cve,vendor,product,disclosure,first_exploited,first_reported,days_to_exploit,days_to_exploit_signed,confidence,validated,source_url,source_notes,kev_added,cve_year,is_zero_day,is_pre_disclosure
CVE-2026-8398,Daemon,Daemon Tools Lite,2026-05-15,2026-04-08,2026-05-15,0,-37,high,,https://blog.daemon-tools.cc/post/security-incident,"AVB Disc Soft DAEMON Tools Lite for Windows supply-chain compromise; attackers trojanized DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe; Daemon Tools security incident disclosure May 15 2026; part of broader TeamPCP/Mini Shai-Hulud campaign",2026-05-27,2026,True,True
CVE-2026-48027,Nx,Nx Console,2026-05-18,2026-05-18,2026-05-21,0,0,high,,https://nx.dev/blog/nx-console-v18-95-0-postmortem,Nx Console v18.95.0 VS Code extension supply-chain compromise; attacker published malicious version May 18 2026 12:30-13:09 UTC harvesting GitHub/npm credentials; Nx postmortem May 21; part of TeamPCP/Mini Shai-Hulud campaign,2026-05-27,2026,True,False
CVE-2026-45321,TanStack,TanStack,2026-05-11,2026-05-11,2026-05-11,0,0,high,,https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx,TanStack npm packages supply-chain compromise (including @tanstack/zod-adapter@1.166.15); TeamPCP threat group published malicious versions to npm registry May 11 2026; part of broader Mini Shai-Hulud campaign,2026-05-27,2026,True,False
CVE-2026-48172,LiteSpeed,cPanel Plugin,2026-05-20,2026-05-20,2026-05-21,0,0,medium,,https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/,LiteSpeed cPanel Plugin flaw; LiteSpeed advisory May 21 2026 acknowledged exploitation in the wild at disclosure; affects WordPress hosting environments,2026-05-26,2026,True,False
CVE-2026-9082,Drupal,Core,2026-05-20,2026-05-20,2026-05-20,0,0,high,,https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/,"Drupal Core SA-CORE-2026-004 May 20 2026; Imperva tracked 15,000+ exploitation attempts within 48 hours of patch release; Drupal PSA warned ""within hours or days"" of disclosure based on the historical Drupalgeddon pattern",2026-05-22,2026,True,False
CVE-2026-34926,Trend Micro,Apex One,2026-05-21,2026-05-15,2026-05-21,0,-6,high,,https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-apex-one-zero-day-exploited/,Trend Micro Apex One zero-day; Trend Micro advisory May 21 2026; Trend Micro IR team discovered during active exploitation investigation against on-premises Apex One customer; continuation of CVE-2025-54948 pattern,2026-05-21,2026,True,True
CVE-2025-34291,Langflow,Langflow,2025-12-05,2026-05-21,2026-05-21,167,167,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291,Langflow origin validation error; Langflow advisory Dec 5 2025; CISA KEV-added May 21 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-05-21,2025,False,False
CVE-2026-45498,Microsoft,Defender,2026-05-20,2026-04-15,2026-05-20,0,-35,high,,https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/,"Microsoft Defender flaw ""UnDefend""; May 2026 Patch Tuesday; Chaotic Eclipse disclosed zero-day in April 2026 prior to patch; companion to CVE-2026-41091",2026-05-20,2026,True,True
CVE-2026-41091,Microsoft,Defender,2026-05-20,2026-04-15,2026-05-20,0,-35,high,,https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/,"Microsoft Defender flaw; May 2026 Patch Tuesday; overlaps with ""RedSun"" zero-day disclosed by Chaotic Eclipse in April 2026 prior to patch; companion to CVE-2026-45498",2026-05-20,2026,True,True
CVE-2026-42897,Microsoft,Microsoft,2026-05-14,2026-05-14,2026-05-14,0,0,high,,https://www.securityweek.com/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild/,Microsoft Exchange Server OWA cross-site scripting zero-day; Microsoft May 14 2026 advisory acknowledged active exploitation; no patch available at disclosure,2026-05-15,2026,True,False
CVE-2026-20182,Cisco,Catalyst SD-WAN,2026-05-14,2026-05-07,2026-05-14,0,-7,high,,https://blog.talosintelligence.com/uat-8616-sd-wan/,Cisco Catalyst SD-WAN authentication bypass; Cisco Talos disclosure May 14 2026 confirmed UAT-8616 (China-nexus) limited zero-day exploitation since May 7 2026; second wave of SD-WAN campaign after Feb 2026 chain,2026-05-14,2026,True,True
CVE-2026-42208,BerriAI,LiteLLM,2026-05-08,2026-04-26,2026-05-08,0,-12,high,,https://sysdig.com/blog/litellm-vulnerability-cve-2026-42208/,BerriAI LiteLLM unauthenticated SSRF; GHSA published Apr 24 2026; Sysdig observed first exploit attempt 36 hours 7 minutes later on Apr 26 16:17 UTC; targeting cloud AI/LLM deployments,2026-05-08,2026,True,True
CVE-2026-6973,Ivanti,Endpoint Manager Mobile (EPMM),2026-05-07,2026-05-07,2026-05-07,0,0,high,,https://community.opentextcybersecurity.com/vulnerability-vault-228,"Ivanti EPMM disclosed as zero-day May 7 2026; Ivanti acknowledged ""limited customers exploited prior to disclosure""; OpenText Vulnerability Vault 228 followed up with technical details",2026-05-07,2026,True,False
CVE-2026-0300,Palo Alto Networks,PAN-OS,2026-05-06,2026-05-05,2026-05-06,0,-1,high,,https://unit42.paloaltonetworks.com/captive-portal-zero-day/,Palo Alto Networks PAN-OS Captive Portal flaw zero-day; PAN advisory May 6 2026; Unit 42 acknowledged in-the-wild exploitation since at least May 5; CISA KEV-added May 6,2026-05-06,2026,True,True
CVE-2026-31431,Linux,Kernel,2026-04-22,2026-04-29,2026-04-29,7,7,high,,https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel,"Linux Kernel ""Copy Fail"" copy_from_user race condition LPE; Tenable disclosure Apr 22 2026 with PoC; widespread in-the-wild exploitation observed Apr 29; CISA KEV-added May 1 confirming Mirai variant and post-foothold escalation usage",2026-05-01,2026,False,False
CVE-2026-41940,WebPros,cPanel & WHM and WP2 (WordPress Squared),2026-04-29,2026-02-23,2026-04-28,0,-65,high,,https://www.helpnetsecurity.com/2026/05/03/week-in-review-high-severity-lpe-vulnerability-in-the-linux-kernel/,WebPros cPanel & WHM and WP2 (WordPress Squared) flaw; cPanel advisory Apr 28 2026; KnownHost observed exploitation since Feb 23 2026 (~2 months pre-disclosure) against shared hosting providers,2026-04-30,2026,True,True
CVE-2026-32202,Microsoft,Windows,2026-04-14,2025-12-01,2026-04-14,0,-134,high,,https://www.akamai.com/blog/security-research/incomplete-patch-apt28s-zero-day-cve-2026-32202,Microsoft Windows Shell zero-day; April 2026 Patch Tuesday; Akamai disclosed as incomplete patch for CVE-2026-21510; APT28 (Forest Blizzard) continued LNK file exploitation since December 2025,2026-04-28,2026,True,True
CVE-2024-1708,ConnectWise,ScreenConnect,2024-02-21,2026-04-28,2026-04-28,797,797,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1708,ConnectWise ScreenConnect path traversal companion to SlashAndGrab; ConnectWise advisory Feb 19 2024; CISA KEV-added Apr 28 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-28,2024,False,False
CVE-2025-29635,D-Link,DIR-823X,2025-03-25,2026-04-24,2026-04-24,395,395,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-29635,D-Link DIR-823X RCE; D-Link advisory Mar 25 2025; CISA KEV-added Apr 24 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-24,2025,False,False
CVE-2024-7399,Samsung,MagicINFO 9 Server,2024-08-09,2026-04-24,2026-04-24,623,623,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7399,Samsung MagicINFO 9 Server path traversal; Samsung advisory Aug 9 2024; CISA KEV-added Apr 24 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-24,2024,False,False
CVE-2024-57728,SimpleHelp,SimpleHelp,2025-01-15,2026-04-24,2026-04-24,464,464,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57728,SimpleHelp arbitrary file upload companion to CVE-2024-57727; SimpleHelp advisory Jan 15 2025; CISA KEV-added Apr 24 2026; KEV-fallback (later DragonForce attribution applies primarily to CVE-2024-57727),2026-04-24,2024,False,False
CVE-2024-57726,SimpleHelp,SimpleHelp,2025-01-15,2026-04-24,2026-04-24,464,464,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-57726,SimpleHelp privilege escalation; SimpleHelp advisory Jan 15 2025; CISA KEV-added Apr 24 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-24,2024,False,False
CVE-2026-39987,Marimo,Marimo,2026-04-09,2026-04-08,2026-04-09,0,-1,high,,https://sysdig.com/blog/marimo-cve-2026-39987/,Marimo Python notebook RCE; GHSA-2679-6mx9-h9xc Apr 8 2026; Sysdig observed first exploitation attempt 9 hours 41 minutes after disclosure (same calendar day) targeting cloud Python ML deployments,2026-04-23,2026,True,True
CVE-2026-33825,Microsoft,Defender,2026-04-14,2026-04-02,2026-04-14,0,-12,high,,https://www.securityweek.com/recent-microsoft-defender-vulnerability-exploited-as-zero-day/,"Microsoft Defender EoP zero-day ""BlueHammer""; April 2026 Patch Tuesday; Chaotic Eclipse research group released PoC Apr 2 2026 pre-disclosure; Microsoft acknowledged active exploitation",2026-04-22,2026,True,True
CVE-2026-20133,Cisco,Catalyst SD-WAN Manager,2026-02-25,2026-03-04,2026-03-04,7,7,high,,https://blog.talosintelligence.com/uat-8616-sd-wan/,Cisco Catalyst SD-WAN Manager flaw; Cisco PSIRT advisory Feb 25 2026; Talos observed UAT-8616 chain exploitation from early March 2026; CISA KEV-added Apr 20,2026-04-20,2026,False,False
CVE-2026-20128,Cisco,Catalyst SD-WAN Manager,2026-02-25,2026-03-04,2026-03-04,7,7,high,,https://blog.talosintelligence.com/uat-8616-sd-wan/,Cisco Catalyst SD-WAN Manager flaw; Cisco PSIRT advisory Feb 25 2026; Talos observed UAT-8616 chain exploitation from early March 2026,2026-04-20,2026,False,False
CVE-2026-20122,Cisco,Catalyst SD-WAN Manger,2026-02-25,2026-03-04,2026-03-04,7,7,high,,https://blog.talosintelligence.com/uat-8616-sd-wan/,Cisco Catalyst SD-WAN Manager flaw; Cisco PSIRT advisory Feb 25 2026; ZeroZenX Labs PoC; Talos observed UAT-8616 chain exploitation from early March 2026,2026-04-20,2026,False,False
CVE-2025-48700,Synacor,Zimbra Collaboration Suite (ZCS),2025-06-23,2026-04-20,2026-04-20,301,301,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48700,Synacor Zimbra Collaboration Suite RCE; Zimbra advisory Jun 23 2025; CISA KEV-added Apr 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-20,2025,False,False
CVE-2025-32975,Quest,KACE Systems Management Appliance (SMA),2025-06-24,2026-04-20,2026-04-20,300,300,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32975,Quest KACE Systems Management Appliance privilege escalation; Quest advisory Jun 24 2025; CISA KEV-added Apr 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-20,2025,False,False
CVE-2025-2749,Kentico,Kentico Xperience,2025-03-24,2026-04-20,2026-04-20,392,392,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2749,Kentico Xperience deserialization RCE; Kentico advisory Mar 13 2025; CISA KEV-added Apr 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-20,2025,False,False
CVE-2024-27199,JetBrains,TeamCity,2024-03-04,2026-04-20,2026-04-20,777,777,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27199,JetBrains TeamCity path traversal companion to CVE-2024-27198; Rapid7 Mar 4 2024; CISA KEV-added Apr 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-20,2024,False,False
