Four of the top 15 vulnerabilities used last year by hackers were more than a year old: Report

Share post:

Patched vulnerabilities that date as far back as 2017 are still being exploited by threat actors, according to the latest report from cyber intelligence agencies in Canada and its Five Eyes allies. Issued this week, the report lists the top 15 vulnerabilities used by threat actors last year to get into IT systems of organizations. Of those 15, one dates back to 2018 (CVE-2018-13379), a path traversal vulnerability that affects security appliances running Fortinet’s FortiOS and FortiProxy; one dates back to 2019 (CVE-2019-11510), a vulnerability that allows arbitrary file reading in Pulse Secure’s Pulse Connect Secure VPN; and two date back to 2020 (one is the Zero Logon vulnerability for Windows, while the other is for Microsoft Exchange). “Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” says the report. Rounding out the top 15 list are 11 vulnerabilities found last year: Four ProxyLogon and three ProxyShell vulnerabilities in Exchange; and single vulnerabilities in Atlassian Confluence Server and Data Center, VMware vSphere Client and Zoho ManageEngine AD SelfService Plus; and the log4j vulnerability in Apache log4j2. The report also lists 18 more patched vulnerabilities that were routinely exploited by attackers last year, although not as often as the top 15. Of this group, two discovered in 2017 involve Microsoft Office, one discovered in 2018 is for Cisco System’s IOS and IOS XE operating systems, two were discovered in 2019 (for products from Citrix and Progress Telerik) and one in 2020 (for QNAP’s network-attached storage devices). In addition to listing the vulnerabilities, the report also has links to the patches. Last year, malicious cyber actors “aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the alert warns. “To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.” The Five Eyes countries are Canada, the U.S., the United Kingdom, Australia and New Zealand. The post Four of the top 15 vulnerabilities used last year by hackers were more than a year old: Report first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

FBI rapidly hacks into Trump shooter’s phone, raises privacy concerns

Just two days after the attempted assassination at a Trump rally, the FBI announced it had gained access...

Disney investigating a potential major leak of internal communications

Disney is investigating a significant data breach by the hacking group Nullbulge, which claims to have accessed and...

Kaspersky to shut down its US business due to sanctions

Russian cybersecurity firm Kaspersky Lab announced it will cease its U.S. operations starting July 20, following sanctions from...

Google’s Gemini AI caught scanning private Google Drive documents without permission

Google's Gemini AI has come under fire for scanning private PDF documents in Google Drive without user consent....

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways