Joint Advisory: 2022 top routinely exploited vulnerabilities

New Zealand’s National Cyber Security Centre (NCSC) has issued a joint cyber security advisory in partnership with CERT NZ, the USA's Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the cybersecurity authorities of Australia, Canada, and the United Kingdom.

The joint advisory [PDF, 981 KB] provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, as well as other CVEs frequently exploited.

The authoring agencies encourage organisations to apply the recommendations in the mitigations section of this advisory, and to check for signs of compromise even if the vulnerability was previously mitigated. These mitigations include applying timely patches to systems and implementing a centralised patch management system to reduce the risk of compromise by malicious cyber actors.

“This advisory reinforces one of the foundational aspects of cyber security,” said Lisa Fong, responsible for New Zealand’s National Cyber Security Centre. “Malicious actors continue to succeed using the same techniques over and over. I can’t emphasise enough the importance of doing the basics well by understanding your assets, and rapidly applying patches when they become available. Acting on CVE reporting is the difference between getting onto your to-do list and getting onto someone else’s to-do list.”

“This is a timely reminder for organisations that asset lifecycle management and patching policies are incredibly important,” said Rob Pope, Director CERT NZ. “I’d also like to stress that vulnerability disclosure is a very good thing and organisations that supply software or services should have a vulnerability disclosure policy in place as part of the secure-by-design principles. Doing this makes everyone more secure in the long run.”

For queries related to this advisory, please contact: info@ncsc.govt.nz