Arctic Wolf Presents

The Most Exploited Vulnerabilities of 2022

According to the National Vulnerability Database (NVD), more than 25,200 vulnerabilities were published in 2022. Join us as we explore the 34 most high-profile vulnerabilities – and what makes them so dangerous.

2022 was another record-breaking year for vulnerabilities.

If tools alone were enough to solve the problem, they would have by now. Unfortunately, most organizations aren’t properly staffed or trained to make use of the tools they already have, which means vulnerabilities can end up going ignored. It doesn’t have to be this way.
Learn how the Arctic Wolf® Security Operations Cloud and 24×7 Concierge Security® solutions ensure you’re always ready to fight back against cyberattacks.


CVE-2021-1647
CVE Patch
CVSS v3 score: 7.8
NVD risk rating: Critical
Vulnerability name: Microsoft Defender RCE
An authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway.
Product: Microsoft Defender
Type: Remote Code Execution (RCE)

CVE-2022-21907
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-21907
HTTP protocol stack remote code execution vulnerability.
Product: HTTP protocol stack (Windows Internet Information Services (IIS) component)
Type: Remote Code Execution

CVE-2021-44228 - Log4Shell
CVE Patch
CVSS v3 score: 10
NVD risk rating: Critical
Vulnerability name: CVE-2021-44228 - Log4Shell
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Product: Log4j
Type: Remote Code Execution

CVE-2021-20038
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2021-20038
A stack-based buffer overflow vulnerability in the SMA100 Apache HTTPS server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as the 'nobody' user on the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Product: SMA100 Series
Type: Remote Code Execution

CVE-2021-4034
CVE Patch
CVSS v3 score: 7.8
NVD risk rating: High
Vulnerability name: CVE-2021-4034
A local privilege escalation vulnerability was found in Polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When successfully executed, the attack causes a local privilege escalation, giving unprivileged users administrative rights on the target machine.
Product: Polkit pkexec
Type: Privilege Escalation

CVE-2022-22536 - ICMAD (Internet Communication Manager Advanced Desync)
CVSS v3 score: 10
NVD risk rating: Critical
Vulnerability name: CVE-2022-22536 - ICMAD (Internet Communication Manager Advanced Desync)
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Product: NetWeaver, Content Server, and Web Dispatcher
Type: Remote Code Execution

CVE-2022-0847 - Dirty Pipe
CVE Patch
CVSS v3 score: 7.8
NVD risk rating: High
Vulnerability name: CVE-2022-0847 - Dirty Pipe
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in the copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.
Product: Kernel
Type: Privilege Escalation

CVE-2022-1040
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-1040
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
Product: Firewall
Type: Authentication Bypass, Remote Code Execution
Vendor: Sophos

CVE-2022-22965 - Spring4Shell
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-22965 - Spring4Shell
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Product: Spring Framework
Type: Remote Code Execution
Vendor: VMware

CVE-2022-22963
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-22963
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources.
Product: Spring Cloud Function
Type: Remote Code Execution
Vendor: VMware

CVE-2022-22954
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-22954
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
Product: Workspace ONE Access, Identity Manager, vRealize Automation, and vRealize Suite Lifecycle Manager
Type: Remote Code Execution

CVE-2022-22960
CVE Patch
CVSS v3 score: 7.8
NVD risk rating: High
Vulnerability name: CVE-2022-22960
VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to 'root'.
Product: Workspace ONE Access, Identity Manager, vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager
Type: Privilege Escalation

CVE-2022-26809
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-26809
Remote Procedure Call Runtime remote code execution vulnerability. This CVE ID is unique from CVE-2022-24492 and CVE-2022-24528.
Product: Remote Procedure Call (RPC) Runtime
Type: Remote Code Execution

CVE-2022-1388
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-1388
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.
Product: BIG-IP
Type: Authentication Bypass

CVE-2022-26923
CVE Patch
CVSS v3 score: 8.8
NVD risk rating: High
Vulnerability name: CVE-2022-26923
Active Directory Domain Services elevation of privilege vulnerability.
Product: Active Directory Domain Services
Type: Privilege Escalation

CVE-2022-30525
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-30525
A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Product: CGI Program of Some Firewalls
Type: Command Injection

CVE-2022-22972
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-22972
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Product: Workspace ONE Access, Identity Manager, vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager
Type: Authentication Bypass