CVE-2023-27351,PaperCut,NG/MF,2023-04-20,2023-04-23,2023-04-23,3,3,medium,,https://www.papercut.com/kb/Main/PO-1219,PaperCut MF/NG authentication bypass companion to CVE-2023-27350; PaperCut patched Mar 8 2023; CISA KEV-added Apr 21 alongside CVE-2023-27350 with reports of ransomware exploitation; CISA KEV updated date corrected from 2026-04-20 typo,2026-04-20,2023,False,False
CVE-2026-34197,Apache,ActiveMQ,2026-04-07,2026-04-14,2026-04-14,7,7,high,,https://www.horizon3.ai/attack-research/red-team/cve-2026-34197-apache-activemq-jolokia-rce/,Apache ActiveMQ Jolokia RCE via JNDI deserialization; Horizon3.ai disclosure Apr 7 2026; FortiGuard observed peak exploitation Apr 14 with HelloKitty/cryptominer payloads (continuation of CVE-2023-46604 pattern); CISA KEV-added Apr 16,2026-04-16,2026,False,False
CVE-2026-32201,Microsoft,SharePoint Server,2026-04-14,2026-04-13,2026-04-14,0,-1,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201,Microsoft SharePoint XSS zero-day; April 2026 Patch Tuesday; Microsoft confirmed exploitation detected before patching; reported by Microsoft Threat Intelligence,2026-04-14,2026,True,True
CVE-2026-34621,Adobe,Acrobat and Reader,2026-04-11,2025-12-01,2026-04-08,0,-131,high,,https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html,Adobe Acrobat and Reader JavaScript engine prototype pollution RCE; Adobe APSB26-43 emergency patch Apr 8 2026; EXPMON (Haifei Li) flagged in-the-wild exploitation via malicious PDFs since at least December 2025 (~4 months pre-disclosure); CISA KEV-added Apr 13,2026-04-13,2026,True,True
CVE-2026-21643,Fortinet,FortiClient EMS,2026-02-06,2026-03-26,2026-03-26,48,48,high,,https://www.fortiguard.com/psirt,Fortinet FortiClient EMS SQL injection; Fortinet PSIRT Feb 6 2026; Defused observed exploitation Mar 26 (4 days before Mar 30 reporting); continuation of CVE-2023-48788 FortiClient EMS pattern,2026-04-13,2026,False,False
CVE-2025-60710,Microsoft,Windows,2025-11-11,2026-04-13,2026-04-13,153,153,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-60710,Microsoft Windows EoP; November 2025 Patch Tuesday; CISA KEV-added Apr 13 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-04-13,2025,False,False
CVE-2023-36424,Microsoft,Windows,2023-11-14,2025-12-01,2026-04-13,748,748,high,,https://www.microsoft.com/en-us/security/blog/medusa-ransomware-exchange-exploitation,Windows Common Log File System (CLFS) EoP; November 2023 Patch Tuesday; observed in Medusa ransomware post-foothold escalation chain alongside CVE-2023-21529 Exchange exploitation; CISA KEV-added Apr 13 2026,2026-04-13,2023,False,False
CVE-2023-21529,Microsoft,Exchange Server,2023-02-14,2025-12-01,2026-04-13,1021,1021,high,,https://www.microsoft.com/en-us/security/blog/medusa-ransomware-exchange-exploitation,Microsoft Exchange Server RCE via authenticated PowerShell session; February 2023 Patch Tuesday; Microsoft attributed Medusa ransomware operator exploitation observed Dec 2025-Apr 2026 targeting unpatched on-premises Exchange servers; CISA KEV-added Apr 13 2026,2026-04-13,2023,False,False
CVE-2020-9715,Adobe,Acrobat,2020-08-19,2026-04-13,2026-04-13,2063,2063,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9715,Adobe Acrobat use-after-free; SecurityWeek noted no reports of in-the-wild exploitation prior to CISA's April 2026 KEV addition; PoC publicly available since 2020 (ZDI blog),2026-04-13,2020,False,False
CVE-2026-1340,Ivanti,Endpoint Manager Mobile (EPMM),2026-01-29,2026-01-29,2026-01-29,0,0,high,,https://www.theregister.com/2026/01/30/ivanti_epmm_zero_days/,Ivanti EPMM code injection zero-day companion to CVE-2026-1281; Ivanti advisory Jan 29 2026; confirmed in-the-wild exploitation at disclosure; UNC5221 China-nexus continuation pattern from 2024 and 2025 EPMM attacks,2026-04-08,2026,True,False
CVE-2026-35616,Fortinet,FortiClient EMS,2026-04-04,2026-03-31,2026-04-04,0,-4,high,,https://www.fortiguard.com/psirt,Fortinet FortiClient EMS access control bypass; Fortinet PSIRT Apr 4 2026; watchTowr observed exploitation Mar 31 (4 days pre-disclosure) as zero-day,2026-04-06,2026,True,True
CVE-2026-3502,TrueConf,Client,2026-03-30,2026-01-01,2026-03-30,0,-88,high,,https://research.checkpoint.com/2026/operation-truechaos-trueconf/,TrueConf Client flaw; TrueConf advisory Mar 29 2026; Check Point Research attributed Operation TrueChaos campaign exploitation since at least Jan 2026 (~3 months pre-disclosure) targeting Russian and CIS organizations via Russian video conferencing client,2026-04-02,2026,True,True
CVE-2026-5281,Google,Dawn,2026-04-01,2026-03-31,2026-04-01,0,-1,high,,https://chromereleases.googleblog.com/,Google Dawn (WebGPU graphics layer) use-after-free zero-day; Chrome Stable Channel update Mar 31 2026 acknowledged ITW exploitation; reported by Google TAG,2026-04-01,2026,True,True
CVE-2026-3055,Citrix,NetScaler,2026-03-23,2026-03-27,2026-03-27,4,4,high,,https://labs.watchtowr.com/citrix-netscaler-saml-cve-2026-3055/,Citrix NetScaler ADC/Gateway SAML IdP memory overread; Citrix advisory Mar 23 2026; watchTowr Labs confirmed exploitation Mar 27 (4 days post-disclosure); CISA KEV-added,2026-03-30,2026,False,False
CVE-2025-53521,F5,BIG-IP,2025-10-15,2026-03-27,2026-03-27,163,163,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-53521,F5 BIG-IP improper authentication; F5 advisory Oct 15 2025; CISA KEV-added Mar 27 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-27,2025,False,False
CVE-2026-33634,Aquasecurity,Trivy,2026-03-23,2026-03-19,2026-03-23,0,-4,high,,https://www.aquasec.com/blog/trivy-supply-chain-attack,"Aquasecurity Trivy npm supply chain attack; threat actor published malicious trivy-action release Mar 19 2026 same day as compromise; CISA KEV-added Mar 23 part of broader npm supply-chain wave alongside Nx Console, TanStack, Daemon Tools",2026-03-26,2026,True,True
CVE-2026-33017,Langflow,Langflow,2026-03-20,2026-03-17,2026-03-20,0,-3,high,,https://sysdig.com/blog/langflow-cve-2026-33017/,Langflow code injection RCE; GHSA advisory Mar 17 2026; Sysdig observed first exploitation attempts 20 hours after disclosure (same calendar day); continuation of CVE-2025-3248 Flodrix botnet targeting,2026-03-25,2026,True,True
CVE-2025-54068,Laravel,Livewire,2025-07-17,2026-03-20,2026-03-20,246,246,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54068,Laravel Livewire path traversal; Livewire advisory Jul 17 2025; CISA KEV-added Mar 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-20,2025,False,False
CVE-2025-43520,Apple,Multiple Products,2025-12-12,2026-03-20,2026-03-20,98,98,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-43520,Apple multiple products WebKit; Apple advisory Dec 12 2025; CISA KEV-added Mar 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-20,2025,False,False
CVE-2025-43510,Apple,Multiple Products,2025-12-12,2026-03-20,2026-03-20,98,98,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-43510,Apple multiple products WebKit; Apple advisory Dec 12 2025; CISA KEV-added Mar 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-20,2025,False,False
CVE-2025-32432,Craft CMS,Craft CMS,2025-04-25,2026-03-20,2026-03-20,329,329,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432,Craft CMS RCE; Craft CMS advisory Apr 25 2025; CISA KEV-added Mar 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-20,2025,False,False
CVE-2025-31277,Apple,Multiple Products,2025-07-29,2026-03-20,2026-03-20,234,234,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31277,Apple multiple products WebKit; Apple advisory Jul 29 2025; CISA KEV-added Mar 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-20,2025,False,False
CVE-2026-20131,Cisco,Secure Firewall Management Center (FMC),2026-03-04,2026-01-26,2026-03-04,0,-37,high,,https://aws.amazon.com/security/security-bulletins/AWS-2026-001/,Cisco Secure Firewall Management Center (FMC) flaw; Cisco advisory Mar 4 2026; Amazon Threat Intelligence observed Interlock ransomware affiliate exploitation since Jan 26 2026 (~36 days pre-disclosure),2026-03-19,2026,True,True
CVE-2026-20963,Microsoft,SharePoint,2026-01-13,2026-03-18,2026-03-18,64,64,high,,https://www.securityweek.com/cisa-warns-of-attacks-exploiting-recent-sharepoint-vulnerability/,Microsoft SharePoint Server deserialization RCE; January 2026 Patch Tuesday; CISA observed in-the-wild exploitation Mar 18 2026; continuation of CVE-2025-53770 ToolShell exploitation pattern,2026-03-18,2026,False,False
CVE-2025-66376,Synacor,Zimbra Collaboration Suite (ZCS),2026-01-05,2026-03-18,2026-03-18,72,72,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66376,Synacor Zimbra Collaboration Suite RCE; Zimbra advisory Jan 5 2026; CISA KEV-added Mar 18 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-18,2025,False,False
CVE-2025-47813,Wing FTP Server,Wing FTP Server,2025-07-10,2026-03-16,2026-03-16,249,249,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47813,Wing FTP Server RCE; Wing FTP advisory Jul 10 2025; CISA KEV-added Mar 16 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-16,2025,False,False
CVE-2026-3910,Google,Chromium V8,2026-03-12,2026-03-13,2026-03-13,1,1,high,,https://chromereleases.googleblog.com/,Chrome V8 type confusion zero-day; Google Stable Channel update Mar 13 2026 acknowledged ITW exploitation; reported by Google TAG; companion to CVE-2026-3909,2026-03-13,2026,False,False
CVE-2026-3909,Google,Skia,2026-03-12,2026-03-13,2026-03-13,1,1,high,,https://chromereleases.googleblog.com/,Chrome Skia graphics out-of-bounds write zero-day; Google Stable Channel update Mar 13 2026 acknowledged ITW exploitation; reported by Google TAG,2026-03-13,2026,False,False
CVE-2025-68613,n8n,n8n,2025-12-19,2026-03-11,2026-03-11,82,82,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613,n8n authentication bypass; n8n advisory Dec 19 2025; CISA KEV-added Mar 11 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-11,2025,False,False
CVE-2026-1603,Ivanti,Endpoint Manager (EPM),2026-02-10,2026-02-13,2026-02-13,3,3,high,,https://beazley.security/alerts-advisories/known-abuse-of-ivanti-epm-authentication-bypass-cve-2026-1603/,Ivanti Endpoint Manager (EPM) authentication bypass; Ivanti advisory Feb 10 2026; watchTowr disclosed key exploitation Feb 13; CISA confirmed in-the-wild exploitation Mar 9,2026-03-09,2026,False,False
CVE-2025-26399,SolarWinds,Web Help Desk,2025-09-23,2026-03-09,2026-03-09,167,167,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399,SolarWinds Web Help Desk RCE; SolarWinds advisory Sep 23 2025; CISA KEV-added Mar 9 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-03-09,2025,False,False
CVE-2021-22054,Omnissa,Workspace One UEM,2021-12-17,2025-03-09,2025-03-11,1178,1178,high,,https://www.greynoise.io/blog/new-ssrf-exploitation-surge,VMware (now Omnissa) Workspace ONE UEM pre-auth SSRF via BlobHandler.ashx hardcoded master key (Assetnote); GreyNoise observed coordinated surge Mar 9 2025 with 400+ IPs exploiting alongside other SSRF CVEs including CVE-2021-22175/39935 GitLab and CVE-2021-21973 vCenter; CISA KEV-added Mar 9 2026,2026-03-09,2021,False,False
