UNCLASSIFIED / NON CLASSIFIÉ

Co-Authored by: TLP:WHITE Product ID: AA22-117A

April 27, 2022

2021 Top Routinely Exploited Vulnerabilities

SUMMARY
This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United
States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and
Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of
Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security
(CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom’s National
Cyber Security Centre (NCSC-UK). This advisory provides details on the top 15 Common
Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as
other CVEs frequently exploited.
U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021,
malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against
broad target sets, including public and private sector organizations worldwide. To a lesser extent,
malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a
broad spectrum of targets.
The cybersecurity authorities encourage organizations to apply the recommendations in the
Mitigations section of this CSA. These mitigations include applying timely patches to systems and
implementing a centralized patch management system to reduce the risk of compromise by malicious
cyber actors.

U.S. organizations: all organizations should report incidents and anomalous activity to CISA 24/7 Operations
Center at [email protected] or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7
CyWatch at (855) 292-3937 or [email protected]. When available, please include the following information
regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type
of equipment used for the activity; the name of the submitting company or organization; and a designated point
of contact. For NSA client requirements or general cybersecurity inquiries, contact
[email protected]. Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300
CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations: report
incidents by emailing CCCS at [email protected]. New Zealand organizations: report cyber security
incidents to [email protected] or call 04 498 7654. United Kingdom organizations: report a significant
cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000
200 973.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information
carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public
release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
For more information on the Traffic Light Protocol, see cisa.gov/tlp.

TLP: WHITE
 UNCLASSIFIED / NON CLASSIFIÉ

TLP:WHITE Product ID: AA22-117A

TECHNICAL DETAILS
Key Findings
Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and
virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the
top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within
two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of
malicious actors.
To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software
vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of
older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a
timely manner or are using software that is no longer supported by a vendor.

Top 15 Routinely Exploited Vulnerabilities

Table 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK
cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:
• CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an
open-source logging framework. An actor can exploit this vulnerability by submitting a
specially crafted request to a vulnerable system that causes that system to execute arbitrary
code. The request allows a cyber actor to take full control over the system. The actor can then
steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is
incorporated into thousands of products worldwide. This vulnerability was disclosed in
December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability
of malicious actors to quickly weaponize known vulnerabilities and target organizations before
they patch.
• CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065. These
vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful
exploitation of these vulnerabilities in combination (i.e., “vulnerability chaining”) allows an
unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which,
in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as
well as to credentials stored on the servers. Successful exploitation may additionally enable
the cyber actor to compromise trust and identity in a vulnerable network.
• CVE-2021-34523, CVE-2021-34473, CVE-2021-31207. These vulnerabilities, known as
ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these
vulnerabilities in combination enables a remote actor to execute arbitrary code. These
vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on
port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is
commonly exposed to the internet to enable users to access their email via mobile devices
and web browsers.
• CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center,
could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This

Page 2 of 20 | Product ID: AA22-117A

TLP: WHITE
 UNCLASSIFIED / NON CLASSIFIÉ

TLP:WHITE Product ID: AA22-117A

vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC
was released within a week of its disclosure. Attempted mass exploitation of this vulnerability
was observed in September 2021.
Three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020: CVE-
2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many
organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber
actors.
Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021

Vulnerability Vendor and

CVE Type
Name Product
Remote code execution
CVE-2021-44228 Log4Shell Apache Log4j
(RCE)
CVE-2021-40539 Zoho RCE
ManageEngine AD
SelfService Plus
CVE-2021-34523 ProxyShell Microsoft Elevation of privilege
Exchange Server
CVE-2021-34473 ProxyShell Microsoft RCE
Exchange Server
CVE-2021-31207 ProxyShell Microsoft Security feature bypass
Exchange Server
Microsoft
CVE-2021-27065 ProxyLogon RCE
Exchange Server
Microsoft
CVE-2021-26858 ProxyLogon RCE
Exchange Server
Microsoft
CVE-2021-26857 ProxyLogon RCE
Exchange Server
Microsoft
CVE-2021-26855 ProxyLogon RCE
Exchange Server
Atlassian
CVE-2021-26084 Confluence Server Arbitrary code execution
and Data Center
CVE-2021-21972 VMware vSphere RCE
Client

