The 2021 vulnerability threat landscape was defined by high-profile incidents involving integral vendor software that led to widespread data breaches and malware attacks. With timing reminiscent of the SolarWinds Orion SUNBURST backdoor disclosure in December 2020, the most serious vulnerability of 2021, commonly known as “Log4Shell” and tracked as CVE- 2021-44228, was first publicly disclosed on December 9, 2021. Other major vulnerabilities throughout the year were identified affecting Microsoft Exchange and Windows Print Spoolers, VMware vCenter, legacy Accellion FTA, and the IT management company Kaseya’s Virtual System Administrator. Each of these critical vulnerabilities were exploited by criminal and state- sponsored threat actors in compromises including data breaches and ransomware attacks that had far-reaching consequences for vendors in all industry tiers.

The severity of many of the disclosed and exploited vulnerabilities in 2021, particularly the Log4Shell vulnerabilities and the numerous vulnerabilities associated with Microsoft technologies, should not distract from the number and diversity of affected products throughout 2021. High-risk vulnerabilities and actively exploited vulnerabilities disclosed in 2021 affected products belonging to a more diverse array of parent companies than prior years. Outside of the top 10, which mainly affected Microsoft products, serious actively exploited vulnerabilities were also identified affecting products from Linux, Google, Pulse Connect Secure, and Apple, among others.