The U.S. government is again reminding organizations to patch some of the most routinely exploited vulnerabilities to help reduce their cyber risk exposure.

Three agencies, the Cybersecurity and Infrastructure Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), with help from cybersecurity authorities in Australia, Canada, New Zealand, and the UK, released an advisory this week detailing the 15 most popular vulnerabilities of 2021.

If you've been paying attention to the threat landscape over the past year, many of those exploited in 2021 may not surprise you.

That’s partly because a handful of the bugs, including those in VPN services and email servers, have been an issue for longer than just last year – they were also among the most exploited bugs in 2020, too.

Left unpatched, these vulnerabilities – CVE-2018-13379, a path traversal in Fortinet FortOS and FortiProxy, CVE-2019-11510, an arbitrary file read vulnerability in Pulse Secure, CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server, and CVE-2020-1472, the ZeroLogon bug in Microsoft Netlogon, translate to easy wins for attackers.

As CISA, NSA, and the FBI point out, the fact these bugs are still showing up in year-end lists two years later demonstrates the continued risk to organizations for failing to patch them.

Most of the other bugs are so popular they commanded headlines for weeks after they were uncovered but for some reason, continue to go unpatched by organizations. While patch management can be tricky business - there are a handful of variables that go into when exactly an organization can apply fixes across potentially thousands of machines - one of the big issues with these vulnerabilities is that many of them were weaponized early on by researchers releasing proof of concept (POC) code.

CVE-2021-44228 – Log4Shell, a vulnerability that affects Apache’s Log4j, a common logging library used in Java applications. If exploited, attackers can execute arbitrary code, steal information, launch ransomware, or carry out other activity. Apache released a fix for the vulnerability after it was disclosed in December but it still saw widespread exploitation as attackers almost instantly began scanning the internet for vulnerable instances.

CVE-2021-26855 CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 - The ProxyLogon vulnerabilities. When chained together, these vulnerabilities allow unauthenticated attackers to execute arbitrary code on Microsoft Exchange servers and in turn, lets them gain persistent ccess to files and mailboxes, in addition to any credentials stored on the servers.

CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 - The ProxyShell vulnerabilities. When used in tandem, these vulnerabilities, which exist in Microsoft Client Access Service (CAS), can allow an attacker to execute arbitrary code remotely

CVE-2021-26084 – This vulnerability in Atlassian Confluence Server and Data Center can allow an unauthenticated attacker to execute arbitrary code on vulnerable systems. This vulnerability quickly became exploited following its disclosure when a proof of concept attack was released.

Rounding out the top 15 are a remote code execution vulnerability (CVE-2021-21972) in VMware’s vSphere Client, a remote code execution vulnerability (CVE-2021-21972) in Zoho’s ManageEngine AD SelfService Plus.

The advisory is the government's latest push to get organizations to patch these outstanding vulnerabilities.

It issued a first of its kind Binding Operational Directive (BOD) last fall asking entities that fall under its purview to fix bugs the agency knows are being exploited. The BOD, Reducing the Significant Risk of Known Exploited Vulnerabilities, has evolved into a constantly updated catalog of vulnerabilities, containing affected software, instructions on how to patch the bugs, and a deadline for federal agencies to do so.

While defenders have no doubt seen these CVEs before, advisories like this continue to drill the point home that if an organization hasn’t already, fixing them can easily raise the bar and make it harder for hackers to infiltrate their systems and steal their data.

“We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them,” said CISA Director Jen Easterly, “We urge all organizations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities.”