CISA & FBI Release a List of Top 10 Vulnerabilities

Exploitation of these vulnerabilities often requires fewer resources compared to zero-day exploits for which no patches are available.

SMEStreet Desk
Satnam Narang, Tenable
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government released a list of the top 10 vulnerabilities most commonly exploited by foreign cyber actors. The exploitation of these vulnerabilities often requires fewer resources compared to zero-day exploits for which no patches are available.
Satnam Narang, Staff Research Engineer at Tenable, analysed this development and shared his views: "CISA's list of the top 10 routinely exploited vulnerabilities from 2016 through 2019 primarily consists of flaws in Microsoft products, particularly in Microsoft Office. This comes as no surprise as cybercriminals go after low-hanging fruit, which is often ubiquitous software with known but unpatched vulnerabilities. Many of the bad actors leverage flaws in Office when distributing spear-phishing emails to their intended targets. These emails are tailored to their victim, using a lure designed to capture their interest in order to convince them to open the malicious attachment."
However, this list is indicative of a trend we see time and time again: Cybercriminals prefer to leverage known but unpatched vulnerabilities. "Finding or acquiring zero-day vulnerabilities is a costly endeavour, so leveraging unpatched flaws with publicly available exploit code gets them to their end goal in the fastest and cheapest way possible." Satnam also added, "Vulnerabilities in Virtual Private Network (VPN) solutions are another area that has seen an increase in activity going back to 2019, when exploit code for several notable VPNs became publicly available. We anticipate that many of these flaws will continue to be leveraged by bad actors of all kinds, because as they say, if it ain't broke, don't fix it."
"This list is a solid reminder of the importance of basic cyber hygiene and systems maintenance. Knowing which vulnerabilities are being actively exploited by bad actors and prioritizing their remediation is one of the most effective ways to reduce risk." - Satnam Narang, Staff Research Engineer at Tenable.