The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the FBI, and international cybersecurity agencies issued a joint cybersecurity advisory on August 3 warning organizations of common vulnerabilities and exposures (CVEs) that were frequently exploited by malicious actors in 2022.
The joint Cybersecurity Advisory – titled “2022 Top Routinely Exploited Vulnerabilities” – outlines 12 of the most exploited vulnerabilities and provides an overview of an additional 30 vulnerabilities often used to compromise organizations.
The advisory also includes steps that vendors and tech organizations can use to identify and mitigate their exposure, such as implementing secure-by-design practices and prioritizing patching of known exploited vulnerabilities to reduce the risk of compromise. The advisory also recommends that vendors establish a coordinated vulnerability disclosure program that includes processes to determine the root causes of discovered vulnerabilities.
The security agencies also recommended that end-user organizations apply timely patches to systems, implement a centralized patch management system, and use security tools such as endpoint detection and response tools.
“Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to Secure by Design,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in a statement.
“With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), Computer Emergency Response Team New Zealand (CERT NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) collaborated with CISA, NSA, and the FBI to publish the joint cybersecurity advisory.
“This advisory reinforces one of the foundational aspects of cyber security,” said Lisa Fong, head of NZ NCSC. “Malicious actors continue to succeed using the same techniques over and over. I can’t emphasize enough the importance of doing the basics well by understanding your assets, and rapidly applying patches when they become available. Acting on CVE reporting is the difference between getting onto your to-do list and getting onto someone else’s to-do list.”