Page 3 of 20 | Product ID: AA22-117A

TLP: WHITE
 UNCLASSIFIED / NON CLASSIFIÉ

TLP:WHITE Product ID: AA22-117A

Vulnerability Vendor and

CVE Type
Name Product
CVE-2020-1472 ZeroLogon Microsoft Netlogon Elevation of privilege
Remote Protocol
(MS-NRPC)
CVE-2020-0688 Microsoft RCE
Exchange Server
CVE-2019-11510 Pulse Secure Arbitrary file reading
Pulse Connect
Secure

CVE-2018-13379 Fortinet FortiOS Path traversal

and FortiProxy

Additional Routinely Exploited Vulnerabilities

In addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK
cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited
by malicious cyber actors in 2021.
These vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including
Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect
Secure. Three of these vulnerabilities were also routinely exploited in 2020: CVE-2019-19781, CVE-
2019-18935, and CVE-2017-11882.
Table 2: Additional Routinely Exploited Vulnerabilities in 2021

CVE Vendor and Product Type

CVE-2021-42237 Sitecore XP RCE
CVE-2021-35464 ForgeRock OpenAM server RCE
CVE-2021-27104 Accellion FTA OS command execution
CVE-2021-27103 Accellion FTA Server-side request forgery
CVE-2021-27102 Accellion FTA OS command execution
CVE-2021-27101 Accellion FTA SQL injection
CVE-2021-21985 VMware vCenter Server RCE
CVE-2021-20038 SonicWall Secure Mobile Access RCE
(SMA)

Page 4 of 20 | Product ID: AA22-117A

TLP: WHITE
 UNCLASSIFIED / NON CLASSIFIÉ

TLP:WHITE Product ID: AA22-117A

CVE Vendor and Product Type

CVE-2021-40444 Microsoft MSHTML RCE
CVE-2021-34527 Microsoft Windows Print Spooler RCE
CVE-2021-3156 Sudo Privilege escalation
CVE-2021-27852 Checkbox Survey Remote arbitrary code
execution
CVE-2021-22893 Pulse Secure Pulse Connect Secure Remote arbitrary code
execution
CVE-2021-20016 SonicWall SSLVPN SMA100 Improper SQL command
neutralization, allowing for
credential access
CVE-2021-1675 Windows Print Spooler RCE
CVE-2020-2509 QNAP QTS and QuTS hero Remote arbitrary code
execution
CVE-2019-19781 Citrix Application Delivery Controller Arbitrary code execution
(ADC) and Gateway
CVE-2019-18935 Progress Telerik UI for ASP.NET AJAX Code execution
CVE-2018-0171 Cisco IOS Software and IOS XE Remote arbitrary code
Software execution
CVE-2017-11882 Microsoft Office RCE
CVE-2017-0199 Microsoft Office RCE

MITIGATIONS
Vulnerability and Configuration Management
• Update software, operating systems, applications, and firmware on IT network assets in a
timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs
identified in this CSA, and then critical and high vulnerabilities that allow for remote code
execution or denial-of-service on internet-facing equipment. For patch information on CVEs
identified in this CSA, refer to the appendix.
o If a patch for a known exploited or critical vulnerability cannot be quickly applied,
implement vendor-approved workarounds.
• Use a centralized patch management system.
• Replace end-of-life software, i.e., software that is no longer supported by the vendor. For
example, Accellion FTA was retired in April 2021.

Page 5 of 20 | Product ID: AA22-117A

TLP: WHITE
 UNCLASSIFIED / NON CLASSIFIÉ

TLP:WHITE Product ID: AA22-117A

• Organizations that are unable to perform rapid scanning and patching of internet-facing
systems should consider moving these services to mature, reputable cloud service providers
(CSPs) or other managed service providers (MSPs). Reputable MSPs can patch
applications—such as webmail, file storage, file sharing, and chat and other employee
collaboration tools—for their customers. However, as MSPs and CSPs expand their client
organization's attack surface and may introduce unanticipated risks, organizations should
proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more
information and guidance, see the following resources.
o CISA Insights Risk Considerations for Managed Service Provider Customers
o CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized
Businesses
o ACSC advice on How to Manage Your Security When Engaging a Managed Service
Provider

Identity and Access Management

• Enforce multifactor authentication (MFA) for all users, without exception.
• Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in
remote work to use strong passwords.
• Regularly review, validate, or remove privileged accounts (annually at a minimum).
• Configure access control under the concept of least privilege principle.
o Ensure software service accounts only provide necessary permissions (least privilege)
to perform intended functions (non-administrative privileges).

