Top 30 most commonly exploited vulnerabilities over 2020 and 2021

Top 30 most commonly exploited vulnerabilities over 2020 and 2021

Cybersecurity experts from Australia, U.K., and U.S. governments have released a list of the most commonly exploited vulnerabilities over 2020 and 2021.

The joint advisory released on July 28 was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).

The advisory is broken down into the most common 2020 exploited vulnerabilities, which consist of 12 total. Four of those affected remote work, VPNs, or cloud-based technologies.

Moreover, 18 other vulnerabilities discovered in 2021 have also been common targets. Those issues are grouped by popular products to include Microsoft Exchange, Pulse Secure, Accellion, VMware, and Fortinet.

It is important to note that many of the 2020 vulnerabilities are still being targeted today.

2020 exploited vulnerabilities

The experts identified the following most commonly exploited vulnerabilities throughout 2020:

  1. Citrix SD-WAN WANOP arbitrary code execution: CVE-2019-19781
  2. Pulse Secure VPN Servers arbitrary file reading: CVE 2019-11510
  3. Fortinet path traversal: CVE 2018-13379
  4. F5 BIG-IP remote code execution: CVE 2020-5902
  5. MobileIron remote code execution: CVE 2020-15505
  6. Microsoft Office remote code execution: CVE-2017-11882
  7. Atlassian remote code execution: CVE-2019-11580
  8. Drupal remote code execution “Drupalgeddon2”: CVE-2018-7600
  9. Telerik remote code execution: CVE 2019-18935
  10. Microsoft SharePoint remote code execution: CVE-2019-0604
  11. Microsoft BITS elevation of privilege: CVE-2020-0787
  12. Netlogon elevation of privilege “Zerologon”: CVE-2020-1472

2021 exploited vulnerabilities

In 2021, bad cyber actors continued to target perimeter devices and related vulnerabilities such as those products made by Microsoft, Pulse, Accellion, VMware, and Fortinet.

Microsoft Exchange

Microsoft released emergency out-of-band security updates back in March 2021 to fix multiple Critical Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impacting Microsoft Exchange Server 2013, 2016 and 2019. 

CISA confirmed CVE-2021-26855 can “allow an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.”

To add, the Exchange vulnerability basically exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). The remaining three vulnerabilities can all result in remote code execution and could be used in combination with CVE-2021-26855 to further exploit impacted systems.

Pulse Secure

In May of this year, CISA warned attackers continued to exploit Pulse Connect Secure vulnerabilities, to include CVE-2021-22893 and older vulnerabilities. Security firm Ivanti later discovered active exploits of three other Critical vulnerabilities (CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900).

Moreover, an alert was issued after CISA confirmed malicious activity on public and private entity networks on vulnerable Pulse Connect Secure appliances. Additional detection methods were also added on April 30.

Since March 31, 2021, CISA assisted multiple entities whose vulnerable Pulse Connect Secure products had been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Secure Connect Integrity Tool.


Earlier this year, cyber attackers continued to exploit Accellion File Transfer Appliance (FTA) 0-day vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) to steal data and threaten their victims with extortion attempts.

Starting in mid-December 2020, FireEye’s Mandiant cybersecurity team spotted previously unknown threat actors they call UNC25346 exploiting multiple FTA vulnerabilities to install a web shell dubbed DEWMODE.


In June 2021, security researchers spotted thousands of vulnerable unpatched VMware vCenter servers exposed on the internet. Multiple proof-of-concepts (PoCs) had also been posted online for exploits against a remote code execution (RCE) vulnerability CVE-2021-21985.

VMware released a Critical security update on May 25 to fix two vulnerabilities, one in VMWare vCenter Server that could result in remote code execution (RCE) in the vSphere Client (CVE-2021-21985). According to VMware, the vSphere Client (HTML5) contains an RCE vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.


In April 2021, cybersecurity experts from the FBI and CISA issued a joint cybersecurity advisory warning of APT exploits of Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812).

The FBI warned that it was likely APT actors were scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks.

Related Articles