The year 2022 was a very eventful year from a cybersecurity perspective. It began with a barrage of attacks on all fronts by the Conti ransomware group, followed by numerous attacks worldwide by threat actors targeting institutions across all sectors—from healthcare to storage. We noticed that cyber attacks played a more significant role in 2022, setting the stage for the ongoing Russia-Ukraine war. DDoS attacks became ubiquitous and cyber insurance budgets escalated.
Looking back at the year that was, Securin experts have put together a list of the top vulnerabilities that trended on the surface web and were sought out by attackers. We have made an in-depth analysis of why these vulnerabilities are serious and why they trended.
Top 10 Google Trend CVEs
Here are the top 10 trending CVEs of 2022, based on the number of times these vulnerabilities topped the search charts.
CVE | Affected Platform | Trending Index¹ | In CISA KEV?
---|---|---|---
 | Adobe Flash Player | 100 | Yes
 | Multiple vendor products | 100 | No
 | Insyde (InsydeH2O), Siemens firmware versions | 100 | No
 | TightVNC (TightVNC) | 100 | No
 | phpMyAdmin (phpMyAdmin) | 100 | Yes
 | Apache HTTP Server | 100 | No
 | Microsoft Office | 100 | No
 | Apache HTTP Server | 100 | No
 | PHP (PHP), openSUSE (Leap) | 100 | No
 | Substack (Minimist), openSUSE (Leap) | 100 | No

¹ Trending Index (ranging from 1 to 100, where 100 is the maximum search interest) is the relative popularity of the vulnerability during the time period for which the trend is being measured.
Our analysis of the top trending vulnerabilities presents the following interesting observations:
- 2 CVEs have ransomware and APT group associations.
- 2 CVEs are marked as heavily exploited by CISA.
- 1 CVE has both RCE and PE exploits.
- 1 CVE has a pentester framework available.
- 6 CVEs are old vulnerabilities belonging to 2019 and earlier.
- By CVSS rating, there are 2 critical and 2 medium-severity vulnerabilities on the list; the rest are high.
Of the lot, below are our top callouts.
CVE-2016-4117 in Adobe Flash Player is associated with four ransomware groups (CryptXXX, Mole, Cerber, and Cyborg) and six APT groups (BlackOasis, Cobalt Group, APT29, Kimsuky, PROMETHIUM, and Lazarus Group). APT29 (Nobelium/Cozy Bear), Kimsuky, and the Lazarus Group have been some of the most destructive groups of 2022, making this vulnerability highly dangerous.
CVE-2009-1151 in phpMyAdmin is targeted by two APT groups (Sea Turtle and Emennet Pasargad) and affects over 41 products. This vulnerability can be exploited for remote code execution, privilege escalation, and compromising web applications, compounding its impact. A pentester framework is also available for it, which simplifies installation, packaging, and use in pentesting engagements and illustrates the capabilities this vulnerability offers attackers.
Both these vulnerabilities rightly feature on the CISA KEV catalog—a warning for organizations that they are heavily exploited vulnerabilities and likely to be targeted repeatedly by attackers.
A Risk Perspective
Our Vulnerability Intelligence platform, Securin VI, gives CVE-2009-1151 a critical Definitive-VRS (D-VRS)² rating of 9.72 because it has many APT group associations and a large number of public exploit codes available, among other factors.
CVE-2016-4117 receives a high D-VRS rating on the Securin VI platform.
Of the 10 vulnerabilities trending on Google in 2022, three of them—CVE-2009-1151, CVE-2016-4117, and CVE-2021-42785—have the maximum P-VRS³ score of 38.46, indicating that hackers are scouting for exposed instances of these vulnerabilities.

