Vulnerabilities can be found in just about any type of software—and even some pieces of hardware. Threat actors are all too eager to take advantage of these vulnerabilities, leveraging them to gain access to or escalate privileges in an organization’s IT infrastructure. When these vulnerabilities are discovered before the vendor is aware, these are known as zero-day threats. Since these are vulnerabilities that don’t yet have workarounds or patches, anyone who uses an affected device can be attacked, making zero-day threats incredibly dangerous.
However, just because a vulnerability is known does not mean it is no longer hazardous. Even if a patch is available, users may not have applied it successfully, if they applied it at all. With thousands of vulnerabilities of varying severity out in the wild, which ones are keeping cybersecurity professionals up at night? While the answer changes as new threats emerge, the following list highlights the vulnerabilities that are currently the most worrisome.
1. Microsoft Exchange Vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
Easily one of the most popular cybersecurity topics in the news lately, these vulnerabilities began as zero-day, though Microsoft quickly came out with patches. However, in the following weeks, attacks continued to surge, meaning that far too many users had yet to implement the patches. This was particularly concerning given the severity of the vulnerabilities. CVE-2021-26855 could give an attacker access to mailboxes, while CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 all allow for remote code execution.
In their April Security Update, Microsoft disclosed and patched another series of remote code execution vulnerabilities that affect Exchange Server 2013, 2016, and 2019, making updating all the more critical.
2. Fortinet FortiGate SSL VPN: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591
Multiple government agencies have released official warnings of these vulnerabilities, including the United Kingdom’s National Cyber Security Centre (NCSC) as well as the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). These alerts detailed how Advanced Persistent Threat (APT) actors and cyber criminals were scanning for and using these vulnerabilities for cyber-espionage purposes against government services, as well as in ransomware attacks against commercial enterprises. Patches for all of these vulnerabilities were released almost two years ago, but in November of 2020, attackers published a list of over 50,000 IPs related to devices which remain unpatched.
3. Synacor Zimbra Collaboration Suite (XXE): CVE-2019-9670
In a joint statement by the National Security Agency (NSA), CISA, and the FBI, these agencies warned that the Russian Foreign Intelligence Service (SVR) had exploited five known vulnerabilities on multiple occasions, targeting “U.S. and allied networks, including national security and government related systems.” Any government agency, as well as anyone with government contracts, was urged to check if any of these vulnerabilities apply to their IT environments, and if so, to take measures to mitigate the vulnerabilities.
The mailbox feature of the Synacor Zimbra Collaboration Suite contains an XML External Entity (XXE) injection vulnerability that can be exploited to gain access to credentials. In addition to being listed in the joint statement, the NCSC also listed it in an earlier advisory about vulnerabilities being exploited in attacks targeting COVID-19 vaccine research and development. A patch for this vulnerability came out with the 8.7.11 release.
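To make the XXE class of flaw concrete, here is an added example (not Zimbra's code, and not from the advisories above) using only Python's standard library xml.sax parser: the same document is parsed once with external general entities enabled, which leaks a constructed secret file into the parsed text, and once with the hardened default, alongside a pre-check that rejects any untrusted XML carrying a DTD. The secret file, its contents and the document are constructed inline.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed secret: stands in for a credential file an XXE payload would reach for.
SECRET_FILE = tempfile.NamedTemporaryFile(mode="w", suffix=".txt", delete=False)
SECRET_FILE.write("db_password=constructed-example-secret")
SECRET_FILE.close()

# Constructed XXE document: declares an external general entity that points at a
# local file, then references it inside element content.
XXE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE request [<!ENTITY ext SYSTEM "%s">]>\n'
    '<request><user>&ext;</user></request>\n' % SECRET_FILE.name
).encode()

class _TextCollector(ContentHandler):
    """Collects character data, as a mailbox feature would read field values."""
    def __init__(self):
        super().__init__()
        self.parts = []
    def characters(self, content):
        self.parts.append(content)

def parse_text(data: bytes, resolve_external_entities: bool) -> str:
    """Parse XML and return its text content.

    True reproduces the vulnerable configuration: the parser fetches SYSTEM
    entities, so the file's contents end up in the output. False (the stdlib
    default since Python 3.7.1) leaves the entity unresolved.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.parts)

def reject_doctype(data: bytes) -> bool:
    """Hardened input check: untrusted XML has no business carrying a DTD.
    Returns True only when the document is acceptable."""
    return b"<!DOCTYPE" not in data and b"<!ENTITY" not in data

if __name__ == "__main__":
    print("vulnerable:", repr(parse_text(XXE_DOC, True)))
    print("default   :", repr(parse_text(XXE_DOC, False)))
    print("pre-check :", "accepted" if reject_doctype(XXE_DOC) else "rejected")
    os.unlink(SECRET_FILE.name)
```

The pre-check is deliberately blunt; in production, a purpose-built library such as defusedxml gives the same protection without string matching.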
4. Pulse Secure Pulse Connect Secure VPN: CVE-2019-11510
This vulnerability was another one of the five known vulnerabilities being used by the SVR. In certain versions of this Pulse VPN, a path traversal vulnerability can be exploited to enable unauthenticated remote attackers to gain access to sensitive information. This vulnerability was part of a previous advisory from CISA in 2020, which noted seeing wide use of the exploitation, despite a patch being released in April 2019.
5. Citrix Application Delivery Controller and Gateway: CVE-2019-19781
Similar to the Pulse VPN, this path traversal vulnerability was also being exploited by the SVR. First discovered as a zero-day, it allowed unauthenticated attackers to access sensitive information, including configuration files. Attackers could also use the vulnerability for DoS attacks, phishing and remote code execution. Despite this vulnerability being used by threat actors on multiple occasions and being known for how easy it was to exploit, 19 percent of the 80,000 affected companies had yet to make the recommended fixes months later.
6. VMware Workspace ONE Access: CVE-2020-4006
This command injection vulnerability was also on the list of those being exploited by the SVR, and can be used by attackers to execute commands on systems in order to access protected data. A December 2020 advisory by the NSA warned of the vulnerability and advised strengthening passwords, since the vulnerability still requires authenticated access in order to be used. Additionally, a patch was already available and linked to in the advisory, but it appears not yet to be widely implemented, since the vulnerability is still being actively used in further attacks.
7. Microsoft SMBGhost: CVE-2020-0796
Part of the worry over this remote code execution vulnerability is that it involves the Microsoft Server Message Block (SMB) protocol, which was the same protocol that was targeted by WannaCry ransomware. Since WannaCry affected over 100 countries with estimated damages of over one billion dollars, cybersecurity experts want to do whatever they can to avoid a repeat incident.
8. VMware vCenter RCE: CVE-2021-21972
This remote code execution vulnerability is similar to the Citrix vulnerability listed earlier in that it was publicized for being simple to exploit, since any unauthorized user can take advantage of it. Although VMware quickly posted patches, many threat actors were already working on posting proof-of-concept exploits for this vulnerability on GitHub, emphasizing how important it is for organizations to update vulnerable systems as soon as possible.
9. Google Chrome: CVE-2021-21193 and two further zero-day vulnerabilities
These three vulnerabilities were all released as zero-day threats. CVE-2021-21193 is a use-after-free vulnerability in Chrome's browser engine, Blink, which could allow a remote attacker to exploit heap corruption. The latter two were announced in the same week, and both can be used for remote code execution. Though Google quickly released new versions to fix these vulnerabilities, the real concern is over what is becoming a pattern of zero-day threats. Given Chrome's popularity, a lingering vulnerability could cause damage on a global scale. The discovery of three zero-day threats in such a short span of time has made some wary of Chrome's overall security approach, so experts may begin to keep a closer eye on the browser for the time being.
10. Cisco AnyConnect Posture: CVE-2021-1366
Improper Access Control and Uncontrolled Search Path Element vulnerabilities were discovered in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows. These vulnerabilities could allow an authenticated, local user to elevate privileges and execute any application under the SYSTEM account. Cisco has released free software updates that address these vulnerabilities.
A Way Forward: Discovery, Regular Updates, and Remediation Validation
The sooner a vulnerability is found and patched, the better. Luckily, there are multiple cybersecurity research groups, including Core Security's Core Labs, constantly looking for vulnerabilities in order to catch them before a threat actor can execute a zero-day attack. Groups like Core Labs contact the vendors, working with them to release an advisory informing users as soon as possible, hopefully with an available patch at the ready.
As for organizations, the running thread through all of these vulnerabilities is clear: if a patch is available, apply it! Though regular updates can be time consuming and tedious, recovering from a breach takes even more time, patience, and money. But updates and patches are useless if they aren’t correctly applied—sometimes something as simple as a failure to restart can mean that you’re still at risk. The best way to assess the state of your security is to regularly pen test your environment, both to uncover vulnerabilities you may not be aware of and to ensure that any remediation efforts have been implemented properly.