The Top 10 Most Exploited Vulnerabilities: Parsing an Important Recent National Cyber Awareness System Alert

The National Cyber Awareness System (NCAS) issued its Alert numbered AA20-133A last month, which identified the 10 most exploited vulnerabilities from 2016 to 2019. The research, which came out of work done by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government, is surprising, due mostly to its utter lack of surprise. Old vulnerabilities persevere and continue to be exploited at a high rate; windows systems remain a big target for attackers; and malicious actors adapt rapidly to take advantage of changes such as the recent shift to work from home. What can InfoSec organizations learn from these observations?

First, the facts

According to NCAS, a combination of state, nonstate and unattributed cyber actors exploited the following vulnerabilities the most between 2016 and 2019: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641 and CVE-2018-7600. Highlights of the alert include:

Malicious actors exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology most frequently.

CVE-2017-11882, CVE-2017-0199 and CVE-2012-0158 were the most-often-used vulnerabilities by China, Iran, North Korea and Russia. These vulnerabilities are all related to Microsoft’s OLE technology.

Chinese hackers exploited CVE-2012-0158 many times. This is the same vulnerability the US Government publicly assessed in 2015 as the most used in their cyber operations.

Two older vulnerabilities, CVE-2012-0158 and CVE-2015-1641, were included in the list.

Why do old vulnerabilities continue to be exploited?

Why is it that old vulnerabilities, with known exploits and fixes, continue to be successfully exploited at a high rate? To get an answer, it’s worth looking beyond the headlines of last month’s NCAS alert. While the notice is ostensibly about the top 10 vulnerabilities, it highlights some systemic problems with the current state of vulnerability management.

Vulnerability prioritization should be a continuous, ongoing process

For many organizations, vulnerability prioritization is a static, one-time process. Vulnerabilities are analyzed when they are initially reported and measures such as CVSS score or scanner severity are used to identify the vulnerabilities that are targeted for remediation. While vulnerability assessment tools are continuously looking to improve and expand the details they provide, relying on just these systems can often leave organizations vulnerable. Vulnerability management programs must incorporate threat intelligence feeds, vendor advisories, and notices from government and private research organizations as part of their decision-making process. In the case of CVE-2012-0158, it was included in another NCAS alert ‘Top 30 Targeted High Risk Vulnerabilities’ issued in 2015. The fact that it continued to be exploited at a very high rate during the next 3 years points to a critical flaw in the vulnerability management processes of impacted organizations.

Remediating vulnerabilities is a non-trivial task

The remediation process typically requires major investments of time and effort. At the same time, security professionals are under pressure to balance vulnerability mitigation with the mandate to keep systems running. We see this dilemma frequently. People ask, usually in an exasperated tone, “Why can’t you patch this?” The problem is that patching system A might cause systems B, C and D to crash.

Even if a system can be patched, it can take a while to perform the process. As the Ponemon study “Costs and Consequences of Gaps in Vulnerability Response” revealed, 60 percent of organizations they surveyed had suffered a data breach that exploited a known vulnerability for which a patch existed—but was just not installed. Indeed, patch implementation can lag behind patch releases due to a lack of resources. Organizations can alleviate some of these challenges through automation and better threat response policies. Requiring analysts to take subjective decisions about SLAs, ownership, escalation chains, etc., adds delays that can be avoided through codified policies that are implemented automatically. Organizations should also strive to make remediation more efficient by reducing the volume of tickets through intelligent consolidation based on targeted systems, common solutions and ownership.

Microsoft…still a huge target

The fact that Microsoft products figure into seven of the top 10 vulnerabilities should not be a big surprise. Microsoft products are just so pervasive and essential to IT that it’s logical that they would be attacked often. IT and security organizations need to develop a better understanding of the technology components that populate their IT infrastructures—and track them much more carefully.

Robust vulnerability management programs should provide rapid insights into the prevalence and impact of known risks, such as the ones listed in the NCAS alert. With effective processes (and tooling) in place, IT and security managers should be able know how many if their IT assets have these most vulnerable products and frameworks installed.

Malicious actors quickly adapt to changes

In addition to the top 10 exploited vulnerabilities between 2016 – 2019, the alert also highlights the vulnerabilities being routinely exploited by sophisticated foreign cyber actors so far in 2020. With the Covid-19 pandemic forcing the most drastic change in workplace norms in recent times and bringing an abrupt shift to work-for-home for large parts of the workforce, it’s no surprise that VPN solutions and cloud collaboration services are big targets for malicious actors. This trend in expected to continue as businesses may have little choice but to keep workers at home. As noted in a recent study by Cybersecurity Insiders, 84 percent of businesses are set to increase work-from-home capacity due to the pandemic—despite their concerns about security. A separate study found that a third of home-based employees use corporate Zoom accounts for online socializing with friends, potentially exposing the organization to social engineering attacks and unauthorized access to corporate information.

Security practitioners should expect malicious actors to respond to changes in the status quo more quickly than software and security vendors. IT and security managers need to pay special attention to the rapid rollouts they are conducting of Microsoft O365, Zoom and other remote work tools. Attackers are poised to take advantage of vulnerabilities exposed during this transition to nearly universal home-based work. The situation also reveals the serious need for strong employee cybersecurity education along with robust cyber risk, system recovery and contingency plans.


This timely alert from NCAS and other federal agencies is a valuable opportunity for InfoSec organizations to improve their existing vulnerability management programs. Organizations should respond quickly to ensure that they are not vulnerable to the risks highlighted in the alert. More importantly, they should strive to identify and address any underlying systemic weaknesses that exist in their vulnerability management process, and that could be putting them at risk of a catastrophic breach.


  • Achieving Clear Communications

    Achieving Clear Communications

    Technology within the security industry has adapted to numerous changes through the years, from the early days of analog devices to today’s IP-based solutions, networked cameras, and access control solutions, in addition to analytics, cloud-based products, virtual security guards, and more. Read Now

  • Taking Flight

    Taking Flight

    Airport security is a complex system that incorporates multiple technologies to ensure the safety and security of travelers, employees and the facility itself. Sound-based technologies are integral pieces of this system, providing means of communication, notification and monitoring. Read Now

  • Live From ISC West 2023 Preview

    Live From ISC West 2023 Preview

    ISC West 2023 is right around the corner! This year’s trade show is scheduled from March 28–31 at the Venetian Expo in Las Vegas, Nevada. The Campus Security & Life Safety and Security Today staff will be on hand to provide live updates about the security industry’s latest innovations, trends, and products. Read Now

    • Industry Events
    • ISC West
  • A Break from Routine

    A Break from Routine

    It was three years ago right about now that COVID was bringing the world to its knees. In mid-March of 2020, the president put travel restrictions on all flights in and out of Europe, the NBA suspended its season, and Tom Hanks announced that he’d tested positive for the disease—all in the same night. It was officially a national emergency two days later. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

New Products

  • CyberAudit Introduced to Manage Systems, Intuitive Interface

    CyberAudit Web

    CyberLock, Inc. announces the release of CyberAudit Web 9.4! CyberAudit-Web (CAW), the software suite for managing CyberLock systems, provides an intuitive interface to assign keys, set expirations, monitor staff and configure access schedules. 3

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3

  • Pivot3 Surety

    Pivot3 Surety

    Pivot3 has announced Surety, a new intelligent software framework to simplify the management and monitoring of physical security environments. 3