² Definitive-VRS, or D-VRS, is the Vulnerability Risk Score (VRS) ranging from 0 to 10 assigned to every vulnerability based on its CVE attributes, CVSS rating, ransomware and APT associations, exploit code availability, past exploitation, and trending factors.
³ Predictive-VRS, or P-VRS, is a predictive indicator of the likelihood that a vulnerability will be exploited. Ranging from 1 to 38.4615, P-VRS considers factors such as CVE chatter on the deep and dark web, vulnerability interest in hacker forums, exploitation in the wild, and mentions in the news and social media to give organizations early warning about vulnerabilities that pose a threat.
Other Noteworthy Trending Vulnerabilities
Although not part of the top 10 trending vulnerabilities on Google, we call out a few noteworthy vulnerabilities that trended in 2022.
Vulnerability | Affected Platform | CVSS | D-VRS | P-VRS | Exploitation in the Wild | In CISA KEV?
---|---|---|---|---|---|---
CVE-2016-5734 | phpMyAdmin | Critical | Critical | Critical | True | No
 | Oracle (Fusion Middleware) | Medium | Critical | Critical | True | Yes
 | Google (Android), Debian (Linux) | Medium | Medium | Critical | True | Yes
 | Multiple vendor products | Medium | Medium | Critical | True | No
The above list of vulnerabilities makes for a compelling study. The CVEs flagged are of diverse complexities, ranging from those already in the CISA KEV catalog and ones with maximum D-VRS/P-VRS scores to those exploited in the wild. All of these factors contribute to a vulnerability being a ‘risk’ to an organization and highlight the importance of a holistic risk analysis.
Special Callouts:
CVE-2016-5734 (phpMyAdmin) is a code injection vulnerability that results from improper control of code generation. The CVE has exploit codes that can be used for remote code execution, privilege escalation, or web app exploitation, making it a highly sought-after vulnerability for attackers with malicious intent.
CVE-2012-3152 (Oracle Fusion Middleware) is a 2012 vulnerability that only has a CVSS V2 score. However, it has five exploit codes available in the public domain, which can be used to remotely execute custom code and exploit web applications as well. The vulnerability has previously been exploited by the Volatile Cedar APT group and thus, Securin VRS rates it as being of critical severity.
A 360-degree analysis of vulnerabilities is needed to understand which vulnerabilities could pose a threat to an enterprise at any given point in time; this cannot be decided as a function of any one parameter alone.
Top 10 Popular CVEs of 2022
We also observed some vulnerabilities were pet favorites of threat actors and repeatedly kept popping on and off our threat actor radar in the past year. While these do not make the top 10 cut purely based on trending counts, these vulnerabilities fall under the high/critical bracket on Securin VI and are ones organizations must be wary of.
Below, we present the top 10 popular vulnerabilities, which have been called out by Securin multiple times in blogs and reports. All ten are in the CISA KEV catalog, and have maxed out on their P-VRS scores—a sign that there continues to be a lot of interest in these vulnerabilities from malicious actors.
Only the Fortinet FortiOS vulnerability (CVE-2018-13379) has neither remote code execution nor privilege escalation capabilities by itself—although it has a heavy exposure count and multiple threat associations. The other nine have critical D-VRS severity ratings, highlighting the possible impact these vulnerabilities could have if exploited.
Vulnerability Name | CVE Identifier | Exploit Type⁴ | D-VRS | P-VRS | Affected Platform | Ransomware Associations | APT Group Associations | CISA KEV?
---|---|---|---|---|---|---|---|---
ProxyShell | | RCE, PE, WebApp | Critical | Critical | Microsoft Exchange Server | 12+ | 7+ | Yes
Log4Shell | | RCE, DoS, WebApp | Critical | Critical | Multiple vendor products | 7 | 10 | Yes
ProxyLogon | | RCE, PE, WebApp | Critical | Critical | Microsoft Exchange Server | 7 | 15 | Yes
Fortinet FortiOS | | WebApp | High | Critical | Fortinet FortiOS | 7 | 10 | Yes
Equation Editor RCE | | RCE, WebApp | Critical | Critical | Microsoft Office | 8 | 23 | Yes
Zerologon | | PE, DoS, WebApp | Critical | Critical | Multiple vendor products | 9 | 8 | Yes
Follina | | RCE, WebApp | Critical | Critical | Microsoft Windows and Server versions | 1 | 5 | Yes
Office/Word RCE | | RCE, WebApp | Critical | Critical | Microsoft Office, Windows and Server versions | 5 | 17 | Yes
Print Nightmare | | RCE, DoS | Critical | Critical | Microsoft Windows and Server versions | 5 | 2 | Yes

⁴ Exploit Type refers to the different types of exploits associated with these vulnerabilities, as described below:
- RCE: Remote Code Execution
- PE: Privilege Escalation
- DoS: Denial of Service
- WebApp: Exploitation of Web Applications
Interestingly, on mapping these vulnerabilities to their MITRE ATT&CK Tactics, Techniques, and Procedures, we observed that all of them can be exploited to gain initial access into vulnerable networks or to execute custom code.
The ProxyShell, Log4Shell, ProxyLogon, Fortinet, and PrintNightmare vulnerabilities map to initial access via exploitation of public-facing applications or external remote services.
Zerologon can be exploited for code execution and privilege escalation.
The Follina, Office RCE, and Equation Editor RCE vulnerabilities allow initial access via spearphishing with malicious files and can be exploited for code execution.
It is worth noting that all of the above vulnerabilities are present in popular products that are regularly used in personal and organizational tech stacks. Because the number of instances of these vulnerabilities exposed to the Internet is extremely high, they provide easy entry points for adversaries if they are not addressed thoroughly.