The top 15 routinely exploited flaws include the Log4j vulnerability known as Log4Shell, four Microsoft Exchange flaws tracked as ProxyLogon, and the three Exchange bugs tracked as ProxyShell.
The list also includes CVE-2021-26084, an Atlassian Confluence Server and Data Center vulnerability that threat actors started exploiting in early September 2021, less than a week after the vendor announced the availability of a patch.