Four of the top 15 vulnerabilities used last year by hackers were more than a year old: Report

Patched vulnerabilities that date as far back as 2017 are still being exploited by threat actors, according to the latest report from cyber intelligence agencies in Canada and its Five Eyes allies.

Issued this week, the report lists the top 15 vulnerabilities used by threat actors last year to get into IT systems of organizations.

Of those 15, one dates back to 2018 (CVE-2018-13379), a path traversal vulnerability that affects security appliances running Fortinet’s FortiOS and FortiProxy; one dates back to 2019 (CVE-2019-11510), a vulnerability that allows arbitrary file reading in Pulse Secure’s Pulse Connect Secure VPN; and two date back to 2020 (one is the Zero Logon vulnerability for Windows, while the other is for Microsoft Exchange).

“Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” says the report.

Rounding out the top 15 list are 11 vulnerabilities found last year: Four ProxyLogon and three ProxyShell vulnerabilities in Exchange; and single vulnerabilities in Atlassian Confluence Server and Data Center, VMware vSphere Client and Zoho ManageEngine AD SelfService Plus; and the log4j vulnerability in Apache log4j2.

The report also lists 18 more patched vulnerabilities that were routinely exploited by attackers last year, although not as often as the top 15. Of this group, two discovered in 2017 involve Microsoft Office, one discovered in 2018 is for Cisco System’s IOS and IOS XE operating systems, two were discovered in 2019 (for products from Citrix and Progress Telerik) and one in 2020 (for QNAP’s network-attached storage devices).

In addition to listing the vulnerabilities, the report also has links to the patches.

Last year, malicious cyber actors “aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the alert warns. “To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.”

The Five Eyes countries are Canada, the U.S., the United Kingdom, Australia and New Zealand.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.