Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 部落格


Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out

The 2021 Threat Landscape Retrospective explored the top five vulnerabilities of the year. Learn about other high-impact vulnerabilities that nearly made our list.

When putting together the Threat Landscape Retrospective (TLR) for 2021, the Security Response Team had a particularly difficult challenge picking the top five vulnerabilities for the year out of the many candidates.

In this blog post, we’re pulling back the curtain on our selection process, both to highlight the high-impact vulnerabilities that almost made the cut and to discuss our methodology for selecting the top five.

Our goal is to complement the TLR, whose mission is to help cybersecurity professionals with ongoing analysis of the threat landscape, including government, vendor and researcher advisories on important vulnerabilities and noteworthy incidents.

How we chose the 2021 Top 5

When we compiled the top five vulnerabilities for the 2020 TLR, it was easier to select distinct, individual CVEs. As a matter of fact, most of 2020’s top five CVEs continue to haunt organizations well into 2021. One of them — CVE-2020-1472, aka Zerologon — even carried over to the 2021 top five).

On the other hand, 2021 was more about clusters of vulnerabilities that illustrated the cybersecurity landscape. Therefore, we selected “representative” CVEs — selecting a single vulnerability out of a cluster that effectively epitomized a class of flaws or a particular product that was highly targeted throughout the year. For example, the full TLR covers eight vulnerabilities in Microsoft Exchange Server, but CVE-2021-26855, aka ProxyLogon, was the first to gain broad exploitation that continues to this day.

That brings us to another key decision criteria for the top five: long term impact. You may notice that CVE-2021-44228, aka Log4Shell, does not appear on the list. That is because the long term effects of the vulnerabilities in Log4j 2.0 remain to be seen. We may see long term exploitation of these flaws but, when we published the 2021 TLR, they were still too new to have that level of impact. In our analysis, we find time and again that the vulnerabilities with a long tail are the biggest risk to organizations.

Zero-day vulnerabilities typically become more problematic for most organizations after they’ve made the transition to legacy status.

In short, here are our key criteria for selecting the top five vulnerabilities:

  1. Representative of a product that has been highly targeted by threat actors
  2. Has had sustained and widespread exploitation
  3. Offers high value in attack chains
  4. Affects ubiquitous products or protocols

Now, let us explore how the vulnerabilities that didn’t make the Top 5 measure up against these criteria.

CVE Description CVSSv3 Score Tenable VPR*
CVE-2021-26855 Microsoft Exchange Server remote code execution 9.8 9.9
CVE-2021-34527 Windows Print Spooler remote code execution 8.8 9.8
CVE-2021-21985 VMware Vsphere remote code execution 9.8 9.4
CVE-2021-22893 Pulse Connect Secure authentication bypass 10 10.0
CVE-2020-1472 Windows Netlogon protocol elevation of privilege 10 10.0
CVE-2021-20016 SonicWall SMA SQL injection 9.8 9.7
CVE-2021-40444 Windows MSHTML remote code execution 7.8 9.9
CVE-2021-30116 Kaseya VSA credential exposure 9.8 9.7
CVE-2021-36942 Windows LSA spoofing vulnerability 5.3 5.0
CVE-2021-27101 Accellion FTA SQL injection 9.8 9.0

* Please note Tenable VPR scores are calculated nightly. This blog post was published on March 13, 2022 and reflects VPR at that time.

CVE-2021-20016: SonicWall SMA zero day

In January 2021, SonicWall disclosed that its internal systems were breached by threat actors, and in February it followed up with an advisory for CVE-2021- 20016, a zero-day vulnerability in its Secure Mobile Access (SMA) SSL VPN. Discovered by NCC Group, CVE-2021-20016 is a SQL injection vulnerability that allows a remote, unauthenticated attacker to access login credentials and session information.

The attacks exploiting CVE-2021-20016 were tied to the FiveHands ransomware by Mandiant, though the NCC Group also saw “indication of indiscriminate” exploitation shortly after SonicWall’s initial announcement, before patches were available. NCC Group did not release significant details or a proof-of-concept (PoC) for CVE-2021-20016 because they didn’t want to facilitate future attacks.

Why it didn’t make the cut

While CVE-2021-20016 fits many of the criteria used to select the top five, it just barely missed out on inclusion because it did not quite have the same effect as those that made the cut. Perhaps because no PoC was published, we did not see widespread exploitation on the scale of vulnerabilities like ProxyLogon, PrintNightmare or even other vulnerabilities in SSL VPNs. On that note, we felt that the flaw in Pulse Connect Secure was much more illustrative of the risks to VPN products. Because CVE-2021-22893 was already in the top five, we felt the remaining slots were best used for other illustrative vulnerabilities in order to give a full view of the threat landscape.

