The world of cybersecurity moves fast. Crises erupt, and security teams react. There’s little time to take a break and look back.
Kenna Security is celebrating its 10-year anniversary today, so we decided to do what we do best and take a data-based (and rare) review of the top vulnerabilities from the past decade.
The Top Vulnerabilities Year-By-Year
For the uninitiated, Kenna Security uses a whole bunch of data science to calculate the real risk posed by any given CVE. We assign scores ranging from 1 (no risk) to 100 (highest risk). Just 171 vulnerabilities have earned a score of 100 – representing the worst of the worst. Here, we highlight some of the most memorable from that list.
- 2010:
  - Although it occurred just outside the scope of this project, we would be remiss if we didn’t mention one vulnerability from 2010 that brought cyberwarfare to the mainstream: CVE-2010-2772, aka Stuxnet. This is a great example of a vulnerability that poses very little risk on its own due to the relative rarity of the devices impacted and the difficulty of exploiting them. Pair this vuln with nation-state motivations and a highly targeted mission, however, and you have all the makings of a Tom Clancy novel.
- 2011:
  - Columbia University researchers found RCE vulnerabilities in HP printers (CVE-2011-2404, CVE-2011-4786) that could potentially be used to produce some fiery results.
- 2012:
  - VUPEN had some fun demonstrating browser 0-days, including an Internet Explorer RCE (CVE-2012-1876), taking home some trophies during Pwn2Own at CanSecWest 2012.
  - All in all, Microsoft had 10 vulnerabilities that we rated 100/100, all of them enabling RCE.
- 2013:
  - Microsoft warned its users about an Office 0-day (CVE-2013-3906) that enabled RCE via a TIFF image embedded in an Office document. This vuln was being exploited in the wild, so users needed to be cautious until the patch arrived in the following week’s Patch Tuesday.
- 2014:
  - Shellshock, aka Bashdoor (CVE-2014-6271), hits the scene.
  - With Dune hitting theaters (and HBO Max) in 2021, it’s only fitting to call out the emergence of the Sandworm (CVE-2014-4114) malware associated with Russian cyber-espionage campaigns.
  - Heartbleed (CVE-2014-0160) is an honorable mention as another celebrity vulnerability, but it didn’t quite make the grade with a Kenna severity score of 96.8.
- 2015:
  - Adobe Flash took top honors with half of all 100-scored vulnerabilities in 2015. It’s not much of a surprise that browsers and phones began blocking Flash by default and that Adobe announced end-of-life for the product in 2017.
  - Another notable mention is the Juniper backdoor (CVE-2015-7755) in NetScreen firewalls, which could lead to “complete compromise of the affected device.”
- 2016:
  - CVE-2016-10372 was a ZyXEL modem RCE vuln that put tens of thousands of Eir (Ireland’s largest ISP) internet users at risk.
  - For CVE-2016-2776, the ISC (Internet Systems Consortium) disclosed a Denial of Service (DoS) triggered by a maliciously crafted DNS request.
- 2017:
  - Petya ransomware spread globally by exploiting a Microsoft SMB protocol vuln (CVE-2017-0144) to infect host machines.
  - The infamous Equifax Apache Struts vulnerability (CVE-2017-5638) made headlines, and five other Apache vulnerabilities were scored 100/100 in 2017 (CVE-2017-12617, CVE-2017-12635, CVE-2017-12636, CVE-2017-9791, CVE-2017-9805).
- 2018:
  - While Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) made headlines in January of 2018, the massive industry response and the relative difficulty of executing exploits kept them off the top of the risk scoreboard for the year.
  - Instead, the riskiest vulnerabilities involved RCEs in popular and widely used open source tools, including Drupal (CVE-2018-7600, CVE-2018-7602), Jenkins (CVE-2018-1000861), and jQuery (CVE-2018-9206), and an authentication bypass in libssh (CVE-2018-10933).
- 2019:
  - Who can forget Microsoft’s latest and greatest RDP vulnerability, BlueKeep (CVE-2019-0708)? BlueKeep was one of only six vulnerabilities that we rated 100/100 in 2019, and for good reason: the Kenna predictive algorithm flagged that it would likely have an exploit (elevating the risk score to 96) and should be prioritized for remediation. The first attacks in the wild were registered two months after the CVE was published. You can read how we tracked BlueKeep
- 2020 (through 11/22):
  - While 2020 has been a proverbial dumpster fire in most respects, the year has brought us only 8 new vulnerabilities that made the riskiest-of-the-risky list. That is relatively light considering that the average year sees 17 new 100-scored vulns, but read on to see why 2020 may have made up for the lower volume with some novel vulnerabilities.
  - 2020 follows in 2019’s footsteps with a Microsoft Exchange RCE (CVE-2020-0688) that we have been tracking since it was revealed in February’s Patch Tuesday. This one is unique in that it stems from a static cryptographic key in a default application that is also exposed to the internet.
  - F5 Networks’ BIG-IP load balancing devices had an RCE (CVE-2020-5902) so risky that F5 noted many devices were likely already compromised by the time it published the vulnerability details, and US CISA followed with its own advisory calling out ongoing attacks in the wild.
The list of extremely critical vulnerabilities covers a mix of vendors, products, and attack vectors. But the similarities between them highlight the strength of risk-based vulnerability management. Attackers follow well-worn pathways. While some CVEs may be more potent than others, the attackers who weaponize them can be somewhat predictable.
In fact, the FireEye breach disclosure and their red team tool kit mitigations show that one of the most respected Red Teams in the world leverages vulnerabilities that are all too familiar to anyone paying attention. Of the 16 CVEs that are utilized, 5 have a Kenna score of 100, and they have an average risk score of 75 out of 100. That score grows to 84 if you remove two highly specific vulnerabilities.
That insight drives Kenna Security. CVEs that allow remote code execution tend to draw a lot of interest. Likewise, vulnerabilities impacting certain operating systems and vendors are more likely to be weaponized. While these vulnerabilities represent the worst of the worst, they fit the overall pattern. And that allows companies to stay ahead of the curve. By identifying vulnerabilities that are likely to be exploited, and then correlating that with their business context, security teams can effectively reduce overall risk for their organizations.
Pick a CVE, and we’ll show you its true risk
Send us any CVE that you want to learn more about, and we’ll set up a quick demo to show you the power and breadth of Kenna’s vulnerability intelligence.