Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

A Closer Look at the US-CERT Top 10 Vulnerabilities List

Cracked brick wall with graffiti smiley face


In early May 2020, US-CERT published an alert of the Top 10 vulnerabilities exploited by attackers from 2016 to 2019. The list reveals some patterns and attack methods preferred by malicious actors. We’re going to dig a bit deeper into these attacks in this article.

The underlying theme for defenders is a lack of proper patch and configuration management. There will always be compromises that exploit zero-day vulnerabilities; however, the blast radius increases over time as organizations struggle to keep up with patching their systems. This remains true in 2020 as much as it was in 2000.

Most of the exploited vulnerabilities between 2016 and 2019 are based on vulnerable software. This matches the pattern we've seen by looking at the vulnerabilities we've discovered for clients in the first part of 2020.


Analyzing the list of the most exploited vulnerabilities also yields an unsurprising view, one in which the majority of attacks have targeted business productivity tools, such as Microsoft Office or supporting services like Apache Tomcat. Microsoft operating systems and software will continue to be the most attacked software for the foreseeable future due to its nearly universal adoption, market share, and the many (?) lagging organizations that struggle to upgrade to the latest and arguably more secure versions. This will shift once Microsoft can natively mitigate attacks by adopting a secure by default approach.


Interestingly enough, specifically called out in the aforementioned US-CERT Alert is increased malicious activity against VPN technologies. This is not really a new tactic by malicious actors; however, with the workforce being more remote than ever, and especially with the present COVID-19 situation, attackers are like bees and following the honey. We've performed some recent technical analysis of such vulnerabilities, which you can read here: Pulse SSL VPN Arbitrary File Read Vulnerability (CVE-2019-11510) and ConnectWise Control 19.3.25270.7185 (Eight Vulnerabilities, Including Critical).


Targeting employees through social engineering remains a tried-and-true tactic, mainly because you can bypass technical controls due to a lack of proper employee training and awareness. Often, the easiest way to compromise an organization is not through overtly attacking it via technical means, but by focusing on soft targets – aka, its people. Over the past few years, we've noticed that ransomware attacks have succeeded by convincing employees to open emails and click on malicious links; however, we can’t neglect to mention the effectiveness of simply calling employees and exploiting their willingness to help someone.


There aren’t any fancy tricks or tips to avoid these issues. Lists like this one from the US-CERT are very useful for showing real-world attacks and reminding us that security basics and good overall hygiene will make a massive difference in an organization’s security profile. The emerging threats that make headlines in the press are worth monitoring and checking for within your attack surface, but don’t focus in only that one area at the expense of protecting the low-hanging fruit. Play good offense, hire reputable external security firms to run regular pen tests, explore continuous pen testing, which gives you a broader view of your real-time threats, and train your employees.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Dan Wood, Bishop Fox Alumnus

About the author, Daniel Wood

AVP of Consulting

Daniel Wood (CISSP, GPEN) is a Bishop Fox Alumni. Daniel was Associate Vice President of Consulting at Bishop Fox, where he led all service lines, developed strategic initiatives, and established the Applied Research and Development program. Daniel has over 15 years of experience in cybersecurity and is a subject matter expert in red teaming, insider threat, and counterintelligence. Daniel was previously the manager of security engineering and technology at Bridgewater Associates, where he shaped the strategic direction of technology for the firm and oversaw technical security assessments of Bridgewater's international office expansions.

Daniel has also served in roles supporting the U.S. government in security architecture, engineering, and offensive operations as a Security Engineer and Red Team Leader. He supported the U.S. Special Operations Command (USSOCOM) on red teaming and digital warfare operations, and the U.S. Army on the Wargaming Cyber Effects on Soldiers' Decision-Making project. Daniel is currently a member of the Ithaca College Cybersecurity Advisory Board. He holds a Bachelor of Science in Administration of Justice from George Mason University.
More by Daniel

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.