Skip to main content

The top 30 cyber security vulnerabilities exploited by malicious cyber actors since 2020 have been detailed in a joint advisory issued by the Australian Cyber Security Centre (ACSC) and counterpart cyber security agencies from the United States and the United Kingdom.

The advisory, co-authored by the US Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI), in addition to the ACSC, is the first time all four agencies have issued joint advice on cyber vulnerabilities of mutual concern.

A joint media release can be read here. 

Since 2020, a range of malicious cyber actors including criminal syndicates operating worldwide have continued to target Australians, conducting cyber operations that threaten national, economic and security interests in the private sector and government, as well as Australian households.

The ACSC, CISA, the NCSC and FBI detail how malicious entities have quickly and routinely sought to exploit publicly known—and often dated—software vulnerabilities against a range of targets. It notes also that organisations can mitigate the vulnerabilities in the report by applying readily available patches to systems and implementing a centralised patch management system.

The advisory assesses that organisations and households have likely been exploited by malicious cyber actors through more recently disclosed software flaws in 2020 because of the expansion of remote work arrangements during the COVID-19 pandemic. Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud technologies.

In 2021, malicious cyber actors continued to target vulnerabilities in ‘network perimeter-type devices’ that often protect and separate the internet from internal company networks, the advisory says. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet software.

The ACSC, CISA, the NCSC and FBI assess that public and private organisations worldwide remain vulnerable to compromise from the exploitation of these cyber vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), unless they are urgently patched. Advice on patching is available on cyber.gov.au.