List of 10 Best Most Exploited Vulnerabilities 2016 to 2026

Marcus Rodriguez
January 19, 2026

A collaborative effort from the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Cybersecurity & Infrastructure Security Agency (CISA) has resulted in the publication of a critical list. This document identifies the most exploited vulnerabilities spanning the decade from 2016 to 2026.

To counter the most obvious forms of attack, security experts have strongly recommended that all companies in both the public and private sectors install all essential patches and updates immediately.

Widespread installation of patches and updates will directly affect the cyber arsenal of foreign hackers targeting American companies.

It will force the hackers to develop new exploits, and to develop new exploits they have to invest resources. U.S. government officials gave this statement to justify and support the recommendation above.

The joint CISA and FBI security alert includes the following remarks, which must be considered:

Microsoft’s Object Linking and Embedding (OLE), a technology that allows Office documents to embed content from other apps, is the technology attackers target most frequently.

CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 are the most exploited security flaws used by government-backed hacker groups.

The second most attacked technology is Apache Struts.

CVE-2019-19781 and CVE-2019-11510 are the two most frequently exploited vulnerabilities this year, 2026.

Many organizations have recently shifted to work-from-home setups due to the COVID-19 pandemic, and this shift has resulted in misconfigured Microsoft Office 365 deployments.

Here is the list of the vulnerabilities that were exploited most between 2016 and 2026:

  1. CVE-2017-11882
  2. CVE-2017-0199
  3. CVE-2017-5638
  4. CVE-2012-0158
  5. CVE-2019-0604
  6. CVE-2017-0143
  7. CVE-2018-4878
  8. CVE-2017-8759
  9. CVE-2015-1641
  10. CVE-2018-7600

Most Exploited Vulnerabilities & Mitigations

CVE-2017-11882

  • Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
  • Associated Malware: Loki, FormBook, Pony/FAREIT
  • Fix: Microsoft fixed it in November 2017.
  • Mitigation: Update all Microsoft products with the latest security patches.
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133e

CVE-2017-0199

  • Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
  • Associated Malware: FINSPY, LATENTBOT, Dridex
  • Fix: Microsoft fixed it in April 2017.
  • Mitigation: Update all Microsoft products with the latest security patches.
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133g, https://www.us-cert.gov/ncas/analysis-reports/ar20-133h, https://www.us-cert.gov/ncas/analysis-reports/ar20-133p

CVE-2017-5638

  • Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  • Associated Malware: JexBoss
  • Fix: Oracle fixed it in September 2017.
  • Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1.
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/AR18-312A

CVE-2012-0158

  • Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2, and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
  • Associated Malware: Dridex
  • Fix: Microsoft fixed it in April 2012.
  • Mitigation: Update all Microsoft products with the latest security patches.
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o

CVE-2019-0604

  • Vulnerable Products: Microsoft SharePoint
  • Associated Malware: China Chopper
  • Fix: Microsoft fixed it in February 2019.
  • Mitigation: Update all Microsoft products with the latest security patches.
  • Details: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

CVE-2017-0143

  • Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Fix: Microsoft fixed it in March 2017.
  • Mitigation: Update all Microsoft products with the latest security patches.
  • Details: https://nvd.nist.gov/vuln/detail/CVE-2017-0143

CVE-2018-4878

  • Vulnerable Products: Adobe Flash Player before 28.0.0.161
  • Associated Malware: DOGCALL
  • Fix: Adobe fixed it in February 2018.
  • Mitigation: Update the Adobe Flash Player installation to the latest version with the latest security patches.
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133d

CVE-2017-8759

  • Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
  • Associated Malware: FINSPY, FinFisher, WingBird
  • Fix: Microsoft fixed it in September 2017.
  • Mitigation: Update all Microsoft products with the latest security patches.
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133f

CVE-2015-1641

  • Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  • Associated Malware: Toshliph, UWarrior
  • Fix: Microsoft fixed it in April 2015.
  • Mitigation: Update all Microsoft products with the latest security patches.
  • IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133m

CVE-2018-7600

  • Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
  • Associated Malware: Kitty
  • Fix: The Drupal Community fixed it in March 2018.
  • Mitigation: Upgrade to the most recent version of Drupal 7 or Drupal 8.
  • Details: https://nvd.nist.gov/vuln/detail/CVE-2018-7600
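
Three of the entries above state exact version boundaries (Apache Struts, Adobe Flash Player, Drupal), which makes them straightforward to check against a software inventory. The following is an added example, not part of the original article or the CISA alert; the product labels, function names and sample inventory are assumptions made for illustration, and only the version ranges come from this page.

```python
import re

# Vulnerable version ranges as stated on this page, keyed by a product label
# (the labels are this example's own). Each rule is (branch prefix, first
# fixed version); rules are ordered most specific branch first.
PAGE_RANGES = {
    "struts": ("CVE-2017-5638", [((2, 3), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]),
    "flash": ("CVE-2018-4878", [((), (28, 0, 0, 161))]),
    "drupal": ("CVE-2018-7600", [((8, 5), (8, 5, 1)), ((8, 4), (8, 4, 6)),
                                 ((8,), (8, 3, 9)), ((), (7, 58))]),
}

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple; suffixes such as -rc1 are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))

def is_vulnerable(product, version):
    """True/False per the page's ranges; None if the page lists no range for this branch."""
    _, rules = PAGE_RANGES[product]
    v = parse_version(version)
    for prefix, fixed in rules:
        if v[:len(prefix)] == prefix:
            # Pad to equal length so 2.5.10 compares as 2.5.10.0 against 2.5.10.1.
            width = max(len(v), len(fixed))
            pad = lambda t: t + (0,) * (width - len(t))
            return pad(v) < pad(fixed)
    return None

def audit(inventory):
    """Return (host, product, version, cve) for every entry inside a listed range."""
    return [(host, prod, ver, PAGE_RANGES[prod][0])
            for host, prod, ver in inventory
            if prod in PAGE_RANGES and is_vulnerable(prod, ver)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("web01", "struts", "2.3.31"),
    ("web02", "struts", "2.5.10.1"),
    ("cms01", "drupal", "8.4.5"),
    ("cms02", "drupal", "8.6.0"),
    ("cms03", "drupal", "7.57"),
    ("kiosk", "flash", "28.0.0.137"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A result of None means the installed branch falls outside the ranges this page lists and should be checked against the vendor advisory rather than treated as safe.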

All the vulnerabilities mentioned above, shared by DHS CISA and the FBI, are used by both government-backed hackers and regular cybercriminals.