CVE-2021-40444:Microsoft MSHTML zero day

CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML (Trident) platform. Microsoft announced the vulnerability on September 7, 2021, in response to active exploitation but did not release patches until that month’s dedicated Patch Tuesday a week later. By then, nearly two dozen PoC repositories had been published on GitHub. To exploit this vulnerability, an attacker would use social engineering like phishing to convince targets to open a malicious Microsoft Office document.

CVE-2021-40444 was exploited as a zero day in limited, targeted attacks and continues to be exploited, notably in targeted cyberespionage attacks by an advanced persistent threat group. After the full advisory was published, Microsoft confirmed that “multiple threat actors, including ransomware-as-a-service affiliates” had adopted CVE-2021-40444.

While RiskIQ did find that initial attacks exploiting CVE-2021-40444 shared common infrastructure with the Ryuk ransomware family, the researchers were careful to note that this overlap is inconclusive.

Why it didn’t make the cut

Despite being adopted by ransomware groups, the primary attacks exploiting CVE-2021-40444 were targeted and leveraged specially tailored phishing lures that require user interaction. This specificity limits the scope of this vulnerability and, while we expect to see it used in ongoing phishing attacks, it did not meet the level of concern we felt for the Microsoft Exchange vulnerabilities.

CVE-2021-30116、CVE-2021-30119、CVE-2021-30120:Kaseya VSA

There is an unfortunate precedent of cybersecurity incidents ruining a holiday weekend. Chief among them in 2021, Kaseya Limited announced on July 5 that three zero-day vulnerabilities in its Virtual System Administrator (VSA) remote monitoring and management software were exploited in a large-scale ransomware attack later tied to the REvil ransomware group.

CVE 說明 CVSSv3 Tenable VPR*
CVE-2021-30116 Insufficiently protected credentials 9.8 9.7
CVE-2021-30119 Cross-site scripting 5.4 5.7
CVE-2021-30120 Incorrect authorization vulnerability 7.5 5.1

The disclosure and investigation of this incident was a whirlwind, developing quickly over the Fourth of July holiday weekend in the United States. The attack was first reported on July 2 and patches were released on July 11.

Since the incident in July, more vulnerabilities have been disclosed in Kaseya products, but none have been exploited in the wild, and one (CVE-2021-40386) remains unpatched at the time this blog post was published.

Why it didn’t make the cut

This set of vulnerabilities falls into the subcategory of zero days that made a big splash, but it didn’t have the long tails we have seen on other vulnerabilities in the top five. According to Kaseya, “only a very small percentage of our customers were affected — currently estimated at fewer than 40 worldwide.” Interestingly, only CVE-2021-30116 has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. While that doesn’t necessarily mean there hasn’t been known exploitation of the other vulnerabilities, it does offer additional context for evaluating these vulnerabilities against the rest of the top five.

PetitPotam (CVE-2021-36942)

Somewhat unique on this list is PetitPotam, which is a new technology LAN manager (NTLM) relay attack rather than a distinct vulnerability. Originally disclosed by Gilles Lionel, PetitPotam can force domain controllers to authenticate to an attacker-controlled destination. Shortly after disclosure, the PoC was adopted by ransomware groups like LockFile. At first, Microsoft labeled this issue as “won’t fix,” and continues to primarily rely on its general mitigation guidance for defending against NTLM Relay Attacks.

There is a vulnerability associated with this attack, CVE-2021-36942, which is a Windows LSA Spoofing Vulnerability that received a CVSSv3 score of 7.8 and was patched in August’s Patch Tuesday release. However, later reports indicate that this patch was incomplete. It is important to note that, in this case, the vulnerability itself does not represent the true risks of this attack vector.

Why it didn’t make the cut

PetitPotam has seen similar use to Zerologon by threat actors but with a smaller attack surface and more limited adoption. The CVE associated with PetitPotam does have the lowest CVSSv3 score on the list but that wasn’t a factor in our decision. It is perhaps more notable that a vulnerability with a score of 5.3 made it into the top 10 at all.

CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104: Accellion File Transfer Appliance

At the end of 2020 and into the beginning of 2021, a large number of organizations — we have tracked more than 40 — were breached using four zero day vulnerabilities in Accellion’s File Transfer Appliance (FTA).

