An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Aug. 3, 2023

CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vulnerabilities in 2022

In 2022, malicious cyber actors continued exploiting known software vulnerabilities to target unpatched systems and applications, including some vulnerabilities that have been known for more than five years, according to a newly released joint Cybersecurity Advisory (CSA) from U.S. and foreign partner intelligence agencies.
 
The “2022 Top Routinely Exploited Vulnerabilities” CSA provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors who continue targeting unpatched systems and applications – all known vulnerabilities from 2017 to 2022 that have not been mitigated. The authoring agencies recommend immediate patching of these CVEs to reduce the risk of compromise.
 
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released the CSA in partnership with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communication Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).
 
“Organizations continue using unpatched software and systems, leaving easily discovered openings for cyber actors to target,” said Neal Ziring, the Technical Director for NSA’s Cybersecurity Directorate. “Older vulnerabilities can provide low-cost and high impact means for these actors to access sensitive data.”
 
In 2022, over 25,000 new security vulnerabilities were published by the Common Vulnerabilities and Exposures (CVE) Program.  From those, only five are within the top 12 software vulnerabilities exploited by malicious cyber actor during 2022, according to the CSA.
 
Several vulnerabilities listed in the advisory were also reported in the “2021 Top Routinely Exploited Vulnerabilities” CSA and continued to be exploited by cyber actors in 2022. PRC state-sponsored cyber actors, for example, have been using some of the vulnerabilities listed in the CSA to actively target U.S. and allied networks, as indicated in the “Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors."
 
To improve cybersecurity posture, the co-authoring agencies recommend organizations implement the mitigations listed in the advisory primarily by prioritizing scanning for and patching of vulnerable software.

Read the full report here.
 
Visit our full library for more cybersecurity information and technical guidance.
 

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721
 

Related Press Advisories

NSA Releases Guide to Mitigate BlackLotus Threat
NSA and CISA Best Practices to Secure Cloud Continuous Integration/Continuous Delivery Environments
New Cybersecurity Advisory Warns About Web Application Vulnerabilities
NSA Releases Guide to Harden Cisco Next Generation Firewalls
CVE actor Cyber NSA CISA FBI ACSC NCSC CCCS network mitigation cybersecurity exploit
Hosted by Defense Media Activity - WEB.mil Veterans Crisis Line