Top CVEs Trending with Cybercriminals

An analysis of criminal forums reveals which publicly known vulnerabilities attackers are most interested in.

Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.

An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.

“Our findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,” the report said. “However, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.”

The researchers found ZeroLogon, SMBGhost and BlueKeep were among the most buzzed about vulnerabilities among attackers between Jan. 2020 and March 2021.

Six CVEs Popular with Criminals

CVE-2020-1472 (aka ZeroLogon)

CVE-2020-0796 (aka SMBGhost)


CVE-2019-0708 (aka BlueKeep)



“Most of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,” the report said.

Notably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.

The report added that the 9-year-old CVE-2012-0158 was exploited by threat actors during the COVID-19 pandemic in 2020, which “indicates that organizations are not patching their systems and are not maintaining a resilient security posture.”

Microsoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.

ZeroLogon is a prime example. The flaw in Microsoft’s software allows threat actors to access domain controllers and breach all Active Directory identity services. Patching ZeroLogon was so slow, Microsoft announced in January it would start blocking Active Directory domain access to unpatched systems with an “enforcement mode.”

In March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 Windows systems were still vulnerable.

The analysts explained that which CVEs were talked about most varied with the forum language. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat actor circles. And Turkish forums were focused on CVE-2019-6340.

The researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren’t mentioned because there wasn’t a clear frontrunning CVE discussed.
