Greetings SAFECOM Members,

The Cybersecurity and Infrastructure Security Agency, National Security Agency, and the Federal Bureau of Investigation, together with the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom released a joint advisory assessing the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

In 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public safety agencies, public, and private sector organizations worldwide.  Some of the known vendors and products as well as the type of attack included:

Apache Log4j – Remote code execution (RCE)

Microsoft Exchange Server – RCE; Elevation of Privilege; Security feature bypass

VMware vSphere Client – RCE

Accellion File Transfer Appliance – Operating system command execution; Server-side request forgery; Structured Query Language injection

For a full list of these vulnerabilities and attacks, please see the advisory.  We strongly encourage you to apply the recommended mitigations, and sign up for U.S. Computer Emergency Readiness Team (US-CERT) alerts at cisa.gov/uscert to receive timely, important updates.  Visit cisa.gov/publication/communications-resiliency for additional cyber and communications resiliency resources.

Thank you for your continued support.

Major George Perera
Miami-Dade Police Department
Chair, SAFECOM Cybersecurity Working Group