On July 28, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) issued a cybersecurity alert entitled “Top Routinely Exploited Vulnerabilities” in collaboration with the Australian Cyber Security Centre, the United Kingdom’s National Cyber Security Centre, and the FBI.

The Alert concludes that cyber criminals are exploiting vulnerabilities in unpatched systems, and that many of the vulnerabilities exploited recently were disclosed over the past two years and should already have been patched. In other words, companies are not patching well-known vulnerabilities and are leaving themselves at risk.

In addition, a remote workforce has contributed to the exploitation of vulnerabilities. According to the Alert, “[T]he rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.” CISA points out that “four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.”

The Alert contains a table of the “top Routinely Exploited CVEs in 2020,” which lists 12 vulnerabilities along with the type of each vulnerability being exploited in the wild, and states that “malicious cyber actors will most likely continue to use older known vulnerabilities, …as long as they remain effective and systems remain unpatched.”

Therefore, CISA and the FBI are encouraging organizations “to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans.”

The point of the Alert is that companies that have not patched known vulnerabilities continue to be at risk as cyber criminals are always going to take the easy path to crime. They would rather get into an unlocked house than try to bust through a locked door or window.

Review the Alert and confirm that the listed vulnerabilities have already been patched in your environment; if they have not, make patching them a high priority.


Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Her full bio is available on rc.com.