CSW Discovers its 50th Zero Day!

20 Percent of CVEs Listed in CISA’s Latest Directive have Ransomware Associations

Posted on Nov 15, 2021 | By Surojoy Gupta

On November 03, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a list of 291 vulnerabilities in a directive aimed at organizations from all sectors. The CISA list puts special emphasis on patching known and exploited vulnerabilities associated with software and hardware commonly found on the US federal information systems, and those used by third-party agencies.

On November 15, 2021, CISA published a list of vulnerabilities as part of the Industrial Control Systems Advisory (ICSA) that are found in data distribution and implementation service software. 

Our security analysts took a deeper look at the list and discovered that several of the vulnerabilities have been exploited by or are associated with multiple ransomware groups. 


CSW Ransomware Spotlight Reports 2021 Call Out 53 of the 54 vulnerabilities

CSW experts have mentioned 53 of the 54 vulnerabilities that have ransomware associations in the Ransomware Spotlight Report 2021 and its subsequent index updates, Q1 to Q3

CSW Called out 53 of 54 ransomware CVEs in the Spotlight Reports

We have also identified a total of 92 unique ransomware families that are associated with the 53 vulnerabilities called out by CISA in their directive. Our researchers have also noted that out of a total of 85 Advanced Persistent Threat (APT) groups affecting the 291 vulnerabilities, 35 are using the ransomware CVEs enumerated in the report. 

CVEs with Most Ransomware Associations


The top 5 CVEs with the highest number of ransomware family associations include:


  • CVE-2018-4878 is an arbitrary code execution vulnerability discovered in the Adobe Flash Player v28.0.0.161.

  • The vulnerability occurs due to a dangling pointer in the Primetime SDK that handles listener objects in the media player.                                       

  • The critical severity CVE is categorized under the CWE 416 (use-after-free) weakness enumeration and carries a CVSS v3 score of 9.8. 

  • CWE 416 is one of the Top 10 Most Dangerous Software Weaknesses listed by MITRE.

  • It has associations with the highest number of ransomware families that include infamous groups like Locky, BitPaymer, Stop, GandCrab, Nemty, and others.



  • CVE-2019-19781 is a remote code execution vulnerability that allows directory traversal in Citrix Application Delivery Controller (ADC) and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0.

  • Categorized under CWE 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), this critical vulnerability has a CVSS v3 score of 9.8.

  • CWE 22 is one of the Top 10 Most Dangerous Software Weaknesses listed by MITRE.

  • This vulnerability has been associated with 11 ransomware families that include DoppelPaymer, Maze, Pay2Key, Ragnarok, and Sodinokibi.



  • CVE-2017-0143 is a remote code execution vulnerability that exists in the Microsoft Server Message Block v1.0 and affects all Windows Server versions from Windows Vista SP2 to Windows 10 Gold. 

  • It is classified under the weakness enumeration CWE 20 (Improper Input Validation), and has a severity rating of 8.1 on the CVSS v3 score. 

  • CWE 20 is one of the Top 10 Most Dangerous Software Weaknesses listed by MITRE.

  • CVE-2017-0143 is associated with ten ransomware families that include Conti, Petya, Ryuk, WannaCry, and several others.


  • CVE-2017-11882 is a remote code execution vulnerability that exists in Microsoft Office 2007 to 2016.

  • The vulnerability allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.

  • Classified under the weakness enumeration, CWE 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), this high severity CVE has a CVSS v3 score of 7.8.

  • CWE 119 is one of the Top 20 Most Dangerous Software Weaknesses listed by MITRE.

  • Ransomware groups like Locky, Lokibot, and OnyxLocker amongst others are associated with this vulnerability.



  • CVE-2020-1472 is a privilege escalation vulnerability that exists in Microsoft’s  Netlogon Remote Protocol (MS-NRPC).

  • When an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC) vulnerability, the attacker gains elevation of privilege.

  • The critical vulnerability is classified under the weakness enumeration, CWE 330 (Use of Insufficiently Random Values), and has a CVSS v3 score of 10.0. 

  • The vulnerability has been found to be exploited by seven ransomware groups. They include major groups like Conti, Darkside, Ryuk, and Babuk to name a few.


Top Vendors Affected by Ransomware

Our research on the vendors most affected by ransomware puts VMWare at the top of the list with 224 affected products, and Pulse Secure in the second position with 135 products. 

Here is a detailed insight into the Top Vendors Affected by Ransomware.