Note: see CISA Capacity Enhancement Guide – Implementing Strong Authentication and ACSC
guidance on Implementing Multi-Factor Authentication for more information on hardening
authentication systems.

Protective Controls and Architecture

• Properly configure and secure internet-facing network devices, disable unused or
unnecessary network ports and protocols, encrypt network traffic, and disable unused network
services and devices.
o Harden commonly exploited enterprise network services, including Link-Local Multicast
Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common
Internet File System (CIFS), Active Directory, and OpenLDAP.
o Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize
Golden Ticket attacks and Kerberoasting.
o Strictly control the use of native scripting applications, such as command-line,
PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed
Component Object Model (DCOM).
• Segment networks to limit or block lateral movement by controlling access to applications,
devices, and databases. Use private virtual local area networks.

Page 6 of 20 | Product ID: AA22-117A

TLP: WHITE
 UNCLASSIFIED / NON CLASSIFIÉ

TLP:WHITE Product ID: AA22-117A

• Continuously monitor the attack surface and investigate abnormal activity that may indicate
lateral movement of a threat actor or malware.

o Use security tools, such as endpoint detection and response (EDR) and security
information and event management (SIEM) tools. Consider using an information
technology asset management (ITAM) solution to ensure your EDR, SIEM,
vulnerability scanner etc., are reporting the same number of assets.
o Monitor the environment for potentially unwanted programs.
• Reduce third-party applications and unique system/application builds; provide exceptions only
if required to support business critical functions.
• Implement application allowlisting.

RESOURCES
• For the top vulnerabilities exploited in 2020, see joint CSA Top Routinely Exploited
Vulnerabilities
• For the top exploited vulnerabilities 2016 through 2019, see joint CSA Top 10 Routinely
Exploited Vulnerabilities.
• See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.

DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA, the FBI,
NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service,
including any subjects of analysis. Any reference to specific commercial products, processes, or
services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply
endorsement, recommendation, or favoring.

PURPOSE
This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity
authorities in furtherance of their respective cybersecurity missions, including their responsibilities to
develop and issue cybersecurity specifications and mitigations.

REFERENCES
[1] CISA’s Apache Log4j Vulnerability Guidance

Page 7 of 20 | Product ID: AA22-117A

TLP: WHITE
TLP:WHITE Product ID: AA22-117A

APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED

VULNERABILITIES
CVE Vendor Affected Products Patch Information Resources

CVE-2021-42237 Sitecore Sitecore XP 7.5.0 - Sitecore Security ACSC Alert Active

Sitecore XP 7.5.2 Bulletin SC2021-003- Exploitation of
499266 vulnerable Sitecore
Sitecore XP 8.0.0 -
Experience Platform
Sitecore XP 8.2.7
Content Management
Systems

CVE-2021-35464 ForgeRock Access Management ForgeRock AM Security ACSC Advisory Active

(AM) 5.x, 6.0.0.x, Advisory #202104 exploitation of
6.5.0.x, 6.5.1, 6.5.2.x ForgeRock Access
and 6.5.3 Manager / OpenAM
servers
OpenAM 9.x, 10.x, 11.x,
12.x and 13.x CCCS ForgeRock
Security Advisory
CVE-2021-27104 Accellion FTA 9_12_370 and Accellion Press Joint CSA Exploitation
earlier Release: Update to of Accellion File
Recent FTA Security Transfer Appliance
CVE-2021-27103 FTA 9_12_411 and
Incident
earlier ACSC Alert Potential
Accellion File Transfer
CVE-2021-27102 FTA versions 9_12_411
Appliance compromise
and earlier

Page 8 of 20 | Product ID: AA22-117A

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

CVE-2021-27101 FTA 9_12_370 and
earlier

CVE-2021-21985 VMware vCenter Server 7.0, 6.7, VMware Advisory CCCS VMware Security
6.5 VMSA-2021-0010 Advisory
Cloud Foundation
(vCenter Server) 4.x
and 3.x
CVE-2021-21972 VMware vCenter Server 7.0, 6.7, VMware Advisory ACSC Alert VMware
6.5 VMSA-2021-0002 vCenter Server plugin
remote code execution
Cloud Foundation
vulnerability
(vCenter Server) 4.x
and 3.x CCCS VMware Security
Advisory
CCCS Alert APT Actors
Target U.S. and Allied
Networks - Update 1
CVE-2021-20038 SonicWall SMA 100 Series (SMA SonicWall Security ACSC Alert Remote
200, 210, 400, 410, Advisory SNWLID- code execution
500v), versions 2021-0026 vulnerability present in
10.2.0.8-37sv, 10.2.1.1- SonicWall SMA 100
19sv, 10.2.1.2-24sv series appliances

