Cybersecurity Briefing — CISA/NSA list the top 10 exploited vulnerabilities
Alert AA20-133A from CISA, FBI, and NSA ranks the CVEs most abused from 2016–2019—Pulse Secure, Citrix ADC, SharePoint, and legacy Office flaws—so enterprise patch managers can sprint through the exact backlog adversaries keep reusing.
Executive briefing: CISA, NSA, and the FBI catalogued the 10 CVEs foreign adversaries exploit most often—everything from Microsoft Equation Editor and Apache Struts to VPN appliances from Pulse Secure and Citrix. The agencies stress that defenders can still degrade ongoing campaigns by burning down this backlog, even if the vulnerabilities date back to 2012.
Patch acceleration moves
- Sequence work by exploit prevalence. Patch orchestration should elevate CVE-2019-11510, CVE-2019-0604, CVE-2017-0143, CVE-2018-7600, and CVE-2017-5638 ahead of routine OS updates because adversaries continue to scan for these exact weaknesses.
- Pull vendor diagnostics. Use vendor-provided scanners (Pulse Secure’s Integrity Checker Tool, Citrix ADC detector scripts, Microsoft EMET replacements) to validate that binaries were actually updated.
- Extend maintenance windows. Many of the listed CVEs affect perimeter appliances that rarely get downtime. Work with operations to schedule rolling maintenance so every appliance, not just lab gear, receives the patches.
Detection and resilience
- Baseline for old exploit chains. Build detections for Equation Editor child processes, suspicious Struts deserialization errors, and spikes in VPN session creation so responders can identify exploitation attempts that slip through.
- Instrument compensating controls. Where legacy systems cannot be patched immediately, deploy WAF signatures, disable unused components, or rate-limit inbound VPN portals per the joint alert’s mitigation table.
- Measure closure. Track the percentage of assets running affected firmware or software versions weekly and tie executive reporting to the AA20-133A list so leadership sees risk reduction.
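The Equation Editor child-process and VPN session-spike detections from the baseline item above, sketched in Python as an added example that is not part of the original briefing or the joint alert. The event field names, the sample records, and the `factor` and `min_count` thresholds are assumptions; map them to your own EDR and VPN log schema.

```python
from collections import Counter
from statistics import median

EQUATION_EDITOR = "eqnedt32.exe"  # Equation Editor executable name

# Constructed process-creation events; field names are assumptions.
PROC_EVENTS = [
    {"host": "ws-014", "parent": r"C:\Office\WINWORD.EXE", "image": r"C:\Office\EQNEDT32.EXE"},
    {"host": "ws-014", "parent": r"C:\Office\EQNEDT32.EXE", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-022", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

# Constructed VPN log: one (hour bucket, user) tuple per new session.
VPN_SESSIONS = (
    [("2020-05-12T08", f"user{i}") for i in range(2)]
    + [("2020-05-12T09", f"user{i}") for i in range(3)]
    + [("2020-05-12T10", f"user{i}") for i in range(2)]
    + [("2020-05-12T11", f"user{i}") for i in range(3)]
    + [("2020-05-13T03", f"user{i}") for i in range(12)]
)

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def equation_editor_children(events):
    """Events whose parent process is Equation Editor; every hit goes to triage."""
    return [e for e in events if basename(e["parent"]) == EQUATION_EDITOR]

def vpn_session_spikes(sessions, factor=3.0, min_count=5):
    """Hours whose session count exceeds factor x the median hourly count."""
    per_hour = Counter(hour for hour, _user in sessions)
    baseline = median(per_hour.values())
    return sorted(h for h, n in per_hour.items()
                  if n >= min_count and n > factor * baseline)

if __name__ == "__main__":
    for e in equation_editor_children(PROC_EVENTS):
        print(f"ALERT {e['host']}: Equation Editor spawned {basename(e['image'])}")
    for hour in vpn_session_spikes(VPN_SESSIONS):
        print(f"ALERT VPN session spike in hour {hour}")
```

Word launching Equation Editor is not flagged; only processes started by Equation Editor itself are. The median baseline keeps a single burst hour from raising its own threshold.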
Source excerpts
Primary — adversaries love old CVEs: “Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations.”
CISA — AA20-133A
Primary — patching still works: “The public and private sectors could degrade some foreign cyber threats… through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft.”
CISA/NSA joint PDF