Vendor Total CVEs Associated
with the vendors
Most Critical CVE Ransomware
Number of Unique Products
Affected by the CVE
Internet-facing Instances
(Critical CVE)









CVE-2020-3992 2 224 97,256
Pulse Secure








CVE-2019-11539 1 135 39,978



CVE-2020-5902 2 84 68





























Here is a detailed look into the most critical CVEs associated with each vendor:


  • CVE-2020-3992 is a use-after-free vulnerability in the OpenSLP that VMware uses in its ESXi Servers. It affects ESXi servers prior to v6.5, v6.7, and v7.0.

  • The vulnerability can result in a remote code execution if an attacker on an ESXi machine has access to port 427 on the management network.  

  • Classified under CWE 416 (use-after-free), this CVE has a CVSS v3 score of 9.8, making it critical in severity.

  • CWE 416 is one of the Top 10 Most Dangerous Software Weaknesses listed by MITRE.

  • The CVE is associated with Darkside and RansomEXX ransomware groups. It also has APT group associations.


  • CVE-2019-11539 is a remote code execution vulnerability contained in the admin web interface for Pulse Secure's Connect and Policy Secure platforms. 

  • The vulnerability allows an authenticated attacker to inject and execute commands. 

  • The vulnerability is classified under CWE 78 (Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) and has a CVSS v3 score of 7.2 (high).

  • The CVE has been associated with the Sodinokibi (also known as Sodin and REvil) ransomware.


  • CVE-2020-5902 is a remote code execution vulnerability in the F5 BIG IP Traffic Management User Interface.

  • Classified under the weakness enumeration CWE 22 (Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) and CWE 829 (Inclusion of Functionality from Untrusted Control Sphere), this critical vulnerability has a CVSS v3 score of 9.8.

  • The CVE has been associated with the Maze and Pay2Key ransomware families.


  • CVE-2017-9805 is a remote code execution vulnerability existing in the REST Plugin in multiple versions of Apache Struts. 

  • The vulnerability has a CVSS score of 8.1 (high) and is classified under CWE 502 (Deserialization of Untrusted Data).

  • The CVE is associated with the Cerber ransomware family.


  • CVE-2017-5638 is an arbitrary command execution vulnerability in the Jakarta Multipart Parse in Apache Struts.  

  • The vulnerability has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header.

  • The CVE is categorized under the weakness enumeration CWE 20 (Improper Input Validation). It is a critical vulnerability with a CVSS v3 score of 10.0.

  • The CVE was exploited in the wild in March 2017 and is also associated with multiple ransomware families that include Cerber and Satan. 


Top Products Affected by Ransomware

Our analysts noted that VMware’s ESXi Servers were the worst hit by ransomware and account for more than 40 percent of the total affected products. 

Pulse Secure’s Connect Secure and Policy Secure products account for almost 25 percent of the total. 

Apache Struts is affected by three separate vulnerabilities (CVE-2017-9805, CVE-2017-5638, and CVE-2018-11776) that take the tally of products to 113, about 20 percent of the total.

The remaining slice of the pie is taken up by F5’s product, Big IP. 

The Shodan exposure details paint a rather frightening picture for Apache Struts products with a hefty 20 million public-facing instances. With close to 100,000 exposed instances, VMware’s ESXi servers appear less menacing in comparison but are just as dangerous. 


Top Trending CVEs

There are a total of 18 CVEs that are trending, of which, Microsoft has a majority of products. Of these 18 vulnerabilities, our team of expert pentesters has prioritized a handful of them for further research. 

Here is an in-depth analysis of the trending CVEs selected by our researchers which have the largest impact:

Ransomware CVEs that Ought to be Patched in November

Out of the 18 most trending vulnerabilities, CISA has identified 13 that need to be patched by November 17, 2021. 


Here is a detailed look at the vulnerabilities that should be prioritized this month:

Fix these Vulnerabilities Now! Conduct Regular Ransomware Pentesting Assessments to Secure your Attack Surface. 


Of the 291 known and exploited vulnerabilities that CISA places emphasis on in their directive for organizations to patch, 13 vulnerabilities with ransomware associations require urgent patching by November 2021.  

At CSW, our expert pentesters and security researchers can help you prioritize the patching of the thirteen vulnerabilities and ensure that all organizations meet the deadlines set by the directive. 

CSW experts believe that organizations that conduct monthly or quarterly ransomware penetration assessments have a greater chance of identifying and fixing vulnerabilities that can potentially affect their systems, thereby ensuring a secure attack surface. This, in turn, helps to improve an organization’s cyber hygiene, reinforces security management teams, and boosts brand reputation.



Worried about how susceptible your organization is to a ransomware attack? 

Get a Ransomware Penetration Assessment done today! 

Click here to talk to us. 




Secure your environment from cyber-attacks!

Know How