Popular entertainment would have us believe that hackers are all sophisticated attackers ready to strike the latest vulnerabilities. That is sometimes true, but it’s become increasingly apparent that whether it’s the latest zero-day bug or something that was discovered the same year Apple released the iPad, hackers are equal-opportunity offenders.    

“Classic” Vulnerabilities

Cybersecurity professionals know the list of common vulnerabilities and exposures (CVE) seems never ending. While conscientious organizations may work to stay on top of the latest vulnerabilities, it’s easy to forget that some of the biggest threats have been around for a long time, and cyber attackers are not above going back to the classics.  Companies that haven’t always addressed CVEs in a timely manner may be surprised to learn that they’ve left some older issues unaddressed even though solutions are known and readily available. In fact, of the top most exploited CVEs, according to the US Cybersecurity and Infrastructure Agency (CISA), seven are from 2019 or earlier.  Here are a few examples:

CVE-2019-11510

Pulse Connect Secure and Pulse Policy Secure VPNs (now owned by Ivanti) contain vulnerabilities that allow an attacker to bypass authentication and access files and directories on an exposed system. It has been used in high-profile ransomware attacks, including those using Sodinokibi (aka Sodin or REvil) malware.   

Learn more about CVE-2019-11510.

Common Vulnerability Scoring System (CVSS) rating – 10, critical  

CVE-2018-13379

Fortinet FortiOS and FortiProxy can be exploited to allow a remote, unauthenticated user to execute a directory transversal attack by accessing plaintext user credentials stored in the system. Hackers used the credentials of domain administrators where multi-factor authentication wasn’t in use and gained complete access to the SSL VPN. Because the fix for this vulnerability required a password reset, which many end users neglected, organizations remain unprotected even though IT teams undertook remediation. It also highlights the importance of asset inventory and forced reboots.

Learn more about CVE-2018-13379.

CVSS rating – 9.8, critical 

CVE-2019-19781

A vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, can allow an attacker to scan the system for vulnerable servers and perform arbitrary code execution. Hackers can access configuration and other crucial files. 

Learn more about CVE-2019-19781.

CVSS rating – 9.8, critical

CVE-2019-18935

Telerik UI for ASP.NET AJAX, a set of tools for creating web apps, contains an insecure deserialization vulnerability within RadAsyncUpload. By exploiting prior vulnerabilities CVE-2017-11317 and CVE-2017-11357, attackers obtain encryption keys to exploit this bug for remote code execution. 

Learn more about CVE-2019-18935.

CVSS rating – 9.8, critical

CVE-2018-0171

A bug in Cisco IOS software’s Smart Install could allow a remote attacker to execute arbitrary code or cause a reload and, consequently, a DoS. System reboots of affected systems leads to network outages.   

Learn more about CVE-2018-0171.

CVSS rating – 9.8, critical

CVE-2017-11882

Known as the Microsoft Office Memory Corruption Vulnerability, this CVE affects Microsoft Office 2007 Service Pack 3, 2010 Service Pack 2, 2013 Service Pack 1, and Microsoft Office 2016. It’s a memory corruption problem in a part of Office that handles object linking embedding (OLE). Once the user opens a malicious document, the attacker can execute remote code. Homeland Security and the FBI say this vulnerability, which has been around since 2000, is still one of the most frequently used by hackers in China, Russia, and North Korea. 

Learn more about CVE-2017-11882.

CVSS rating – 7.8, high

CVE-2017-0199

Another Microsoft bug, affecting Office SP3, 2010 SP2, 2013 SP1, 2016, Vista SP2, Server 2008 SP2, Windows 7 SP1,  and Windows 8.1, allows attackers to take over an infected system. The vulnerability relates to the way Microsoft Office and WordPad parse specially crafted files. 

Learn more about CVE-2017-0199.

CVSS rating – 7.8, high

Not on the list of most exploited CVEs, but still worth a mention because it illustrates just how long some problems can remain unaddressed is CVE-2014-0160, aka Heartbleed. This flaw was first discovered and documented in 2014 and is still being exploited today. It has a CVSS rating of 7.5, or high.   

Potential Risks

All of these CVEs are at least three years old yet they are still among the currently exploited vulnerabilities cataloged by CISA and private cybersecurity firms. That illustrates the fact that, old or not, these CVEs are still threats to the security of systems large and small. Many of the vulnerabilities listed here can result in compromised accounts that are offered by criminals in access-as-a-service schemes. 

In its 2023 Threat Report, cybersecurity firm Sophos noted that ransomware no longer focuses almost exclusively on Windows. Mac, Linux, and mobile platforms are increasingly in the crosshairs. Attackers are also using new methods of exploitation, including leveraging data from leak sites.  

The number of CVEs cataloged each year has grown steadily since 2010. That trend is likely to continue along with increasing financial ramifications. One of the primary motivations of maliciously targeting a system is financial gain, usually achieved by ransomware attacks for ransom payment or confidential data exfiltration and sale. Many of the CVEs listed above can be used for this type of exploit. Ransomware costs American businesses $1.4 million on average per occurrence with 90% of organizations saying the attack impacted their ability to operate, according to Sophos. And Forbes reports that even after paying the ransom, businesses were only able to restore 65% of their data. Furthermore, it’s illegal to pay a ransom so even with 100% data recovery, companies can still face legal problems and lawsuits from customers and other affected parties. 

Why Old Vulnerabilities Persist

The reason these CVEs, old and new, are still exploitable is simply because systems haven’t been patched. But the why behind that can vary. In some organizations, IT staff is overwhelmed with an ever increasing workload and not enough people. Sometimes the vulnerability is so old, the staff isn’t even aware of it or may think it’s already been addressed. And as newer issues come along, grabbing headlines and attention, they may be prioritized over older CVEs that don’t seem to pose as much of a threat. Unfortunately, attackers are aware of all this. With all the attention on newer vulnerabilities, it’s often easier for hackers to slip through by exploiting older CVEs that cybersecurity teams have forgotten about or assigned a low priority. 

The bottom line is that IT teams need to be given the resources to conduct thorough assessment, testing, and remediation for the most critical threats. Additionally, cooperation of other parts of the business will make or break successful patching efforts. Employees need to follow reboot, password reset, and other instructions from security teams. Even C-level personnel, who may feel too busy to reboot, must be persuaded to take steps necessary to secure the company’s systems. In fact, IT teams may want to prioritize those machines, with their extremely sensitive data, for security audits. 

What to Do About It

While it can seem overwhelming to contend with new threats as well as old ones, it doesn’t have to be. It’s not the age, but more the risk that matters. Teams that prioritize as such can speed up time-to-remediation for vulnerabilities that are the most likely to be exploited.

Risk-based vulnerability management (VM) allows each company to examine which CVEs are most likely to impact the business and handle those issues first. Penetration testing not only identifies weaknesses, but also verifies the exploitability of vulnerabilities discovered during scans. Combining proactive security measures like VM and penetration testing help security teams pinpoint high-risk weaknesses before attacker exploits can them.