CISA AA23-215A: Lessons Learned from Top Routinely Exploited Vulnerabilities of 2022


On August 03, 2023, CISA released a joint Cybersecurity Advisory listing the top routinely exploited vulnerabilities of 2022 [1]. The advisory confirms a plain truth: many organizations run old, unpatched software or system versions that offer adversaries low-risk, high-reward targets. With exploits and Proof-of-Concept (PoC) code for these vulnerabilities publicly available, adversaries did not rest for a moment in 2022. In fact, these vulnerabilities are still routinely exploited in 2023!

In this blog, we provide the top routinely exploited vulnerabilities in 2022, along with corresponding CVE IDs, affected products and versions, available patches, security upgrade reports, exploit trends, and the lessons that need to be learned from these trends.


Executive Summary

  • What these vulnerabilities have in common is that they are old, and patches with detailed support documentation have been available for years.

  • All of the listed vulnerabilities have publicly available exploits and Proof-of-Concept (PoC) write-ups, some even on video platforms such as YouTube.

  • Attackers target older vulnerabilities because they offer a low-cost and impactful way to access confidential information [2].

  • A vast number of organizations continue using unpatched software and systems for various reasons. These include not running a vulnerability management program, delaying patching processes, lack of awareness, or insufficient visibility into their IT infrastructure to identify vulnerable software or systems.

  • Many organizations do not even apply the interim precautions that affected vendors advise for the period until systems and software are properly patched, such as implementing multi-factor authentication and limiting VPN access.

  • Patching alone might not be enough; organizations also need to apply the suggested detection techniques for continuous monitoring. In some cases, as with CVE-2022-1388 and CVE-2022-22954, attackers reverse-engineered the updates and found ways to work around the released patches with new exploit variants [3], which emphasizes the need for organizations to continuously monitor their networks and systems.

In the following table, you will find the list of twelve routinely exploited vulnerabilities with affected vendors and products, as well as the type of vulnerability. Detailed information will be provided in the rest of this blog.

| CVE ID | Vendor | Affected Product | Vulnerability Type |
|---|---|---|---|
| CVE-2018-13379 | Fortinet | FortiOS [4] | Path Traversal Vulnerability |
| CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server 2013, 2016 and 2019 [5] | Remote Code Execution (RCE) |
| CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server 2013, 2016 and 2019 [6] | Security Feature Bypass |
| CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server 2013, 2016 and 2019 [7] | Elevation of Privilege |
| CVE-2021-40539 | Zoho | ADSelfService Plus Version 6113 and Prior [8] | Remote Code Execution (RCE) / Authentication Bypass |
| CVE-2021-26084 | Atlassian | Confluence Server/Data Center with Various Affected Versions [9] | OGNL Injection Vulnerability / Remote Code Execution (RCE) |
| CVE-2021-44228 (Log4Shell) | Apache | Apache Log4j2 2.0-beta9 through 2.15.0 [10] | Remote Code Execution (RCE) |
| CVE-2022-22954 | VMware | Workspace ONE [11] | Remote Code Execution (RCE) due to Server-Side Template Injection |
| CVE-2022-22960 | VMware | Workspace ONE [11] | Improper Privilege Management |
| CVE-2022-1388 | F5 Networks | BIG-IP [11] | Missing Authentication |
| CVE-2022-30190 | Microsoft | Multiple Products and Versions [12] | Remote Code Execution (RCE) |
| CVE-2022-26134 | Atlassian | Confluence Server/Data Center [13] | OGNL Injection Vulnerability / Remote Code Execution (RCE) |

How Can Picus Help You?

In the Picus Complete Security Control Validation Platform, a ready-to-run attack template titled “Top Routinely Exploited Vulnerabilities of 2022” is available in line with CISA’s advisory CISA AA23-215A. By accessing the Threat Templates on the platform, users can conduct non-disruptive attack simulations based on real-life exploit attacks discovered by our Red Team engineers for all twelve vulnerabilities. Utilizing this threat template allows you to evaluate your security controls and overall posture against the most commonly exploited attacks of 2022.

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.

1. CVE-2018-13379: Fortinet SSL VPNs Vulnerability

CVE-2018-13379 is a high-severity path traversal vulnerability (CVSS Base Score 9.8) affecting Fortinet SSL VPNs. It allows an unauthenticated adversary to retrieve arbitrary files from the system by manipulating HTTP requests [4]: because input validation is inadequate, a crafted HTTP request can reach files outside the intended directory.

  • Patch for CVE-2018-13379

FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 are affected if the SSL VPN service is enabled [4]. Fortinet advises upgrading to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above, and disabling all VPN activity until the upgrade is done. As a precaution, it also advises treating all credentials as potentially compromised, performing an organization-wide password reset, and implementing multi-factor authentication.

  • Lessons to Learn

Despite these fixes, the vulnerability, first identified in 2018, is still being exploited even in 2023. Likely reasons are organizations not performing the recommended upgrades promptly, ineffective password reset procedures, or the absence of multi-factor authentication, which lets compromised credentials remain usable. The continued exploitation of CVE-2018-13379 is a reminder of the importance of timely patching: organizations that fail to apply security patches leave themselves open to attack.

The Complete Security Validation Platform includes a range of simulated attack threats, including exploitation of the CVE-2018-13379 vulnerability. As Picus Security, we strongly recommend that organizations validate their existing security controls against CVE-2018-13379 and implement appropriate countermeasures accordingly.

The threats listed in our Threat Library carry out a simulated attack exploiting the CVE-2018-13379 vulnerability.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 57719 | CISA Critical Infrastructure Vulnerabilities Campaign | Web Application |
| 99053 | Web App Vulnerabilities Heavily used by Ransomware | Web Application |

2. CVE-2021-34473, CVE-2021-31207, CVE-2021-34523: ProxyShell Vulnerabilities 

ProxyShell is the collective name for three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that affect only unpatched, on-premises Microsoft Exchange servers. Chained together, they enable adversaries to achieve pre-authentication remote code execution (RCE).

These vulnerabilities lie in the Microsoft Client Access Service (CAS) running in the IIS web server. By its nature, CAS is exposed to the Internet so that users can reach their email from mobile devices and web browsers. This exposure lets attackers execute arbitrary code remotely on the compromised system, as in the HAFNIUM APT campaigns.

Here is a detailed table that shows the types of the vulnerabilities and their corresponding CWEs.

| CVE | Vendor | Product | Type | CWE |
|---|---|---|---|---|
| CVE-2021-31207 | Microsoft | Exchange Server | Security Feature Bypass | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-34523 | Microsoft | Exchange Server | Elevation of Privilege | CWE-287 Improper Authentication |
| CVE-2021-34473 | Microsoft | Exchange Server | Remote Code Execution (RCE) | CWE-918 Server-Side Request Forgery (SSRF) |

  • Lessons to Learn

Even though Microsoft released and issued patches for each vulnerability in May-July 2021 (Refer to [5], [6] and [7]), we still see that threat actors are exploiting the three ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers. 

Here is an example of an attack that exploited the ProxyShell vulnerabilities.

In 2022, the LV ransomware gang, a threat group linked to REvil, used ProxyShell for initial access to the Exchange servers of a Jordan-based company, then deployed malicious PowerShell code and a tunneling tool for data exfiltration, leading to a double-extortion attack that combined data encryption with a threat to release the stolen information [14].

Considering that two of the ProxyShell vulnerabilities have a CVSS score of 9.8 (Critical) and a quick Shodan search shows many unpatched on-premises Exchange Servers, it is no surprise that adversaries keep targeting them. Please visit our blog on simulating and preventing ProxyShell exploits for further information.

As Picus Security, we highly recommend that organizations test the effectiveness of their security measures against the ProxyShell vulnerabilities. The following threats in our Threat Library carry out simulated attacks exploiting the ProxyShell vulnerabilities.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 92370 | ProxyShell Web Attack Campaign | Web Application |
| 55867 | Unauthorized Access Web Attack Campaign | Web Application |
| 24723 | Microsoft Exchange Web Attack Campaign | Web Application |
| 39875 | CVE 2021 Web Attack Campaign - 4 | Web Application |
| 25671 | CVE 2021 Web Attack Campaign - 3 | Web Application |
| 94541 | CVE 2021 Web Attack Campaign - 2 | Web Application |
| 65732 | CVE 2021 Web Attack Campaign - 1 | Web Application |

3. CVE-2021-40539: ZOHO ManageEngine ADSelfService Plus Vulnerability 

In September 2021, a critical vulnerability (CVE-2021-40539) with a CVSS score of 9.8 was discovered in ZOHO ManageEngine ADSelfService Plus, a widely used enterprise-grade application management technology. It allows attackers to bypass REST API authentication in version 6113 and earlier, enabling unauthenticated remote code execution (RCE). Since ADSelfService Plus is used as a password management and single sign-on solution, including by nearly 60% of Fortune 500 companies, the vulnerability poses a substantial risk and can cause significant disruption in organizations running unpatched instances.

  • Patch for CVE-2021-40539

For the CVE-2021-40539 vulnerability in ADSelfService Plus, a clear update path has been provided based on specific build numbers. Users can identify their current build and then follow the recommended path to upgrade to the requisite version to mitigate this vulnerability. 

  • Lessons to Learn

Exploitation, which began in late 2021 and continued throughout 2022, has been linked to the use of an outdated third-party dependency.

In October 2022, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory on the top Common Vulnerabilities and Exposures (CVEs) exploited by People’s Republic of China (PRC) state-sponsored cyber actors since 2020; the CVE-2021-40539 remote code execution (RCE) vulnerability was among them.

Thus, despite the patch's availability and advisories from CISA, we see that many organizations fail to implement the corresponding patches promptly due to factors such as operational disruption, resource allocation, or lack of awareness, leaving their systems vulnerable [15]. This vulnerability is then exploited by adversaries, causing significant harm and data breaches. It underscores the importance of timely patch management and system updates.

The threats listed in our Threat Library carry out a simulated attack exploiting the CVE-2021-40539 vulnerability.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 99053 | Web App Vulnerabilities Heavily used by Ransomware | Web Application |
| 62195 | Zoho ManageEngine Web Attack Campaign | Web Application |
| 45543 | Generic Code Execution Web Attack Campaign - 7 | Web Application |
| 63009 | ManageEngine Web Attack Campaign | Web Application |
| 39875 | CVE 2021 Web Attack Campaign - 4 | Web Application |

4. CVE-2021-26084: Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability

On August 25, 2021, Atlassian published a security advisory about a Confluence Server Webwork OGNL (Object-Graph Navigation Language) injection vulnerability, CVE-2021-26084, considered critical (CVSS 9.8) by Atlassian. This vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance, posing a significant security risk.

The products affected by this vulnerability are Confluence Server and Confluence Data Center versions. Notably, all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 are impacted [16]. However, Confluence Cloud sites are not affected by this vulnerability. 

  • Patch for CVE-2021-26084

To remediate this issue, Atlassian recommends that users upgrade to the latest Long Term Support release, version 7.13.0 (LTS) or higher. If users cannot upgrade to the LTS version, they should upgrade to the fixed version corresponding to their current branch: for instance, users on 6.13.x should upgrade to 6.13.23, and users on 7.4.x to 7.4.11. See the advisory for more detailed information.

Figure 1. Patches Released by Atlassian Confluence as a Remediation Action for CVE-2021-26084 [16]. 

As a temporary workaround for those unable to upgrade right away, Atlassian provides a mitigation script that users can run on the operating system hosting Confluence.

Figure 2. Exploits of CVE-2021-26084 in 2022 by [17].

  • Lessons to Learn

The fact that this vulnerability was actively exploited in 2022, despite the availability of patching solutions, demonstrates that many organizations either have not or cannot perform the necessary updates, leaving them vulnerable to cyber attacks.

The threats listed in our Threat Library carry out a simulated attack exploiting the CVE-2021-26084 vulnerability.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 58423 | Atlassian Confluence Web Attack Campaign | Web Application |
| 20701 | Generic Code Execution Web Attack Campaign - 2 | Web Application |
| 59633 | Generic Code Execution Web Attack Campaign - 4 | Web Application |
| 65732 | CVE 2021 Web Attack Campaign - 1 | Web Application |
| 94541 | CVE 2021 Web Attack Campaign - 2 | Web Application |
| 99053 | Web App Vulnerabilities Heavily used by Ransomware | Web Application |

5. CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability 

The CVE-2021-44228 vulnerability, also known as Log4Shell, affects the Apache Log4j Java logging library, which is widely used in several Apache frameworks. It allows unauthorized attackers to execute arbitrary code remotely on affected systems. The flaw is present in versions of Apache Log4j prior to 2.15.0, whose JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can therefore make the application load and run code from an attacker-controlled LDAP server.

What makes CVE-2021-44228 especially critical is its reach: it affects the default configurations of several widely used Apache frameworks, such as Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. A successful exploit gives the attacker complete control over the affected server, permitting them to run malicious code, install backdoors, and conduct post-exploitation activities.

  • Patch for Apache Log4j RCE Vulnerability

Patches are available to rectify this vulnerability. Apache released Log4j 2.15.0 on December 9th, 2021, to address the vulnerability, which had been reported privately on November 24th. It was later found that under certain non-default conditions the original patch was insufficient; a new vulnerability, CVE-2021-45046, was assigned, and an improved fix shipped in Log4j 2.16.0. Log4j 2.17.1 was subsequently released to address the latest Log4j vulnerability, CVE-2021-44832.

Figure 3. Exploitation Trend of Log4Shell Vulnerability by [18]

  • Lessons to Learn

The fact that the Log4Shell vulnerability, patched initially in 2021, continued to be one of the most exploited vulnerabilities throughout 2022 and even into 2023 raises a question: What should we learn from this trend data? 

  1. The Log4j vulnerability affects a wide range of software, including many popular open source applications. It can be difficult and time-consuming to identify all of the affected software and apply the patches. As a result, many organizations are still vulnerable to the Log4j vulnerability. 

  2. Even if an organization has applied the patches, there is a risk that they have done so incorrectly. This can happen if the patches are not applied to all of the affected software, or if they are not applied in the correct way.

These insights underscore the imperative for organizations to have complete visibility on their IT infrastructure, coupled with a proactive vulnerability management and timely patching strategy. One last thing to note here is that organizations should have a deep understanding of the patching documents provided by the corresponding vendor to make sure that patching is done correctly.
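
To make the first lesson concrete, here is an added example (written for this post, not Picus or Apache code) that walks a directory tree, opens every .jar, .war and .ear, reads the pom.properties that Maven embeds in log4j-core, recurses into archives nested inside other archives (the usual place a forgotten copy hides), and classifies each find against the fix versions named above (2.15.0, 2.16.0 and 2.17.1). The sample tree it scans is constructed by build_sample_tree(); the archive layout, file names and the demo() helper are assumptions of the example.

```python
"""Inventory log4j-core inside jars, including jars nested in wars and ears.

Added example, not Picus or Apache code. The fix versions are the ones quoted in
this section (2.15.0 for CVE-2021-44228, 2.16.0 for CVE-2021-45046 and 2.17.1 for
CVE-2021-44832); only the 2.x mainline is modelled. The scanned tree is a
constructed fixture built by build_sample_tree().
"""
import io
import os
import re
import tempfile
import zipfile

# Maven writes this file into every log4j-core jar; its "version=" line is what we read.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIX_VERSIONS = [((2, 15, 0), "CVE-2021-44228"),
                ((2, 16, 0), "CVE-2021-45046"),
                ((2, 17, 1), "CVE-2021-44832")]


def parse_version(text):
    """Numeric prefix only: '2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version):
    """Name the oldest unfixed issue for this version, or 'patched' at 2.17.1 and later."""
    for fixed, cve in FIX_VERSIONS:
        if version < fixed:
            return cve
    return "patched"


def scan_archive(data, location, findings):
    """Inspect one archive held in memory and recurse into any archive it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.*)$", props, re.MULTILINE)
            raw = m.group(1).strip() if m else "?"
            ver = parse_version(raw) if m else None
            findings.append((location, raw, classify(ver) if ver else "unknown"))
        for name in names:
            # A jar inside a war is still loaded by the app server, so it counts.
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root):
    """Return sorted (location, version, status) for every log4j-core found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), findings)
    return sorted(findings)


def _log4j_core_jar(version):
    """Constructed stand-in for a log4j-core jar: just the Maven properties file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: a patched jar at top level, an old one hidden inside a war."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_log4j_core_jar("2.17.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _log4j_core_jar("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo():
    """Hypothetical helper: build the fixture in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for location, version, status in demo():
        print(f"{status:16} {version:8} {location}")
```

The point of the nested-archive recursion is the second lesson above: a host whose top-level jar was replaced can still carry the old library inside a deployed war, and a scan that stops at the filesystem will report it as patched.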

The threats listed in our Threat Library carry out a simulated attack exploiting the CVE-2021-44228 vulnerability.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 21296 | Apache Log4j Web Attack Campaign - 1 | Web Application |
| 24688 | Apache Log4j Web Attack Campaign - 2 | Web Application |

6. CVE-2022-22954 (Combined with CVE-2022-22960): VMware Workspace ONE Access and Identity Manager Server-side Template Injection RCE Vulnerability

The CVE-2022-22954 vulnerability is a remote code execution (RCE) flaw that resides in VMware Workspace ONE Access and Identity Manager. It's specifically a server-side template injection vulnerability, meaning an attacker can manipulate the web application's server-side rendering of templates. The vulnerability arises due to improper sanitization of user inputs or inadequate coding patterns, allowing an attacker to inject malicious templates. These injected templates are then interpreted by the server-side template engine, leading to the execution of arbitrary code.

The exploitation involves sending a specially crafted request to the vulnerable web interface. Once the request is processed by the server, it triggers the template injection, leading to the execution of arbitrary shell commands with the permissions of the VMware user. It's a severe vulnerability because it doesn't require authentication and can be initiated remotely. 

This vulnerability was later combined with CVE-2022-22960, which was a local privilege escalation vulnerability. In combination, these two vulnerabilities allowed remote attackers to execute commands with root privileges.

  • Patch for CVE-2022-22954 and CVE-2022-22960

The affected products include versions 21.03 and earlier of VMware Workspace ONE Access and Identity Manager. Other VMware suites like vRealize Automation (vRA), vRealize Suite Lifecycle Manager (vRSLCM), and VMware Cloud Foundation (VCF) can also be impacted if they incorporate the vulnerable vIDM components.

On April 6, 2022, VMware released patches for these vulnerabilities, as stated in VMware Security Advisory VMSA-2022-0011.

Figure 4. Exploitation Trend of CVE-2022-22954 and CVE-2022-22960 Vulnerabilities by [18]

  • Lessons to Learn

Despite VMware promptly releasing a patch for this remote code execution flaw in April 2022, attackers quickly reverse-engineered the update and have been exploiting unpatched systems ever since, deploying a mix of ransomware and cryptocurrency miners. This vulnerability shows that even servers not directly connected to the Internet can be compromised once attackers gain access to an enterprise's internal network. Organizations must prioritize patching VMware Workspace ONE Access to the latest version immediately and continuously ensure that all software across their infrastructure stays up to date against such high-risk threats.

7. CVE-2022-1388: Remote Code Execution (RCE) Vulnerability in BIG-IP F5

The BIG-IP iControl REST vulnerability, identified as CVE-2022-1388, was discovered in various versions of the BIG-IP product line. This critical vulnerability, rated 9.8 on the CVSSv3 scale, allows undisclosed requests to bypass the iControl REST authentication. If exploited, an unauthenticated attacker with network access could execute arbitrary system commands, create or delete files, or disable services on the affected BIG-IP system, though this is only a control plane issue with no data plane exposure.

  • Patch for CVE-2022-1388

CVE-2022-1388 affects several versions of the F5 BIG-IP products: 16.1.0 to 16.1.2, 15.1.0 to 15.1.5, 14.1.0 to 14.1.4, and 13.1.0 to 13.1.4. Older versions such as 12.x (12.1.0 to 12.1.6) and 11.x (11.6.1 to 11.6.5) are also affected but will not receive patches because they have reached End of Technical Support (EoTS).

F5 released patches on May 4, 2022, with detailed guidance in security advisory K23605346. The patches cover all supported vulnerable branches; 17.x and the other listed versions that have received the fix are protected.
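
The affected-version ranges quoted in the Fortinet, Confluence (CVE-2021-26084) and BIG-IP sections above are easy to misread in prose, so here is an added example (not Picus or vendor code) that encodes them as inclusive or exclusive ranges and matches a constructed asset inventory against them. It carries the FortiOS "only if SSL VPN is enabled" condition as a feature flag and marks the BIG-IP End of Technical Support branches so they surface as "upgrade" rather than "patch". Host names, the product labels and the "ssl-vpn" feature name are assumptions of the example.

```python
"""Match an asset inventory against the affected-version ranges quoted on this page.

Added example, not Picus or vendor code. Ranges come from the Fortinet (CVE-2018-13379),
Confluence (CVE-2021-26084) and BIG-IP (CVE-2022-1388) sections; the inventory,
host names and the "ssl-vpn" feature label are constructed.
"""
from dataclasses import dataclass


def parse_version(text):
    """'7.4.11' -> (7, 4, 11). Dotted numeric versions only."""
    return tuple(int(p) for p in text.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str
    low: tuple                   # inclusive lower bound
    high: tuple                  # upper bound: inclusive for "x to y", exclusive for "before y"
    high_inclusive: bool
    requires_feature: str = ""   # range only applies when the asset has this feature enabled
    note: str = ""

    def contains(self, version):
        if version < self.low:
            return False
        return version <= self.high if self.high_inclusive else version < self.high


V = parse_version
EOTS = "EoTS branch: no patch available, upgrade to a supported branch"
RANGES = [
    # FortiOS builds affected when the SSL VPN service is enabled [4]
    AffectedRange("CVE-2018-13379", "FortiOS", V("6.0.0"), V("6.0.4"), True, "ssl-vpn"),
    AffectedRange("CVE-2018-13379", "FortiOS", V("5.6.3"), V("5.6.7"), True, "ssl-vpn"),
    AffectedRange("CVE-2018-13379", "FortiOS", V("5.4.6"), V("5.4.12"), True, "ssl-vpn"),
    # Confluence Server/Data Center: the "before" bounds are exclusive [16]
    AffectedRange("CVE-2021-26084", "Confluence", V("0"), V("6.13.23"), False),
    AffectedRange("CVE-2021-26084", "Confluence", V("6.14.0"), V("7.4.11"), False),
    AffectedRange("CVE-2021-26084", "Confluence", V("7.5.0"), V("7.11.6"), False),
    AffectedRange("CVE-2021-26084", "Confluence", V("7.12.0"), V("7.12.5"), False),
    # BIG-IP: supported branches have fixes; 12.x and 11.x are affected but past EoTS
    AffectedRange("CVE-2022-1388", "BIG-IP", V("16.1.0"), V("16.1.2"), True),
    AffectedRange("CVE-2022-1388", "BIG-IP", V("15.1.0"), V("15.1.5"), True),
    AffectedRange("CVE-2022-1388", "BIG-IP", V("14.1.0"), V("14.1.4"), True),
    AffectedRange("CVE-2022-1388", "BIG-IP", V("13.1.0"), V("13.1.4"), True),
    AffectedRange("CVE-2022-1388", "BIG-IP", V("12.1.0"), V("12.1.6"), True, note=EOTS),
    AffectedRange("CVE-2022-1388", "BIG-IP", V("11.6.1"), V("11.6.5"), True, note=EOTS),
]


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    features: frozenset = frozenset()


def find_affected(assets):
    """Return (host, cve, version, note) for each asset/range match, in inventory order."""
    findings = []
    for asset in assets:
        version = parse_version(asset.version)
        for rng in RANGES:
            if rng.product != asset.product or not rng.contains(version):
                continue
            if rng.requires_feature and rng.requires_feature not in asset.features:
                continue   # affected build, but the exposed service is switched off
            findings.append((asset.host, rng.cve, asset.version, rng.note))
    return findings


# Constructed inventory; host names are placeholders.
INVENTORY = [
    Asset("vpn-gw-01", "FortiOS", "6.0.4", frozenset({"ssl-vpn"})),
    Asset("vpn-gw-02", "FortiOS", "6.0.4"),                          # SSL VPN disabled
    Asset("vpn-gw-03", "FortiOS", "6.0.5", frozenset({"ssl-vpn"})),  # fixed build
    Asset("wiki-01", "Confluence", "7.4.10"),
    Asset("wiki-02", "Confluence", "7.13.0"),                        # LTS fix release
    Asset("lb-01", "BIG-IP", "16.1.2"),
    Asset("lb-02", "BIG-IP", "12.1.6"),                              # past EoTS
    Asset("lb-03", "BIG-IP", "17.0.0"),
]

if __name__ == "__main__":
    for host, cve, version, note in find_affected(INVENTORY):
        print(f"{host:10} {cve:15} {version:8} {note}")
```

Note that vpn-gw-02 runs an affected FortiOS build but is not reported because its SSL VPN service is off; a real program would still list it for upgrade, since enabling the service later would silently expose it.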

Figure 5. Exploitation Trend of the CVE-2022-1388 by [18].

  • Lessons to Learn

Even though a patch for CVE-2022-1388 was released in 2022, exploitation remained a security concern in 2023 as new exploit variants emerged. This persistence highlights a common issue: while patches are made available, not every organization or individual is prompt in applying them. Some systems remain outdated through negligence, lack of resources, or simple unawareness. Attackers, aware of the potential of such unpatched systems, keep finding new variants or methods to bypass security measures.

In the case of CVE-2022-1388, while the original exploit might have been mitigated by the patch, the variants that emerged afterward continued to exploit the same underlying vulnerability, but with different techniques to evade detection or increase the effectiveness of the attack [3]. This underscores the importance of proactive patch management and the need for continuous security monitoring to adapt to the evolving threat landscape.

The threats listed in our Threat Library carry out a simulated attack exploiting the CVE-2022-1388 vulnerability.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 97569 | F5 Web Attack Campaign | Web Application |

For more information, visit our blog “Simulating and Preventing F5 BIG-IP CVE-2022-1388 RCE Exploits”.

8. CVE-2022-30190: Follina MSDT Vulnerability

The Microsoft Office Word vulnerability CVE-2022-30190, nicknamed "Follina," affects various Windows versions such as Microsoft Windows Server 2016, Microsoft Windows Server 2019, and Windows Server version 1809. Rated 7.8 on the CVSSv3 scale, it can be exploited even if macros are disabled or the malicious document is opened in Protected View. Specifically, a malicious Word document can download an external HTML file and abuse the Microsoft Support Diagnostic Tool (ms-msdt) to execute PowerShell commands. The exploit permits remote execution of malicious code with minimal user interaction.
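
The document-side behaviour described above (a Word file that pulls an external HTML file into an embedded object) leaves a trace in the document package itself, so here is an added example (not Picus or Microsoft code) that opens a .docx as the ZIP container it is, parses word/_rels/document.xml.rels, and reports object relationships whose TargetMode is External. Hyperlinks are legitimately external and are left alone. The two sample documents are constructed in memory; the URLs in them are placeholders.

```python
"""Report Word documents whose embedded-object relationships fetch external content.

Added example, not Picus or Microsoft code. A .docx is a ZIP package; the part
word/_rels/document.xml.rels records where every object referenced by the body is
loaded from, and TargetMode="External" marks content pulled from outside the package.
The two sample documents below are constructed in memory with placeholder URLs.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_PART = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that should never point outside the package; hyperlinks may.
OBJECT_TYPES = {"oleObject", "frame", "package"}


def external_object_links(docx_bytes):
    """Return [(relationship_type, target)] for object relationships marked External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits                      # not a Word document, or no body part
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
        if rel.get("TargetMode") == "External" and rel_type in OBJECT_TYPES:
            hits.append((rel_type, rel.get("Target", "")))
    return hits


def _docx(relationships_xml):
    """Build a minimal constructed .docx containing only the body part and its rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, relationships_xml)
    return buf.getvalue()


# Constructed: an ordinary document with an internal styles part and a hyperlink.
BENIGN_DOCX = _docx(f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>""")

# Constructed: an embedded object whose content is loaded from a remote URL.
SUSPECT_DOCX = _docx(f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}oleObject" Target="http://example.invalid/remote.html" TargetMode="External"/>
</Relationships>""")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("suspect", SUSPECT_DOCX)):
        print(label, external_object_links(doc) or "no external objects")
```

A mail gateway or sandbox can run this check before a document reaches a user; because it reads the package structure rather than executing anything, it is not affected by macro settings or Protected View, which is exactly the gap this vulnerability exploits.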

  • Patch for CVE-2022-30190

On May 31, 2022, before the patch was released, CISA published workaround guidance for the Follina vulnerability. On June 14, 2022, Microsoft issued security patches for a variety of Windows Server and Client versions, spanning from the latest Windows Server 2022 and Windows 11 down to older versions like Windows 7 SP1. The recommended patches, such as KB5014678 for Windows Server 2022 and KB5014697 for Windows 11, are integral to protecting against this unauthorized code execution. Microsoft stresses the significance of these patches, especially since the vulnerability has been flagged as "important". Its advisory strongly suggests installing them immediately and notes that systems set to automatic updates need no additional action.

  • Lessons to Learn

Considering the public availability of Proof-of-Concept (PoC) exploits for CVE-2022-30190, organizations should prioritize updating their systems with the security patch. If an update is not feasible for their IT environment, they must implement workaround measures and maintain continuous monitoring.

The Picus Threat Library includes the following simulated attack scenarios for the Microsoft Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190.

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 43958 | MSDT Compatibility Troubleshooter Vulnerability Threat | E-mail Infiltration |
| 23559 | MSDT Compatibility Troubleshooter Vulnerability Threat | Network Infiltration |
| 71494 | Microsoft Support Diagnostics Tool (MSDT) Attack Campaign (CVE-2022-30190) | Windows Endpoint |

9. CVE-2022-26134: Confluence Server and Data Center OGNL Injection Vulnerability

CVE-2022-26134 was identified across various versions of the Confluence Server and Data Center product suite. Rated "critical" on Atlassian's severity scale, this OGNL injection vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center preceding the fixed versions are affected.

  • Patch for CVE-2022-26134

CVE-2022-26134 affects many editions of Confluence Server and Data Center, from version 1.3.0 onward. Atlassian released patches on June 3, 2022: versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, as detailed in its security advisories.

  • Lessons to Learn

The exploitation of CVE-2022-26134 shows that, while its primary abuse has been cryptocurrency mining, the potential damage is much broader. Because it is simple to exploit, attackers can manipulate the Confluence domain, control the server for diverse malicious activities, and from there jeopardize the wider infrastructure. Notably, besides cryptocurrency-related malware, other malicious software such as Kinsing, Dark.IoT and Mirai, and web shells such as China Chopper, have been seen exploiting this vulnerability. Given that Confluence serves over 75,000 customers across multiple sectors, the potential reach and impact are significant. To minimize risk, organizations must follow Atlassian's advisory and patch their systems promptly.

We also strongly suggest simulating the CVE-2022-26134 vulnerability with Picus The Complete Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks.

The Picus Threat Library includes the following threat for CVE-2022-26134 Confluence Server and Data Center OGNL injection exploitation attacks:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 58423 | Atlassian Confluence Web Attack Campaign | Web Application |


References

[1] “2022 Top Routinely Exploited Vulnerabilities,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a. [Accessed: Aug. 10, 2023]

[2] “CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vulnerabilities in 2022,” National Security Agency/Central Security Service, Aug. 03, 2023. Available: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3481350/cisa-nsa-fbi-and-international-partners-issue-advisory-on-the-top-routinely-exp/. [Accessed: Aug. 10, 2023]

[3] “Finding Something New About CVE-2022-1388,” Finding Something New About CVE-2022-1388 - Blog - VulnCheck. Available: https://vulncheck.com/blog/new-cve-2022-1388. [Accessed: Aug. 08, 2023]

[4] “PSIRT Advisories,” FortiGuard. Available: https://fortiguard.com/psirt/FG-IR-18-384. [Accessed: Aug. 06, 2023]

[5] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473. [Accessed: Aug. 10, 2023]

[6] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207. [Accessed: Aug. 10, 2023]

[7] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523. [Accessed: Aug. 10, 2023]

[8] “CVE - CVE-2021-40539.” Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539#:~:text=Zoho%20ManageEngine%20ADSelfService%20Plus%20version,with%20resultant%20remote%20code%20execution.&text=Note%3A%20References%20are%20provided%20for,to%20help%20distinguish%20between%20vulnerabilities. [Accessed: Aug. 10, 2023]

[9] “CVE - CVE-2021-26084.” Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084#:~:text=In%20affected%20versions%20of%20Confluence,23%2C%20from%20version%206.14. [Accessed: Aug. 10, 2023]

[10] “CVE - CVE-2021-44228.” Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228. [Accessed: Aug. 10, 2023]

[11] “Website.” Available: https://kb.vmware.com/s/article/88099

[12] “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.” Available: https://msrc.microsoft.com/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/. [Accessed: Aug. 10, 2023]

[13] “CVE - CVE-2022-26134.” Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134#:~:text=In%20affected%20versions%20of%20Confluence,0%20before%207.4. [Accessed: Aug. 10, 2023]

[14] “LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company,” Trend Micro, Oct. 25, 2022. Available: https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html. [Accessed: Aug. 06, 2023]

[15] ManageEngine, “Fixing the authentication bypass vulnerability affecting REST APIs.” Available: https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html. [Accessed: Aug. 07, 2023]

[16] “Confluence Security Advisory - 2021-08-25.” Available: https://confluence.atlassian.com/. [Accessed: Aug. 07, 2023]

[17] Sangfor Technologies, “CVE-2021-26084: Atlassian Confluence Server Webwork OGNL Injection Vulnerability,” SANGFOR. Available: https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/cve-2021-26084-atlassian-confluence-server-webwork-ognl-injection-vulnerability. [Accessed: Aug. 07, 2023]

[18] H. Anand, “Unmasking the top exploited vulnerabilities of 2022,” The Cloudflare Blog, Aug. 04, 2023. Available: http://blog.cloudflare.com/unmasking-the-top-exploited-vulnerabilities-of-2022/. [Accessed: Aug. 07, 2023]