Business Security Essentials – What are the most routinely exploited Vulnerabilities in 2022?
From remote code execution and privilege escalation to security bypasses and path traversal, software vulnerabilities are a threat actor’s stock-in-trade for initial access and compromise. In the past 12 months, we’ve seen a number of new flaws, including Log4Shell, ProxyShell, and ProxyLogon, being exploited in attacks against enterprises.
CVE ID | Vendor/Project | Product | Vulnerability Name | Short Description | Required Action |
--- | --- | --- | --- | --- | --- |
CVE-2022-22587 | Apple | iOS and macOS | Apple Memory Corruption Vulnerability | Apple IOMobileFrameBuffer contains a memory corruption vulnerability which can allow a malicious application to execute arbitrary code with kernel privileges. | Apply updates per vendor instructions. |
CVE-2022-21882 | Microsoft | Win32k | Microsoft Win32k Privilege Escalation Vulnerability | Microsoft Win32k contains an unspecified vulnerability which allows for privilege escalation. | Apply updates per vendor instructions. |
CVE-2022-22620 | Apple | Webkit | Apple Webkit Remote Code Execution Vulnerability | Apple Webkit, which impacts iOS, iPadOS, and macOS, contains a vulnerability which allows for remote code execution. | Apply updates per vendor instructions. |
CVE-2022-24086 | Adobe | Commerce and Magento Open Source | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | Adobe Commerce and Magento Open Source contain an improper input validation vulnerability which can allow for arbitrary code execution. | Apply updates per vendor instructions. |
CVE-2022-0609 | Google | Chrome | Google Chrome Use-After-Free Vulnerability | The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. | Apply updates per vendor instructions. |
CVE-2022-23131 | Zabbix | Frontend | Zabbix Frontend Authentication Bypass Vulnerability | Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML. | Apply updates per vendor instructions. |
CVE-2022-23134 | Zabbix | Frontend | Zabbix Frontend Improper Access Control Vulnerability | Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend. | Apply updates per vendor instructions. |
CVE-2022-24682 | Zimbra | Webmail | Zimbra Webmail Cross-Site Scripting Vulnerability | Zimbra webmail clients running versions 8.8.15 P29 & P30 contain an XSS vulnerability that would allow attackers to steal session cookie files. | Apply updates per vendor instructions. |
CVE-2022-20708 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). | Apply updates per vendor instructions. |
CVE-2022-20703 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). | Apply updates per vendor instructions. |
CVE-2022-20701 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). | Apply updates per vendor instructions. |
CVE-2022-20700 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). | Apply updates per vendor instructions. |
CVE-2022-20699 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, or cause a denial of service (DoS). | Apply updates per vendor instructions. |
CVE-2022-26486 | Mozilla | Firefox | Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. | Apply updates per vendor instructions. |
CVE-2022-26485 | Mozilla | Firefox | Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. | Apply updates per vendor instructions. |
CVE-2022-26318 | WatchGuard | Firebox and XTM Appliances | WatchGuard Firebox and XTM Appliances Arbitrary Code Execution | On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code. | Apply updates per vendor instructions. |
CVE-2022-26143 | Mitel | MiCollab, MiVoice Business Express | MiCollab, MiVoice Business Express Access Control Vulnerability | A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradations or a denial of service condition on the affected system. | Apply updates per vendor instructions. |
CVE-2022-21999 | Microsoft | Windows | Microsoft Windows Print Spooler Privilege Escalation Vulnerability | Microsoft Windows Print Spooler contains an unspecified vulnerability which can allow for privilege escalation. | Apply updates per vendor instructions. |
CVE-2022-1096 | Google | Chromium V8 | Google Chromium V8 Type Confusion Vulnerability | The vulnerability exists due to a type confusion error within the V8 component in Chromium, affecting all Chromium-based browsers. | Apply updates per vendor instructions. |
CVE-2022-0543 | Redis | Debian-specific Redis Servers | Debian-specific Redis Server Lua Sandbox Escape Vulnerability | Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. | Apply updates per vendor instructions. |
CVE-2022-26871 | Trend Micro | Apex Central | Trend Micro Apex Central Arbitrary File Upload Vulnerability | An arbitrary file upload vulnerability in Trend Micro Apex Central could allow for remote code execution. | Apply updates per vendor instructions. |
CVE-2022-1040 | Sophos | Firewall | Sophos Firewall Authentication Bypass Vulnerability | An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. | Apply updates per vendor instructions. |
CVE-2022-22965 | VMware | Spring Framework | Spring Framework JDK 9+ Remote Code Execution Vulnerability | Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | Apply updates per vendor instructions. |
