National Cyber Security Centre
Printable version

NCSC and allies publish advisory on the most commonly exploited vulnerabilities in 2021

A joint advisory from the NCSC and international partners details the 15 most commonly exploited vulnerabilities in 2021.

  • UK and international allies share details of the top 15 vulnerabilities routinely exploited by malicious actors in 2021
  • Advisory highlights aggressive targeting of newly disclosed critical software vulnerabilities against a broad set of targets
  • NCSC CEO Lindy Cameron says that the advice “places the power in the hands of network defenders to fix the most common cyber weaknesses”

The UK and international partners have published an advisory for public and private sector organisations on the 15 most commonly exploited vulnerabilities in 2021.

The National Cyber Security Centre (NCSC), a part of GCHQ, has jointly published an advisory with agencies in the US, Australia, Canada and New Zealand, showing that malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities across the public and private sector worldwide.

Threat actors often geared their efforts towards targeting internet-facing systems, such as email and virtual private network (VPN) servers.

It also indicates that, to a lesser extent, actors continue to exploit publicly known – and often dated – vulnerabilities, some of which were routinely exploited in 2020 or earlier.

The advisory directs organisations to follow specific mitigation advice to protect against exploitation, which includes applying timely patches, using a centralised patch management system and replacing any software no longer supported by the vendor.

Lindy Cameron, NCSC CEO, said:

The NCSC and our allies are committed to raising awareness of vulnerabilities and presenting actionable solutions to mitigate them.

This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses in the public and private sector ecosystem.

Working with our international partners, we will continue to raise awareness of the threats posed by those who seek to harm us.

Additional guidance for organisations on how to protect themselves in cyberspace can be found on the NCSC website. Our 10 Steps to Cyber Security collection provides a summary of advice for security and technical professionals.

To mitigate vulnerabilities, organisations should review NCSC guidance on an effective vulnerability management process. The NCSC Early Warning Service also provides vulnerability and open port alerts for subscribed organisations.

The advisory is available to read in full on the Cybersecurity and Infrastructure Security Agency's (CISA) website.

Read the advisory

Quotes from our international partners

Rob Joyce, NSA Cybersecurity Director

"This report should be a reminder to organisations that bad actors don't need to develop sophisticated tools when they can just exploit publicly known vulnerabilities.

"Getting a handle on patch management will go a long way in forcing adversaries to spend a lot more resources to even try and get in to targeted networks."

Jen Easterly, CISA Director

“CISA and our interagency and international partners are releasing this advisory to highlight the risk that commonly exploited vulnerabilities pose to both public and private sector networks.

“We know that malicious cyber actors target these critical software vulnerabilities across many public and private organisations worldwide. CISA and our partners urge all organisations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities outlined in this advisory.”

Abigail Bradshaw, Head of the Australian Cyber Security Centre

“Malicious cyber actors continue to exploit known and dated software vulnerabilities to attack private and public networks globally.

“The ACSC is committed to providing cyber security advice and sharing threat information with our partners, to ensure a safer online environment for everyone. Organisations can implement the effective mitigations highlighted in this advisory to protect themselves.”

Sami Khoury, Head of the Canadian Centre for Cyber Security

“Cyber security best practices, including patch management, are essential tools for organisations to better protect themselves against malicious threat actors.

“We encourage all organisations to take action and follow the appropriate mitigations in this report against known and routinely exploited vulnerabilities, and make themselves more secure.”

Lisa Fong, Director of the New Zealand National Cyber Security Centre

“We are seeing an increase in the speed and scale of malicious actors taking advantage of newly disclosed vulnerabilities.

“The NCSC works with international partners to provide timely access to critical cyber threat information.

This joint advisory underscores the importance of addressing vulnerabilities as they are disclosed and better equips New Zealand organisations to secure their information and systems.”

Channel website:

Original article link:

Share this article

Latest News from
National Cyber Security Centre