Top 30 Most Targeted Vulnerabilities For The Last 2 Years – FBI

Every year, security researchers discover thousands of vulnerabilities in the software and hardware we use every day.

In 2019 alone, security experts detected 12,174 vulnerabilities, more than a thousand of which carried a severity score above 8.

Hackers took the opportunity to exploit these security flaws, since many of them were never patched by the affected companies.

Now the FBI and CISA have gone a step further and published the most targeted vulnerabilities of the last two years, so that security researchers and organizations can prioritize patching the flaws that remain unfixed.

Many of these vulnerabilities affect Microsoft Office: by the experts' assessment, three of the top ten are related to Microsoft Office.

Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.

Most of these flaws were abused against US targets by state-sponsored hackers from countries such as North Korea, China, Russia, and Iran.


Top 30 Most Targeted Vulnerabilities

  1. CVE-2021-26855: A Microsoft Exchange Server Remote Code Execution vulnerability with CVSS:3.0 9.1 / 8.4.
  2. CVE-2021-26857: A Microsoft Exchange Server Remote Code Execution vulnerability with CVSS:3.0 7.8 / 7.2.
  3. CVE-2021-26858: A Microsoft Exchange Server Remote Code Execution vulnerability with CVSS:3.0 7.8 / 7.2.
  4. CVE-2021-27065: A Microsoft Exchange Server Remote Code Execution vulnerability with CVSS:3.0 7.8 / 7.2.
  5. CVE-2021-22893: An Improper Authentication vulnerability, rated critical with a CVSS score of 10.0.
  6. CVE-2021-22894: A buffer overflow vulnerability that enables an attacker to execute arbitrary code, with a CVSS score of 8.8.
  7. CVE-2021-22899: A command injection vulnerability that enables remote code execution through the Windows Resource Profiles feature, with a CVSS score of 8.8.
  8. CVE-2021-22900: An Improper Control of Generation of Code vulnerability with a CVSS score of 7.2.
  9. CVE-2021-27101: An Improper Neutralization of Special Elements used in an SQL Command vulnerability, rated critical with a CVSS score of 9.8.
  10. CVE-2021-27102: An Improper Neutralization of Special Elements used in an OS Command vulnerability with a CVSS score of 7.8.
  11. CVE-2021-27103: A Server-Side Request Forgery (SSRF) vulnerability, rated critical with a CVSS score of 9.8.
  12. CVE-2021-27104: An Improper Neutralization of Special Elements used in an OS Command vulnerability, rated critical with a CVSS score of 9.8.
  13. CVE-2021-21985: An Improper Input Validation vulnerability, rated critical with a CVSS score of 9.8.
  14. CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, rated critical with a CVSS score of 9.8.
  15. CVE-2020-12812: An Improper Authentication vulnerability, rated critical with a CVSS score of 9.8.
  16. CVE-2019-5591: A Missing Authentication for Critical Function vulnerability with a CVSS score of 6.5.
  17. CVE-2019-19781: An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, rated critical with a CVSS score of 9.8.
  18. CVE-2019-11510: An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, rated critical with a CVSS score of 10.0.
  19. CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory vulnerability, rated critical with a CVSS score of 9.8.
  20. CVE-2020-5902: An Inclusion of Functionality from Untrusted Control Sphere and Improper Limitation of a Pathname to a Restricted Directory vulnerability, rated critical with a CVSS score of 9.8.
  21. CVE-2020-15505: An Insufficient Information vulnerability, rated critical with a CVSS score of 9.8.
  22. CVE-2017-11882: A Microsoft Office Memory Corruption vulnerability that enables an attacker to execute arbitrary code.
  23. CVE-2019-11580: An Insufficient Information vulnerability, rated critical with a CVSS score of 9.8.
  24. CVE-2018-7600: An Improper Input Validation vulnerability, rated critical with a CVSS score of 9.8.
  25. CVE-2019-18935: A Deserialization of Untrusted Data vulnerability, rated critical with a CVSS score of 9.8.
  26. CVE-2019-0604: A Microsoft SharePoint Remote Code Execution vulnerability, rated critical with a CVSS score of 9.8.
  27. CVE-2020-0787: A Windows Background Intelligent Transfer Service Elevation of Privilege vulnerability with CVSS:3.0 7.8 / 7.0.
  28. CVE-2020-1472: A Netlogon Elevation of Privilege vulnerability with CVSS:3.0 10.0 / 9.0.
  29. CVE-2020-15505: An Insufficient Information vulnerability, rated critical with a CVSS score of 9.8.
  30. CVE-2020-0688: A Use of Hard-coded Credentials vulnerability with a CVSS score of 8.8, rated "High Severity."

The FBI also noted that, with the pandemic, vulnerabilities related to remote work have also surfaced in remote-collaboration platforms such as Zoom and Office 365.

They strongly recommend that users keep their software and hardware updated with the latest versions and security patches wherever available.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.