CVE-2023-43000,Apple,Multiple Products,2025-11-05,2024-01-01,2025-11-05,0,-674,high,,https://securelist.com/coruna-ios-exploit-kit/,Apple multiple products NSURLConnection cache vulnerability; addressed in iOS 16.6 Jul 26 2023 without acknowledgement; Kaspersky GReAT publicly disclosed in Nov 2025 as part of Coruna iOS exploit kit chain (descendant of Operation Triangulation) targeting Chinese-language phishing sites; chained with CVE-2023-41974 and CVE-2024-23222 and CVE-2022-48503,2026-03-05,2023,True,True
CVE-2023-41974,Apple,iOS and iPadOS,2024-01-10,2024-01-01,2025-11-05,0,-9,high,,https://securelist.com/coruna-ios-exploit-kit/,Apple iOS/iPadOS WebKit memory corruption; addressed in iOS 17.2/16.7.3 Dec 11 2023 without acknowledgement; Kaspersky GReAT disclosed Nov 2025 as part of Coruna iOS exploit kit; chained with CVE-2023-43000 for sandbox escape; targeted Chinese-language users via phishing sites,2026-03-05,2023,True,True
CVE-2021-30952,Apple,Multiple Products,2021-08-24,2025-02-01,2026-03-03,1257,1257,high,,https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit,"Apple WebKit integer overflow (""buffout"" in Coruna iOS exploit kit, targeting iOS 13-15.1.1); Google TAG/GTIG first detected Coruna in Feb 2025 used by surveillance vendor customer, then UNC6353 (Russia espionage) on Ukrainian sites Jul 2025 and UNC6691 (China financial) on fake crypto sites Dec 2025; CISA KEV-added Mar 5 2026",2026-03-05,2021,False,False
CVE-2021-22681,Rockwell,Multiple Products,2021-03-03,2026-03-05,2026-03-05,1828,1828,high,,https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure,Rockwell Automation Logix Controllers insufficiently protected cryptographic key (Claroty/Kaspersky disclosure Feb 2021); Rockwell updated advisory Mar 5 2026 to confirm in-the-wild exploitation; Tenable attributed phase-4 exploitation to Iranian IRGC-linked CyberAv3ngers using Studio 5000 to bypass auth on internet-facing PLCs; CISA KEV-added Mar 5 2026,2026-03-05,2021,False,False
CVE-2026-22719,Broadcom,VMware Aria Operations,2026-02-25,2026-03-03,2026-03-03,6,6,high,,https://www.vmware.com/security/advisories/VMSA-2026-0001.html,Broadcom VMware Aria Operations command injection; VMSA-2026-0001 Feb 24 2026; CISA confirmed in-the-wild exploitation Mar 3; observed in suspected nation-state operations against virtualization management plane,2026-03-03,2026,False,False
CVE-2026-21385,Qualcomm,Multiple Chipsets,2026-03-02,2026-03-02,2026-03-02,0,0,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/,"Qualcomm multiple chipsets memory corruption zero-day; Qualcomm Mar 2 2026 security bulletin / Android March 2026 bulletin acknowledged ""indications of limited targeted exploitation""; commercial spyware vendor likely",2026-03-03,2026,True,False
CVE-2026-20127,Cisco,Catalyst SD-WAN Controller and Manager,2026-02-25,2025-12-01,2026-02-25,0,-86,high,,https://blog.talosintelligence.com/uat-8616-sd-wan/,Cisco Catalyst SD-WAN Controller and Manager zero-day; Cisco Talos attributed UAT-8616 (suspected China-nexus) exploitation since at least December 2025 (~3 months pre-disclosure); chained with CVE-2026-20122/20128/20133 and CVE-2022-20775 for full SD-WAN compromise,2026-02-25,2026,True,True
CVE-2022-20775,Cisco,SD-WAN,2022-09-30,2026-02-25,2026-02-25,1244,1244,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20775,Cisco SD-WAN vManage privilege escalation; Cisco advisory Sep 30 2022; CISA KEV-added Feb 25 2026 retrospective tied to UAT-8616 SD-WAN exploitation chain (also exploits CVE-2026-20182/20127); used post-downgrade for root EoP; KEV-fallback URL since no specific in-the-wild attribution at addition,2026-02-25,2022,False,False
CVE-2026-25108,Soliton Systems K.K,FileZen,2026-02-13,2026-02-24,2026-02-24,11,11,high,,https://www.soliton.co.jp/products/filezen/security,Soliton FileZen file transfer OS command injection; Soliton Systems advisory Feb 24 2026; vendor reported at least one customer compromise at disclosure; targets Japanese organizations,2026-02-24,2026,False,False
CVE-2025-68461,Roundcube,Webmail,2025-12-18,2026-02-20,2026-02-20,64,64,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68461,Roundcube Webmail XSS; Roundcube advisory Dec 18 2025; CISA KEV-added Feb 20 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-20,2025,False,False
CVE-2025-49113,Roundcube,Webmail,2025-06-02,2025-06-02,2025-06-02,0,0,high,,https://fearsoff.org/research/roundcube,Roundcube Webmail PHP object deserialization pre-auth RCE; Roundcube advisory Jun 2 2025; FearsOff disclosed; mass exploitation observed within days; CISA KEV-added Feb 20 2026,2026-02-20,2025,True,False
CVE-2026-22769,Dell,RecoverPoint for Virtual Machines (RP4VMs),2026-02-17,2024-07-01,2026-02-17,0,-596,medium,,https://www.dell.com/support/security/en-us/details/579487,Dell PowerProtect Data Manager and RecoverPoint for VMs flaw; Dell DSA-579487 advisory Feb 17 2026; Dell acknowledged early exploitation activity mid-2024 (~18 months pre-CVE assignment); CISA KEV-added Feb 2026,2026-02-18,2026,True,True
CVE-2021-22175,GitLab,GitLab,2021-06-11,2025-03-09,2025-03-09,1367,1367,high,,https://www.greynoise.io/blog/new-ssrf-exploitation-surge,GitLab Community/Enterprise Editions SSRF; observed in GreyNoise SSRF surge Mar 9 2025 alongside CVE-2021-22054 (VMware Workspace ONE UEM) and other SSRF flaws; CISA KEV-added Feb 18 2026 retrospective,2026-02-18,2021,False,False
CVE-2026-2441,Google,Chromium,2026-02-13,2026-02-13,2026-02-13,0,0,high,,https://chromereleases.googleblog.com/,Chrome CSS engine use-after-free zero-day; Google Stable Channel emergency update Feb 13 2026 acknowledged ITW exploitation; reported by Google TAG,2026-02-17,2026,True,False
CVE-2024-7694,TeamT5,ThreatSonar Anti-Ransomware,2024-08-12,2026-02-17,2026-02-17,554,554,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7694,TeamT5 ThreatSonar Anti-Ransomware path traversal; TeamT5 advisory Aug 12 2024; CISA KEV-added Feb 17 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-17,2024,False,False
CVE-2020-7796,Synacor,Zimbra Collaboration Suite,2020-02-18,2025-03-09,2026-02-18,1846,1846,high,,https://securityaffairs.com/188163/uncategorized/u-s-cisa-adds-google-chromium-css-microsoft-windows-teamt5-threatsonar-anti-ransomware-and-zimbra-flaws-to-its-known-exploited-vulnerabilities-catalog.html,Zimbra WebEx zimlet SSRF; GreyNoise observed 400+ IPs exploiting in SSRF surge starting March 9 2025; CISA KEV add Feb 18 2026,2026-02-17,2020,False,False
CVE-2026-1731,BeyondTrust,Remote Support (RS) and Privileged Remote Access (PRA),2026-02-06,2026-02-10,2026-02-10,4,4,high,,https://www.helpnetsecurity.com/2026/02/13/beyondtrust-cve-2026-1731-poc-exploit-activity/,BeyondTrust Remote Support/Privileged Remote Access RCE; BeyondTrust advisory Feb 6 2026; vendor observed first exploit attempt Feb 10 same day as first public PoC; continuation of Silk Typhoon Treasury attack pattern from 2024,2026-02-13,2026,False,False
CVE-2026-20700,Apple,Multiple Products,2026-02-11,2026-02-11,2026-02-12,0,0,high,,https://support.apple.com/en-us/121753,"Apple multiple products buffer overflow zero-day; iOS/macOS emergency update Feb 12 2026 with Apple ""may have been exploited in extremely sophisticated attacks against specific targeted individuals""; CISA KEV-added with reports of commercial spyware delivery",2026-02-12,2026,True,False
CVE-2025-40536,SolarWinds,Web Help Desk,2026-01-28,2026-02-12,2026-02-12,15,15,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40536,SolarWinds Web Help Desk RCE companion; CISA KEV-added Feb 12 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-12,2025,False,False
CVE-2025-15556,Notepad++,Notepad++,2026-02-03,2026-02-12,2026-02-12,9,9,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-15556,Notepad++ DLL hijacking; CISA KEV-added Feb 12 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-12,2025,False,False
CVE-2024-43468,Microsoft,Configuration Manager,2024-10-08,2026-02-12,2026-02-12,492,492,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-43468,Microsoft Configuration Manager SQL injection RCE; October 2024 Patch Tuesday; CISA KEV-added Feb 12 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-12,2024,False,False
CVE-2026-21533,Microsoft,Windows,2026-02-10,2025-12-01,2026-02-10,0,-71,high,,https://krebsonsecurity.com/2026/02/patch-tuesday-february-2026-edition/,Microsoft Windows RDP EoP zero-day; February 2026 Patch Tuesday; CrowdStrike Intelligence observed exploitation binary in the wild since at least December 2025 (~2 months pre-disclosure),2026-02-10,2026,True,True
CVE-2026-21525,Microsoft,Windows,2026-02-10,2026-02-10,2026-02-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525,"Microsoft Windows Remote Access Connection Manager (RasMan) denial of service zero-day; February 2026 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; second RasMan CVE after CVE-2025-59230",2026-02-10,2026,True,False
CVE-2026-21519,Microsoft,Windows,2026-02-10,2026-02-10,2026-02-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519,"Microsoft Windows Desktop Window Manager EoP zero-day; February 2026 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2026-02-10,2026,True,False
CVE-2026-21514,Microsoft,Office,2026-02-10,2026-02-10,2026-02-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514,"Microsoft Word OLE security feature bypass; February 2026 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2026-02-10,2026,True,False
CVE-2026-21513,Microsoft,Windows,2026-02-10,2025-12-01,2026-02-10,0,-71,high,,https://www.akamai.com/blog/security-research/incomplete-patch-apt28s-zero-day-cve-2026-32202,Microsoft MSHTML zero-day companion to CVE-2026-21510; February 2026 Patch Tuesday; CERT-UA + Akamai attributed APT28 exploitation via LNK files since December 2025; VirusTotal sample Jan 30 2026,2026-02-10,2026,True,True
CVE-2026-21510,Microsoft,Windows,2026-02-10,2025-12-01,2026-02-10,0,-71,high,,https://www.akamai.com/blog/security-research/incomplete-patch-apt28s-zero-day-cve-2026-32202,Microsoft Windows Shell zero-day; February 2026 Patch Tuesday; Akamai/CERT-UA attributed APT28 (Forest Blizzard) exploitation since December 2025 (~2 months pre-disclosure) via malicious LNK files; chained with CVE-2026-21513 and CVE-2026-32202 (incomplete patch),2026-02-10,2026,True,True
CVE-2026-24423,SmarterTools,SmarterMail,2026-01-23,2026-01-28,2026-01-28,5,5,high,,https://labs.watchtowr.com/smartermail-cve-2026-24423/,SmarterTools SmarterMail ConnectToHub RCE; SmarterTools advisory Jan 22 2026; watchTowr Labs observed mass exploitation from Jan 28; CISA KEV-added,2026-02-05,2026,False,False
CVE-2025-11953,React Native Community,CLI,2025-11-03,2026-02-05,2026-02-05,94,94,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953,React Native Community CLI command injection; React Native advisory Nov 3 2025; CISA KEV-added Feb 5 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-05,2025,False,False
