Joint advisory: 2022 top routinely exploited vulnerabilities

12:00am, 4 August 2023

TLP Rating: Clear

The joint advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, as well as other frequently exploited CVEs. 

International partners include the: 

What's happening

Systems affected

The advisory outlines the most routinely exploited vulnerabilities from 2022. Threat actors continue to rely on these known CVEs to gain unauthorised access and compromise systems across a wide range of sectors. 

What this means

The authoring agencies encourage organisations to apply the recommendations in the mitigations section of this advisory and to check for signs of compromise, even if a vulnerability was previously patched.  

Key mitigations include: 

  • applying timely patches to systems, and
  • implementing a centralised patch management system to reduce the risk of compromise by malicious cyber actors.

What to look for

How to tell if you're at risk

Organisations should review systems for indicators of compromise linked to CVEs listed in the advisory, even if they believe vulnerabilities have already been mitigated. 

What to do

Prevention

Lisa Fong, responsible for New Zealand’s National Cyber Security Centre, said, “This advisory reinforces one of the foundational aspects of cyber security. Malicious actors continue to succeed using the same techniques over and over. I can’t emphasise enough the importance of doing the basics well by understanding your assets, and rapidly applying patches when they become available. Acting on CVE reporting is the difference between getting onto your to-do list and getting onto someone else’s to-do list.” 

CERT NZ Director Rob Pope said, “This is a timely reminder for organisations that asset lifecycle management and patching policies are incredibly important. I’d also like to stress that vulnerability disclosure is a very good thing and organisations that supply software or services should have a vulnerability disclosure policy in place as part of the secure-by-design principles. Doing this makes everyone more secure in the long run.” 

More information