CISA Cybersecurity Alerts 4.27.22
Ep 13 | 4.27.22

CISA Alert AA22-117A – 2021 top routinely exploited vulnerabilities.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One One Seven Alpha.

​​Original release date: April Twenty Seventh, twenty twenty two.


This joint Cybersecurity Advisory was coauthored by the US, Australia, Canada, New Zealand, and the UK. This advisory provides details on the top 15 Common Vulnerabilities and Exposures exploited by malicious cyber actors in 2021. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.


To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities, some of which were routinely exploited in 2020 or earlier. The use of older vulnerabilities demonstrates the significant risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.


The alert documentation includes a table with the top vulnerabilities from 2021, the targeted vendors and products, and the type of malicious activity associated with each vulnerability.

The top vulnerability of 2021 was Log4Shell, which affects Apache’s Log4j library. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system.


Other common CVEs from 2021 include a broad set of vulnerabilities known as ProxyLogon and ProxyShell that affect Microsoft Exchange email servers that allow arbitrary code execution and file exfiltration, and a CVE that affects the Atlassian Confluence Server and Data Center that enables an unauthenticated actor to execute arbitrary code on vulnerable systems. The Atlassian vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof of concept was released within a week of its disclosure.


The alert documentation linked in the shownotes provides additional information on the top vulnerabilities, targeted products and vendors, and mitigation actions. The cybersecurity authorities of the US, Australia, Canada, New Zealand, and the UK recommend all organizations review and implement the strategies found in the mitigation section of this alert.


All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or


This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.


This has been a CISA Cybersecurity Alert.