An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | April 27, 2022

CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited Cybersecurity Vulnerabilities

WASHINGTON – After more than 20,000 common vulnerabilities and exposures (CVEs) were disclosed in 2021, U.S and allied cybersecurity authorities are helping organizations prioritize and mitigate the most exploited vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory on the top 15 common vulnerabilities and exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

In 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. While the top 15 vulnerabilities have previously been made public, this Advisory is meant to help organizations prioritize their mitigation strategies:

  • Vulnerability and configuration management, including update software, operating systems, applications, and firmware in a timely manner; implement a centralized patch management system; and replace end-of-life software.
  • Identity and access management, including enforce multifactor authentication (MFA) for all users, without exception; if MFA is unavailable, require employees engaging in remote work to use strong passwords; and regularly review, validate, or remove privileged accounts.
  • Positive controls and architecture, including properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices.

“We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them,” said CISA Director Jen Easterly. “CISA and our partners are releasing this advisory to highlight the risk that the most commonly exploited vulnerabilities pose to both public and private sector networks. We urge all organizations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities.”  
"The FBI, together with our federal and international partners, is providing this information to better arm our private sector partners and the public to defend their systems from adversarial cyber threats," said FBI's Cyber Division Assistant Director Bryan Vorndran. "Though the FBI will continue to pursue and disrupt this type of malicious cyber activity, we need your help. We strongly encourage private sector organizations and the public to implement these steps to mitigate threats from known vulnerabilities, and if you believe you are a victim of a cyber incident, contact your local FBI field office." 
"This report should be a reminder to organizations that bad actors don't need to develop sophisticated tools when they can just exploit publicly known vulnerabilities," said NSA Cybersecurity Director Rob Joyce. "Get a handle on mitigations or patches as these CVEs are actively exploited.”
“Malicious cyber actors continue to exploit known and dated software vulnerabilities to attack private and public networks globally,” said Abigail Bradshaw, Head of the Australian Cyber Security Centre. “The ACSC is committed to providing cyber security advice and sharing threat information with our partners, to ensure a safer online environment for everyone. Organisations can implement the effective mitigations highlighted in this advisory to protect themselves.” 
“Cyber security best practices, including patch management, are essential tools for organizations to better protect themselves against malicious threat actors,” said Sami Khoury, Head of the Canadian Centre for Cyber Security. “We encourage all organizations to take action and follow the appropriate mitigations in this report against known and routinely exploited vulnerabilities, and make themselves more secure.” 
“We are seeing an increase in the speed and scale of malicious actors taking advantage of newly disclosed vulnerabilities,” said Lisa Fong, Director of the New Zealand Government Communications Security Bureau’s National Cyber Security Centre (NCSC). “The NCSC works with international partners to provide timely access to critical cyber threat information. This joint advisory underscores the importance of addressing vulnerabilities as they are disclosed and better equips New Zealand organisations to secure their information and systems.” 
“The NCSC and our allies are committed to raising awareness of global cyber vulnerabilities and presenting actionable solutions to mitigate them,” said Lindy Cameron, CEO of NCSC. “This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses within the public and private sector ecosystem. Working with our international partners, we will continue to raise awareness of the threats posed by those which seek to harm us.”
Globally, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. To a lesser extent in 2021, these actors continued to exploit publicly known or dated software vulnerabilities some of which were also identified as routinely exploited in 2020 or earlier.
All organizations are encouraged to review and implement the recommended mitigations in this detailed joint CSA.

Visit our full library for more cybersecurity information and technical guidance.