Top 12 vulnerabilities list highlights troubling reality: many organizations still aren’t patching
By Christian Vasquez | August 3, 2023
Image credit: Jenar
A joint advisory issued by U.S. and allied cybersecurity agencies lists the vulnerabilities that were most routinely exploited over the past year and that many organizations have still failed to patch. The annual release of this list underscores the Biden administration’s push for secure-by-design coding and engineering practices, aimed at reducing the hundreds of vulnerabilities that criminal hackers commonly exploit.
The Importance of Patching
The release of the top vulnerabilities list is a stark reminder that many organizations are still not prioritizing patching. Unpatched vulnerabilities remain one of the easiest ways for criminal hackers to gain access to a target, and until technology providers commit to secure-by-design practices, malicious actors will continue to exploit organizations worldwide.
Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the need for technology providers to address these vulnerabilities and for organizations to prioritize mitigation. He urged technology providers to take accountability for the security outcomes of their customers by reducing the prevalence of vulnerabilities through design.
Collaborative Efforts
The joint advisory was issued by CISA, the National Security Agency, the FBI, and the cybersecurity agencies of the Five Eyes allies Australia, Canada, New Zealand, and the U.K. This collaborative effort underlines the global importance of addressing these vulnerabilities.
Ongoing Issues with Patching
The inclusion of well-known, years-old vulnerabilities in the top list highlights the alarming fact that many organizations either ignore vulnerability reports or fail to patch all of their systems. For example, one of the most dangerous vulnerabilities affecting Fortinet SSL VPNs has made the list for the past three years. Exploitation that continues years after a fix is available indicates that patches are not being applied in a timely manner, or are applied to some appliances but not to every exposed one, leaving organizations open to malicious cyber actors.
In response, Fortinet has repeatedly communicated with customers, urging them to implement mitigations and address the vulnerabilities. Some organizations have still not taken adequate action. This situation underscores the need for organizations to prioritize patching, verify that every affected system was actually updated, and follow the guidance of technology providers.
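The practical check behind this section is whether every affected system in an organization's inventory actually runs a fixed build. The script below is an added example, not tooling from the advisory, CISA or Fortinet: it cross-references a constructed asset inventory against a catalog excerpt written in the field layout of CISA's public Known Exploited Vulnerabilities JSON feed and reports hosts still below the fixed version, ordered by how long they have been past the catalog due date. The CVE identifiers, product names, versions and dates are placeholders, and the fixed-version table is an assumed, locally maintained mapping, since the public catalog itself carries no version data.

```python
"""Cross-check an asset inventory against a KEV-style catalog of routinely
exploited vulnerabilities and report hosts still running unpatched builds.

All data below is constructed for illustration: the catalog entries use the
field names of CISA's public Known Exploited Vulnerabilities JSON feed, but the
CVE identifiers, products, versions and dates are placeholders, not real
advisory content. The fixed-version table is an assumed, locally maintained
mapping; the public catalog itself carries no version data.
"""
import json
import re
from datetime import date

# Constructed catalog excerpt in the shape of the CISA KEV feed.
CATALOG_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "SSL VPN Appliance", "vulnerabilityName": "Path traversal",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "Mail Server", "vulnerabilityName": "Pre-auth RCE chain",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Assumed local table: first build that contains the fix, keyed by CVE and
# product. The catalog feed does not carry this; the team maintains it.
FIXED_VERSIONS = {
    ("CVE-0000-0001", "SSL VPN Appliance"): "6.4.2",
    ("CVE-0000-0002", "Mail Server"): "15.2.1000",
}

# Constructed asset inventory, one row per host.
INVENTORY = [
    {"host": "vpn-edge-01", "product": "SSL VPN Appliance", "version": "6.4.1"},
    {"host": "vpn-edge-02", "product": "SSL VPN Appliance", "version": "6.4.2"},
    {"host": "vpn-lab-07", "product": "SSL VPN Appliance", "version": "6.2.9"},
    {"host": "mail-01", "product": "Mail Server", "version": "15.2.999"},
    {"host": "mail-02", "product": "Mail Server", "version": "15.2.1000"},
]

# Date the report is run against (the article's publication date, as a fixed
# reference so the overdue figures are reproducible).
REPORT_DATE = date(2023, 8, 3)


def parse_version(text):
    """Turn '6.4.1' or '15.2.1000' into a tuple of ints for correct ordering.
    Plain string comparison would wrongly rank '6.4.10' below '6.4.2'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_patched(installed, fixed):
    """True when the installed build is at or above the first fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def exposed_hosts(catalog_json, inventory, fixed_versions, today=REPORT_DATE):
    """Return one finding per (host, CVE) where the installed build is older
    than the fixed build, with the number of days past the catalog due date."""
    catalog = json.loads(catalog_json)["vulnerabilities"]
    findings = []
    for entry in catalog:
        fixed = fixed_versions.get((entry["cveID"], entry["product"]))
        if fixed is None:
            continue  # no local fix data yet; in practice report this gap too
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["product"] != entry["product"]:
                continue
            if not is_patched(asset["version"], fixed):
                findings.append({
                    "host": asset["host"],
                    "cve": entry["cveID"],
                    "installed": asset["version"],
                    "fixed": fixed,
                    "days_overdue": (today - due).days,
                })
    # Longest-overdue first: these are the ones still being exploited years on.
    findings.sort(key=lambda f: (-f["days_overdue"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in exposed_hosts(CATALOG_JSON, INVENTORY, FIXED_VERSIONS):
        print(f"{f['host']:12} {f['cve']} installed {f['installed']} "
              f"(fixed in {f['fixed']}), {f['days_overdue']} days past due date")
```

Two details matter in practice. Versions must be compared numerically, component by component, or a host on build 6.4.10 will be misreported as older than the 6.4.2 fix. And a product with no entry in the local fixed-version table is silently skipped here; a production version of this check should list those as unresolved rather than treat them as clean, since that is exactly how the one appliance nobody re-checked stays exposed for years.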
Vulnerabilities on the List
Among the vulnerabilities on the list are some well-known bugs that have been routinely exploited. One example is ProxyShell, a chain of vulnerabilities affecting Microsoft Exchange email servers, about which CISA warned in August 2021. Another is Log4Shell, the bug in the widely used Apache Log4j logging library that made headlines in 2021 after CISA Director Jen Easterly described it as one of the most serious exploits she had seen.
Ron Fabela, CTO at cybersecurity firm XONA Systems, noted that malicious hackers need to exploit only a bare minimum of vulnerabilities to gain access to target networks and achieve their objectives. He also noted that while the vulnerabilities on this list primarily affect enterprise technologies, they can serve as a gateway for attacks against critical infrastructure, so these threats should be considered in overall IT/OT security planning.
The Importance of Holistic Security
The top vulnerabilities list serves as a clear reminder of the importance of holistic security practices. Organizations must prioritize patching and implement secure-by-design principles to reduce their exposure to cyber threats. Technology providers, in turn, must take responsibility for securing their products and addressing vulnerabilities by design.
Conclusion
The annual release of the top vulnerabilities list is a critical step in the ongoing battle against cyber threats. It highlights the need for organizations and technology providers to work together to prioritize patching and reduce the prevalence of vulnerabilities, and it underscores the role of secure-by-design principles in building resilient systems. Leaving these vulnerabilities unaddressed keeps organizations exposed to actors who are demonstrably still exploiting them. All stakeholders need to act now and prioritize cybersecurity in order to protect critical infrastructure and ensure a safer digital future.