CVE-2022-22675 | Apple | macOS | Apple macOS Out-of-Bounds Write Vulnerability | macOS Monterey contains an out-of-bounds write vulnerability that could allow an application to execute arbitrary code with kernel privileges. | Apply updates per vendor instructions. |
CVE-2022-22674 | Apple | macOS | Apple macOS Out-of-Bounds Read Vulnerability | macOS Monterey contains an out-of-bounds read vulnerability that could allow an application to read kernel memory. | Apply updates per vendor instructions. |
CVE-2022-23176 | WatchGuard | Firebox and XTM | WatchGuard Firebox and XTM Privilege Escalation Vulnerability | WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. | Apply updates per vendor instructions. |
CVE-2022-24521 | Microsoft | Windows | Microsoft Windows CLFS Driver Privilege Escalation Vulnerability | Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation. | Apply updates per vendor instructions. |
CVE-2022-22954 | VMware | Workspace ONE Access and Identity Manager | VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability | VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection. | Apply updates per vendor instructions. |
CVE-2022-22960 | VMware | Multiple Products | VMware Multiple Products Privilege Escalation Vulnerability | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. | Apply updates per vendor instructions. |
CVE-2022-1364 | Google | Chromium V8 Engine | Google Chromium V8 Type Confusion Vulnerability | Google Chromium V8 engine contains a type confusion vulnerability. | Apply updates per vendor instructions. |
CVE-2022-22718 | Microsoft | Windows | Microsoft Windows Print Spooler Privilege Escalation Vulnerability | Microsoft Windows Print Spooler contains an unspecified vulnerability which allows for privilege escalation. | Apply updates per vendor instructions. |
CVE-2022-29464 | WSO2 | Multiple Products | WSO2 Multiple Products Unrestrictive Upload of File Vulnerability | Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution. | Apply updates per vendor instructions. |
CVE-2022-26904 | Microsoft | Windows | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. | Apply updates per vendor instructions. |
CVE-2022-21919 | Microsoft | Windows | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. | Apply updates per vendor instructions. |
CVE-2022-0847 | Linux | Kernel | Linux Kernel Privilege Escalation Vulnerability | Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has the moniker of “Dirty Pipe.” | Apply updates per vendor instructions. |
CVE-2022-1388 | F5 | BIG-IP | F5 BIG-IP Missing Authentication Vulnerability | F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. | Apply updates per vendor instructions. |
CVE-2022-30525 | Zyxel | Multiple Firewalls | Zyxel Multiple Firewalls OS Command Injection Vulnerability | A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | Apply updates per vendor instructions. |
CVE-2022-22947 | VMware | Spring Cloud Gateway | VMware Spring Cloud Gateway Code Injection Vulnerability | Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. | Apply updates per vendor instructions. |
CVE-2022-20821 | Cisco | IOS XR | Cisco IOS XR Open Port Vulnerability | Cisco IOS XR software health check opens TCP port 6379 by default on activation. An attacker can connect to the open port and gain access to the Redis instance that is running within the NOSi container. | Apply updates per vendor instructions. |
CVE-2022-26134 | Atlassian | Confluence Server/Data Center | Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability | Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution. | Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions [https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html] OR remove the affected products by the due date on the right. Note: Once the update is successfully deployed, agencies can reassess the internet blocking rules. |
CVE-2022-31460 | Owl Labs | Meeting Owl Pro and Whiteboard Owl | Meeting Owl Pro and Whiteboard Owl Hard-Coded Credentials Vulnerability | Owl Labs Meeting Owl and Whiteboard Owl allow attackers to activate Tethering Mode with hard-coded hoothoot credentials via a certain c 150 value. | Apply updates per vendor instructions. |
CVE-2022-30190 | Microsoft | Windows | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application. | Apply updates per vendor instructions. |
CVE-2022-29499 | Mitel | MiVoice Connect | Mitel MiVoice Connect Data Validation Vulnerability | The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation. | Apply updates per vendor instructions. |
CVE-2022-26925 | Microsoft | Windows | Microsoft Windows LSA Spoofing Vulnerability | Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM. | Apply remediation actions outlined in CISA guidance [https://www.cisa.gov/guidance-applying-june-microsoft-patch]. |
CVE-2022-22047 | Microsoft | Windows | Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability | Microsoft Windows CSRSS contains an unspecified vulnerability which allows for privilege escalation to SYSTEM privileges. | Apply updates per vendor instructions. |
Mitigations
Vulnerability and Configuration Management
- Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
- If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
- Use a centralized patch management system.
- Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.
- Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization’s attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources.