GCHQ’s National Cyber Security Centre and its international allies have issued a fresh warning to organisations about the importance of updating systems after malicious cyber attackers were found to be routinely targeting older software vulnerabilities in 2022.
In a new joint advisory, the NCSC and agencies in the US, Australia, Canada and New Zealand have revealed a list of the top 12 vulnerabilities that were routinely exploited last year. More than half of the top vulnerabilities listed for 2022 also appeared on the previous year’s list, highlighting how malicious cyber actors continued to target previously disclosed flaws in internet-facing systems despite security updates being available to fix them.
The new document says that attackers generally see the most success exploiting known vulnerabilities within the first two years of public disclosure and likely target their exploits to maximise impact, emphasising the benefit of organisations applying security updates promptly.
In addition to the top 12 list, the advisory also provides technical details about 30 other routinely exploited vulnerabilities, alongside mitigation advice to help organisations and software developers reduce the risk of compromise. UK organisations are also encouraged to sign up for the NCSC’s Early Warning service to receive alerts about potential issues, including vulnerabilities, affecting their networks.
Jonathon Ellison, NCSC’s director of resilience and future technology, said: “Vulnerabilities are sadly part and parcel of our online world and we see threat actors continue to take advantage of these weaknesses to compromise systems. This joint advisory with our allies raises awareness of the most routinely exploited vulnerabilities in 2022 to help organisations identify where they might be at risk and take action.
“To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers.”
All UK organisations are eligible to sign up for Early Warning and can register via the NCSC website. The NCSC also has guidance to help organisations with vulnerability management.
Software vendors, designers and developers are encouraged to embed secure-by-design practices into every stage of the development life cycle to help identify root causes of vulnerabilities and address them.