Joint Cybersecurity Advisory: AA22-117A TLP:WHITE, 2021 Top Routinely Exploited Vulnerabilities

Released April 27, 2022


The purpose of this Joint Cybersecurity Advisory is to inform private sector partners of the top 15 exploited vulnerabilities and provide steps for mitigation. This product is marked TLP:WHITE. The information in this product may be distributed without restriction, subject to copyright controls.

Please see the attached Joint Cybersecurity Advisory: AA22-117A TLP:WHITE, 2021 Top Routinely Exploited Vulnerabilities.

2021 Top Routinely Exploited Vulnerabilities


This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess that, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.

The cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.

See the complete report PDF below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

(O) +1 202 626 2272