CVE 說明 CVSSv3 Tenable VPR*
CVE-2021-27101 SQL injection 9.8 9.0
CVE-2021-27102 Operating system command injection 7.8 8.4
CVE-2021-27103 Server-side request forgery 9.8 8.4
CVE-2021-27104 Operating system command injection 9.8 8.4

Almost immediately upon the announcement of these attacks, some were traced back to the Clop/CL0P ransomware group. Disclosures of breaches linked to Accellion FTA continued to occur throughout the beginning of 2021, making these zero days some of the most exploited vulnerabilities in the first half of the year.

Why it didn’t make the cut

While these vulnerabilities had considerable impact on the organizations breached using them, the effects were relatively short-lived. Attacks exploiting Accellion peaked in January 2021 and these vulnerabilities don’t appear to have the long tail that characterize those in the top five.

Common themes among the outliers

One thing that stands out for several of these entries is that they are not a distinct CVE but rather groups or chains of vulnerabilities. While this wasn’t a conscious decision factor when we selected the top five, it shows an important component of our decision criteria. We sought out vulnerabilities that not only represented considerable, long-term risks to organizations but also those that were uniquely illustrative. We could have compiled the top five just out of flaws in Microsoft Exchange Server and Print Spooler but decided to instead highlight a diverse set of products that many organizations might deploy.

Also interesting is that the vulnerabilities that did not make the cut were all zero days, while only two of the final top five were. While we did see more threat actors exploiting zero days in attacks this year, 83% of the zero days we tracked for the 2021 TLR were exploited in the wild, unpatched known vulnerabilities continue to be a fertile ground for attackers.

While the effects of these vulnerabilities were acutely felt by those organizations breached using them, the wide-scale impact was lacking. Attackers have a plethora of vulnerabilities from which to choose, and the vulnerabilities that did make it into the top five represent those that a large number of attackers chose to exploit in a greater number of attacks than those that just missed the cut. That being said, organizations with any of the vulnerabilities discussed here should immediately set a plan to identify and remediate any affected assets.


Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for the vulnerabilities discussed in this report. In addition, Tenable.io customers have a new dashboard and widgets in the widgets library and Tenable.sc users also have a new dashboard covering the 2021 Threat Landscape Retrospective.

加入 Tenable Community 的 Tenable 安全回應團隊

深入瞭解 Tenable,這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。

索取 Tenable.io Vulnerability Management 的 30 天免費試用



輸入您的電子郵件地址,以便收到最新 cyber exposure 警示。



您的 Tenable.io Vulnerability Management 試用版也包含 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

tenable.io 購買

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產



免費試用 Nessus Professional

免費試用 7 天

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買 Nessus Professional

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買多年期授權,節省更多。新增 365 天全年無休 24 小時全天候可使用電話、社群及對談的進階支援。






您的 Tenable.io Vulnerability Management 試用版也包含 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

Tenable.io 購買

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產



試用 Tenable.io Web Application Scanning

享受我們專為現代應用程式而設計,屬於 Tenable.io 平台一部分的最新 Web 應用程式掃描產品的所有功能。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊。

您的 Tenable Web Application Scanning 試用版也包含 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.cs Cloud Security。

購買 Tenable.io Web Application Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

5 個 FQDN



試用 Tenable.io Container Security

享受整合至弱點管理平台中的唯一容器安全產品的完整功能。監控容器映像中是否有弱點、惡意軟體及政策違規的情形。與持續整合和持續部署 (CI/CD) 系統整合,以支援 DevOps 作法、加強安全性並支援企業政策合規性。

購買 Tenable.io Container Security

Tenable.io Container Security 整合了建置程序,能提供包含弱點、惡意軟體和政策違規等容器映像安全性的能見度,讓您無縫並安全地啟用 DevOps 流程。

試用 Tenable Lumin

透過 Tenable Lumin,能夠以視覺方式呈現 Cyber Exposure 並加以探索,長期追蹤風險降低狀況,以及對照同業進行指標分析。

您的 Tenable Lumin 試用版也包含 Tenable.io Vulnerability Management、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

購買 Tenable Lumin

聯絡業務代表,瞭解 Lumin 如何協助您獲得整個企業的深入洞見,並管理網路風險。

試用 Tenable.cs


您的 Tenable.cs Cloud Security 試用版也包含 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.io Web Application Scanning。

聯絡業務代表購買 Tenable.cs

聯絡業務代表,以深入瞭解 Tenable.cs Cloud Security 如何輕鬆讓您的雲端帳戶上線,以及如何在數分鐘內輕鬆取得雲端錯誤設定與弱點的能見度。

免費試用 Nessus Expert

免費試用 7 天

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。

您已擁有 Nessus Professional 嗎?
升級至 Nessus Expert,免費試用 7 天。

購買 Nessus Expert

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。


促銷價格將延長至 12 月 31 日止。