CVE-2025-64328,Sangoma,FreePBX,2025-11-07,2026-02-03,2026-02-03,88,88,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64328,Sangoma FreePBX RCE; FreePBX advisory Nov 7 2025; CISA KEV-added Feb 3 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-03,2025,False,False
CVE-2025-40551,SolarWinds,Web Help Desk,2026-01-28,2026-02-03,2026-02-03,6,6,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40551,SolarWinds Web Help Desk authentication bypass; CISA KEV-added Feb 3 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-02-03,2025,False,False
CVE-2021-39935,GitLab,Community and Enterprise Editions,2021-12-13,2025-03-09,2025-03-09,1182,1182,high,,https://www.greynoise.io/blog/new-ssrf-exploitation-surge,GitLab Community/Enterprise Editions info disclosure; observed in GreyNoise SSRF/info-disclosure surge Mar 9 2025; CISA KEV-added Feb 3 2026 retrospective,2026-02-03,2021,False,False
CVE-2019-19006,Sangoma,FreePBX,2019-11-21,2020-09-01,2020-11-06,285,285,high,,https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/,"Sangoma FreePBX authentication bypass; Check Point Research documented INJ3CTOR3 operation worldwide VoIP attacks affecting ~1,200 organizations, observed from September 2020",2026-02-03,2019,False,False
CVE-2026-1281,Ivanti,Endpoint Manager Mobile (EPMM),2026-01-29,2026-01-29,2026-01-29,0,0,high,,https://www.theregister.com/2026/01/30/ivanti_epmm_zero_days/,Ivanti EPMM code injection zero-day; Ivanti advisory Jan 29 2026; confirmed zero-day exploitation at disclosure; chained with CVE-2026-1340 for unauthenticated RCE,2026-01-29,2026,True,False
CVE-2026-24858,Fortinet,Multiple Products,2026-01-27,2026-01-15,2026-01-27,0,-12,high,,https://arcticwolf.com/resources/blog/forticloud-sso-bypass-cve-2026-24858/,Fortinet FortiCloud SSO authentication bypass; Fortinet PSIRT Jan 27 2026; Arctic Wolf observed exploitation since Jan 15 2026 (~12 days pre-disclosure) against FortiCloud-managed FortiGate customers,2026-01-27,2026,True,True
CVE-2026-24061,GNU,InetUtils,2026-01-21,2026-01-25,2026-01-25,4,4,high,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24061,GNU InetUtils telnetd argument injection RCE; GNU advisory Jan 20 2026; CISA KEV-added Jan 26 with reports of mass exploitation observed Jan 25 against Internet-exposed legacy telnetd services,2026-01-26,2026,False,False
CVE-2026-23760,SmarterTools,SmarterMail,2026-01-22,2026-01-17,2026-01-22,0,-5,high,,https://www.smartertools.com/smartermail/release-notes,SmarterTools SmarterMail authentication bypass; SmarterTools advisory Jan 22 2026; security firms observed active exploitation starting Jan 17 (~5 days pre-disclosure) targeting Internet-exposed SmarterMail instances,2026-01-26,2026,True,True
CVE-2026-21509,Microsoft,Office,2026-01-26,2026-01-20,2026-01-26,0,-6,high,,https://www.techradar.com/pro/security/russian-hackers-are-targeting-a-new-office-365-zero-day-vulnerability,Microsoft Office security feature bypass zero-day; Microsoft out-of-band patch Jan 26 2026; attributed to suspected Russian APT targeting Office 365 with specially crafted documents,2026-01-26,2026,True,True
CVE-2025-52691,SmarterTools,SmarterMail,2025-12-29,2026-01-26,2026-01-26,28,28,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-52691,SmarterTools SmarterMail authentication bypass; SmarterTools release notes Dec 29 2025; CISA KEV-added Jan 26 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-01-26,2025,False,False
CVE-2018-14634,Linux,Kernel,2018-09-25,2026-01-26,2026-01-26,2680,2680,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14634,Linux kernel Mutagen Astronomy integer overflow EoP; Qualys disclosed with PoC Sep 2018; no specific contemporary threat-intel report documenting in-the-wild exploitation found; CISA KEV is only documented evidence,2026-01-26,2018,False,False
CVE-2024-37079,Broadcom,VMware vCenter Server,2024-06-18,2026-01-23,2026-01-23,584,584,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37079,Broadcom VMware vCenter Server DCERPC heap overflow; Broadcom VMSA-2024-0012 Jun 18 2024; CISA KEV-added Jan 23 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-01-23,2024,False,False
CVE-2025-68645,Synacor,Zimbra Collaboration Suite (ZCS),2025-12-22,2026-01-22,2026-01-22,31,31,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645,Synacor Zimbra Collaboration Suite RCE; Zimbra advisory Dec 22 2025; CISA KEV-added Jan 22 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-01-22,2025,False,False
CVE-2025-54313,Prettier,eslint-config-prettier,2025-07-19,2026-01-22,2026-01-22,187,187,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313,Prettier eslint-config-prettier supply chain compromise; Prettier advisory Jul 19 2025; CISA KEV-added Jan 22 2026 retrospective; KEV-fallback (broader supply-chain compromise context),2026-01-22,2025,False,False
CVE-2025-34026,Versa,Concerto,2025-05-21,2026-01-22,2026-01-22,246,246,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34026,Versa Concerto authentication bypass; Versa advisory May 21 2025; CISA KEV-added Jan 22 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-01-22,2025,False,False
CVE-2025-31125,Vite,Vitejs,2025-03-31,2026-01-22,2026-01-22,297,297,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125,Vite.js path traversal; Vite advisory Mar 31 2025; CISA KEV-added Jan 22 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-01-22,2025,False,False
CVE-2026-20045,Cisco,Unified Communications Manager,2026-01-21,2026-01-21,2026-01-21,0,0,high,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/,Cisco Unified Communications Manager (CUCM) RCE zero-day; Cisco advisory Jan 21 2026 acknowledged limited targeted exploitation at disclosure,2026-01-21,2026,True,False
CVE-2026-20805,Microsoft,Windows,2026-01-13,2026-01-13,2026-01-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20805,"Microsoft Windows Desktop Window Manager (DWM) information disclosure zero-day; January 2026 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2026-01-13,2026,True,False
CVE-2025-8110,Gogs,Gogs,2025-12-10,2026-01-12,2026-01-12,33,33,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8110,Gogs path traversal; Gogs advisory Dec 10 2025; CISA KEV-added Jan 12 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-01-12,2025,False,False
CVE-2025-37164,Hewlett Packard Enterprise (HPE),OneView,2025-12-16,2026-01-07,2026-01-07,22,22,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-37164,HPE OneView path traversal; HPE advisory Dec 16 2025; CISA KEV-added Jan 7 2026 with no specific public exploitation attribution at addition; KEV-fallback,2026-01-07,2025,False,False
CVE-2025-14847,MongoDB,MongoDB and MongoDB Server,2025-12-19,2025-12-29,2025-12-29,10,10,medium,,https://www.mongodb.com/docs/manual/release-notes/8.0/,MongoDB and MongoDB Server flaw; MongoDB Dec 19 2025 advisory; CISA KEV-added Dec 29 2025 with reports of exploitation,2025-12-29,2025,False,False
CVE-2023-52163,Digiever,DS-2105 Pro,2025-02-03,2025-12-22,2025-12-22,322,322,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-52163,Digiever DS-2105 Pro NVR path traversal; NVD published Feb 3 2025; CISA KEV-added Dec 22 2025 with no specific public exploitation attribution; KEV-fallback,2025-12-22,2023,False,False
CVE-2025-14733,WatchGuard,Firebox,2025-12-19,2025-12-19,2025-12-19,0,0,medium,,https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00018,WatchGuard Firebox flaw; CISA KEV-added Dec 19 2025 citing active exploitation; specific named threat group attribution thin,2025-12-19,2025,True,False
CVE-2025-59374,ASUS,Live Update,2025-12-17,2025-12-17,2025-12-17,0,0,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59374,ASUS Live Update flaw; CISA KEV-added Dec 17 2025 citing active exploitation but no specific named threat group attribution at addition; KEV-fallback,2025-12-17,2025,True,False
CVE-2025-40602,SonicWall,SMA1000 appliance,2025-12-18,2025-12-17,2025-12-18,0,-1,medium,,https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019,SonicWall SMA1000 stack-based buffer overflow; SonicWall PSIRT SNWLID-2025-0019; CISA KEV-added Dec 17 2025 with reports of exploitation,2025-12-17,2025,True,True
CVE-2025-20393,Cisco,Multiple Products,2025-12-17,2025-12-17,2025-12-17,0,0,medium,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/,Cisco Multiple Products flaw; CISA KEV-added Dec 17 2025 alongside other Cisco advisories citing active exploitation; specific named threat group attribution thin,2025-12-17,2025,True,False
CVE-2025-59718,Fortinet,Multiple Products,2025-12-09,2025-12-16,2025-12-16,7,7,medium,,https://www.fortiguard.com/psirt,Fortinet Multiple Products flaw; Fortinet PSIRT Dec 9 2025; CISA KEV-added Dec 16 2025 citing active exploitation; specific named threat group attribution thin,2025-12-16,2025,False,False
CVE-2025-43529,Apple,Multiple Products,2025-12-17,2025-12-15,2025-12-17,0,-2,medium,,https://support.apple.com/en-us/121753,Apple multiple products zero-day; CISA KEV-added Dec 15 2025 alongside other Apple flaws; Apple Dec 17 2025 advisory acknowledged exploitation; no specific named threat group attribution,2025-12-15,2025,True,True
CVE-2025-14611,Gladinet,CentreStack and Triofox,2025-12-12,2025-12-15,2025-12-15,3,3,medium,,https://www.gladinet.com/security-advisories,Gladinet CentreStack/Triofox follow-on flaw; Gladinet advisory Dec 12 2025; CISA KEV-added Dec 15 with reports of exploitation; companion to CVE-2025-12480,2025-12-15,2025,False,False
CVE-2025-14174,Google,Chromium,2025-12-12,2025-12-11,2025-12-12,0,-1,high,,https://chromereleases.googleblog.com/,Chrome ANGLE out-of-bounds memory access zero-day affecting macOS; Google Stable Channel update Dec 12 2025 acknowledged ITW exploitation; reported by Google TAG,2025-12-12,2025,True,True
CVE-2018-4063,Sierra Wireless,AirLink ALEOS,2019-05-06,2024-01-15,2025-12-12,1715,1715,low,Yes,https://www.rescana.com/post/critical-sierra-wireless-airlink-aleos-router-vulnerability-cve-2018-4063-added-to-cisa-kev-after,Sierra Wireless AirLink ALEOS file upload RCE; CISA KEV added Dec 13 2025 citing active exploitation; no specific contemporary threat-intel report documenting in-wild exploitation found beyond KEV add,2025-12-12,2018,False,False
CVE-2025-58360,OSGeo,GeoServer,2025-11-25,2025-12-11,2025-12-11,16,16,medium,,https://github.com/geoserver/geoserver/security/advisories,OSGeo GeoServer flaw; GeoServer advisory Nov 25 2025; CISA KEV-added Dec 11 2025 with reports of exploitation following pattern of CVE-2024-36401 GeoServer exploitation,2025-12-11,2025,False,False
CVE-2025-62221,Microsoft,Windows,2025-12-09,2025-12-09,2025-12-09,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221,Microsoft Windows flaw; December 2025 Patch Tuesday; Microsoft acknowledged exploitation in the wild,2025-12-09,2025,True,False
CVE-2025-6218,RARLAB,WinRAR,2025-06-21,2025-07-03,2025-07-03,12,12,medium,,https://bi.zone/eng/expertise/blog/paper-werewolf-cves/,WinRAR path traversal via crafted archive; RARLAB v7.12 patch; BI.ZONE attributed Paper Werewolf exploitation in early July 2025 targeting Russian organizations,2025-12-09,2025,False,False
