The National Cyber Security Centre (NCSC), in collaboration with agencies from the US, Australia, Canada, and New Zealand, released a joint advisory on the cyber vulnerabilities most exploited in 2022.

The report revealed that malicious cyber attackers exploited older software vulnerabilities more often than recently disclosed ones.

Interestingly, over half of the vulnerabilities listed for 2022 were also part of the 2021 list, underscoring that attackers repeatedly targeted known flaws in internet-facing systems, even when security patches were available.

The advisory noted that attackers often had the most success exploiting vulnerabilities within two years of their public disclosure. They aimed their exploits to achieve the maximum impact, underscoring the need for organisations to apply security updates without delay. The advisory also shared technical details on an additional 30 vulnerabilities that were commonly exploited and offered mitigation advice to reduce risks.

UK’s NCSC Director of Resilience and Future Technology, Jonathon Ellison, stated, “Vulnerabilities are sadly part and parcel of our online world and we see threat actors continue to take advantage of these weaknesses to compromise systems. This joint advisory with our allies raises awareness of the most routinely exploited vulnerabilities in 2022 to help organisations identify where they might be at risk and take action.”

To reinforce cyber defences, Ellison encourages organisations to apply all available security updates promptly. Software vendors, in turn, are urged to place security at the forefront of their product designs, shifting the responsibility away from consumers. All UK organisations can sign up for the NCSC’s Early Warning service to receive timely alerts regarding potential network vulnerabilities.

Guidance for effective vulnerability management is available on the NCSC website, and software professionals are advised to adopt secure-by-design practices throughout the development process.

The comprehensive advisory was jointly issued by multiple global agencies, including the US’s CISA, NSA, FBI, Australia’s ACSC, Canada’s CCCS, New Zealand’s CERT NZ and NCSC-NZ. The full advisory is accessible on CISA’s website.

George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. He also previously worked for the NHS. George is on Twitter at @geoallison

1 Comment

BAE has been given an £89m five-year R&D contract to develop and provide a military WAN called Trinity from Dec 2025 to replace inter-tactical node links provided by the Falcon tactical communications network, which is retiring in 2026. Mirrors the US JASDC2, though rather than one integrated system in the US each service branch is separately procuring how they will talk to the one inter-service network.