From 2020 to 2021, there was a 33% increase in the number of reported incidents caused by vulnerability exploitation, according to the 2022 X-Force Threat Intelligence Index. A large percentage of these exploited vulnerabilities were newly discovered; in fact, four out of the top five vulnerabilities in 2021 were newer vulnerabilities. Vulnerability exploitation was the second most common initial infection vector observed by IBM Security X-Force in 2021, falling closely behind phishing. Cybercriminals are finding new ways of bypassing security defenses by identifying weaknesses in network environments or common vulnerabilities and exposures (CVEs) that can be exploited to their benefit, but to the detriment of a vulnerable organization.

This blog takes a look at the most exploited vulnerabilities of 2021 and provides recommendations for organizations to bolster their patch management program to help mitigate the risk of exploitation in 2022.

The cybersecurity vulnerabilities landscape

One of the most notable and recent CVEs of 2021 was CVE-2021-44228, also known as Log4j or Log4Shell. Despite only having been publicly disclosed in December, in less than a month the Log4j vulnerability became the second most exploited vulnerability among the top 10 CVEs of 2021.

As previously stated, four out of the top five most exploited vulnerabilities in 2021 were newly identified. When compared to 2020, that number was just two out of the 10. This trend indicates a clear increase in the volume of exploited vulnerabilities that were previously unknown, signifying that the overall attack surface is expanding rapidly.

According to internal data from X-Force, there were 20,790 new vulnerabilities identified in 2021, surpassing the previous record of 19,242 in 2020. Note that these figures represent overall vulnerabilities and are not limited to CVEs issued by MITRE. This sharp increase in vulnerabilities year over year translates to additional attack vectors that threat actors are utilizing to their advantage.

Top 10 CVEs in 2021

X-Force ranked the top 10 most common CVEs of 2021 based largely on the frequency with which threat actors exploited or attempted to exploit these vulnerabilities. The ranking is made up of data gathered by both X-Force Incident Response (IR) and IBM Managed Security Services (MSS) for 2021.

The oldest vulnerability in the 2021 top CVE list had been disclosed for four years, a drastic difference from 2020, when several CVEs had been disclosed for close to a decade or more. This trend may indicate a desire from threat actors to seek out new infection vectors when targeting victim networks. Attackers are also often quick to capitalize on new vulnerabilities that are easily exploitable and found in widespread applications and platforms such as Apache and Microsoft Exchange servers, taking advantage of the window of opportunity that exists before vulnerable organizations deploy a patch.

  • CVE-2021-34523 — Microsoft Exchange server flaw enabling malicious actors to bypass authentication and impersonate an administrator. Known generically as ProxyLogon.
  • CVE-2021-44228 — Vulnerability in Apache Log4j Library
  • CVE-2021-26857 — Microsoft Exchange Server remote code execution vulnerability
  • CVE-2020-1472 — Netlogon elevation of privilege vulnerability
  • CVE-2021-27101 — Accellion FTA vulnerability susceptible to SQL injection
  • CVE-2020-7961 — Liferay Portal deserialization of untrusted data allows for remote code execution via JSON web services
  • CVE-2020-15505 — MobileIron vulnerability allowing for remote code execution
  • CVE-2018-20062 — NoneCMS ThinkPHP remote code execution vulnerability
  • CVE-2021-35464 — ForgeRock AM server Java deserialization vulnerability allows for remote code execution
  • CVE-2019-19781 — Citrix Server path traversal flaw

Three notable CVEs from 2021 are highlighted in greater detail below:

1. CVE-2021-44228: Vulnerability in Apache Log4j library

The Log4j vulnerability, also known as Log4Shell, was publicly disclosed in December 2021. Log4j itself is a logging library developers use for Java programming and is implemented by many organizations for both server and client applications. The Apache Software Foundation rated the vulnerability as critical severity: it affects the core function of the library and can allow attackers to perform remote code execution, meaning they can run any code and gain unauthorized access to a vulnerable machine.

Although a patch has been released, large-scale organizations may have hundreds of vulnerable applications running on thousands of devices, creating more complexity and a wider attack surface. As a result, the security community has seen numerous attempted Log4j attacks against organizations across all industries into 2022. The fact that Log4j was the second-highest ranked vulnerability after less than a month highlights its popularity in late 2021.

2. CVE-2021-26857: Microsoft Exchange Server remote code execution vulnerability

This CVE, disclosed in March 2021 along with three other critical vulnerabilities impacting on-premises Microsoft Exchange Servers and known together as ProxyLogon, was actively being exploited by APT groups at the time of discovery. ProxyLogon has continued to be an access vector for ransomware operators. Notably, in 2021, operators of both Black KingDom and DearCry ransomware were observed leveraging this exploit in recent campaigns. X-Force ranked this vulnerability as the third-most exploited vulnerability in 2021. This CVE is an insecure deserialization flaw in the Microsoft Exchange Unified Messaging Service that allows threat actors to infiltrate the on-premises Exchange Servers of an intended target and install web-based trojan backdoors for long-term access.

Following the initial disclosure of the CVE, several security vendors reported that at least 10 APT groups had been observed exploiting Microsoft Exchange Server vulnerabilities. These threat actor groups, which may be linked to the Chinese state-sponsored threat actor group APT41, include Hafnium, LuckyMouse, Tick, Calypso and Winnti Group (tracked by X-Force as Hive0088). Proper software updates and patches have since been released by Microsoft to address these Exchange flaws; however, the surge in attacks in March 2021 highlights the criticality of this CVE and justifies its place in this year’s top 10 CVE list.

3. CVE-2019-19781: Citrix Server path traversal flaw

This vulnerability was discovered in December 2019 and was the number one most exploited vulnerability in 2020. Despite its discovery being over two years old, this Citrix vulnerability (CVE-2019-19781) still made it into the X-Force top 10 vulnerability list for 2021. This longevity may be attributed to the effectiveness of the exploit, the ease of operationalization and/or the widespread nature of Citrix technology.

The Citrix vulnerability affects Citrix ADC and Citrix Gateway, allowing threat actors to exploit a directory traversal flaw within Citrix servers and perform remote arbitrary code execution, with the added ability to download payloads such as trojan backdoors that allow command execution.

The Unknown: Zero-day exploits

Enterprises can have the most robust defense-in-depth security measures in place to protect their business functions, but nonetheless, one can never be protected with one hundred percent certainty. Threat actors are always developing more sophisticated tactics, techniques and procedures (TTPs) to target victims, as well as finding new and creative avenues to infect and exploit individuals and organizations. Vulnerabilities that have not yet been publicly disclosed or discovered are known as zero-days; exploits for them (zero-day exploits) pose significant threats to enterprise networks.

Although it is hard to defend against unknown vulnerabilities, X-Force assesses that known vulnerabilities pose a greater threat to organizations overall. When it comes to vulnerability management, taking a layered approach that can identify, prioritize and remediate already disclosed vulnerabilities can drastically reduce risk levels and may even provide a strong return on investment (ROI).

Vulnerability management and remediation efforts

In today’s cybersecurity threat landscape, protecting one’s network infrastructure from exploitation by malicious actors is a critical step in maintaining proper security hygiene for any organization, regardless of industry. By utilizing vulnerability management, your organization can be confident that it is implementing the necessary steps to avoid becoming the victim of a cybersecurity attack. Identifying and patching key vulnerabilities within software applications or different network environments is a critical first step in remediating any sort of cyber-related risk.

Being able to effectively implement a vulnerability management program into your organization is key to long-term success but can come with added complexity based on your business needs and goals. X-Force recommends using our top 10 CVEs list to aid in identifying key vulnerabilities that threat actors are most likely to target and exploit.

Additional remediation measures listed below can help prioritize key elements when implementing a robust patch management program:

  • Take quarterly inventory of your network. This can help identify authorized software associated with applications, devices, operating systems or other assets to drive key business decision-making.
  • Leverage your inventory to identify risk and remove any unauthorized software. This will narrow the overall attack surface of your organization.
  • Know your most critical assets and which ones could expose sensitive data. Set baselines for these assets and observe how they behave against the baseline.
  • Create and develop test environments prior to patch management. Make sure to test software patches before applying and rolling them out. Don’t run any updates on unsecured networks that attackers could potentially access.
  • Utilize automated tools to help expedite vulnerability management efforts. These tools can assist in the deployment of software patches. It is recommended to roll patches out in smaller batches to limit the impact of any incompatibility that might have been missed during the testing phase.
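The five measures above and the advice to use the top 10 list for prioritization fit together as one workflow: inventory, flag unauthorized software, score each asset by criticality and exposure, patch a test environment first, then roll out to production in small batches. The following added example (not code from the original post or from IBM X-Force) implements that workflow over a constructed inventory of the kind a vulnerability scanner plus a CMDB would produce. The asset records, the authorized-software list, the scoring weights and the placeholder CVE id are all assumptions made up for the illustration; the CVE set itself is the X-Force top 10 listed earlier in this post.

```python
# The X-Force top 10 most exploited CVEs of 2021, as listed in this post.
XFORCE_TOP10_2021 = {
    "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-26857", "CVE-2020-1472",
    "CVE-2021-27101", "CVE-2020-7961", "CVE-2020-15505", "CVE-2018-20062",
    "CVE-2021-35464", "CVE-2019-19781",
}

# Constructed allow list: what the quarterly inventory says may run here.
AUTHORIZED_SOFTWARE = {
    "Microsoft Exchange Server", "Windows Server", "Apache Tomcat",
    "Liferay Portal", "Citrix ADC", "Python",
}

# Constructed inventory. "findings" is what a scanner would report per host;
# CVE-PLACEHOLDER-1 is a made-up id standing in for any non-top-10 finding.
INVENTORY = [
    {"host": "exch-test-01", "env": "test", "critical": False,
     "internet_facing": False, "software": ["Microsoft Exchange Server"],
     "findings": ["CVE-2021-26857"]},
    {"host": "exch-01", "env": "prod", "critical": True,
     "internet_facing": True, "software": ["Microsoft Exchange Server"],
     "findings": ["CVE-2021-26857", "CVE-2021-34523"]},
    {"host": "adc-01", "env": "prod", "critical": True,
     "internet_facing": True, "software": ["Citrix ADC"],
     "findings": ["CVE-2019-19781"]},
    {"host": "dc-01", "env": "prod", "critical": True,
     "internet_facing": False, "software": ["Windows Server"],
     "findings": ["CVE-2020-1472"]},
    {"host": "web-03", "env": "prod", "critical": False,
     "internet_facing": True, "software": ["Apache Tomcat", "Liferay Portal"],
     "findings": ["CVE-2020-7961"]},
    {"host": "dev-box-7", "env": "prod", "critical": False,
     "internet_facing": False, "software": ["Python", "BitTorrent client"],
     "findings": ["CVE-PLACEHOLDER-1"]},
    {"host": "fileshare-2", "env": "prod", "critical": False,
     "internet_facing": False, "software": ["Windows Server"],
     "findings": []},
]


def unauthorized_software(asset):
    """Software on the asset that the inventory does not authorize."""
    return [s for s in asset["software"] if s not in AUTHORIZED_SOFTWARE]


def top10_hits(asset):
    """Findings on the asset that appear in the X-Force top 10."""
    return sorted(c for c in asset["findings"] if c in XFORCE_TOP10_2021)


def priority_score(asset):
    """Assumed weighting: top-10 CVEs count 10, others 1; doubled for
    critical assets and doubled again for internet-facing ones."""
    score = sum(10 if c in XFORCE_TOP10_2021 else 1 for c in asset["findings"])
    if asset["critical"]:
        score *= 2
    if asset["internet_facing"]:
        score *= 2
    return score


def plan_rollout(inventory, batch_size=2):
    """Patch the test environment first as its own batch, then production
    hosts in descending priority, split into batches of batch_size."""
    affected = [a for a in inventory if a["findings"]]
    test_hosts = sorted(a["host"] for a in affected if a["env"] == "test")
    prod = sorted((a for a in affected if a["env"] != "test"),
                  key=lambda a: (-priority_score(a), a["host"]))
    batches = [test_hosts] if test_hosts else []
    for i in range(0, len(prod), batch_size):
        batches.append([a["host"] for a in prod[i:i + batch_size]])
    return batches


def report(inventory):
    """Per-host summary for the patch review meeting."""
    return [{"host": a["host"], "score": priority_score(a),
             "top10": top10_hits(a), "unauthorized": unauthorized_software(a)}
            for a in sorted(inventory, key=lambda a: -priority_score(a))]


if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row)
    for n, batch in enumerate(plan_rollout(INVENTORY), 1):
        print(f"batch {n}: {batch}")
```

The ordering is deliberate: the only test host is patched alone before anything in production is touched, and the internet-facing Exchange server carrying two top-10 CVEs lands in the first production batch while the host with an unauthorized client and no top-10 findings goes last. Replace `INVENTORY` with your scanner export and `AUTHORIZED_SOFTWARE` with your actual allow list; the weights in `priority_score` are the knob to tune to your own risk appetite.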

In the world of cybersecurity, 2021 has proven to be another prolific year for cybercriminals leveraging new threats and vulnerabilities that have impacted victims worldwide. By providing key insights and trends into the ever-evolving threat landscape, X-Force can help bolster your organization to be better protected against emerging cyber threats. For more insight into the top cybersecurity trends of 2021, be sure to check out the full X-Force Threat Intelligence Index report.