CVE-2025-66644,Array Networks,ArrayOS AG,2025-12-05,2025-12-08,2025-12-08,3,3,medium,,https://www.arraynetworks.com/support-security-advisories.html,Array Networks ArrayOS AG flaw; Array Networks advisory Dec 5 2025; CISA KEV-added Dec 8 2025 with reports of exploitation,2025-12-08,2025,False,False
CVE-2022-37055,D-Link,Routers,2022-08-28,2025-12-08,2025-12-08,1198,1198,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-37055,D-Link routers OS command injection; D-Link advisory Aug 28 2022; CISA KEV-added Dec 8 2025 with no specific public exploitation attribution; KEV-fallback,2025-12-08,2022,False,False
CVE-2025-55182,Meta,React Server Components,2025-12-03,2025-12-05,2025-12-05,2,2,medium,,https://github.com/facebook/react/security/advisories,Meta React Server Components flaw; React advisory Dec 3 2025; CISA KEV-added Dec 5 2025 with reports of exploitation in JavaScript supply chain attacks,2025-12-05,2025,False,False
CVE-2021-26828,OpenPLC,ScadaBR,2021-06-11,2025-03-01,2025-10-09,1359,1359,high,,https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/,OpenPLC ScadaBR authenticated arbitrary JSP file upload via view_edit.shtm; Forescout Vedere Labs honeypot detected two Russia-linked IPs (45.14.247.87 et al.) using default creds to drop Java web shell Mar 1-3 2025; published Oct 9 2025; CISA KEV-added Dec 3 2025,2025-12-03,2021,False,False
CVE-2025-48633,Android,Framework,2025-12-08,2025-12-02,2025-12-08,0,-6,medium,,https://source.android.com/docs/security/bulletin/2025-09-01,Android Framework flaw companion to CVE-2025-48572; September 2025 Android bulletin; CISA KEV-added Dec 2 2025,2025-12-02,2025,True,True
CVE-2025-48572,Android,Framework,2025-12-08,2025-12-02,2025-12-08,0,-6,medium,,https://source.android.com/docs/security/bulletin/2025-09-01,Android Framework flaw; September 2025 Android bulletin; CISA KEV-added Dec 2 2025 with reports of exploitation but no specific named threat group attribution,2025-12-02,2025,True,True
CVE-2021-26829,OpenPLC,ScadaBR,2021-06-11,2025-09-01,2025-10-09,1543,1543,high,,https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/,"OpenPLC ScadaBR XSS in system_settings.shtm; pro-Russian hacktivist group TwoNet exploited against Forescout water-treatment honeypot in Sept 2025 (login defacement ""Hacked by Barlati"", disabled logs/alarms, falsely claimed real attack on Telegram); Forescout published Oct 9 2025; CISA KEV-added Nov 28 2025",2025-11-28,2021,False,False
CVE-2025-61757,Oracle,Fusion Middleware,2025-10-21,2025-11-21,2025-11-21,31,31,medium,,https://www.oracle.com/security-alerts/,Oracle Fusion Middleware Identity Manager unspecified flaw; Oracle CPU Oct 21 2025; CISA KEV-added Nov 21 2025 citing exploitation but no specific named threat group attribution,2025-11-21,2025,False,False
CVE-2025-13223,Google,Chromium V8,2025-11-17,2025-11-17,2025-11-17,0,0,high,,https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html,Chrome V8 type confusion zero-day; Google Stable Channel update Nov 17 2025 acknowledged ITW exploitation; reported by Google TAG,2025-11-19,2025,True,False
CVE-2025-58034,Fortinet,FortiWeb,2025-11-18,2025-11-18,2025-11-18,0,0,high,,https://fortiguard.fortinet.com/psirt,Fortinet FortiWeb EoP zero-day companion; FortiGuard PSIRT advisory Nov 18 2025; CISA confirmed active exploitation; chained with CVE-2025-64446 for full takeover,2025-11-18,2025,True,False
CVE-2025-64446,Fortinet,FortiWeb,2025-11-14,2025-10-06,2025-11-14,0,-39,high,,https://www.horizon3.ai/attack-research/red-team/cve-2025-64446-fortiweb-path-traversal-auth-bypass/,Fortinet FortiWeb path traversal/authentication bypass; Fortinet silently patched then publicly disclosed Nov 14 2025; Defused/Horizon3 identified exploitation since Oct 6 2025 (~5 weeks pre-disclosure) creating admin accounts on FortiWeb instances,2025-11-14,2025,True,True
CVE-2025-9242,WatchGuard,Firebox,2025-09-17,2025-09-17,2025-09-17,0,0,medium,,https://labs.watchtowr.com/watchguard-firebox-ikev2-out-of-bounds-write-cve-2025-9242/,WatchGuard Firebox IKEv2 VPN out-of-bounds write pre-auth RCE; WatchGuard advisory Sep 17 2025; watchTowr Labs PoC; CISA KEV-added Nov 12 with active exploitation observed,2025-11-12,2025,True,False
CVE-2025-62215,Microsoft,Windows,2025-11-11,2025-11-11,2025-11-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215,"Microsoft Windows kernel race condition EoP zero-day; November 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Microsoft Threat Intelligence",2025-11-12,2025,True,False
CVE-2025-12480,Gladinet,Triofox,2025-11-10,2025-11-12,2025-11-12,2,2,high,,https://cloud.google.com/blog/topics/threat-intelligence/triofox-zero-day-exploitation-cve-2025-12480,Gladinet Triofox authentication bypass zero-day; Mandiant disclosed Nov 10 2025 attributing UNC6485 exploitation to install RMM tools on compromised Triofox servers via uploaded antivirus configuration,2025-11-12,2025,False,False
CVE-2025-21042,Samsung,Mobile Devices,2025-09-12,2024-07-23,2025-11-01,0,-416,high,,https://unit42.paloaltonetworks.com/landfall-mobile-spyware/,Samsung mobile devices media library out-of-bounds write zero-day; CISA KEV-added Nov 2025; Unit 42 attributed Korea-linked commercial spyware vendor exploitation since Jul 23 2024 (~14 months pre-disclosure) against journalists and activists,2025-11-10,2025,True,True
CVE-2025-48703,CWP,Control Web Panel,2025-09-19,2025-11-04,2025-11-04,46,46,medium,,https://control-webpanel.com/changelog,CentOS Web Panel (CWP) command injection; CWP changelog Sep 19 2025; CISA KEV-added Nov 4 2025 citing exploitation as zero-day,2025-11-04,2025,False,False
CVE-2025-11371,Gladinet,CentreStack and Triofox,2025-10-09,2025-10-08,2025-10-09,0,-1,high,,https://www.huntress.com/blog/exploitation-of-gladinet-centrestack-and-triofox,Gladinet CentreStack/Triofox local file inclusion zero-day; Huntress observed in-the-wild exploitation Oct 8 2025 leading to machineKey disclosure and chained ViewState RCE,2025-11-04,2025,True,True
CVE-2025-41244,Broadcom,VMware Aria Operations and VMware Tools,2025-09-29,2024-10-15,2025-09-29,0,-349,high,,https://blog.nviso.eu/2025/09/29/cve-2025-41244-shedding-light-on-a-silently-patched-vmware-zero-day/,Broadcom VMware Tools/Aria Operations SDMP local privilege escalation; silently patched then publicly disclosed Sep 29 2025; NVISO + Mandiant attributed UNC5174 (China-linked) exploitation since Oct 2024 (~11 months pre-disclosure),2025-10-30,2025,True,True
CVE-2025-24893,XWiki,Platform,2025-02-20,2025-09-15,2025-10-30,207,207,high,,https://vulncheck.com/blog/xwiki-cve-2025-24893-rce,XWiki Platform eval() RCE via SolrSearch endpoint; XWiki Feb 20 2025; VulnCheck Oct 30 2025 attributed observed exploitation since Sep 15 with two-step RCE deploying XMRig cryptominer; CISA KEV-added Oct 30,2025-10-30,2025,False,False
CVE-2025-6205,Dassault Systèmes,DELMIA Apriso,2025-08-04,2025-10-28,2025-10-28,85,85,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6205,Dassault DELMIA Apriso missing authentication companion to CVE-2025-6204; CISA KEV-added Oct 28 2025; KEV-fallback,2025-10-28,2025,False,False
CVE-2025-6204,Dassault Systèmes,DELMIA Apriso,2025-08-04,2025-10-28,2025-10-28,85,85,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6204,Dassault DELMIA Apriso code injection; Dassault advisory Aug 4 2025; CISA KEV-added Oct 28 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-10-28,2025,False,False
CVE-2025-59287,Microsoft,Windows,2025-10-14,2025-10-24,2025-10-24,10,10,high,,https://www.huntress.com/blog/cve-2025-59287-wsus-rce,Windows Server Update Services (WSUS) deserialization RCE; October 2025 Patch Tuesday; PoCs Oct 17; Dutch NCSC observed in-wild exploitation from Oct 24 via Internet-exposed WSUS instances,2025-10-24,2025,False,False
CVE-2025-54236,Adobe,Commerce and Magento,2025-09-09,2025-10-22,2025-10-22,43,43,high,,https://sansec.io/research/sessionreaper,"Adobe Commerce/Magento ""SessionReaper"" improper input validation pre-auth RCE; Adobe APSB25-71 Sep 9 2025; Sansec observed 250+ attacks from Oct 22 onwards targeting Internet-exposed Adobe Commerce stores",2025-10-24,2025,False,False
CVE-2025-61932,Motex,LANSCOPE Endpoint Manager,2025-10-20,2025-04-01,2025-10-20,0,-202,high,,https://www.jpcert.or.jp/english/at/2025/at250023.html,Motex LANSCOPE Endpoint Manager improper verification; Motex advisory Oct 20 2025; JPCERT/CC confirmed exploitation since at least April 2025 (~6 months pre-disclosure) against Japanese organizations,2025-10-22,2025,True,True
CVE-2025-61884,Oracle,E-Business Suite,2025-10-12,2025-10-11,2025-10-12,0,-1,high,,https://www.oracle.com/security-alerts/,Oracle E-Business Suite Configurator Runtime UI flaw; Oracle advisory Oct 12 2025; exploited as zero-day alongside CVE-2025-61882 in Cl0p extortion campaign,2025-10-20,2025,True,True
CVE-2025-33073,Microsoft,Windows,2025-06-10,2025-10-01,2025-10-01,113,113,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073,Windows SMB Client improper access control; June 2025 Patch Tuesday; PoCs released post-patch; CISA confirmed exploitation Oct 20 2025 via KEV addition,2025-10-20,2025,False,False
CVE-2025-2747,Kentico,Xperience CMS,2025-03-24,2025-10-20,2025-10-20,210,210,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2747,Kentico Xperience CMS authentication bypass companion to CVE-2025-2746; same Mar 13 2025 advisory; CISA KEV-added Oct 20 2025; KEV-fallback,2025-10-20,2025,False,False
CVE-2025-2746,Kentico,Xperience CMS,2025-03-24,2025-10-20,2025-10-20,210,210,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2746,Kentico Xperience CMS authentication bypass; Kentico advisory Mar 13 2025; CISA KEV-added Oct 20 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-10-20,2025,False,False
CVE-2022-48503,Apple,Multiple Products,2023-08-14,2025-10-20,2025-10-20,798,798,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-48503,Apple multiple products JavaScriptCore type confusion; Apple patched iOS 15.7.1/16.1 Oct 24 2022 (CVE later assigned); CISA KEV-added Oct 20 2025 with no specific public exploitation attribution; KEV-fallback,2025-10-20,2022,False,False
CVE-2025-54253,Adobe,Experience Manager (AEM) Forms,2025-08-05,2025-10-15,2025-10-15,71,71,medium,,https://helpx.adobe.com/security/products/experience-manager/apsb25-50.html,Adobe AEM Forms on JEE misconfiguration RCE; Adobe APSB25-50 Aug 5 2025; CISA KEV-added Oct 15 2025 with reports of active exploitation,2025-10-15,2025,False,False
CVE-2025-59230,Microsoft,Windows,2025-10-14,2025-10-14,2025-10-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230,"Windows Remote Access Connection Manager (RasMan) EoP zero-day; October 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; first RasMan CVE exploited as zero-day",2025-10-14,2025,True,False
CVE-2025-47827,IGEL,IGEL OS,2025-06-05,2025-05-15,2025-06-05,0,-21,medium,,https://kb.igel.com/igelos-12/current/secure-boot-bypass-cve-2025-47827,IGEL OS Secure Boot bypass via Shim component; IGEL KB Jun 5 2025; PoC public since May 2025; CISA KEV-added with reports of weaponization observed in tooling,2025-10-14,2025,True,True
