by attackers, listing the 15 most commonly exploited vulnerabilities of 2021. The compilation was constructed to help organizations prioritize their mitigation efforts.
Log4j and Microsoft Exchange

The first vulnerability highlighted was Log4Shell (CVE-2021-44228) in Apache’s Log4j library, a popular, open-source logging framework incorporated into thousands of products worldwide. Disclosed last December, the vulnerability received a perfect 10 out of 10 severity score. Security professionals from Palo Alto Networks and Cisco warned Log4Shell is “incredibly easy” to exploit and very few organizations can escape it.
“The rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch,” the advisory stated.
Eight out of 15 top vulnerabilities that were routinely exploited by malicious actors last year impacted Microsoft Exchange email servers.
Four of them — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 — are known as ProxyLogon. Vulnerability chaining — exploiting those vulnerabilities in combination — would enable attackers to execute arbitrary code on Exchange servers, which would allow them to gain access to files, mailboxes, and credentials.
Another three vulnerabilities, CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207, were dubbed ProxyShell and were located within the Microsoft Client Access Service. Successfully exploiting the ProxyShell combination also enabled remote actors to execute arbitrary code.
Other vulnerabilities making the list included CVE-2021-40539, CVE-2021-26084, and CVE-2021-21972. Those impacted Zoho ManageEngine AD SelfService Plus, Atlassian Confluence server and data center, and VMware vSphere Client products, respectively.
Dated Vulnerabilities

The list also included a number of older vulnerabilities that had been commonly exploited for years. These included CVE-2020-1472 (ZeroLogon), CVE-2020-0688, CVE-2019-11510, and CVE-2018-13379.
“The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor,” the agencies warned.
“We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them,” Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said in a statement.
Mitigation Measures

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and agencies from other Five Eyes countries are encouraging organizations to use mitigation measures such as timely patching of their systems, implementing centralized patch management, and replacing end-of-life software.
They also suggest using identity and access management tools including multi-factor authentication (MFA), properly configuring and securing internet-facing network devices, encrypting network traffic, and disabling unused network ports, protocols, services, and devices.
“This report should be a reminder to organizations that bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities,” NSA Cybersecurity Director Rob Joyce said in a statement. “Get a handle on mitigations or patches as these CVEs are actively exploited.”