Defenders – as human beings – tend to focus on the new “shiny” threats and vulnerabilities, making sure organizations are patched and secure against the latest threats. And this is a great stance to take. Creating detection rules and mitigations for new threats is crucial, as attackers are quick to leverage zero days – something seen all too often.

With that in mind, in larger organizations, internal patching cycles, change control boards, deployment scheduling, and “shadow IT” mean it can be weeks or even months before an enterprise can update everything in its estate, assuming it even knows the software exists or has an active support contract to download and apply security updates.

Attackers also know this, which is why we continue to see old vulnerabilities used as part of new campaigns. Why would a sophisticated threat group burn their zero day if an old CVE still does the job?

The Known Exploited Vulnerability (KEV) Catalog is a list of actively exploited CVEs managed and maintained by the US Cybersecurity & Infrastructure Security Agency (CISA). This list shows CVEs and vulnerabilities actively exploited in the wild by threat actors at scale. The catalog also sets mandatory remediation actions and patching deadlines for organizations operating in the government or federal space.

If it’s important enough for the government to mandate patching, then it should be important enough for any organization to do the same!

In August 2023, CISA, in partnership with the Five-Eyes community, released a list of the top 12 CVEs that were actively exploited in 2022. This list contains CVEs from 2018 through 2022, showing that attackers often focus on vulnerabilities affecting organizations that could be slow to patch.

Note that while there are 12 CVEs, there are only nine impacted applications, where multiple CVEs are used as part of a chain.

Vulnerability: Fortinet – CVE-2018-13379

The earliest in the list, this vulnerability affected Fortinet SSL appliances. It allowed attackers to scan for outdated appliances and read the usernames and passwords of VPN users. With this vulnerability, attackers could access internal networks that would otherwise be inaccessible.

Vulnerability: ProxyShell (Exchange Server) – CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523

Collectively known as ProxyShell, this was a collection of three CVEs that affected Microsoft Exchange Server. Chaining all three allowed an attacker to gain code execution on the email server. With this level of access, attackers could pivot inside the network, gaining access to sensitive information and files in emails and attachments. They’d also be able to impersonate users, accessing their inboxes to support financially-motivated business email compromise (BEC) attacks.

Vulnerability: Zoho ManageEngine – CVE-2021-40539

CVE-2021-40539 affected the ADSelfService Plus component of ManageEngine, which lets domain users perform password resets via a web portal. This vulnerability allowed an attacker to gain code execution on an unpatched server. With this level of access, attackers could take control of any domain account, including Domain Administrators. This makes it a valuable target for attackers, as it opens the door to total domain takeover.

Vulnerability: Confluence – CVE-2021-26084, CVE-2022-26134

OGNL is an expression language used within some Java applications. Despite being years apart, CVE-2021-26084 and CVE-2022-26134 are vulnerabilities that specifically affect OGNL handling in Confluence servers. Attackers exploiting these vulnerabilities would gain remote code execution (RCE) on unpatched servers, and with it access to all the data stored in the Confluence server. Confluence is used in large organizations to create and collaborate on documents and projects as a form of wiki, meaning it can hold a great deal of sensitive information and IP of value to attackers.

Vulnerability: Follina (Microsoft Office) – CVE-2022-30191

Officially tracked as CVE-2022-30191, this zero-day exploit was originally discovered via a VirusTotal sample of an Office document running PowerShell scripts. It was soon discovered that on vulnerable versions of Office, a specially crafted document could be used to run code if the document was opened. This exploit was actually a form of command injection targeting the Microsoft Diagnostics tool. It’s easy to craft and send at scale in the form of phishing emails with Office attachments. Despite its social engineering aspect, this has seen active exploitation by attackers and continues to be sent in the latest phishing campaigns.
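Because the document itself is the lure and the payload runs through a legitimate Windows binary, the most reliable detection signal for this class of attack is the process tree rather than the file: an Office application should not be launching the Microsoft Support Diagnostic Tool (`msdt.exe`), and `msdt.exe` should not be launching a script interpreter. The script below is an added example (not from the original post and not Immersive Labs code) that runs two such parent/child rules over constructed Sysmon-style process-creation events; the hostnames, paths and timestamps are made up, and the `ParentImage`/`Image`/`CommandLine` field names are assumed to match how the telemetry is exported.

```python
"""Flag Office applications spawning msdt.exe or a script interpreter, and
msdt.exe spawning an interpreter, from process-creation telemetry."""
import json

# Comparison is on the lower-cased image basename, so install paths and
# 32/64-bit locations do not matter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DIAG_TOOL = "msdt.exe"

# Constructed process-creation events (Sysmon Event ID 1-style fields as
# JSON lines). Sample records only; command lines are redacted on purpose.
SAMPLE_EVENTS = r"""
{"UtcTime":"2023-08-23 09:14:02","Computer":"desktop-0042","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe <redacted>"}
{"UtcTime":"2023-08-23 09:14:05","Computer":"desktop-0042","ParentImage":"C:\\Windows\\System32\\msdt.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -EncodedCommand <redacted>"}
{"UtcTime":"2023-08-23 09:20:11","Computer":"desktop-0017","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n C:\\Users\\a.user\\Documents\\report.docx"}
{"UtcTime":"2023-08-23 09:31:40","Computer":"desktop-0017","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe -id NetworkDiagnosticsWeb"}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent: str, child: str):
    """Return the rule name an event trips, or None if it looks benign."""
    if parent in OFFICE_PARENTS and (child == DIAG_TOOL or child in INTERPRETERS):
        return "office_spawns_msdt_or_interpreter"
    if parent == DIAG_TOOL and child in INTERPRETERS:
        return "msdt_spawns_interpreter"
    return None


def detect(events_jsonl: str) -> list:
    """Run both rules over newline-delimited JSON events and return alerts."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        rule = classify(parent, child)
        if rule is not None:
            alerts.append({
                "rule": rule,
                "time": ev["UtcTime"],
                "host": ev["Computer"],
                "parent": parent,
                "child": child,
                "command_line": ev["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['time']} {a['host']}: {a['parent']} -> {a['child']}  {a['command_line']}")
```

The fourth sample event, a user launching a network troubleshooter from Explorer, is deliberately left unflagged: `msdt.exe` running on its own is normal, and the rule only fires on the parent/child relationship the phishing chain needs. On the first two events both rules fire on the same host within seconds, which is the pattern worth paging on.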

Vulnerability: VMware – CVE-2022-22954, CVE-2022-22960

These two vulnerabilities affect VMware’s Workspace ONE and other product lines for access control and device management. CVE-2022-22954 was the most critical of the disclosed vulnerabilities and saw the most attacks: a template injection vulnerability that allowed an attacker to gain remote code execution. Affecting the same product lines, CVE-2022-22960 was a privilege escalation vulnerability that allowed attackers who had compromised the system with CVE-2022-22954 to then gain root-level permissions, the highest level of access. With root access, attackers could reach far across the organization by using the native capabilities of the VMware tooling.

Immersive Labs’ CISA KEV 2022 collection

We’ve released a new 10-lab collection covering several of these vulnerabilities, including Log4j, ProxyShell, Confluence, and Office exploits. In these labs, you’ll identify signs of exploitation, reverse engineer real exploit samples, and take on the role of the attacker, using these exploits to target vulnerable servers – showing you just how significant an impact these attacks can have.

Not an Immersive Labs customer yet? Visit our Resources Page to learn more.


Published: August 23, 2023

Written by Kevin Breen, Senior Director of Cyber Threat Research