CVE-2022-26134
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-26134
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
Product: Confluence Server and Data Center
Type: Remote Code Execution

CVE-2022-30190
CVE Patch
CVSS v3 score: 7.8
NVD risk rating: High
Vulnerability name: CVE-2022-30190
Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability.
Product: Windows Support Diagnostic Tool (MSDT)
Type: Remote Code Execution

CVE-2022-28219 - Zoho ManageEngine
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-28219 - Zoho ManageEngine
ManageEngine ADAudit Plus had some vulnerable API endpoints that allowed an unauthenticated attacker to exploit XML External Entity (XXE), Java deserialization and path traversal vulnerabilities. The chain could be leveraged to perform unauthenticated remote code execution. This issue has been fixed.
Product: ManageEngine ADAudit Plus
Type: Remote Code Execution

CVE-2022-31656
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Product: Workspace ONE Access, Identity Manager, vRealize Automation, VMware Cloud Foundation, Access Connector, vIDM Connector, and vRealize Suite Lifecycle Manager
Type: Authentication Bypass

CVE-2022-3236
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-3236
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
Product: Firewall
Type: Remote Code Execution, Code Injection

CVE-2022-40684
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-40684
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6, and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Product: FortiOS, FortiProxy, FortiSwitchManager
Type: Authentication Bypass

CVE-2022-3602
CVE Patch
CVSS v3 score: 7.5
NVD risk rating: High
Vulnerability name: CVE-2022-3602
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution.
Product: OpenSSL
Type: Remote Code Execution, Denial of Service (DoS)

CVE-2022-41128
CVE Patch
CVSS v3 score: 8.8
NVD risk rating: High
Vulnerability name: CVE-2022-41128
Windows Scripting Languages remote code execution vulnerability. This CVE ID is unique from CVE-2022-41118.
Product: Windows Scripting Languages
Type: Remote Code Execution

CVE-2022-41073
CVE Patch
CVSS v3 score: 7.8
NVD risk rating: High
Vulnerability name: CVE-2022-41073
Windows Print Spooler elevation of privilege vulnerability.
Product: Windows Print Spooler
Type: Privilege Escalation

CVE-2022-41125
CVE Patch
CVSS v3 score: 7.8
NVD risk rating: High
Vulnerability name: CVE-2022-41125
Windows CNG Key Isolation Service elevation of privilege vulnerability.
Product: Windows CNG Key Isolation Service
Type: Privilege Escalation

CVE-2022-41091
CVE Patch
CVSS v3 score: 5.4
NVD risk rating: Medium
Vulnerability name: CVE-2022-41091
Windows Mark of the Web security feature bypass vulnerability. This CVE ID is unique from CVE-2022-41049.
Product: Mark of the Web Security Feature
Type: Security Feature Bypass

CVE-2022-27925
CVE Patch
CVSS v3 score: 7.2
NVD risk rating: High
Vulnerability name: CVE-2022-27925
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
Product: Zimbra Collaboration Suite
Type: Remote Code Execution

CVE-2022-27518
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-27518
Unauthenticated remote arbitrary code execution.
Product: Gateway and ADC
Type: Remote Code Execution

CVE-2022-41080 - OWASSRF
CVE Patch
CVSS v3 score: 8.8
NVD risk rating: High
Vulnerability name: CVE-2022-41080 - OWASSRF
Microsoft Exchange Server elevation of privilege vulnerability.
Product: Exchange Server
Type: Privilege Escalation

CVE-2022-29499
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-29499
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
Product: MiVoice Connect
Type: Remote Code Execution
Vendor: Mitel

CVE-2022-29464
CVE Patch
CVSS v3 score: 9.8
NVD risk rating: Critical
Vulnerability name: CVE-2022-29464
Unrestricted arbitrary file upload and remote code execution vulnerability.
Product: API Manager, Identity Server, Identity Server Analytics, Identity Server as Key Manager, Enterprise Integrator, Open Banking AM, Open Banking KM
Type: Remote Code Execution

AVAILABLE FOR DOWNLOAD

What 2022 Showed us When it Comes to Vulnerabilities

While ransomware may make headlines, it's the more technical and less-covered vulnerabilities that cause the majority of cybercrime.
The sheer volume of vulnerabilities exploded in 2022, with over 25,000 recorded, and CISA shows that over 800 have been actively exploited, though the real number may be higher.