Page 9 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

CCCS SonicWall
Security Advisory

CVE-2021-44228 Apache Log4j, all versions from Log4j: Apache Log4j CISA webpage Apache
2.0-beta9 to 2.14.1 Security Vulnerabilities Log4j Vulnerability
Guidance
For other affected For additional
vendors and products, information, see joint CCCS Active
see CISA's GitHub CSA: Mitigating exploitation of Apache
repository. Log4Shell and Other Log4j vulnerability -
Log4j-Related Update 7
Vulnerabilities

CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Zoho ManageEngine: Joint CSA APT Actors
version 6113 and prior ADSelfService Plus Exploiting Newly
6114 Security Fix Identified Vulnerability
Release in ManageEngine
ADSelfService Plus
CCCS Zoho Security
Advisory
CVE-2021-40444 Microsoft Multiple Windows Microsoft Security
products; see Microsoft Update Guide:
Security Update Guide: MSHTML Remote Code
MSHTML Remote Code

Page 10 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

Execution Vulnerability, Execution Vulnerability,
CVE-2021-40444 CVE-2021-40444
CVE-2021-34527 Microsoft Multiple Windows Microsoft Security Joint CSA Russian
products; see Microsoft Update Guide: Windows State-Sponsored Cyber
Security Update Guide: Print Spooler Remote Actors Gain Network
Windows Print Spooler Code Execution Access by Exploiting
Remote Code Vulnerability, CVE- Default Multifactor
Execution Vulnerability, 2021-34527 Authentication Protocols
CVE-2021-34527 and “PrintNightmare”
Vulnerability
CCCS Alert Windows
Print Spooler
Vulnerability Remains
Unpatched – Update 3
CVE-2021-34523 Microsoft Microsoft Exchange Microsoft Security Joint CSA Iranian
Server 2013 Cumulative Update Guide: Microsoft Government-Sponsored
Update 23 Exchange Server APT Cyber Actors
Elevation of Privilege Exploiting Microsoft
Microsoft Exchange
Vulnerability, CVE- Exchange and Fortinet
Server 2016 Cumulative
2021-34523 Vulnerabilities in
Updates 19 and 20
Furtherance of
Microsoft Exchange Malicious Activities
Server 2019 Cumulative
Updates 8 and 9

Page 11 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

CVE-2021-34473 Microsoft Multiple Exchange Microsoft Security ACSC Alert Microsoft
Server versions; see: Update Guide: Microsoft Exchange ProxyShell
Microsoft Security Exchange Server Targeting in Australia
Update Guide: Microsoft Remote Code
Exchange Server Execution Vulnerability,
Remote Code CVE-2021-34473
Execution Vulnerability,
CVE-2021-34473
CVE-2021-31207 Microsoft Multiple Exchange Microsoft Update Guide:
Server versions; see Microsoft Exchange
Microsoft Update Guide: Server Security Feature
Microsoft Exchange Bypass Vulnerability,
Server Security Feature CVE-2021-31207
Bypass Vulnerability,
CVE-2021-31207
CVE-2021-3156 Sudo Sudo before 1.9.5p2 Sudo Stable Release
1.9.5p2
CVE-2021-27852 Checkbox Survey Checkbox Survey
versions prior to 7
CVE-2021-27065 Microsoft Exchange Multiple versions; see: Microsoft Security CISA Alert: Mitigate
Server Microsoft Security Update Guide: Microsoft Microsoft Exchange
Update Guide: Microsoft Exchange Server Server Vulnerabilities
Exchange Server Remote Code
Remote Code

