# 2021 Top Routinely Exploited Vulnerabilities

**cisa.gov/uscert/ncas/alerts/aa22-117a**

## Summary

This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the [Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov/), National Security Agency (NSA), [Federal Bureau of Investigation (FBI)](https://www.fbi.gov/investigate/cyber), Australian Cyber Security Centre (ACSC), [Canadian Centre for Cyber Security (CCCS)](https://www.cyber.gc.ca/en/), New Zealand National Cyber Security Centre (NZ NCSC), and [United Kingdom’s National Cyber Security Centre (NCSC-UK)](https://www.ncsc.gov.uk/). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.

The cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.

Download the Joint Cybersecurity Advisory: 2021 top Routinely Exploited Vulnerabilities (pdf, 777kb).

## Technical Details

**Key Findings**

- Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities.
- For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.
- To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—[some of which were also routinely exploited in 2020](https://www.cisa.gov/uscert/ncas/alerts/aa21-209a) or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

**Top 15 Routinely Exploited Vulnerabilities**

Table 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:

- **CVE-2021-44228.** This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is incorporated into thousands of products worldwide. This vulnerability was disclosed in December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.
- **CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065.** These vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers.
Successful exploitation of these vulnerabilities in combination (i.e., “vulnerability chaining”) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.
- **CVE-2021-34523, CVE-2021-34473, CVE-2021-31207.** These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
- **CVE-2021-26084.** This vulnerability, affecting Atlassian Confluence Server and Data Center, could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.

[Three of the top 15 routinely exploited vulnerabilities were also routinely exploited in 2020](https://www.cisa.gov/uscert/ncas/alerts/aa21-209a): CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.
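The following Python example is added here and is not part of the advisory. It orders vulnerability-scanner findings the way the Mitigations section recommends: CVEs named in this advisory first, then other known exploited vulnerabilities, then critical and high RCE or denial-of-service findings on internet-facing systems. The finding fields, host names, CVSS scores and `CVE-2099-*` IDs are constructed assumptions, not data from the advisory.

```python
import re

# CVE IDs copied from the advisory's Table 1 (top 15) and Table 2 (additional).
TOP_15 = {
    "CVE-2021-44228", "CVE-2021-40539", "CVE-2021-34523", "CVE-2021-34473",
    "CVE-2021-31207", "CVE-2021-27065", "CVE-2021-26858", "CVE-2021-26857",
    "CVE-2021-26855", "CVE-2021-26084", "CVE-2021-21972", "CVE-2020-1472",
    "CVE-2020-0688", "CVE-2019-11510", "CVE-2018-13379",
}
ADDITIONAL = {
    "CVE-2021-42237", "CVE-2021-35464", "CVE-2021-27104", "CVE-2021-27103",
    "CVE-2021-27102", "CVE-2021-27101", "CVE-2021-21985", "CVE-2021-20038",
    "CVE-2021-40444", "CVE-2021-34527", "CVE-2021-3156", "CVE-2021-27852",
    "CVE-2021-22893", "CVE-2021-20016", "CVE-2021-1675", "CVE-2020-2509",
    "CVE-2019-19781", "CVE-2019-18935", "CVE-2018-0171", "CVE-2017-11882",
    "CVE-2017-0199",
}

# Scanners and tickets write CVE IDs inconsistently (case, "_", missing hyphen).
CVE_RE = re.compile(r"CVE[-_ ]?(\d{4})[-_ ]?(\d{4,})", re.IGNORECASE)


def normalize_cve(raw):
    """Return the canonical CVE-YYYY-NNNN form, or None if raw is not a CVE ID."""
    m = CVE_RE.fullmatch(raw.strip())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def tier(f):
    """Priority tier for one normalized finding; lower is remediated sooner."""
    if f["cve"] in TOP_15 or f["cve"] in ADDITIONAL:
        return 0  # known exploited and named in this advisory
    if f.get("known_exploited"):
        return 1  # known exploited elsewhere (assumed flag, e.g. from a KEV feed)
    # CVSS v3 "high" starts at 7.0 and "critical" at 9.0.
    if f["cvss"] >= 7.0 and f["impact"] in ("rce", "dos") and f["internet_facing"]:
        return 2
    return 3


def action(f):
    """Remediation step, following the Mitigations wording."""
    if f.get("end_of_life"):
        return "replace"      # software no longer supported by the vendor
    if f.get("patch_available", True):
        return "patch"
    return "workaround"       # vendor-approved workaround until a patch lands


def triage(findings):
    """Return (ordered findings with tier/action added, findings with bad IDs)."""
    ordered, rejected = [], []
    for raw in findings:
        cve = normalize_cve(raw.get("cve", ""))
        if cve is None:
            rejected.append(raw)  # surface for manual review, never drop silently
            continue
        f = dict(raw, cve=cve)
        f["tier"] = tier(f)
        f["action"] = action(f)
        ordered.append(f)
    # Within a tier: internet-facing first, then highest CVSS, then host name.
    ordered.sort(key=lambda f: (f["tier"], not f["internet_facing"], -f["cvss"], f["host"]))
    return ordered, rejected


# Constructed sample scanner output (hosts, scores and CVE-2099-* IDs are made up).
SAMPLE_FINDINGS = [
    {"host": "db03", "cve": "CVE-2099-0002", "cvss": 7.5, "impact": "dos",
     "internet_facing": False},
    {"host": "web02", "cve": "CVE-2099-0001", "cvss": 9.1, "impact": "rce",
     "internet_facing": True},
    {"host": "app04", "cve": "cve-2099-0003", "cvss": 6.5, "impact": "eop",
     "internet_facing": False, "known_exploited": True},
    {"host": "print05", "cve": "CVE2021-34527", "cvss": 8.8, "impact": "rce",
     "internet_facing": False, "patch_available": False},
    {"host": "fta01", "cve": "CVE_2021_27104", "cvss": 9.8, "impact": "rce",
     "internet_facing": True, "end_of_life": True},
    {"host": "mail01", "cve": "cve-2021-26855", "cvss": 9.8, "impact": "rce",
     "internet_facing": True},
    {"host": "vpn01", "cve": "CVE-2019-11510", "cvss": 10.0, "impact": "file-read",
     "internet_facing": True},
    {"host": "lab09", "cve": "N/A", "cvss": 5.0, "impact": "info",
     "internet_facing": False},
]

if __name__ == "__main__":
    ordered, rejected = triage(SAMPLE_FINDINGS)
    for f in ordered:
        print(f"tier {f['tier']}  {f['host']:<8} {f['cve']:<15} {f['action']}")
    for f in rejected:
        print(f"unparsed CVE ID on {f['host']}: {f['cve']!r}")
```
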
_Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021_

| CVE | Vulnerability Name | Vendor and Product | Type |
| --- | --- | --- | --- |
| CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) |
| CVE-2021-40539 | | Zoho ManageEngine AD SelfService Plus | RCE |
| CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
| CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE |
| CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass |
| CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26084 | | Atlassian Confluence Server and Data Center | Arbitrary code execution |
| CVE-2021-21972 | | VMware vSphere Client | RCE |
| CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
| CVE-2020-0688 | | Microsoft Exchange Server | RCE |
| CVE-2019-11510 | | Pulse Secure Pulse Connect Secure | Arbitrary file reading |
| CVE-2018-13379 | | Fortinet FortiOS and FortiProxy | Path traversal |

**Additional Routinely Exploited Vulnerabilities**

In addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021.

These vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. [Three of these vulnerabilities were also routinely exploited in 2020](https://www.cisa.gov/uscert/ncas/alerts/aa21-209a): CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.
_Table 2: Additional Routinely Exploited Vulnerabilities in 2021_

| CVE | Vendor and Product | Type |
| --- | --- | --- |
| [CVE-2021-42237](https://nvd.nist.gov/vuln/detail/CVE-2021-42237) | Sitecore XP | RCE |
| [CVE-2021-35464](https://nvd.nist.gov/vuln/detail/CVE-2021-35464) | ForgeRock OpenAM server | RCE |
| [CVE-2021-27104](https://nvd.nist.gov/vuln/detail/CVE-2021-27104) | Accellion FTA | OS command execution |
| [CVE-2021-27103](https://nvd.nist.gov/vuln/detail/CVE-2021-27103) | Accellion FTA | Server-side request forgery |
| [CVE-2021-27102](https://nvd.nist.gov/vuln/detail/CVE-2021-27102) | Accellion FTA | OS command execution |
| [CVE-2021-27101](https://nvd.nist.gov/vuln/detail/CVE-2021-27101) | Accellion FTA | SQL injection |
| [CVE-2021-21985](https://nvd.nist.gov/vuln/detail/CVE-2021-21985) | VMware vCenter Server | RCE |
| [CVE-2021-20038](https://nvd.nist.gov/vuln/detail/CVE-2021-20038) | SonicWall Secure Mobile Access (SMA) | RCE |
| [CVE-2021-40444](https://nvd.nist.gov/vuln/detail/CVE-2021-40444) | Microsoft MSHTML | RCE |
| [CVE-2021-34527](https://nvd.nist.gov/vuln/detail/CVE-2021-34527) | Microsoft Windows Print Spooler | RCE |
| [CVE-2021-3156](https://nvd.nist.gov/vuln/detail/CVE-2021-3156) | Sudo | Privilege escalation |
| [CVE-2021-27852](https://nvd.nist.gov/vuln/detail/CVE-2021-27852) | Checkbox Survey | Remote arbitrary code execution |
| [CVE-2021-22893](https://nvd.nist.gov/vuln/detail/CVE-2021-22893) | Pulse Secure Pulse Connect Secure | Remote arbitrary code execution |
| [CVE-2021-20016](https://nvd.nist.gov/vuln/detail/CVE-2021-20016) | SonicWall SSLVPN SMA100 | Improper SQL command neutralization, allowing for credential access |
| [CVE-2021-1675](https://nvd.nist.gov/vuln/detail/CVE-2021-1675) | Windows Print Spooler | RCE |
| [CVE-2020-2509](https://nvd.nist.gov/vuln/detail/CVE-2020-2509) | QNAP QTS and QuTS hero | Remote arbitrary code execution |
| [CVE-2019-19781](https://nvd.nist.gov/vuln/detail/CVE-2019-19781) | Citrix Application Delivery Controller (ADC) and Gateway | Arbitrary code execution |
| [CVE-2019-18935](https://nvd.nist.gov/vuln/detail/CVE-2019-18935) | Progress Telerik UI for ASP.NET AJAX | Code execution |
| [CVE-2018-0171](https://nvd.nist.gov/vuln/detail/CVE-2018-0171) | Cisco IOS Software and IOS XE Software | Remote arbitrary code execution |
| [CVE-2017-11882](https://nvd.nist.gov/vuln/detail/CVE-2017-11882) | Microsoft Office | RCE |
| [CVE-2017-0199](https://nvd.nist.gov/vuln/detail/CVE-2017-0199) | Microsoft Office | RCE |

## Mitigations

**Vulnerability and Configuration Management**

- Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching [known exploited vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
- If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
- Use a centralized patch management system.
- Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.
- Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization's attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources.
  - CISA Insights [Risk Considerations for Managed Service Provider Customers](https://cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf)
  - CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Midsized Businesses
  - ACSC advice on How to Manage Your Security When Engaging a Managed Service Provider

**Identity and Access Management**

- Enforce multifactor authentication (MFA) for all users, without exception.
- Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords.
- Regularly review, validate, or remove privileged accounts (annually at a minimum).
- Configure access control under the principle of least privilege.
- Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).

**Note:** see [CISA Capacity Enhancement Guide – Implementing Strong Authentication](https://cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf) and [ACSC guidance on Implementing Multi-Factor Authentication](https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-multi-factor-authentication) for more information on hardening authentication systems.

**Protective Controls and Architecture**

- Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices.
- Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
- Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
- Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
- Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks.
- Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
- Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner, etc., are reporting the same number of assets.
- Monitor the environment for potentially unwanted programs.
- Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business critical functions.
- Implement application allowlisting.

## Resources

- For the top vulnerabilities exploited in 2020, see joint CSA Top Routinely Exploited Vulnerabilities.
- For the top exploited vulnerabilities 2016 through 2019, see joint CSA Top 10 Routinely Exploited Vulnerabilities.
- See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.

## Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
## Purpose

This document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

## References

[1] [CISA’s Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)

## Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities

| CVE | Vendor | Affected Products | Patch Information | Resources |
| --- | --- | --- | --- | --- |
| [CVE-2021-42237](https://nvd.nist.gov/vuln/detail/CVE-2021-42237) | Sitecore | Sitecore XP 7.5.0<br>Sitecore XP 7.5.2<br>Sitecore XP 8.0.0<br>Sitecore XP 8.2.7 | [Sitecore Security Bulletin SC2021-003-499266](https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776#HistoryOfUpdates) | ACSC Alert Active Exploitation of vulnerable Sitecore Experience Platform Content Management Systems |
| [CVE-2021-35464](https://nvd.nist.gov/vuln/detail/CVE-2021-35464) | ForgeRock | Access Management (AM) 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3<br>OpenAM 9.x, 10.x, 11.x, 12.x and 13.x | [ForgeRock AM Security Advisory #202104](https://backstage.forgerock.com/knowledge/kb/article/a47894244) | ACSC Advisory Active exploitation of ForgeRock Access Manager / OpenAM servers<br>CCCS ForgeRock Security Advisory |
| [CVE-2021-27104](https://nvd.nist.gov/vuln/detail/CVE-2021-27104) | Accellion | FTA 9_12_370 and earlier | Accellion Press Release: Update to Recent FTA Security Incident | [Joint CSA Exploitation of Accellion File Transfer Appliance](https://www.cisa.gov/uscert/ncas/alerts/aa21-055a)<br>ACSC Alert Potential Accellion File Transfer Appliance compromise |
| [CVE-2021-27103](https://nvd.nist.gov/vuln/detail/CVE-2021-27103) | Accellion | FTA 9_12_411 and earlier | | |
| [CVE-2021-27102](https://nvd.nist.gov/vuln/detail/CVE-2021-27102) | Accellion | FTA versions 9_12_411 and earlier | | |
| [CVE-2021-27101](https://nvd.nist.gov/vuln/detail/CVE-2021-27101) | Accellion | FTA 9_12_370 and earlier | | |
| [CVE-2021-21985](https://nvd.nist.gov/vuln/detail/CVE-2021-21985) | VMware | vCenter Server 7.0, 6.7, 6.5<br>Cloud Foundation (vCenter Server) 4.x and 3.x | VMware Advisory VMSA-2021-0010 | CCCS VMware Security Advisory |
| [CVE-2021-21972](https://nvd.nist.gov/vuln/detail/CVE-2021-21972) | VMware | vCenter Server 7.0, 6.7, 6.5<br>Cloud Foundation (vCenter Server) 4.x and 3.x | VMware Advisory VMSA-2021-0002 | [ACSC Alert VMware vCenter Server plugin remote code execution vulnerability](https://www.cyber.gov.au/acsc/view-all-content/alerts/vmware-vcenter-server-plugin-remote-code-execution-vulnerability-cve-2021-21972)<br>CCCS VMware Security Advisory<br>[CCCS Alert APT Actors Target U.S. and Allied Networks - Update 1](https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi) |
| [CVE-2021-20038](https://nvd.nist.gov/vuln/detail/CVE-2021-20038) | SonicWall | SMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv | [SonicWall Security Advisory SNWLID-2021-0026](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026) | [ACSC Alert Remote code execution vulnerability present in SonicWall SMA 100 series appliances](https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances)<br>CCCS SonicWall Security Advisory |
| [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) | Apache | Log4j, all versions from 2.0-beta9 to 2.14.1<br>For other affected vendors and products, see CISA's GitHub repository. | [Log4j: Apache Log4j Security Vulnerabilities](https://logging.apache.org/log4j/2.x/security.html)<br>For additional information, see [joint CSA: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-356a) | [CISA webpage Apache Log4j Vulnerability Guidance](https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance)<br>[CCCS Active exploitation of Apache Log4j vulnerability Update 7](https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability) |
| [CVE-2021-40539](https://nvd.nist.gov/vuln/detail/CVE-2021-40539) | Zoho ManageEngine | ADSelfService Plus version 6113 and prior | [Zoho ManageEngine: ADSelfService Plus 6114 Security Fix Release](https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release) | [Joint CSA APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](https://www.cisa.gov/uscert/ncas/alerts/aa21-259a)<br>CCCS Zoho Security Advisory |
| [CVE-2021-40444](https://nvd.nist.gov/vuln/detail/CVE-2021-40444) | Microsoft | Multiple Windows products; see Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444 | Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444 | |
| [CVE-2021-34527](https://nvd.nist.gov/vuln/detail/CVE-2021-34527) | Microsoft | Multiple Windows products; see [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527) | [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527) | Joint CSA Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability<br>[CCCS Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3](https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched) |
| [CVE-2021-34523](https://nvd.nist.gov/vuln/detail/CVE-2021-34523) | Microsoft | Microsoft Exchange Server 2013 Cumulative Update 23<br>Microsoft Exchange Server 2016 Cumulative Updates 19 and 20<br>Microsoft Exchange Server 2019 Cumulative Updates 8 and 9 | [Microsoft Security Update Guide: Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523) | Joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities<br>[ACSC Alert Microsoft Exchange ProxyShell Targeting in Australia](https://www.cyber.gov.au/acsc/view-all-content/alerts/microsoft-exchange-proxyshell-targeting-australia) |
| [CVE-2021-34473](https://nvd.nist.gov/vuln/detail/CVE-2021-34473) | Microsoft | Multiple Exchange Server versions; see: Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473 | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473) | |
| [CVE-2021-31207](https://nvd.nist.gov/vuln/detail/CVE-2021-31207) | Microsoft | Multiple Exchange Server versions; see Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207 | [Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207) | |
| [CVE-2021-3156](https://nvd.nist.gov/vuln/detail/CVE-2021-3156) | Sudo | Sudo before 1.9.5p2 | Sudo Stable Release 1.9.5p2 | |
| [CVE-2021-27852](https://nvd.nist.gov/vuln/detail/CVE-2021-27852) | Checkbox Survey | Checkbox Survey versions prior to 7 | | |
| [CVE-2021-27065](https://nvd.nist.gov/vuln/detail/CVE-2021-27065) | Microsoft Exchange Server | Multiple versions; see: Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065 | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065) | [CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities](https://www.cisa.gov/uscert/ncas/alerts/aa21-062a)<br>ACSC Advisory Active exploitation of Vulnerable Microsoft Exchange servers<br>CCCS Alert Active Exploitation of Microsoft Exchange Vulnerabilities Update 4 |
| [CVE-2021-26858](https://nvd.nist.gov/vuln/detail/CVE-2021-26858) | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858 | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858) | |
| [CVE-2021-26857](https://nvd.nist.gov/vuln/detail/CVE-2021-26857) | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857 | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857) | |
| [CVE-2021-26855](https://nvd.nist.gov/vuln/detail/CVE-2021-26855) | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855 | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855) | |
| [CVE-2021-26084](https://nvd.nist.gov/vuln/detail/CVE-2021-26084) | Jira Atlassian | Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. | [Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](https://jira.atlassian.com/browse/CONFSERVER-67940) | [ACSC Alert Remote code execution vulnerability present in certain versions of Atlassian Confluence](https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence)<br>CCCS Atlassian Security Advisory |
| [CVE-2021-22893](https://nvd.nist.gov/vuln/detail/CVE-2021-22893) | Pulse Secure | PCS 9.0R3/9.1R1 and Higher | Pulse Secure SA44784 - 202104: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4 | CCCS Alert Active Exploitation of Pulse Connect Secure Vulnerabilities Update 1 |
| [CVE-2021-20016](https://nvd.nist.gov/vuln/detail/CVE-2021-20016) | SonicWall | SMA 100 devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) | [SonicWall Security Advisory SNWLID-2021-0001](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001) | |
| [CVE-2021-1675](https://nvd.nist.gov/vuln/detail/CVE-2021-1675) | Microsoft | Multiple Windows products; see [Microsoft Security Update Guide Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675) | [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675) | [CCCS Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3](https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched) |
| [CVE-2020-2509](https://nvd.nist.gov/vuln/detail/CVE-2020-2509) | QNAP | QTS, multiple versions; see QNAP: Command Injection Vulnerability in QTS and QuTS hero<br>QuTS hero h4.5.1.1491 build 20201119 and later | QNAP: Command Injection Vulnerability in QTS and QuTS hero | |
| [CVE-2020-1472](https://nvd.nist.gov/vuln/detail/CVE-2020-1472) | Microsoft | Windows Server, multiple versions; see [Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472) | Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472 | ACSC Alert Netlogon elevation of privilege vulnerability (CVE-2020-1472)<br>Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations<br>CCCS Alert Microsoft Netlogon Elevation of Privilege Vulnerability CVE-2020-1472 Update 1 |
| [CVE-2020-0688](https://nvd.nist.gov/vuln/detail/CVE-2020-0688) | Microsoft | Exchange Server, multiple versions; see Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688 | Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688 | [CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](https://www.cisa.gov/uscert/ncas/alerts/aa20-258a)<br>[Joint CSA Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](https://www.cisa.gov/uscert/ncas/alerts/aa22-047a)<br>CCCS Alert Microsoft Exchange Validation Key Remote Code Execution Vulnerability |
| [CVE-2019-19781](https://nvd.nist.gov/vuln/detail/CVE-2019-19781) | Citrix | ADC and Gateway version 13.0 all supported builds before 13.0.47.24<br>NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12<br>SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b | [Citrix Security Bulletin CTX267027](https://support.citrix.com/article/CTX267027) | Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations<br>[CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](https://www.cisa.gov/uscert/ncas/alerts/aa20-258a)<br>CCCS Alert Detecting Compromises relating to Citrix CVE-2019-19781 |
| [CVE-2019-18935](https://nvd.nist.gov/vuln/detail/CVE-2019-18935) | Progress Telerik | UI for ASP.NET AJAX through 2019.3.1023 | Telerik UI for ASP.NET AJAX Allows JavaScriptSerializer Deserialization | ACSC Alert Active exploitation of vulnerability in Microsoft Internet Information Services |
| [CVE-2019-11510](https://nvd.nist.gov/vuln/detail/CVE-2019-11510) | Pulse Secure | Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 | [Pulse Secure: SA44101 - 201904: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/) | CISA Alert Continued Exploitation of Pulse Secure VPN Vulnerability<br>[CISA Alert Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](https://www.cisa.gov/uscert/ncas/alerts/aa20-258a)<br>ACSC Advisory Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software<br>Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations<br>[CCCS Alert APT Actors Target U.S. and Allied Networks - Update 1](https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi) |
| [CVE-2018-13379](https://nvd.nist.gov/vuln/detail/CVE-2018-13379) | Fortinet | FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 | [Fortinet FortiGuard Labs: FG-IR-20-233](https://www.fortiguard.com/psirt/FG-IR-20-233) | [Joint CSA Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](https://www.cisa.gov/uscert/ncas/alerts/aa22-047a)<br>Joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities<br>Joint CSA APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations<br>ACSC Alert APT exploitation of Fortinet Vulnerabilities<br>[CCCS Alert Exploitation of Fortinet FortiOS vulnerabilities (CISA, FBI) Update 1](https://www.cyber.gc.ca/en/alerts/exploitation-fortinet-fortios-vulnerabilities-cisa-fbi) |
| [CVE-2018-0171](https://nvd.nist.gov/vuln/detail/CVE-2018-0171) | Cisco | See [Cisco Security Advisory: cisco-sa-20180328-smi2](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed) | [Cisco Security Advisory: cisco-sa-20180328-smi2](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed) | CCCS Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature |
| [CVE-2017-11882](https://nvd.nist.gov/vuln/detail/CVE-2017-11882) | Microsoft | Office, multiple versions; see Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882 | Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882 | CCCS Alert Microsoft Office Security Update |
| [CVE-2017-0199](https://nvd.nist.gov/vuln/detail/CVE-2017-0199) | Microsoft | Multiple products; see [Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199) | [Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199) | CCCS Microsoft Security Updates |

## Contact Information

**U.S. organizations:** all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [report@cisa.gov](mailto:report@cisa.gov) or (888) 282-0870 and/or to the FBI via your [local FBI field office](https://www.fbi.gov/contact-us/field-offices) or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact [Cybersecurity_Requests@nsa.gov](mailto:Cybersecurity_Requests@nsa.gov).

**Australian organizations:** visit [cyber.gov.au](https://www.cyber.gov.au/) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

**Canadian organizations:** report incidents by emailing CCCS at [contact@cyber.gc.ca](mailto:contact@cyber.gc.ca).

**New Zealand organizations:** report cyber security incidents to [incidents@ncsc.govt.nz](mailto:incidents@ncsc.govt.nz) or call 04 498 7654.

**United Kingdom organizations:** report a significant cyber security incident: [ncsc.gov.uk/report-an-incident](https://www.ncsc.gov.uk/section/about-this-website/contact-us) (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

## Revisions

April 27, 2022: Initial Version

This product is provided subject to this [Notification](https://www.cisa.gov/privacy/notification) and this [Privacy & Use policy](https://www.dhs.gov/privacy-policy).