Joint Cybersecurity Advisory TLP CLEAR: 2022 Top Routinely Exploited Vulnerabilities

SUMMARY

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

• United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
• Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
• Canada: Canadian Centre for Cyber Security (CCCS)
• New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
• United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and
frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness
Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more
frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.