Patched vulnerabilities that date as far back as 2017 are still being exploited by threat actors, according to the latest report from cyber intelligence agencies in Canada and its Five Eyes allies.

Issued this week, the report lists the top 15 vulnerabilities used by threat actors last year to get into IT systems of organizations.

Of those 15, one dates back to 2018 (CVE-2018-13379), a path traversal vulnerability that affects security appliances running Fortinet’s FortiOS and FortiProxy; one dates back to 2019 (CVE-2019-11510), a vulnerability that allows arbitrary file reading in Pulse Secure’s Pulse Connect Secure VPN; and two date back to 2020 (one is the Zero Logon vulnerability for Windows, while the other is for Microsoft Exchange).

“Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors,” says the report.

Rounding out the top 15 list are 11 vulnerabilities found last year: Four ProxyLogon and three ProxyShell vulnerabilities in Exchange; and single vulnerabilities in Atlassian Confluence Server and Data Center, VMware vSphere Client and Zoho ManageEngine AD SelfService Plus; and the log4j vulnerability in Apache log4j2.

The report also lists 18 more patched vulnerabilities that were routinely exploited by attackers last year, although not as often as the top 15. Of this group, two discovered in 2017 involve Microsoft Office, one discovered in 2018 is for Cisco System’s IOS and IOS XE operating systems, two were discovered in 2019 (for products from Citrix and Progress Telerik) and one in 2020 (for QNAP’s network-attached storage devices).

In addition to listing the vulnerabilities, the report also has links to the patches.

Last year, malicious cyber actors “aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the alert warns. “To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets.”

The Five Eyes countries are Canada, the U.S., the United Kingdom, Australia and New Zealand.