CVE-2025-24990,Microsoft,Windows,2025-10-14,2025-10-14,2025-10-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990,"Windows Agere Modem driver (ltmdm64.sys) EoP zero-day; October 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; driver subsequently removed from Windows",2025-10-14,2025,True,False
CVE-2021-43798,Grafana Labs,Grafana,2021-12-07,2025-10-09,2025-10-09,1402,1402,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43798,Grafana directory traversal via plugin path; Grafana advisory Dec 7 2021; CISA KEV-added Oct 9 2025 (~4 years late) with no specific public exploitation attribution at addition; KEV-fallback,2025-10-09,2021,False,False
CVE-2025-27915,Synacor,Zimbra Collaboration Suite,2025-03-12,2025-10-07,2025-10-07,209,209,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27915,Synacor Zimbra Collaboration Suite stored XSS; Zimbra advisory Mar 12 2025; CISA KEV-added Oct 7 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-10-07,2025,False,False
CVE-2025-61882,Oracle,E-Business Suite,2025-10-05,2025-08-09,2025-10-05,0,-57,high,,https://www.oracle.com/security-alerts/alert-cve-2025-61882.html,Oracle E-Business Suite Concurrent Processing pre-auth RCE zero-day; Oracle emergency advisory Oct 5 2025; CrowdStrike + Google Threat Intelligence traced Cl0p (Lace Tempest/FIN11) extortion exploitation since Aug 9 2025 (~2 months pre-disclosure) targeting Fortune 500 EBS customers,2025-10-06,2025,True,True
CVE-2021-43226,Microsoft,Windows,2021-12-15,2025-10-06,2025-10-06,1391,1391,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43226,"Windows CLFS driver LPE buffer overflow to SYSTEM (CWE: improper validation; not info-disclosure as MSRC title); Microsoft patched Dec 2021; CISA KEV-added Oct 6 2025 citing PoC code circulating on underground forums and ransomware ops, but no specific threat group publicly identified; KEV-fallback",2025-10-06,2021,False,False
CVE-2021-22555,Linux,Kernel,2021-07-07,2025-10-06,2025-10-06,1552,1552,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22555,Linux netfilter heap out-of-bounds write in nft_set_elem_init; Andy Nguyen Google P0 published writeup 2021 with kCTF Kubernetes pod escape PoC; CISA KEV-added Oct 6 2025; no public in-the-wild campaign attribution though weaponized for years; KEV-fallback,2025-10-06,2021,False,False
CVE-2025-4008,Smartbedded,Meteobridge,2025-05-21,2025-10-02,2025-10-02,134,134,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-4008,Smartbedded Meteobridge command injection; advisory May 21 2025; CISA KEV-added Oct 2 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-10-02,2025,False,False
CVE-2025-21043,Samsung,Mobile Devices,2025-09-12,2025-09-15,2025-09-15,3,3,high,,https://security.samsungmobile.com/securityUpdate.smsb,Samsung mobile devices libimagecodec.quram.so image library RCE zero-day; Samsung Sep 12 2025 security update; reported by Meta/WhatsApp Security; chained in commercial spyware delivery against ~200 WhatsApp users,2025-10-02,2025,False,False
CVE-2025-59689,Libraesva,Email Security Gateway,2025-09-19,2025-09-22,2025-09-22,3,3,high,,https://docs.libraesva.com/knowledgebase/cve-2025-59689,Libraesva Email Security Gateway command injection; Libraesva advisory Sep 19 2025; vendor confirmed exploitation targeting one customer attributed to suspected nation-state actor,2025-09-29,2025,False,False
CVE-2025-32463,Sudo,Sudo,2025-06-30,2025-08-01,2025-09-29,32,32,medium,,https://www.sudo.ws/security/advisories/chroot_bug/,Sudo chroot LPE; sudo 1.9.17p1 patched Jun 30 2025; CISA KEV-added Sep 29 2025 confirming exploitation; commonly used in red-team and post-foothold escalation,2025-09-29,2025,False,False
CVE-2025-20352,Cisco,IOS and IOS XE,2025-09-24,2025-09-01,2025-09-24,0,-23,high,,https://blog.talosintelligence.com/operation-zero-disco/,"Cisco IOS/IOS XE SNMP stack overflow RCE zero-day; Cisco advisory Sep 24 2025; Cisco Talos attributed Operation Zero Disco exploitation against Cisco network devices targeting ISP, energy, government with persistent implants",2025-09-29,2025,True,True
CVE-2025-10035,Fortra,GoAnywhere MFT,2025-09-18,2025-09-10,2025-09-18,0,-8,high,,https://www.fortra.com/security/advisories/product-security/fi-2025-012,Fortra GoAnywhere MFT License Servlet deserialization pre-auth RCE zero-day; Fortra FI-2025-012 Sep 18 2025; watchTowr identified exploitation since Sep 10 (~1 week pre-disclosure) attributed to Cl0p/Storm-1175 in second major MFT extortion campaign after original 2023 GoAnywhere attacks,2025-09-29,2025,True,True
CVE-2021-21311,Adminer,Adminer,2021-02-11,2025-09-29,2025-09-29,1691,1691,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21311,"Adminer SSRF (Elasticsearch/ClickHouse drivers); CISA KEV-added Sep 29 2025 based on Recorded Future Insikt-validated TTP using Nuclei detection; no specific public campaign attribution, KEV-fallback",2025-09-29,2021,False,False
CVE-2025-20362,Cisco,Secure Firewall ASA and FTD,2025-09-25,2025-05-01,2025-09-25,0,-147,high,,https://blog.talosintelligence.com/arcanedoor-update-2025/,Cisco ASA/FTD authentication bypass zero-day; Cisco advisory Sep 25 2025; ArcaneDoor return campaign chained with CVE-2025-20333; UAT4356/Storm-1849 China-nexus exploitation since May 2025,2025-09-25,2025,True,True
CVE-2025-20333,Cisco,Secure Firewall ASA and FTD,2025-09-25,2025-05-01,2025-09-25,0,-147,high,,https://blog.talosintelligence.com/arcanedoor-update-2025/,Cisco Secure Firewall ASA/FTD VPN web server pre-auth RCE zero-day; Cisco advisory Sep 25 2025; Cisco Talos attributed ArcaneDoor return campaign by UAT4356/Storm-1849 (China-nexus); investigation began May 2025 with mass implant deployment,2025-09-25,2025,True,True
CVE-2025-10585,Google,Chromium V8,2025-09-24,2025-09-17,2025-09-24,0,-7,high,,https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html,Chrome V8 type confusion zero-day; Google Stable Channel update Sep 24 2025 acknowledged ITW exploitation; reported by Google TAG,2025-09-23,2025,True,True
CVE-2025-5086,Dassault Systèmes,DELMIA Apriso,2025-06-02,2025-09-01,2025-09-11,91,91,medium,,https://www.3ds.com/vulnerability/advisories,Dassault Systemes DELMIA Apriso deserialization RCE; Dassault advisory Jun 2 2025; CISA KEV-added Sep 11 2025 confirming exploitation observed in manufacturing sector,2025-09-11,2025,False,False
CVE-2025-53690,Sitecore,Multiple Products,2025-09-03,2025-08-15,2025-09-03,0,-19,high,,https://cloud.google.com/blog/topics/threat-intelligence/sitecore-deserialization-zero-day,Sitecore Multiple Products ViewState deserialization RCE zero-day; Sitecore advisory Sep 3 2025; Mandiant Sep 4 attributed exploitation since mid-Aug 2025 using exposed sample ASP.NET machineKey to deploy WeepSteel reconnaissance malware,2025-09-04,2025,True,True
CVE-2025-48543,Android,Runtime,2025-09-04,2025-09-02,2025-09-04,0,-2,high,,https://source.android.com/docs/security/bulletin/2025-09-01,"Android Runtime EoP zero-day; September 2025 Android Security Bulletin acknowledged ""indications that CVE-2025-48543 may be under limited, targeted exploitation""",2025-09-04,2025,True,True
CVE-2025-38352,Linux,Kernel,2025-07-22,2025-09-02,2025-09-02,42,42,high,,https://source.android.com/docs/security/bulletin/2025-09-01,Linux kernel POSIX CPU timers race condition LPE; original kernel commit Jul 22 2025; Android September 2025 bulletin acknowledged limited targeted exploitation,2025-09-04,2025,False,False
CVE-2025-9377,TP-Link,Multiple Routers,2025-08-29,2025-09-03,2025-09-03,5,5,high,,https://blog.sekoia.io/quad7-the-7777-botnet-continues-to-expand/,"TP-Link multiple routers command injection; TP-Link advisory Aug 29 2025; Sekoia/Microsoft attributed Quad7 (CovertNetwork-1658) botnet exploitation observed by Microsoft, which uses compromised routers as operational relay boxes for credential brute-forcing",2025-09-03,2025,False,False
CVE-2023-50224,TP-Link,TL-WR841N,2024-05-03,2025-09-03,2025-09-03,488,488,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-50224,TP-Link TL-WR841N authentication bypass via cookie spoof; ZDI advisory May 3 2024; CISA KEV-added Sep 3 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-09-03,2023,False,False
CVE-2025-55177,Meta Platforms,WhatsApp,2025-08-29,2025-08-28,2025-08-29,0,-1,high,,https://www.whatsapp.com/security/advisories/2025,WhatsApp linked device synchronization authentication flaw zero-click; WhatsApp Aug 29 2025 advisory; chained with Apple CVE-2025-43300; Amnesty International + Meta reported commercial spyware (possibly Paragon/Cytrox) exploitation against ~200 targeted users including journalists and civil society,2025-09-02,2025,True,True
CVE-2020-24363,TP-Link,TL-WA855RE,2020-08-31,2025-09-02,2025-09-02,1828,1828,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-24363,TP-Link TL-WA855RE Wi-Fi range extender RCE; CISA KEV add Sep 2025; The Hacker News noted no public reports explicitly referencing exploitation prior to KEV add,2025-09-02,2020,False,False
CVE-2025-57819,Sangoma,FreePBX,2025-08-28,2025-08-21,2025-08-28,0,-7,high,,https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h,Sangoma FreePBX administrator authentication bypass zero-day; FreePBX advisory Aug 28 2025; Sangoma acknowledged exploitation since at least Aug 21 with attackers planting webshells; CISA KEV-added Aug 28,2025-08-29,2025,True,True
CVE-2025-7775,Citrix,NetScaler,2025-08-26,2025-08-26,2025-08-26,0,0,high,,https://support.citrix.com/external/article/694788,Citrix NetScaler ADC/Gateway memory overflow RCE zero-day; Citrix CTX694788 Aug 26 2025; Cloud Software Group acknowledged exploitation in the wild at or before disclosure,2025-08-26,2025,True,False
CVE-2025-48384,Git,Git,2025-07-08,2025-08-25,2025-08-25,48,48,medium,,https://github.com/git/git/security/advisories/GHSA-vmqv-hx8q-j7mg,Git submodule arbitrary file write to .git/config leading to RCE on clone; Git advisory Jul 8 2025; CISA KEV-added Aug 25 2025 confirming active exploitation,2025-08-25,2025,False,False
CVE-2024-8069,Citrix,Session Recording,2024-11-12,2025-08-25,2025-08-25,286,286,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8069,Citrix Session Recording .NET deserialization RCE; Citrix advisory CTX691941 Nov 12 2024; CISA KEV-added Aug 25 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-08-25,2024,False,False
CVE-2024-8068,Citrix,Session Recording,2024-11-12,2025-08-25,2025-08-25,286,286,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8068,Citrix Session Recording privilege escalation; Citrix advisory CTX691941 Nov 12 2024; CISA KEV-added Aug 25 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-08-25,2024,False,False
CVE-2025-43300,Apple,"iOS, iPadOS, and macOS",2025-08-21,2025-08-20,2025-08-21,0,-1,high,,https://support.apple.com/en-us/124925,"Apple ImageIO out-of-bounds write zero-day; iOS 18.6.2 Aug 21 2025; Apple acknowledged ""extremely sophisticated attack against specific targeted individuals""; chained with WhatsApp CVE-2025-55177 (Meta/WhatsApp DSP campaign targeting ~200 users)",2025-08-21,2025,True,True