Page 12 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

Execution Vulnerability, Execution Vulnerability, ACSC Advisory Active
CVE-2021-27065 CVE-2021-27065 exploitation of
Vulnerable Microsoft
CVE-2021-26858 Microsoft Exchange Server, Microsoft Security
Exchange servers
multiple versions; see Update Guide: Microsoft
Microsoft Security Exchange Server CCCS Alert Active
Update Guide: Microsoft Remote Code Exploitation of Microsoft
Exchange Server Execution Vulnerability, Exchange
Remote Code CVE-2021-26858 Vulnerabilities - Update
Execution Vulnerability, 4
CVE-2021-26858
CVE-2021-26857 Microsoft Exchange Server, Microsoft Security
multiple versions; see Update Guide: Microsoft
Microsoft Security Exchange Server
Update Guide: Microsoft Remote Code
Exchange Server Execution Vulnerability,
Remote Code CVE-2021-26857
Execution Vulnerability,
CVE-2021-26857
CVE-2021-26855 Microsoft Exchange Server, Microsoft Security
multiple versions; see Update Guide: Microsoft
Microsoft Security Exchange Server
Update Guide: Microsoft Remote Code
Exchange Server Execution Vulnerability,
Remote Code CVE-2021-26855

Page 13 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

Execution Vulnerability,
CVE-2021-26855
Jira Atlassian Confluence Server and Jira Atlassian: ACSC Alert Remote
CVE-2021-26084
Data Center, versions Confluence Server code execution
6.13.23, from version Webwork OGNL vulnerability present in
6.14.0 before 7.4.11, injection - CVE-2021- certain versions of
from version 7.5.0 26084 Atlassian Confluence
before 7.11.6, and from
CCCS Atlassian
version 7.12.0 before
Security Advisory
7.12.5.
CVE-2021-22893 Pulse Secure PCS 9.0R3/9.1R1 and Pulse Secure SA44784 CCCS Alert Active
Higher - 2021-04: Out-of-Cycle Exploitation of Pulse
Advisory: Multiple Connect Secure
Vulnerabilities Resolved Vulnerabilities - Update
in Pulse Connect 1
Secure 9.1R11.4
CVE-2021-20016 SonicWall SMA 100 devices (SMA SonicWall Security
200, SMA 210, SMA Advisory SNWLID-
400, SMA 410, SMA 2021-0001
500v)
CVE-2021-1675 Microsoft Multiple Windows Microsoft Security CCCS Alert Windows
products; see Microsoft Update Guide: Windows Print Spooler
Security Update Guide Print Spooler Remote Vulnerability Remains
Windows Print Spooler Code Execution Unpatched – Update 3

Page 14 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

Remote Code Vulnerability, CVE-
Execution Vulnerability, 2021-1675
CVE-2021-1675
CVE-2020-2509 QNAP QTS, multiple versions; QNAP: Command
see QNAP: Command Injection Vulnerability in
Injection Vulnerability in QTS and QuTS hero
QTS and QuTS hero
QuTS hero h4.5.1.1491
build 20201119 and
later
CVE-2020-1472 Microsoft Windows Server, Microsoft Security ACSC Alert Netlogon
multiple versions; see Update Guide: Netlogon elevation of privilege
Microsoft Security Elevation of Privilege vulnerability (CVE-
Update Guide: Netlogon Vulnerability, CVE- 2020-1472)
Elevation of Privilege 2020-1472
Joint CSA APT Actors
Vulnerability, CVE-
Chaining Vulnerabilities
2020-1472
Against SLTT, Critical
Infrastructure, and
Elections Organizations
CCCS Alert Microsoft
Netlogon Elevation of
Privilege Vulnerability -
CVE-2020-1472 -
Update 1

Page 15 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

CVE-2020-0688 Microsoft Exchange Server, Microsoft Security CISA Alert Chinese
multiple versions; see Update Guide: Microsoft Ministry of State
Microsoft Security Exchange Validation Security-Affiliated Cyber
Update Guide: Microsoft Key Remote Code Threat Actor Activity
Exchange Validation Execution Vulnerability,
Joint CSA Russian
Key Remote Code CVE-2020-0688
State-Sponsored Cyber
Execution Vulnerability,
Actors Target Cleared
CVE-2020-0688
Defense Contractor
Networks to Obtain
Sensitive U.S. Defense
Information and
Technology
CCCS Alert Microsoft
Exchange Validation
Key Remote Code
Execution Vulnerability
CVE-2019-19781 Citrix ADC and Gateway Citrix Security Bulletin Joint CSA APT Actors
version 13.0 all CTX267027 Chaining Vulnerabilities
supported builds before Against SLTT, Critical
13.0.47.24 Infrastructure, and
Elections Organizations
NetScaler ADC and
NetScaler Gateway, CISA Alert Chinese
version 12.1 all Ministry of State
supported builds before

