Four of the top 15 vulnerabilities used last year by hackers were more than a year old: Report

Share post:

Patched vulnerabilities that date as far back as 2017 are still being exploited by threat actors, according to the latest report from cyber intelligence agencies in Canada and its Five Eyes allies. Issued this week, the report lists the top 15 vulnerabilities used by threat actors last year to get into IT systems of organizations. Of those 15, one dates back to 2018 (CVE-2018-13379), a path traversal vulnerability that affects security appliances running Fortinet’s FortiOS and FortiProxy; one dates back to 2019 (CVE-2019-11510), a vulnerability that allows arbitrary file reading in Pulse Secure’s Pulse Connect Secure VPN; and two date back to 2020 (one is the Zero Logon vulnerability for Windows, while the other is for Microsoft Exchange). “Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” says the report. Rounding out the top 15 list are 11 vulnerabilities found last year: Four ProxyLogon and three ProxyShell vulnerabilities in Exchange; and single vulnerabilities in Atlassian Confluence Server and Data Center, VMware vSphere Client and Zoho ManageEngine AD SelfService Plus; and the log4j vulnerability in Apache log4j2. The report also lists 18 more patched vulnerabilities that were routinely exploited by attackers last year, although not as often as the top 15. Of this group, two discovered in 2017 involve Microsoft Office, one discovered in 2018 is for Cisco System’s IOS and IOS XE operating systems, two were discovered in 2019 (for products from Citrix and Progress Telerik) and one in 2020 (for QNAP’s network-attached storage devices). In addition to listing the vulnerabilities, the report also has links to the patches. Last year, malicious cyber actors “aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the alert warns. “To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.” The Five Eyes countries are Canada, the U.S., the United Kingdom, Australia and New Zealand. The post Four of the top 15 vulnerabilities used last year by hackers were more than a year old: Report first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group and passw

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways