The Most Frequent Actively Exploited Vulnerabilities in 2020

The Most Frequent Actively Exploited Vulnerabilities in 2020

Every week, security researchers discover and publish many new actively exploited vulnerabilities. In 2020, they disclosed over 18 000 vulnerabilities. However, adversaries exploit only a small subset of these vulnerabilities. Even though the vulnerability is critical does not necessarily imply that the attackers are actively exploiting it in the wild.

It is important to keep track of currently exploited vulnerabilities and prioritize them while patching. This is the reason why we prepared this short overview of the most often exploited vulnerabilities based on findings of RecordedFuture.

Current trends

Below this paragraph, you can see the list of top 10 exploited vulnerabilities in 2020 assembled by RecordedFuture. An interesting column in this top 10 list is the „Associated malware“ column which contains names of malware using a particular vulnerability. Note, that this associated malware is very often ransomware.

Table 1 - The 10 most exploited vulnerabilities in 2020

Here are some observations based on similar reports from last years.

Microsoft is still the most popular target – the attackers were targeting it in most of the top 10 exploited vulnerabilities.

Internet Explorer was targeted only once in 2020‘s top 10 list. This number rapidly decreased in comparison with the report from 2019 – there were 4 exploited vulnerabilities of Internet Explorer in the top 10 list back then.

No Adobe products are targeted in 2020’s top 10. This may be caused by the fact that Adobe expired by the end of 2020.

Many of top 10 exploited vulnerabilities targeted applications for easing home-office work. Some examples of those are Citrix, Pulse Connect, or WebLogic.


Target: Citrix

CVE-2019-19781 is a Remote Code Execution vulnerability. The vulnerability can be exploited if a vulnerable Perl script exists on the system and two crafted http requests are made.

Citrix released not only the patch for its vulnerable Application Delivery Controller and Gateway, but they also paired up with FireEye and created Indicator of Compromise Scanner that detects if this vulnerability has been exploited on the scanned system.

CVE-2020-1472 (ZeroLogon)

Target: Netlogon

ZeroLogon is a privilege escalation vulnerability that misuses weak cryptographic algorithms during Netlogon authentication and thus impacts the security of Active Directory.

Although it has been discovered only in August 2020, it rapidly gained popularity. Six distinct proof of concepts have been observed for this vulnerability.


Target: Pulse Connect Secure

CVE-2019-11510 is an arbitrary file disclosure vulnerability in a VPN Solution from Pulse Secure. The exploitation of the vulnerability is rather simple and can result in ransomware deployment. If users try to access resources through the vulnerable VPN, ransomware can be distributed and activated through interactive prompt of the VPN interface.


It is crucial to keep track in current exploitation trends so you can prioritize patching of vulnerabilities. It is equally important to patch older vulnerabilities and not only the new ones, as an average vulnerability gets actively exploited for approximately 7 years.

To conclude, it is always a good idea to patch Microsoft vulnerabilities first, as they are very popular among attackers. Based on observations from last year, vulnerabilities in software for remote work are also highly popular and need to be patched quickly.