BitSight’s View into the NSA’s Top Vulnerabilities

Paulo Pacheco | October 23, 2020 | tag: Cybersecurity

In a highly unusual move, the National Security Agency released research on October 20, 2020, highlighting 25 common vulnerabilities that are being actively exploited by Chinese state-sponsored actors.  The NSA issued the alert in order to help companies prioritize vulnerability management.  Most of the NSA vulnerabilities can be exploited to gain initial access to networks that are directly accessible from the Internet.

Security and risk leaders should act immediately to determine whether their organizations -- and the organizations that comprise their supply chain -- are vulnerable.  It is critical to examine the supply chain -- half of BitSight’s “40 Most Subscribed Entities” have been vulnerable to a NSA-identified Remote Access vulnerability this year. 

Summary of Findings 


Leveraging our global telemetry, BitSight is helping organizations gain visibility into some of the most risky vulnerabilities identified by the NSA.  We analyzed the security performance records of more than 200,000 global entities across 22 sectors to identify trends across a number of high risk vulnerabilities highlighted in the NSA alert:

  • Remote Access vulnerabilities are prevalent across many sectors. Many sectors have a high presence of Remote Access vulnerabilities -- including BlueKeep (CVE-2019-0708), Citrix (CVE-2019-19781), PulseSecure (CVE-2019-11510), and F5 BigIP (CVE-2020-5902). 
  • Specific sectors are potentially at risk to Active Directory vulnerability.  Organizations in the Education, Utilities, Government, and Technology sectors are potentially vulnerable to the Active Directory vulnerability -- Zerologon (CVE-2020-1472). A recent BitSight assessment found at least 17,000 systems potentially vulnerable.
  • Company size matters. The analysis reveals some interesting findings when it comes to the performance of companies measured by employee size. Organizations with greater than 100,000 employees generally demonstrate weaker performance managing Remote Access vulnerabilities compared to all other organizations. This finding highlights the challenges that organizations with large attack surfaces face in managing risks.  
  • Performance varies by country. Country rates of vulnerability vary across the four major Remote Access vulnerabilities -- while China has a higher rate of BlueKeep (CVE-2019-0708), the United States has a higher rate of F5 BigIP (CVE-2020-5902) and Citrix (CVE-2019-19781). Japan outpaces all when it comes to PulseSecure (CVE-2019-11510). Vulnerability presence within countries is more likely the cause of technology adoption rather than policy initiatives.

BitSight’s Visibility into NSA Vulnerabilities by Sector


When it comes to managing Remote Access vulnerabilities -- including BlueKeep (CVE-2019-0708), Citrix (CVE-2019-19781), Pulse Secure (CVE-2020-11530), and F5 BigIP (CVE-2020-5902) -- no sector is a particularly strong performer. These vulnerabilities are common across a broad range of sectors.  

Table 1: BitSight View into Four Major Remote Access Vulnerabilities, By Sector



BitSight is able to identify systems that are potentially vulnerable to the Active Directory vulnerability known as Zerologon (CVE-2020-1472). In October 2020, we were able to identify at least 17,000 systems around the world that are potentially vulnerable to an attack leveraging this vulnerability.  In general systems like this should not be exposed outside of the firewall.

Table 2: BitSight View into Zerologon Vulnerability, By Sector

ZerologonWe did not try to directly connect to the Netlogon port on all of these systems, but manual testing on a small subset shows that the Netlogon port is unfiltered in the vast majority of cases. 


Check back Monday for our in depth analysis of the Zerologon vulnerability


Some of the vulnerabilities identified by the NSA that exploit internal servers or network devices -- including DrayTek (CVE-2020-8515), Zoho (CVE-2020-10189), and Telerik (CVE-2019-18935) -- appear less prevalent around the world:

Table 3: BitSight View into Additional NSA Vulnerabilities, By Sector


BitSight’s Visibility into NSA Vulnerabilities by Size of Company

BitSight observes weaker performance in managing vulnerabilities identified by NSA by organizations with massive numbers of employees (>100,000). These massive companies have larger networks and a larger attack footprint, making vulnerabilities more likely to be exposed.

Table 4: BitSight View into Four Major Remote Access Vulnerabilities, By Size



BitSight’s Visibility into NSA Vulnerabilities by Country

An examination of country rates of vulnerability finds different levels of performance across the four major Remote Access vulnerabilities. While China has a higher rate of BlueKeep (CVE-2019-0708), the United States has a higher rate of F5 BigIP (CVE-2020-5902) and Citrix (CVE-2019-19781). Japan outpaces all when it comes to PulseSecure (CVE-2019-11510).  

The number of vulnerable systems within these countries is likely dependent on the adoption of certain technologies rather than policy initiatives. For example, the United States is more vulnerable to F5 and Citrix because these technologies are used more frequently in the U.S. than in other countries.

Table 5: BitSight View into Four Major Remote Access Vulnerabilities, By Country


Next Steps for Security and Risk Professionals


The NSA alert should raise alarms inside organizations around the world and help them prioritize remediation for these critical vulnerabilities. Organizations must act now to gain visibility into these vulnerabilities within their own organization, as well as their supply chain partners. By identifying and mitigating these critical risks across their ecosystem, they can reduce the risk of becoming the next victim of a state-sponsored cyber attack. 

To learn how BitSight can help you manage these and other risks to your organization and your third party ecosystem, contact us for a demo and receive your complimentary vendor portfolio risk report to see where your vendor cyber risks are and how it could affect your cyber risk rating

cyber risk management


Suggested Posts

4 Tips for Reducing Your Company’s Cyber Exposure

If your organization is like many others, its cyber exposure continues to grow over time. During the pandemic, as attackers sought to exploit unprecedented changes in work environments, 35% of cyberattacks used previously unseen malware...


5 Essential Elements of a Municipal Cyber Security Plan

Cyberattacks on state and local governments are on the rise. In 2020, more than 100 government agencies, including municipalities, were targeted with ransomware – an increasingly popular attack vector

These incidents are costly and...


Do You Have What it Takes to Achieve Digital Resilience?

The term “digital resilience” has gained momentum over the past few years as cybersecurity threats have grown, but what does it really mean? And how can a company become digitally resilient?


Get the Weekly Cybersecurity Newsletter.