Joint Cyber Security Advisory: Top 15 routinely exploited vulnerabilities of 2021


New Zealand’s National Cyber Security Centre (NCSC) has issued a cyber security advisory in conjunction with its international partners the Cybersecurity and Infrastructure Security Agency (CISA(external link)), National Security Agency (NSA(external link)), Federal Bureau of Investigation (FBI)(external link), Australian Cyber Security Centre (ACSC(external link)), Canadian Centre for Cyber Security (CCCS(external link)), and the United Kingdom’s National Cyber Security Centre (NCSC-UK(external link)).

The joint cyber security advisory(external link) details common vulnerabilities and exposures (CVEs) frequently exploited by malicious cyber actors, including the 15 most commonly exploited of 2021. 

Malicious cyber actors continue to aggressively target disclosed critical software vulnerabilities against broad target sets in both the public and private sectors. While the top 15 vulnerabilities have previously been made public, this advisory is meant to help organisations prioritise their mitigation strategies.

The cybersecurity authorities recommend the following prioritised mitigation measures:    


  • Vulnerability and configuration management, including updating software, operating systems, applications, and firmware, with a prioritisation on patching known exploited vulnerabilities; implementing a centralised patch management system; and replacing end-of-life software.   
  • Identity and access management, including enforcing multi-factor authentication (MFA) for all users; if MFA is unavailable, require employees engaging in remote work to use strong passwords; and regularly reviewing, validating, or removing privileged accounts.    
  • Protective controls and architecture, including properly configuring and secure internet-facing network devices, disabling unused or unnecessary network ports and protocols, encrypting network traffic, and disabling unused network services and devices.    


Read the full cyber security advisory on CISA’s website.(external link)

Read the full media statement on CISA’s website.(external link)