Multiple US Government agencies have collaborated on a list of the 10 most exploited security vulnerabilities in the past three years.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and other US agencies used the National Cyber Awareness System to release the AA20-133A alert, hoping to improve the patching process for businesses in both the private and public sector.
According to CISA, by patching regularly, companies in both sectors can hinder foreign cyber actors working against US interests.
"A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective," said the agency.
According to the warning, flaws in Microsoft’s Object Linking and Embedding (OLE) technology were the most widely exploited, followed by the Apache Struts web framework.
"Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158," explained CISA. "All three of these vulnerabilities are related to Microsoft’s OLE technology."
The report also claims Chinese hackers have taken advantage of CVE-2012-0158 since December, suggesting businesses have not installed patches diligently.
According to the report, Citrix VPN and Pulse Secure VPN vulnerabilities have been heavily exploited this year, along with Microsoft Office 365.
You can find the full list of the most exploited vulnerabilities in the past three years here.