Top CVEs Actively Exploited by Malicious Cyber Actors

Malicious cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine. RCE vulnerabilities are among the riskiest and highest-impact vulnerabilities today. Many major cyberattacks have been enabled by RCE vulnerabilities, for example Log4j and ProxyShell.

The CVEs most commonly used by malicious cyber actors are listed below.

Apache CVE-2021-44228 CVSS 3.0: 10 (Critical)

Vulnerability Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Recommended Mitigations

Apply the patches provided by the vendor and perform the required system updates.

Reference

https://logging.apache.org/log4j/2.x/security.html

Apache CVE-2022-24112 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

A malicious actor can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. When the admin key has been changed, or the port of the Admin API has been changed to a port different from the data plane, the impact is lower. But there is still a risk of bypassing the IP restriction of Apache APISIX’s data plane. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Recommended Mitigations

  • In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.
  • Update to 2.10.4 or 2.12.1.

Reference

https://apisix.apache.org/blog/2022/02/11/cve-2022-24112/
https://www.openwall.com/lists/oss-security/2022/02/11/3
https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94

Apache CVE-2021-41773 CVSS 3.0: 7.5 (High)

Vulnerability Description

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied,” these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013).

Recommended Mitigations

Apply the vendor update or patch.

Reference

https://httpd.apache.org/security/vulnerabilities_24.html
https://nvd.nist.gov/vuln/detail/CVE-2021-41773

Microsoft Exchange CVE-2021-26855 Remote Code Execution CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Microsoft has released security updates for Microsoft Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause denial-of-service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity.

Recommended Mitigations

Apply the appropriate Microsoft Security Update:

  • Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)
  • Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)
  • Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)
  • Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)
  • Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)

Restrict untrusted connections.

Reference

https://msrc-blog.microsoft.com/tag/cve-2021-26855/
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705

Microsoft CVE-2021-26857 CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.

Recommended Mitigations

Update to the latest supported version.

Install the Microsoft security patch.

Use the Microsoft Exchange On-Premises Mitigation Tool.

Microsoft CVE-2021-26858 CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, and CVE-2021-27078.

Recommended Mitigations

Update to the latest supported version.

Install the Microsoft security patch.

Use the Microsoft Exchange On-Premises Mitigation Tool.

Microsoft CVE-2021-27065 CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27078.

Recommended Mitigations

Update to the latest supported version.

Install the Microsoft security patch.

Use the Microsoft Exchange On-Premises Mitigation Tool.

CVE-2022-30190 (Follina): Microsoft Office vulnerability CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
https://nvd.nist.gov/vuln/detail/cve-2022-30190

Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 CVSS 3.0: 8.8 (High)

Vulnerability Description

Microsoft Exchange Server Elevation of Privilege Vulnerability.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41040
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082
https://nvd.nist.gov/vuln/detail/CVE-2022-41082
https://nvd.nist.gov/vuln/detail/CVE-2022-41040

F5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

Recommended Mitigations

  • Apply the F5 BIG-IP update.
  • Restrict access to the Configuration utility.

Reference

https://www.f5.com/services/support/big-ip-vulnerability-cve-2020-5902
https://support.f5.com/csp/article/K52145254
https://support.f5.com/csp/article/K00091341
https://support.f5.com/csp/article/K07051153
https://support.f5.com/csp/article/K20346072
https://support.f5.com/csp/article/K31301245
https://support.f5.com/csp/article/K33023560
https://support.f5.com/csp/article/K43638305
https://support.f5.com/csp/article/K82518062

F5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Recommended Mitigations

  • Block iControl REST access through the self IP address.
  • Block iControl REST access through the management interface.
  • Modify the BIG-IP httpd configuration.

Reference

https://support.f5.com/csp/article/K23605346
https://nvd.nist.gov/vuln/detail/CVE-2022-1388

CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy CVSS 3.0: 9.6 (Critical)

Vulnerability Description

An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Recommended Mitigations

Update to the latest supported version.

A workaround is available at https://www.fortiguard.com/psirt/FG-IR-22-377

Reference

https://www.fortiguard.com/psirt/FG-IR-22-377

Citrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow directory traversal.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://support.citrix.com/article/CTX267679/mitigation-steps-for-cve201919781
https://support.citrix.com/article/CTX269180/cve201919781-verification-tool

VMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://www.vmware.com/security/advisories/VMSA-2021-0020.html
https://kb.vmware.com/s/article/85717

Cisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR

GitLab CVE-2021-22205 CVSS 3.0: 10 (Critical)

Vulnerability Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
https://about.gitlab.com/blog/2021/11/04/action-needed-in-response-to-cve2021-22205/

CVE-2022-0847: The Dirty Pipe Vulnerability CVSS 3.0: 7.8 (High)

Vulnerability Description

A flaw was found in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in the copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.

Recommended Mitigations

The vulnerability was fixed in Linux 5.16.11, 5.15.25, and 5.10.102.

See the vendor advisory for recommended mitigations.

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
https://www.debian.org/security/2022/dsa-5092
https://bugzilla.redhat.com/show_bug.cgi?id=2060795
https://bugzilla.redhat.com/show_bug.cgi?id=2044561
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d2231c5d74e13b2a0546fee6737ee4446017903
https://dirtypipe.cm4all.com

CVE-2021-3560: The polkit Vulnerability CVSS 3.0: 7.8 (High)

Vulnerability Description

It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://access.redhat.com/security/cve/cve-2021-3560
https://access.redhat.com/errata/RHSA-2021:2238
https://ubuntu.com/security/CVE-2021-3560
https://security-tracker.debian.org/tracker/CVE-2021-3560
https://www.suse.com/security/cve/CVE-2021-3560/
https://security.archlinux.org/CVE-2021-3560
https://linux.oracle.com/cve/CVE-2021-3560.html

CVE-2021-4034: The polkit pkexec Vulnerability CVSS 3.0: 7.8 (High)

Vulnerability Description

A local privilege escalation vulnerability was found in polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec does not handle the argument count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack causes a local privilege escalation, giving unprivileged users administrative rights on the target machine.

Recommended Mitigations

See the vendor advisory for recommended mitigations.

Reference

https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Hikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, a malicious actor can exploit the vulnerability to perform command injection by sending messages containing malicious commands.

Recommended Mitigations

Apply the latest firmware updates.

Reference

https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/