Page 16 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

12.1.55.18; version 12.0 Security-Affiliated Cyber
all supported builds Threat Actor Activity
before 12.0.63.13;
CCCS Alert Detecting
version 11.1 all
Compromises relating
supported builds before
to Citrix CVE-2019-
11.1.63.15; version 10.5
19781
all supported builds
before 10.5.70.12
SD-WAN WANOP
appliance models 4000-
WO, 4100-WO, 5000-
WO, and 5100-WO all
supported software
release builds before
10.2.6b and 11.0.3b
CVE-2019-18935 Progress Telerik UI for ASP.NET AJAX Telerik UI for ASP.NET ACSC Alert Active
through 2019.3.1023 AJAX Allows exploitation of
JavaScriptSerializer vulnerability in Microsoft
Deserialization Internet Information
Services

CVE-2019-11510 Pulse Secure Pulse Connect Secure Pulse Secure: SA44101 CISA Alert Continued
8.2 before 8.2R12.1, 8.3 - 2019-04: Out-of-Cycle Exploitation of Pulse
Advisory: Multiple

Page 17 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

before 8.3R7.1, and 9.0 vulnerabilities resolved Secure VPN
before 9.0R3.4 in Pulse Connect Vulnerability
Secure / Pulse Policy
CISA Alert Chinese
Secure 9.0RX
Ministry of State
Security-Affiliated Cyber
Threat Actor Activity
ACSC Advisory
Recommendations to
mitigate vulnerability in
Pulse Connect Secure
VPN Software
Joint CSA APT Actors
Chaining Vulnerabilities
Against SLTT, Critical
Infrastructure, and
Elections Organizations
CCCS Alert APT Actors
Target U.S. and Allied
Networks - Update 1
CVE-2018-13379 Fortinet FortiProxy 2.0.2, 2.0.1, Fortinet FortiGuard Joint CSA Russian
2.0.0, 1.2.8, 1.2.7, Labs: FG-IR-20-233 State-Sponsored Cyber
1.2.6, 1.2.5, 1.2.4, Actors Target Cleared
1.2.3, 1.2.2, 1.2.1, Defense Contractor
1.2.0, 1.1.6 Networks to Obtain

Page 18 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

Sensitive U.S. Defense
Information and
Technology
Joint CSA Iranian
Government-Sponsored
APT Cyber Actors
Exploiting Microsoft
Exchange and Fortinet
Vulnerabilities in
Furtherance of
Malicious Activities
Joint CSA APT Actors
Chaining Vulnerabilities
Against SLTT, Critical
Infrastructure, and
Elections Organizations
ACSC Alert APT
exploitation of Fortinet
Vulnerabilities
CCCS Alert Exploitation
of Fortinet FortiOS
vulnerabilities (CISA,
FBI) - Update 1

Page 19 of 20 | Product ID: AA22-117

TLP: WHITE
 TLP:WHITE Product ID: AA22-117A

CVE Vendor Affected Products Patch Information Resources

CVE-2018-0171 Cisco See Cisco Security Cisco Security Advisory: CCCS Action Required
Advisory: cisco-sa- cisco-sa-20180328- to Secure the Cisco IOS
20180328-smi2 smi2 and IOS XE Smart
Install Feature
CVE-2017-11882 Microsoft Office, multiple Microsoft Security CCCS Alert Microsoft
versions; see Microsoft Update Guide: Microsoft Office Security Update
Security Update Guide: Office Memory
Microsoft Office Corruption Vulnerability,
Memory Corruption CVE-2017-11882
Vulnerability, CVE-
2017-11882
CVE-2017-0199 Microsoft Multiple products; see Microsoft Security CCCS Microsoft
Microsoft Security Update Guide: Microsoft Security Updates
Update Guide: Microsoft Office/WordPad
Office/WordPad Remote Code
Remote Code Execution Vulnerability
Execution Vulnerability w/Windows, CVE-2017-
w/Windows, CVE-2017- 0199
0199

Page 20 of 20 | Product ID: AA22-117

TLP: WHITE