CVE-2025-54948,Trend Micro,Apex One,2025-08-05,2025-08-05,2025-08-05,0,0,high,,https://success.trendmicro.com/dcx/s/solution/000310520,Trend Micro Apex One management console command injection zero-day; Trend Micro advisory Aug 5 2025 acknowledged at least one observed exploitation attempt against an on-premises Apex One customer,2025-08-18,2025,True,False
CVE-2025-8876,N-able,N-Central,2025-08-14,2025-08-13,2025-08-14,0,-1,high,,https://www.n-able.com/security-advisories,N-able N-Central command injection companion to CVE-2025-8875; Aug 14 2025 advisory; active exploitation acknowledged by N-able,2025-08-13,2025,True,True
CVE-2025-8875,N-able,N-Central,2025-08-14,2025-08-13,2025-08-14,0,-1,high,,https://www.n-able.com/security-advisories,N-able N-Central insecure deserialization RCE zero-day; N-able advisory Aug 14 2025; N-able acknowledged active exploitation; CISA KEV-added Aug 14,2025-08-13,2025,True,True
CVE-2025-8088,RARLAB,WinRAR,2025-08-08,2025-07-18,2025-08-08,0,-21,high,,https://www.welivesecurity.com/en/eset-research/romcom-exploits-winrar-zero-day-cve-2025-8088/,"WinRAR path traversal via Alternate Data Streams in RAR archives; RARLAB v7.13 patch Jul 30 2025; ESET attributed RomCom (Russia-aligned) exploitation since Jul 18 2025 (~2 weeks pre-disclosure) targeting financial, defense, manufacturing in Europe",2025-08-12,2025,True,True
CVE-2022-40799,D-Link,DNR-322L,2022-11-29,2025-08-05,2025-08-05,980,980,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40799,D-Link DNR-322L authenticated firmware update flaw; D-Link advisory Nov 29 2022; CISA KEV-added Aug 5 2025 with no specific public exploitation attribution; KEV-fallback,2025-08-05,2022,False,False
CVE-2020-25079,D-Link,DCS-2530L and DCS-2670L Devices,2020-09-02,2025-08-05,2025-08-05,1798,1798,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25079,D-Link DCS-2530L/2670L IP cameras authenticated command injection; FBI flagged camera models in HiatusRAT campaigns; CISA KEV add 2025-08-05; no specific contemporary threat-intel report with date attribution,2025-08-05,2020,False,False
CVE-2020-25078,D-Link,DCS-2530L and DCS-2670L Devices,2020-09-02,2025-08-05,2025-08-05,1798,1798,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25078,D-Link DCS-2530L/2670L IP cameras unauthenticated admin password disclosure; FBI flagged camera models in HiatusRAT campaigns; CISA KEV add 2025-08-05; no specific contemporary threat-intel report with date attribution,2025-08-05,2020,False,False
CVE-2025-20337,Cisco,Identity Services Engine,2025-07-16,2025-07-17,2025-07-17,1,1,high,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauthrce-ZAd2GnJ6,Cisco ISE deserialization companion to CVE-2025-20281; Cisco advisory Jul 16 2025; Trend Micro ZDI confirmed exploitation within 24 hours,2025-07-28,2025,False,False
CVE-2025-20281,Cisco,Identity Services Engine,2025-06-25,2025-07-05,2025-07-05,10,10,high,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauthrce-ZAd2GnJ6,Cisco Identity Services Engine (ISE) unauthenticated RCE; Cisco PSIRT advisory Jun 25 2025; Shadowserver observed mass exploitation Jul 5 onwards targeting Internet-exposed ISE instances,2025-07-28,2025,False,False
CVE-2023-2533,PaperCut,NG/MF,2023-06-20,2025-07-28,2025-07-28,769,769,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2533,PaperCut NG/MF CSRF; PaperCut advisory Jun 20 2023; CISA KEV-added Jul 28 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-07-28,2023,False,False
CVE-2025-6558,Google,Chromium,2025-07-15,2025-07-15,2025-07-15,0,0,high,,https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop.html,Chrome ANGLE/GPU insufficient input validation zero-day; Google Stable Channel update Jul 15 2025 acknowledged ITW exploitation; reported by Clement Lecigne and Vlad Stolyarov of Google TAG,2025-07-22,2025,True,False
CVE-2025-54309,CrushFTP,CrushFTP,2025-07-18,2025-07-18,2025-07-18,0,0,high,,https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update,CrushFTP AS2 validation zero-day pre-auth RCE; CrushFTP advisory Jul 18 2025; CrushFTP acknowledged exploitation at disclosure possibly earlier; chained for RCE via insufficient HTTP parsing,2025-07-22,2025,True,False
CVE-2025-49706,Microsoft,SharePoint,2025-07-08,2025-07-08,2025-07-08,0,0,high,,https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/,Microsoft SharePoint Server ToolShell authentication bypass companion to CVE-2025-49704; July 2025 Patch Tuesday; chained for unauthenticated RCE,2025-07-22,2025,True,False
CVE-2025-49704,Microsoft,SharePoint,2025-07-08,2025-07-08,2025-07-08,0,0,high,,https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/,"Microsoft SharePoint Server ""ToolShell"" chain RCE; demonstrated at Pwn2Own Berlin May 2025 by Viettel Cybersecurity; July 2025 Patch Tuesday; exploited as zero-day chained with CVE-2025-49706",2025-07-22,2025,True,False
CVE-2025-2776,SysAid,SysAid On-Prem,2025-05-07,2025-07-22,2025-07-22,76,76,medium,,https://labs.watchtowr.com/sysaid-and-the-suncave-pre-auth-rce-chain/,SysAid On-Prem XXE in ServerURL parameter companion to CVE-2025-2775; same watchTowr May 7 2025 chain; CISA KEV-added Jul 22,2025-07-22,2025,False,False
CVE-2025-2775,SysAid,SysAid On-Prem,2025-05-07,2025-07-22,2025-07-22,76,76,medium,,https://labs.watchtowr.com/sysaid-and-the-suncave-pre-auth-rce-chain/,SysAid On-Prem XXE in mdm/checkin endpoint; SysAid patched March 2025; watchTowr disclosed May 7 2025 with PoC; CISA KEV-added Jul 22 confirming exploitation,2025-07-22,2025,False,False
CVE-2025-53770,Microsoft,SharePoint,2025-07-20,2025-07-07,2025-07-19,0,-13,high,,https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/,"Microsoft SharePoint Server ""ToolShell"" RCE zero-day (patch bypass of CVE-2025-49704); Microsoft emergency advisory Jul 19 2025; Check Point + Eye Security identified mass exploitation since Jul 7 pre-disclosure; Microsoft attributed Linen Typhoon (APT27), Violet Typhoon (APT31), Storm-2603 (China-nexus)",2025-07-20,2025,True,True
CVE-2025-25257,Fortinet,FortiWeb,2025-07-17,2025-07-11,2025-07-11,0,-6,high,,https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-cve-2025-25257/,Fortinet FortiWeb Fabric Connector SQL injection pre-auth RCE; Fortinet PSIRT FG-IR-25-151 Jul 8 2025; watchTowr PoC; exploitation began Jul 11 targeting Internet-exposed FortiWeb instances,2025-07-18,2025,True,True
CVE-2025-47812,Wing FTP Server,Wing FTP Server,2025-07-10,2025-07-01,2025-07-10,0,-9,high,,https://www.huntress.com/blog/wing-ftp-server-cve-2025-47812-actively-exploited,Wing FTP Server Lua injection pre-auth RCE; Julien Ahrens disclosed Jun 30 2025; Huntress observed exploitation Jul 1 2025 within hours of public PoC; CISA KEV-added Jul 14,2025-07-14,2025,True,True
CVE-2025-5777,Citrix,NetScaler ADC and Gateway,2025-06-17,2025-06-23,2025-06-23,6,6,high,,https://www.greynoise.io/blog/citrix-bleed-2-cve-2025-5777-mass-exploitation,"Citrix NetScaler ADC/Gateway ""CitrixBleed 2"" memory disclosure leaking session tokens; Citrix CTX693420 Jun 17 2025; GreyNoise/Imperva observed mass exploitation Jun 23 onwards; similar to original Citrix Bleed CVE-2023-4966",2025-07-10,2025,False,False
CVE-2019-9621,Synacor,Zimbra Collaboration Suite (ZCS),2019-04-30,2023-06-01,2023-09-18,1493,1493,high,,https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html,Zimbra ProxyServlet SSRF; exploited by China-linked Earth Lusca in H1 2023 for web shells and Cobalt Strike; Trend Micro report Sep 18 2023; CISA added to KEV July 7 2025,2025-07-07,2019,False,False
CVE-2019-5418,Rails,Ruby on Rails,2019-03-27,2025-07-07,2025-07-07,2294,2294,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418,"Ruby on Rails Action View path traversal; CISA KEV add 2025-07-07; multiple news outlets (gbhackers, SecPod, cybersecuritynews) report only on the KEV add, not on any specific contemporary attribution of in-the-wild attacks",2025-07-07,2019,False,False
CVE-2025-6554,Google,Chromium V8,2025-06-30,2025-06-26,2025-06-30,0,-4,high,,https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html,Chrome V8 type confusion zero-day; Google Stable Channel update Jun 30 2025; reported by Clement Lecigne of Google TAG; emergency config push Jun 26,2025-07-02,2025,True,True
CVE-2025-48928,TeleMessage,TM SGNL,2025-05-28,2025-05-05,2025-05-28,0,-23,medium,,https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/,TeleMessage TM SGNL credential exposure companion to CVE-2025-48927; same May 5 2025 disclosure pattern; mass scraping,2025-07-01,2025,True,True
CVE-2025-48927,TeleMessage,TM SGNL,2025-05-28,2025-05-05,2025-05-28,0,-23,medium,,https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/,TeleMessage TM SGNL Spring Boot Actuator information disclosure; exposed after Signal-clone usage became public; mass scraping observed,2025-07-01,2025,True,True
CVE-2025-6543,Citrix,NetScaler ADC and Gateway,2025-06-25,2025-05-01,2025-06-25,0,-55,high,,https://www.ncsc.nl/onderwerpen/citrix-netscaler,Citrix NetScaler memory overflow leading to unintended control flow; Citrix CTX694788 Jun 25 2025; NCSC-NL Aug attributed exploitation against Dutch critical organizations since May 2025 by unknown nation-state actor,2025-06-30,2025,True,True
CVE-2024-54085,AMI,MegaRAC SPx,2025-03-11,2025-06-25,2025-06-25,106,106,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-54085,AMI MegaRAC SPx Redfish authentication bypass; AMI advisory Mar 11 2025; CISA KEV-added Jun 25 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-06-25,2024,False,False
CVE-2024-0769,D-Link,DIR-859 Router,2024-01-21,2025-06-25,2025-06-25,521,521,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-0769,D-Link DIR-859 router path traversal; D-Link advisory Jan 21 2024 (EOL device); CISA KEV-added Jun 25 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-06-25,2024,False,False
CVE-2019-6693,Fortinet,FortiOS,2019-11-21,2025-06-25,2025-06-25,2043,2043,low,,https://www.fortiguard.com/psirt/FG-IR-19-007,Fortinet FortiOS hardcoded encryption credentials; KEV-added 2025-06-25 retrospective,2025-06-25,2019,False,False
CVE-2023-0386,Linux,Kernel,2023-03-22,2025-06-17,2025-06-17,818,818,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386,Linux Kernel OverlayFS UID/GID mapping local privilege escalation; original disclosure Mar 22 2023; PoCs immediate; CISA KEV-added Jun 17 2025 with no specific public exploitation campaign attribution at addition; KEV-fallback,2025-06-17,2023,False,False
CVE-2025-43200,Apple,Multiple Products,2025-06-16,2025-01-01,2025-06-11,0,-166,high,,https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-spyware-found-on-european-journalists-iphones/,Apple Messages logic flaw silently patched in iOS 18.3.1 Feb 10 2025; Apple disclosed Jun 11; Citizen Lab confirmed Paragon Graphite commercial spyware exploitation since at least Jan 2025 targeting European journalists via iMessage zero-click,2025-06-16,2025,True,True
