{"id":2930,"date":"2021-07-19T15:13:07","date_gmt":"2021-07-19T13:13:07","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2930"},"modified":"2026-06-08T22:33:53","modified_gmt":"2026-06-08T22:33:53","slug":"trending-vulnerabilities-cybercriminals","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/trending-vulnerabilities-cybercriminals\/","title":{"rendered":"The most trending vulnerabilities among Cybercriminals"},"content":{"rendered":"\n<p style=\"text-align: justify\">Cyber-criminals exploit software and infrastructure vulnerabilities to obtain initial access, escalate privileges, or move laterally within target environments. Identifying and remediating critical vulnerabilities represents a high-priority activity that directly constrains adversary operational movement across compromised systems.<\/p>\n<p style=\"text-align: justify\">Applying security updates reduces exposure to cyber-attacks. However, threat actors frequently leverage logic flaws and misconfigurations to traverse infrastructure without relying on exploits or known vulnerabilities. 
Detection of lateral movement requires dedicated <strong>Security Monitoring<\/strong>, <strong>Malware Analysis<\/strong>, and <strong>Threat Hunting<\/strong> activities.<\/p>\n<p style=\"text-align: justify\">Based on <a href=\"https:\/\/threatpost.com\/top-cves-trending-with-cybercriminals\/167889\/\">published analysis<\/a> of underground-forum activity, the following list documents the vulnerabilities most frequently discussed and exploited by threat actors:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2020-1472\" target=\"_blank\" class=\"ek-link\">CVE-2020-1472<\/a>&nbsp;&#8211; Zerologon, Netlogon (MS-NRPC) elevation of privilege against domain controllers, enabling domain takeover and lateral movement<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2020-0796\" target=\"_blank\" class=\"ek-link\">CVE-2020-0796<\/a>&nbsp;&#8211; SMBGhost, pre-authentication remote code execution in SMBv3 compression, enabling lateral movement and perimeter compromise<\/li><li><a class=\"ek-link ek-link\" rel=\"noreferrer noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-19781\" target=\"_blank\">CVE-2019-19781<\/a> &#8211; Citrix ADC and Gateway directory traversal leading to remote code execution<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2019-0708\" target=\"_blank\" class=\"ek-link\">CVE-2019-0708<\/a>&nbsp;&#8211; BlueKeep, pre-authentication remote code execution in Remote Desktop Services<\/li><li><a class=\"ek-link ek-link\" rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2017-11882\" target=\"_blank\">CVE-2017-11882<\/a> &#8211; Microsoft Office Equation Editor memory corruption, delivered through email attachments<\/li><li><a class=\"ek-link ek-link\" rel=\"noreferrer noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2017-0199\" target=\"_blank\">CVE-2017-0199<\/a> &#8211; Microsoft Office and WordPad OLE object handling, delivered through email attachments<\/li><\/ul>\n\n\n\n<p style=\"text-align: justify\">Many of these <strong>CVEs<\/strong> are dated; patches addressing them have been available 
for extended periods. The same analysis indicates that the most discussed CVEs vary with the language used in underground forums: Russian-language forums prioritize CVE-2019-19781; Chinese-language forums focus on CVE-2020-0796; English-language forums discuss CVE-2019-19781 and CVE-2020-0688; Turkish-language forums emphasize CVE-2019-6340.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVE-2020-1472<\/h3>\n\n\n\n<p style=\"text-align: justify\">This elevation-of-privilege vulnerability, commonly known as <strong>Zerologon<\/strong>, affects the <strong>Netlogon<\/strong> Remote Protocol (MS-NRPC) that Windows <strong>domain controllers<\/strong> expose to domain members. The Netlogon secure channel authenticates with AES-CFB8 using a fixed all-zero initialization vector, so an unauthenticated attacker who can reach MS-NRPC on a domain controller can, after roughly 256 attempts on average, establish a channel as any machine account, reset the domain controller's own computer-account password, and from there obtain domain administrator privileges and run code on any domain-joined system. No credentials are required; network access to the domain controller is the only precondition.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVE-2020-0796<\/h3>\n\n\n\n<p style=\"text-align: justify\">This remote code execution vulnerability, known as <strong>SMBGhost<\/strong>, stems from improper handling of compressed requests by the <strong>SMBv3<\/strong> (Microsoft Server Message Block 3.1.1) protocol: an integer overflow in the handling of the compression transform header leads to memory corruption in the kernel-mode SMB driver. An attacker successfully exploiting this vulnerability can execute code on target servers or clients.<\/p>\n\n\n\n<p style=\"text-align: justify\">To exploit this vulnerability against a server, an unauthenticated attacker sends a specially crafted compressed packet to a target <strong>SMBv3<\/strong> server; to exploit it against a client, the attacker hosts a malicious SMBv3 server and entices the client to connect to it.<\/p>\n\n\n\n<p style=\"text-align: justify\">The security update resolves the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests. Where the update cannot be applied immediately, disabling SMBv3 compression on the server (the DisableCompression registry value documented in Microsoft's advisory) blocks the unauthenticated server-side attack, but it does not protect clients that connect to a malicious server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVE-2019-19781<\/h3>\n\n\n\n<p style=\"text-align: justify\">This issue affects <strong>Citrix Application Delivery Controller<\/strong> (ADC) and <strong>Citrix Gateway<\/strong> versions 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability permits an unauthenticated remote attacker to reach back-end Perl scripts that are meant to be available only after login (the \/vpn\/..\/vpns\/ directory traversal) and to use one of them to write an attacker-controlled file to an arbitrary path on disk. 
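<\/p>\n\n<p style=\"text-align: justify\">The trace a Zerologon attack leaves in a domain controller's logs, as an added example that is not part of the original post: a Python rule over exported Windows events from the CVE-2020-1472 section above that raises the high-confidence signal (event 4742, a machine account's password reset with ANONYMOUS LOGON as the subject) and reports the Netlogon events 5827\/5828\/5829 that Microsoft introduced with the August 2020 update. The event IDs are real; the exported log lines, their field names and the IP addresses are constructed for this example.<\/p>

```python
"""Flag Windows events consistent with CVE-2020-1472 (Zerologon) abuse.

Added example (not from the original post). Event IDs follow the Windows
Security and System logs; the field names mirror the XML event data a SIEM
exports. All log lines below are constructed for this example.
"""
import json

# Netlogon events added by the August 2020 update: 5827/5828 = vulnerable
# secure-channel connection denied (machine / trust account), 5829 = allowed
# during the initial deployment phase, 5830/5831 = allowed by group policy.
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}

# Constructed sample export: one JSON object per line (not a real incident).
SAMPLE_LOG = """
{"channel":"Security","event_id":4624,"computer":"DC01","LogonType":3,"TargetUserName":"ANONYMOUS LOGON","IpAddress":"10.10.20.55"}
{"channel":"Security","event_id":4742,"computer":"DC01","SubjectUserName":"ANONYMOUS LOGON","TargetUserName":"DC01$","PasswordLastSet":"9/14/2020 10:02:11 AM"}
{"channel":"System","event_id":5829,"computer":"DC01","SamAccountName":"WS07$","IpAddress":"10.10.20.55"}
{"channel":"System","event_id":5827,"computer":"DC01","SamAccountName":"WS08$","IpAddress":"10.10.20.56"}
{"channel":"Security","event_id":4742,"computer":"DC01","SubjectUserName":"svc_sccm","TargetUserName":"WS09$","PasswordLastSet":"9/14/2020 10:05:00 AM"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_zerologon(events):
    """Return alerts (dicts) for events that point at Zerologon activity.

    High confidence: a 4742 computer-account change whose subject is
    ANONYMOUS LOGON and whose target is a machine account with
    "Password Last Set" updated. That is the trace left when the exploit
    calls NetrServerPasswordSet2 to reset the DC's own account password.
    The preceding 4624 (logon type 3, ANONYMOUS LOGON) supplies the source IP.
    """
    alerts = []
    last_anonymous_ip = {}   # computer -> IP of the latest anonymous network logon
    for ev in events:
        eid = ev.get("event_id")
        host = ev.get("computer")
        if eid == 4624 and ev.get("LogonType") == 3 \
                and ev.get("TargetUserName") == "ANONYMOUS LOGON":
            last_anonymous_ip[host] = ev.get("IpAddress")
        elif eid == 4742 and ev.get("SubjectUserName") == "ANONYMOUS LOGON" \
                and ev.get("TargetUserName", "").endswith("$") \
                and ev.get("PasswordLastSet"):
            alerts.append({"severity": "high", "computer": host,
                           "account": ev["TargetUserName"],
                           "source_ip": last_anonymous_ip.get(host),
                           "reason": "machine account password reset by ANONYMOUS LOGON"})
        elif eid in NETLOGON_ALLOWED:
            alerts.append({"severity": "medium", "computer": host,
                           "account": ev.get("SamAccountName"),
                           "source_ip": ev.get("IpAddress"),
                           "reason": "vulnerable Netlogon secure channel allowed (event %d)" % eid})
        elif eid in NETLOGON_DENIED:
            alerts.append({"severity": "low", "computer": host,
                           "account": ev.get("SamAccountName"),
                           "source_ip": ev.get("IpAddress"),
                           "reason": "vulnerable Netlogon secure channel denied (event %d)" % eid})
    return alerts


if __name__ == "__main__":
    for alert in detect_zerologon(parse_events(SAMPLE_LOG)):
        print(alert)
```

<p style=\"text-align: justify\">Event 5829 only appears between the August 2020 update and the February 2021 enforcement phase; after enforcement, vulnerable connections are denied (5827\/5828) unless an account is explicitly exempted by group policy (5830\/5831), so a 5829 on a current system is itself a sign that the domain controller is behind on updates. A 4742 with ANONYMOUS LOGON as the subject against a domain controller's own account has no legitimate cause and should be handled as a domain compromise until proven otherwise.<\/p>\n\n<p style=\"text-align: justify\">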
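<\/p>\n\n<p style=\"text-align: justify\">The precondition for the attack described in the CVE-2020-0796 section above, as an added example that is not part of the original post: a Python parser for the SMB2 NEGOTIATE response that reports whether a server negotiated dialect 3.1.1 and advertised a COMPRESSION_CAPABILITIES negotiate context, which is exactly what Microsoft's compression workaround removes. The byte layout follows the published MS-SMB2 specification; the responses parsed here are built by the example's own builder, not captured from a real host.<\/p>

```python
"""Check an SMB2 NEGOTIATE response for the CVE-2020-0796 precondition.

Added example (not from the original post). CVE-2020-0796 is reachable only
when the server negotiates dialect 3.1.1 and advertises SMB compression in a
COMPRESSION_CAPABILITIES negotiate context; the interim workaround removes
that context by disabling compression. Layout follows MS-SMB2 2.2.4
(NEGOTIATE response) and 2.2.3.1 (negotiate contexts). Responses are
constructed with build_negotiate_response, not captured traffic.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION_CAPABILITIES = 0x0003
COMPRESSION_NAMES = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77",
                     0x0003: "LZ77+Huffman", 0x0004: "Pattern_V1"}


def build_negotiate_response(dialect, compression_algorithms=()):
    """Construct a minimal NEGOTIATE response: 64-byte header, 64-byte body, contexts."""
    contexts, count = b"", 0
    if dialect == DIALECT_311:
        # 3.1.1 servers always send PREAUTH_INTEGRITY (SHA-512, 32-byte salt).
        preauth = struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32
        contexts += struct.pack("<HHI", CTX_PREAUTH_INTEGRITY, len(preauth), 0) + preauth
        count += 1
        if compression_algorithms:
            contexts += b"\x00" * ((-len(contexts)) % 8)        # contexts are 8-byte aligned
            comp = struct.pack("<HHI", len(compression_algorithms), 0, 0)
            comp += struct.pack("<%dH" % len(compression_algorithms), *compression_algorithms)
            contexts += struct.pack("<HHI", CTX_COMPRESSION_CAPABILITIES, len(comp), 0) + comp
            count += 1
    # SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
    # CreditResponse, Flags (server-to-redir), NextCommand, MessageId,
    # Reserved, TreeId, SessionId, Signature.
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE,
                                      1, 0x1, 0, 0, 0, 0, 0) + b"\x00" * 16
    # Body: StructureSize 65, SecurityMode, Dialect, ContextCount, ServerGuid,
    # Capabilities, MaxTransact/Read/Write, SystemTime, ServerStartTime,
    # SecurityBufferOffset/Length, NegotiateContextOffset (from header start).
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, count, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0,
                       128, 0, 128 if contexts else 0)
    return header + body + contexts


def parse_negotiate_response(msg):
    """Return (dialect, {context_type: data}); msg excludes the 4-byte NetBIOS length."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", msg, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    contexts = {}
    if dialect == DIALECT_311:                    # contexts exist only for 3.1.1
        off = struct.unpack_from("<I", msg, 124)[0]
        for _ in range(ctx_count):
            ctx_type, data_len = struct.unpack_from("<HH", msg, off)
            contexts[ctx_type] = msg[off + 8: off + 8 + data_len]
            off += 8 + data_len
            off += (-off) % 8                     # next context is 8-byte aligned
    return dialect, contexts


def compression_algorithms(msg):
    """Names of the compression algorithms the server advertises (empty if none)."""
    dialect, contexts = parse_negotiate_response(msg)
    data = contexts.get(CTX_COMPRESSION_CAPABILITIES)
    if dialect != DIALECT_311 or data is None:
        return []
    count = struct.unpack_from("<H", data, 0)[0]
    return [COMPRESSION_NAMES.get(a, "0x%04x" % a)
            for a in struct.unpack_from("<%dH" % count, data, 8)]


def exposed_to_smbghost(msg):
    """True if an unpatched server giving this response is reachable by CVE-2020-0796."""
    return any(name != "NONE" for name in compression_algorithms(msg))


if __name__ == "__main__":
    for label, resp in (("3.1.1 with compression", build_negotiate_response(DIALECT_311, (0x0002, 0x0003, 0x0001))),
                        ("3.1.1, compression disabled", build_negotiate_response(DIALECT_311)),
                        ("3.0.2", build_negotiate_response(0x0302))):
        print(label, compression_algorithms(resp), exposed_to_smbghost(resp))
```

<p style=\"text-align: justify\">The check identifies exposure, not patch state: a server that has the March 2020 update installed still advertises compression, so a positive result means \"confirm the update is present\", not \"vulnerable\". To obtain a live response, send a NEGOTIATE request offering dialect 0x0311 with a compression context over TCP 445 and strip the 4-byte NetBIOS session header before calling parse_negotiate_response.<\/p>\n\n<p style=\"text-align: justify\">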
When combined with the <strong>Perl Template Toolkit<\/strong>, which the portal uses to render its templates, this vulnerability enables remote code execution on the affected system: the attacker writes a template containing Perl code and then requests it, so the code runs with the privileges of the web server process. Citrix initially published a responder-policy mitigation that rejects the traversal requests and later released fixed firmware.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVE-2019-0708<\/h3>\n\n\n\n<p style=\"text-align: justify\">This vulnerability, known as <strong>BlueKeep<\/strong>, resides in <strong>Remote Desktop<\/strong> Services and permits code execution through specially crafted connection requests sent before authentication. The vulnerability requires no user interaction and is wormable: an attacker successfully exploiting it can execute arbitrary code on the target without credentials and use that foothold to reach further hosts. Windows 7, Windows Server 2008 R2 and older systems are affected; Windows 8 and later are not.<\/p>\n\n\n\n<p style=\"text-align: justify\">The update resolves the vulnerability by correcting how Remote Desktop Services handles connection requests. Enabling Network Level Authentication (NLA) forces an attacker to hold valid credentials before the vulnerable code is reached, which is a partial mitigation for systems that cannot be patched immediately.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVE-2017-11882<\/h3>\n\n\n\n<p style=\"text-align: justify\">A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory; concretely, it is a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE), a separate process launched when a document embeds an equation object and built without modern exploit mitigations such as ASLR. An attacker successfully exploiting this vulnerability can execute arbitrary code in the context of the current user. Users whose accounts operate with reduced privileges face lower risk than those with administrative rights.<\/p>\n\n\n\n<p style=\"text-align: justify\">Exploitation requires a user to open a specially crafted file with a vulnerable version of <strong>Microsoft Office<\/strong> or <strong>Microsoft WordPad<\/strong>. Because the exploit is reliable and needs no macros, it became a staple of malicious document builders; Microsoft later removed the Equation Editor component altogether.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVE-2017-0199<\/h3>\n\n\n\n<p style=\"text-align: justify\">A remote code execution vulnerability exists in how Microsoft Office and WordPad handle embedded OLE objects in specially crafted files: a document carrying an OLE link to a remote HTA (HTML Application) file causes Office to fetch the file and hand it to the HTA host (mshta.exe), which executes the script it contains. An attacker successfully exploiting this vulnerability can assume control of an affected system and could then install programs, view, modify, or delete data, or create new accounts with full user rights.<\/p>\n<p style=\"text-align: justify\">Exploitation requires a user to open or preview a specially crafted file with a vulnerable version of Microsoft Office or WordPad. 
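<\/p>\n\n<p style=\"text-align: justify\">How the CVE-2019-19781 attack described above shows up in an appliance's HTTP access log, as an added example that is not part of the original post: a Python detector that URL-decodes and normalizes each request path, keeps only requests that reach \/vpns\/ by traversing out of \/vpn\/, and labels the three stages public exploits chain (read \/vpns\/cfg\/smb.conf as a probe, POST to newbm.pl to write a template, request the template under \/vpns\/portal\/ to execute it). The paths are the publicly documented indicators; the log lines, addresses and file name are constructed for this example.<\/p>

```python
"""Find CVE-2019-19781 traversal attempts in Citrix ADC/Gateway HTTP access logs.

Added example (not from the original post). The indicator is a request whose
path reaches /vpns/ (Perl scripts meant for authenticated users) by traversing
out of /vpn/. Lines are in Apache combined format, as the appliance's
httpaccess.log is; every line below is constructed, not captured.
"""
import posixpath
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample: one exploit chain, one blocked probe, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:12:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1342 "-" "python-requests/2.22.0"
203.0.113.7 - - [11/Jan/2020:03:12:10 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "python-requests/2.22.0"
203.0.113.7 - - [11/Jan/2020:03:12:11 +0000] "GET /vpn/../vpns/portal/a1b2c3.xml HTTP/1.1" 200 1980 "-" "python-requests/2.22.0"
198.51.100.4 - - [11/Jan/2020:03:15:40 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.1"
192.0.2.25 - - [11/Jan/2020:03:20:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5110 "-" "Mozilla/5.0"
192.0.2.25 - - [11/Jan/2020:03:20:05 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def normalize(target):
    """Strip the query string, undo single/double URL-encoding, collapse '..' segments."""
    decoded = unquote(unquote(target.split("?", 1)[0]))
    return decoded, posixpath.normpath(decoded)


def classify(method, target):
    """Return an exploit stage name for a traversal into /vpns/, or None."""
    decoded, path = normalize(target)
    if "/../" not in decoded + "/":
        return None                  # no traversal: /vpn/ paths are legitimate on their own
    if not path.startswith("/vpns/"):
        return None
    if path == "/vpns/cfg/smb.conf":
        return "probe"
    if path == "/vpns/portal/scripts/newbm.pl" and method == "POST":
        return "write-template"
    if path.startswith("/vpns/portal/") and path.endswith(".xml"):
        return "execute-template"
    return "traversal"


def detect_citrix_traversal(log_text):
    """Return one finding per traversal request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m["method"], m["target"])
        if stage is None:
            continue
        status = int(m["status"])
        findings.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                         "path": normalize(m["target"])[1], "status": status,
                         "stage": stage,
                         # 403 is what the responder-policy mitigation returns
                         "blocked": status == 403})
    return findings


if __name__ == "__main__":
    for f in detect_citrix_traversal(SAMPLE_LOG):
        print(f)
```

<p style=\"text-align: justify\">A complete probe, write-template, execute-template sequence from one address with 200 responses, as in the first three constructed lines, means the appliance should be treated as compromised: check \/netscaler\/portal\/templates\/ and \/var\/vpn\/bookmark\/ for files that Citrix did not ship, and review rotated copies of httpaccess.log, since scanning started before the mitigation was widely applied. The 403 line shows what the responder-policy mitigation makes of the same probe.<\/p>\n\n<p style=\"text-align: justify\">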
In email-based attack scenarios, an attacker can exploit this vulnerability by sending a specially crafted file to a user and convincing the user to open it. Continuous <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a> monitoring of exploitation patterns remains critical for detecting such campaigns in real time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVEs most actively exploited by criminal groups: targeting trends, time-to-exploit metrics and prioritisation guidance for vulnerability management programmes.<\/p>\n","protected":false},"author":1,"featured_media":1169,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[89,3174,3175,212,230,231,321,322,3176,382,3173],"class_list":["post-2930","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-cve","tag-cve-trends","tag-exploitation-trends","tag-malware","tag-mitigation","tag-mitigazione","tag-smb","tag-smbghost","tag-time-to-exploit","tag-vulnerabilita","tag-vulnerability-management"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2930"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2930\/revisions"}],"predecessor-version":[{"id":9859,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2930\/revisions\/9859"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2930"}],"wp:term":[{"taxonomy":"ca
tegory","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}