The Top 10 Most Exploited Vulnerabilities: Parsing an Important Recent National Cyber Awareness System Alert

The National Cyber Awareness System (NCAS) issued its Alert numbered AA20-133A last month, which identified the 10 most exploited vulnerabilities from 2016 to 2019. The research, which came out of work done by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government, is surprising, due mostly to its utter lack of surprise. Old vulnerabilities persevere and continue to be exploited at a high rate; windows systems remain a big target for attackers; and malicious actors adapt rapidly to take advantage of changes such as the recent shift to work from home. What can InfoSec organizations learn from these observations?

First, the facts

According to NCAS, a combination of state, nonstate and unattributed cyber actors exploited the following vulnerabilities the most between 2016 and 2019: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641 and CVE-2018-7600. Highlights of the alert include:

Malicious actors exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology most frequently.

CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158 were the most-often-used vulnerabilities by China, Iran, North Korea and Russia. These vulnerabilities are all related to Microsoft’s OLE technology.

Chinese hackers exploited CVE-2012-0158 many times. This is the same vulnerability the US Government publicly assessed in 2015 as the most used in their cyber operations.

Two older vulnerabilities, CVE-2012-0158 and CVE-2015-1641, were included in the list.

Why do old vulnerabilities continue to be exploited?

Why is it that old vulnerabilities, with known exploits and fixes, continue to be successfully exploited at a high rate? To get an answer, it’s worth looking beyond the headlines of last month’s NCAS alert. While the notice is ostensibly about the top 10 vulnerabilities, it highlights some systemic problems with the current state of vulnerability management.

Vulnerability prioritization should be a continuous, ongoing process

For many organizations, vulnerability prioritization is a static, one-time process. Vulnerabilities are analyzed when they are initially reported and measures such as CVSS score or scanner severity are used to identify the vulnerabilities that are targeted for remediation. While vulnerability assessment tools are continuously looking to improve and expand the details they provide, relying on just these systems can often leave organizations vulnerable. Vulnerability management programs must incorporate threat intelligence feeds, vendor advisories, and notices from government and private research organizations as part of their decision-making process. In the case of CVE-2012-0158, it was included in another NCAS alert ‘Top 30 Targeted High Risk Vulnerabilities’ issued in 2015. The fact that it continued to be exploited at a very high rate during the next 3 years points to a critical flaw in the vulnerability management processes of impacted organizations.

Remediating vulnerabilities is a non-trivial task

The remediation process typically requires major investments of time and effort. At the same time, security professionals are under pressure to balance vulnerability mitigation with the mandate to keep systems running. We see this dilemma frequently. People ask, usually in an exasperated tone, “Why can’t you patch this?” The problem is that patching system A might cause systems B, C and D to crash.

Even if a system can be patched, it can take a while to perform the process. As the Ponemon study “Costs and Consequences of Gaps in Vulnerability Response” revealed, 60 percent of organizations they surveyed had suffered a data breach that exploited a known vulnerability for which a patch existed—but was just not installed. Indeed, patch implementation can lag behind patch releases due to a lack of resources. Organizations can alleviate some of these challenges through automation and better threat response policies. Requiring analysts to take subjective decisions about SLAs, ownership, escalation chains, etc., adds delays that can be avoided through codified policies that are implemented automatically. Organizations should also strive to make remediation more efficient by reducing the volume of tickets through intelligent consolidation based on targeted systems, common solutions and ownership.

Microsoft…still a huge target

The fact that Microsoft products figure into seven of the top 10 vulnerabilities should not be a big surprise. Microsoft products are just so pervasive and essential to IT that it’s logical that they would be attacked often. IT and security organizations need to develop a better understanding of the technology components that populate their IT infrastructures—and track them much more carefully.

Robust vulnerability management programs should provide rapid insights into the prevalence and impact of known risks, such as the ones listed in the NCAS alert. With effective processes (and tooling) in place, IT and security managers should be able know how many if their IT assets have these most vulnerable products and frameworks installed.

Malicious actors quickly adapt to changes

In addition to the top 10 exploited vulnerabilities between 2016 – 2019, the alert also highlights the vulnerabilities being routinely exploited by sophisticated foreign cyber actors so far in 2020. With the Covid-19 pandemic forcing the most drastic change in workplace norms in recent times and bringing an abrupt shift to work-for-home for large parts of the workforce, it’s no surprise that VPN solutions and cloud collaboration services are big targets for malicious actors. This trend in expected to continue as businesses may have little choice but to keep workers at home. As noted in a recent study by Cybersecurity Insiders, 84 percent of businesses are set to increase work-from-home capacity due to the pandemic—despite their concerns about security. A separate study found that a third of home-based employees use corporate Zoom accounts for online socializing with friends, potentially exposing the organization to social engineering attacks and unauthorized access to corporate information.

Security practitioners should expect malicious actors to respond to changes in the status quo more quickly than software and security vendors. IT and security managers need to pay special attention to the rapid rollouts they are conducting of Microsoft O365, Zoom and other remote work tools. Attackers are poised to take advantage of vulnerabilities exposed during this transition to nearly universal home-based work. The situation also reveals the serious need for strong employee cybersecurity education along with robust cyber risk, system recovery and contingency plans.


This timely alert from NCAS and other federal agencies is a valuable opportunity for InfoSec organizations to improve their existing vulnerability management programs. Organizations should respond quickly to ensure that they are not vulnerable to the risks highlighted in the alert. More importantly, they should strive to identify and address any underlying systemic weaknesses that exist in their vulnerability management process, and that could be putting them at risk of a catastrophic breach.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3