The exploitation of software vulnerabilities is a common cause of data breaches, ransomware infections, and other security incidents. These attacks are so effective because the average organization has numerous unpatched vulnerabilities in its systems, providing attackers with multiple attack paths.

New vulnerabilities are identified each year, and many of the most successful ones are targeted by cyber threat actors for several years to come. This article explores some of the most exploitable vulnerabilities discovered in 2022, which should be at the top of any organization’s patch priority list.

The Long Tail of Vulnerability Management

Patch management is a struggle for many organizations. On average, it takes an organization 60 days to patch a critical vulnerability, and less dangerous vulnerabilities take even longer to patch if they are addressed at all. Last year, over half of the vulnerabilities identified on corporate systems were at least two years old.

As a result, many of the top vulnerabilities targeted by cyber threat actors in 2022 are not new ones. Log4Shell (CVE-2021-44228), ProxyShell, ProxyLogon, and ZeroLogon are a few examples of routinely targeted vulnerabilities that were first disclosed in 2020 and 2021.

However, these vulnerabilities are relatively recent in the grand scheme of targeted vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of actively exploited vulnerabilities with dates by which government agencies must patch them. Vulnerabilities added to the list in September 2022 stretch all the way back to 2010.


A failure to promptly identify and patch vulnerabilities when they are released can result in ransomware infections, data breaches, and similar security incidents.


Top CVEs of 2022

In addition to these long-lived vulnerabilities, a wave of new vulnerabilities has been discovered in 2022. In fact, 2022 is on track to beat 2021’s record number of vulnerabilities, with over 17,700 discovered to date, compared to just over 20,000 in all of 2021.

However, only a small percentage of vulnerabilities are actually targeted and actively exploited by cyber threat actors. To date, CISA has identified 70 vulnerabilities released in 2022 that are under active exploitation by cyber threat actors.

Some 2022 CVEs are minor or are mitigated by automatically installed patches, limiting their impact. However, others pose a significant threat, especially as three have a perfect score of 10.0 on the Common Vulnerability Scoring System (CVSS).

CVE-2022-30190 (Follina)

CVE-2022-30190, nicknamed Follina, is one of several Microsoft vulnerabilities that saw active exploitation in 2022. Follina is a remote code execution (RCE) vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT). On the CVSS scale, this vulnerability is rated 7.8, making it the only High-severity (rather than Critical) entry on this list.

Threat actors can exploit Follina via a malicious Microsoft Word document that uses one of Microsoft’s URL handlers to launch the MSDT executable. MSDT can run PowerShell commands, giving the attacker code execution on the target system.
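A defender-side illustration of the chain just described, added here as an example (it is not code from the article or from Sprocket Security): it reads process-creation events in a Sysmon-like JSON shape and flags MSDT launched from an Office application, or the ms-msdt: URL handler invoked from a document. The field names (RecordId, ParentImage, Image, CommandLine) are assumptions for the example, and the sample events are constructed.

```python
"""Flag process-creation events consistent with document-launched MSDT (Follina).

Added example, not code from the article. Event field names follow a
Sysmon-like shape (assumption); the sample events below are constructed.
"""
import json
import ntpath

# Office applications that should not normally be launching the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# URL scheme that hands a document-supplied link to MSDT.
MSDT_URL_SCHEME = "ms-msdt:"


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the detection reasons that apply to one event (empty if benign)."""
    parent = image_name(event.get("ParentImage", ""))
    image = image_name(event.get("Image", ""))
    command_line = event.get("CommandLine", "").lower()
    reasons = []
    if parent in OFFICE_PARENTS and image == "msdt.exe":
        reasons.append("msdt.exe spawned by an Office application")
    if parent in OFFICE_PARENTS and MSDT_URL_SCHEME in command_line:
        reasons.append("ms-msdt: URL handler invoked from an Office document")
    return reasons


def detect(log_lines: list) -> list:
    """Parse JSON event lines and return the matching ones with their reasons."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append({"record": event["RecordId"], "image": event["Image"], "reasons": reasons})
    return hits


# Constructed sample events: records 1 and 4 should fire, 2 and 3 are benign.
SAMPLE_EVENTS = [
    # Word launching MSDT through the URL handler.
    r'{"RecordId": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"Image": "C:\\Windows\\System32\\msdt.exe", '
    r'"CommandLine": "msdt.exe ms-msdt:/id EXAMPLE-TROUBLESHOOTER"}',
    # A user opening a troubleshooter from the shell: not Office-launched.
    r'{"RecordId": 2, "ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Windows\\System32\\msdt.exe", '
    r'"CommandLine": "msdt.exe -id EXAMPLE-TROUBLESHOOTER"}',
    # Word spawning its print helper: an Office child, but not MSDT.
    r'{"RecordId": 3, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}',
    # Excel launching MSDT without the URL scheme: still worth a look.
    r'{"RecordId": 4, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", '
    r'"Image": "C:\\Windows\\System32\\msdt.exe", '
    r'"CommandLine": "msdt.exe -id EXAMPLE-TROUBLESHOOTER"}',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"record {hit['record']}: {hit['image']} -> {'; '.join(hit['reasons'])}")
```

The two rules are deliberately independent: the parent-child rule catches MSDT started by Office regardless of arguments, while the URL-scheme rule catches the handler being invoked even if the child image is not msdt.exe itself. In a real pipeline, events would come from a SIEM query rather than an inline list.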

CVE-2022-22536 (ICMAD)

CVE-2022-22536 is a vulnerability in the SAP Internet Communication Manager (ICM) and is scored 10.0 on the CVSS 3.1 scale. The vulnerability allows HTTPS request smuggling, where attacker-controlled data is prepended to a legitimate user’s request. The vulnerable system may then process that data under the user’s identity, breaking confidentiality, integrity, and availability.

CVE-2022-22965 (Spring4Shell) and CVE-2022-22963

Spring4Shell is an RCE vulnerability in the Spring Framework, which is widely used in Java applications. Tracked as CVE-2022-22965, it has a CVSS score of 9.8.

If a Spring-based Java application runs on Tomcat and is packaged as a WAR, it can be exploited via data binding. The vulnerability is effectively a bypass of the patch for CVE-2010-1622.

CVE-2022-22963 is another Spring-related vulnerability with a CVSS score of 9.8. In this case, the vulnerability affects the Spring Cloud Function (SCF) library: by supplying a specially crafted Spring Expression Language (SpEL) expression as a routing expression, an attacker can achieve RCE.

CVE-2022-22947

CVE-2022-22947 is another Spring-related vulnerability, and another scoring 10.0 on the CVSS. It affects Spring Cloud Gateway (SCG) when the Gateway Actuator endpoint is publicly accessible. On vulnerable versions of SCG, this vulnerability enables code injection, resulting in a complete compromise of confidentiality, integrity, and availability on the target endpoint.

CVE-2022-26134 and CVE-2022-26138

CVE-2022-26134 and CVE-2022-26138 are vulnerabilities in Atlassian Confluence. Both are rated 9.8 on the CVSS.

CVE-2022-26134 is an OGNL injection vulnerability that allows unauthenticated attackers to achieve RCE. It was frequently exploited to install web shells, cryptominers, and other malware on vulnerable systems.

CVE-2022-26138 concerns hardcoded credentials for the disabledsystemuser account, a member of the confluence-users group. The details of this vulnerability were leaked on Twitter, allowing many attackers to log in to the account on vulnerable systems and view any data visible to members of the confluence-users group.

Catching Up on Vulnerability Management

Vulnerability management is a challenge for a few different reasons. One is the sheer volume of new vulnerabilities identified each year. However, no organization is affected by every vulnerability, and different vulnerabilities carry different levels of urgency and complexity to patch. By prioritizing vulnerabilities — focusing on the ones most likely to be exploited by an attacker — security teams can reduce the set of required patches to a manageable number.

The other challenge with vulnerability management is identifying vulnerable software and systems within an organization’s network. As IT environments grow larger and more complex, identifying the systems that are affected by a new vulnerability disclosure can be a challenge.
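The two challenges above (finding the affected systems, then deciding what to patch first) can be worked as one small pipeline. The following script is an added example, not code from the article or from Sprocket Security: it joins a constructed asset inventory against per-product fixed-version rules to find affected hosts, then orders the findings so that presence in CISA’s Known Exploited Vulnerabilities (KEV) catalog outranks CVSS score. The hostnames, inventory, KEV snapshot, fixed-version thresholds and the placeholder CVE-EXAMPLE-0001 are constructed; the CVSS values are those the article states.

```python
"""Find assets affected by known CVEs and order the patch list: KEV first, then CVSS.

Added example, not code from the article or from Sprocket Security. The
inventory, the KEV snapshot and the fixed-version thresholds are constructed
sample data; a real tool loads CISA's known_exploited_vulnerabilities.json
feed and takes fixed versions from each vendor's advisory.
"""
import re
from dataclasses import dataclass

# CVSS base scores as given in the article (Log4Shell's 10.0 is public record).
# CVE-EXAMPLE-0001 is a constructed placeholder used to show KEV outranking CVSS.
CVSS = {
    "CVE-2021-44228": 10.0,
    "CVE-2022-30190": 7.8,
    "CVE-2022-22536": 10.0,
    "CVE-2022-22965": 9.8,
    "CVE-2022-22963": 9.8,
    "CVE-2022-22947": 10.0,
    "CVE-2022-26134": 9.8,
    "CVE-2022-26138": 9.8,
    "CVE-EXAMPLE-0001": 9.9,
}

# Constructed KEV snapshot for the example; query the live catalog in practice.
KEV_SNAPSHOT = {
    "CVE-2021-44228", "CVE-2022-30190", "CVE-2022-22536", "CVE-2022-22965",
    "CVE-2022-22963", "CVE-2022-22947", "CVE-2022-26134", "CVE-2022-26138",
}

# (product, CVE, first fixed version): an installed version below the threshold
# is treated as affected. Thresholds are illustrative; real release branches
# and fixed versions come from the vendor advisory.
AFFECTED_RULES = [
    ("Spring Framework", "CVE-2022-22965", "5.3.18"),
    ("Spring Cloud Function", "CVE-2022-22963", "3.2.3"),
    ("Spring Cloud Gateway", "CVE-2022-22947", "3.1.1"),
    ("Confluence Server", "CVE-2022-26134", "7.18.1"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    product: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn '7.13.6' into (7, 13, 6) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_affected(inventory: list) -> list:
    """Match each inventory entry against the rules and emit one Finding per hit."""
    findings = []
    for asset in inventory:
        for product, cve, fixed in AFFECTED_RULES:
            if asset["product"] == product and parse_version(asset["version"]) < parse_version(fixed):
                findings.append(Finding(asset["host"], cve, product, asset["version"]))
    return findings


def priority_key(finding: Finding) -> tuple:
    """Sort key: KEV-listed first, then higher CVSS, then CVE id and host for stability."""
    return (finding.cve not in KEV_SNAPSHOT, -CVSS.get(finding.cve, 0.0), finding.cve, finding.host)


def prioritize(findings: list) -> list:
    """Return findings in the order they should be patched."""
    return sorted(findings, key=priority_key)


# Constructed inventory: web-02 is already patched and should not appear.
INVENTORY = [
    {"host": "web-01", "product": "Spring Framework", "version": "5.3.17"},
    {"host": "web-02", "product": "Spring Framework", "version": "5.3.20"},
    {"host": "gw-01", "product": "Spring Cloud Gateway", "version": "3.0.6"},
    {"host": "wiki-01", "product": "Confluence Server", "version": "7.13.6"},
]

# A scanner finding for the placeholder CVE, which is not in the KEV snapshot.
EXTRA_FINDINGS = [Finding("db-01", "CVE-EXAMPLE-0001", "Example DB", "1.0.0")]

if __name__ == "__main__":
    for finding in prioritize(find_affected(INVENTORY) + EXTRA_FINDINGS):
        kev = "KEV" if finding.cve in KEV_SNAPSHOT else "   "
        print(f"{kev} {CVSS[finding.cve]:>4} {finding.cve} {finding.host} ({finding.product} {finding.version})")
```

Note that the placeholder finding, despite its 9.9 score, lands last: the sort key treats confirmed exploitation as the first criterion and CVSS only as a tie-breaker, which is the prioritization the section argues for.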

This is where continuous penetration testing and attack surface monitoring become invaluable to an organization’s risk management strategy. By automating and outsourcing the process of vulnerability detection, companies can focus their efforts on patching the vulnerabilities most likely to result in a security incident.

Sprocket Security offers continuous penetration testing services to provide companies with visibility into their vulnerability exposure. A combination of automated and human testing ensures visibility into the vulnerabilities most likely to be exploited by cyber threat actors. Learn more by requesting a free quote today.