CVE-2023-33538,TP-Link,Multiple Routers,2023-06-07,2025-06-16,2025-06-16,740,740,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-33538,TP-Link multiple routers command injection via locale parameter; original disclosure Jun 7 2023; CISA KEV-added Jun 16 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-06-16,2023,False,False
CVE-2025-33053,Microsoft,Windows,2025-06-10,2025-03-01,2025-06-10,0,-101,high,,https://research.checkpoint.com/2025/stealth-falcon-zero-day/,Microsoft Windows WebDAV RCE zero-day; June 2025 Patch Tuesday; Check Point Research attributed Stealth Falcon (UAE-linked APT) exploitation since March 2025 (~3 months pre-disclosure) targeting Turkish defense industry via .url files,2025-06-10,2025,True,True
CVE-2025-24016,Wazuh,Wazuh Server,2025-02-10,2025-03-01,2025-03-01,19,19,high,,https://www.akamai.com/blog/security-research/wazuh-cve-2025-24016-exploit-mirai,Wazuh Server unsafe deserialization pre-auth RCE; Wazuh advisory Feb 10 2025; Akamai SIRT observed Mirai variant botnet exploitation from early March 2025; CISA KEV-added Mar 11,2025-06-10,2025,False,False
CVE-2025-32433,Erlang,Erlang/OTP,2025-04-16,2025-04-21,2025-04-21,5,5,high,,https://blog.talosintelligence.com/erlang-otp-ssh-cve-2025-32433/,Erlang/OTP SSH server unauthenticated RCE; Erlang advisory Apr 16 2025; Cisco Talos observed exploitation Apr 21 onwards targeting OT/industrial Erlang deployments; CISA KEV-added Jun 9,2025-06-09,2025,False,False
CVE-2024-42009,Roundcube,Webmail,2024-08-05,2024-08-04,2024-08-05,0,-1,high,,https://www.welivesecurity.com/en/eset-research/operation-roundpress/,"Roundcube Webmail XSS via email message rendering; Roundcube advisory Aug 4 2024; ESET attributed Sednit/APT28 exploitation in Operation RoundPress targeting Ukrainian, Bulgarian, Romanian government webmail (with CVE-2023-43770 chain); CISA KEV-added Jun 9 2025",2025-06-09,2024,True,True
CVE-2025-5419,Google,Chromium V8,2025-06-02,2025-06-02,2025-06-02,0,0,high,,https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html,Chrome V8 out-of-bounds read/write zero-day; Google Stable Channel emergency update Jun 2 2025 acknowledged ITW exploitation; reported by Clement Lecigne and Benoît Sevens of Google TAG,2025-06-05,2025,True,False
CVE-2025-27038,Qualcomm,Multiple Chipsets,2025-06-03,2025-06-02,2025-06-02,0,-1,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/,Qualcomm Adreno GPU use-after-free zero-day; Qualcomm Jun 2 2025 bulletin acknowledged Google TAG indications of limited targeted exploitation,2025-06-03,2025,True,True
CVE-2025-21480,Qualcomm,Multiple Chipsets,2025-06-03,2025-06-02,2025-06-02,0,-1,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html,Qualcomm Adreno GPU unauthorized command execution zero-day; Qualcomm Jun 2 2025 bulletin acknowledged Google TAG indications of limited targeted exploitation; companion to CVE-2025-21479,2025-06-03,2025,True,True
CVE-2025-21479,Qualcomm,Multiple Chipsets,2025-06-03,2025-06-02,2025-06-02,0,-1,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html,Qualcomm Adreno GPU unauthorized command execution zero-day; Qualcomm Jun 2 2025 security bulletin acknowledged Google TAG indications of limited targeted exploitation; commercial spyware vendor likely,2025-06-03,2025,True,True
CVE-2025-3935,ConnectWise,ScreenConnect,2025-04-25,2025-04-24,2025-04-25,0,-1,high,,https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-bulletin,ConnectWise ScreenConnect ViewState code injection; ConnectWise advisory Apr 25 2025; Mandiant attributed nation-state actor pre-disclosure exploitation of ConnectWise hosted ScreenConnect environment via stolen machine keys,2025-06-02,2025,True,True
CVE-2025-35939,Craft CMS,Craft CMS,2025-05-07,2025-05-07,2025-05-07,0,0,high,,https://craftcms.com/knowledge-base/security,Craft CMS session storage misconfiguration RCE; Craft CMS advisory May 7 2025; CISA KEV-added Jun 2 2025 confirming exploitation,2025-06-02,2025,True,False
CVE-2024-56145,Craft CMS,Craft CMS,2024-12-18,2025-06-02,2025-06-02,166,166,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145,Craft CMS PHP register_argc_argv configuration RCE; Craft CMS advisory Dec 18 2024; CISA KEV-added Jun 2 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-06-02,2024,False,False
CVE-2023-39780,ASUS,RT-AX55 Routers,2023-09-11,2025-03-01,2025-03-28,537,537,high,,https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers,"ASUS RT-AX55 router authenticated OS command injection; ASUS advisory Sep 11 2023; GreyNoise published Mar 28 2025 attributing the AyySSHush botnet exploitation campaign that backdoored ~9,000 ASUS routers via persistent SSH keys with operations since March 2025",2025-06-02,2023,False,False
CVE-2021-32030,ASUS,Routers,2021-05-06,2025-06-02,2025-06-02,1488,1488,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32030,ASUS GT-AC2900 routers authentication bypass; ASUS advisory May 2021; CISA KEV-added Jun 2 2025 with no specific public exploitation campaign attribution; KEV-fallback,2025-06-02,2021,False,False
CVE-2025-4632,Samsung,MagicINFO 9 Server,2025-05-13,2025-04-30,2025-05-13,0,-13,high,,https://arcticwolf.com/resources/blog/follow-up-samsung-patches-zero-day-vulnerability-magicinfo-9-server/,Samsung MagicINFO 9 Server path traversal zero-day; Samsung patch May 13 2025; SSD Disclosure published PoC Apr 30 with Arctic Wolf observing exploitation before vendor patch,2025-05-22,2025,True,True
CVE-2025-4428,Ivanti,Endpoint Manager Mobile (EPMM),2025-05-13,2025-05-15,2025-05-15,2,2,high,,https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428,Ivanti EPMM code injection via API; Ivanti advisory May 13 2025; chained with CVE-2025-4427 for unauthenticated RCE; UNC5221 China-nexus exploitation since May 15,2025-05-19,2025,False,False
CVE-2025-4427,Ivanti,Endpoint Manager Mobile (EPMM),2025-05-13,2025-05-15,2025-05-15,2,2,high,,https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428,Ivanti EPMM authentication bypass; Ivanti advisory May 13 2025; Wiz/Mandiant attributed UNC5221 exploitation since May 15 with full RCE chain via CVE-2025-4428,2025-05-19,2025,False,False
CVE-2025-27920,Srimax,Output Messenger,2025-05-05,2024-04-01,2025-05-05,0,-399,high,,https://cloud.google.com/blog/topics/threat-intelligence/triplestrength-hits-victims-with-triple-threat,Srimax Output Messenger directory traversal; Mandiant May 2025 attributed UNC3886 China-nexus exploitation since at least April 2024 (~13 months pre-disclosure) targeting government and telecom in Southeast Asia,2025-05-19,2025,True,True
CVE-2024-27443,Synacor,Zimbra Collaboration Suite (ZCS),2024-08-12,2025-05-19,2025-05-19,280,280,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27443,Synacor Zimbra Collaboration Suite XSS in CalendarInvite handler; Zimbra advisory Aug 12 2024; CISA KEV-added May 19 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-05-19,2024,False,False
CVE-2024-11182,MDaemon,Email Server,2024-11-15,2024-01-01,2025-05-19,0,-319,high,,https://www.welivesecurity.com/en/eset-research/operation-roundpress/,MDaemon Email Server XSS via Compose mail; MDaemon advisory Nov 15 2024; ESET attributed Sednit/APT28 Operation RoundPress exploitation since at least Jan 2024 targeting government and defense webmail users in CIS region,2025-05-19,2024,True,True
CVE-2023-38950,ZKTeco,BioTime,2023-08-03,2025-05-19,2025-05-19,655,655,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38950,ZKTeco BioTime path traversal; original disclosure Aug 3 2023; CISA KEV-added May 19 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-05-19,2023,False,False
CVE-2025-42999,SAP,NetWeaver,2025-05-13,2025-03-14,2025-05-13,0,-60,high,,https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/,SAP NetWeaver deserialization companion zero-day chained with CVE-2025-31324; SAP May 13 2025 Patch Day; Onapsis confirmed exploitation since mid-March 2025; CISA KEV-added May 15,2025-05-15,2025,True,True
CVE-2024-12987,DrayTek,Vigor Routers,2024-12-27,2025-05-15,2025-05-15,139,139,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-12987,DrayTek Vigor routers OS command injection; DrayTek advisory Dec 27 2024; CISA KEV-added May 15 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-05-15,2024,False,False
CVE-2025-32756,Fortinet,Multiple Products,2025-05-13,2025-04-01,2025-05-13,0,-42,high,,https://fortiguard.fortinet.com/psirt/FG-IR-25-254,Fortinet FortiVoice/FortiMail/FortiNDR/FortiRecorder/FortiCamera stack-based buffer overflow zero-day; Fortinet PSIRT FG-IR-25-254 May 13 2025; Fortinet acknowledged exploitation against FortiVoice in the wild; observed since at least April 2025,2025-05-14,2025,True,True
CVE-2025-32709,Microsoft,Windows,2025-05-13,2025-05-13,2025-05-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32709,"Microsoft Windows Ancillary Function Driver for WinSock EoP zero-day; May 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-05-13,2025,True,False
CVE-2025-32706,Microsoft,Windows,2025-05-13,2025-05-13,2025-05-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32706,"Microsoft Windows CLFS EoP zero-day; May 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; companion CLFS bug to CVE-2025-32701",2025-05-13,2025,True,False
CVE-2025-32701,Microsoft,Windows,2025-05-13,2025-05-13,2025-05-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32701,"Microsoft Windows CLFS EoP zero-day; May 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; CLFS bug pattern continues from 2022-2024",2025-05-13,2025,True,False
CVE-2025-30400,Microsoft,Windows,2025-05-13,2025-05-13,2025-05-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30400,"Microsoft Windows DWM Core Library EoP zero-day; May 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-05-13,2025,True,False
CVE-2025-30397,Microsoft,Windows,2025-05-13,2025-05-13,2025-05-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397,"Microsoft Scripting Engine memory corruption RCE zero-day; May 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; affects Edge IE mode",2025-05-13,2025,True,False
CVE-2025-47729,TeleMessage,TM SGNL,2025-05-08,2025-05-05,2025-05-08,0,-3,medium,,https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/,TeleMessage TM SGNL (Signal-clone enterprise messaging app) hidden cleartext message logging; disclosed May 5 2025 after high-profile usage by Trump administration officials; data scraped from internet-exposed instances,2025-05-12,2025,True,True
CVE-2024-6047,GeoVision,Multiple Devices,2024-06-17,2024-08-01,2025-05-07,45,45,high,,https://www.akamai.com/blog/security-research/2024-akamai-discovered-vulnerabilities-iot-botnet-mirai-eol-geovision,GeoVision multiple devices OS command injection; CISA disclosure Jun 17 2024 (EOL devices); Akamai SIRT attributed Mirai variant botnet exploitation from August 2024 targeting GeoVision IoT cameras; CISA KEV-added May 7 2025,2025-05-07,2024,False,False
CVE-2024-11120,GeoVision,Multiple Devices,2024-11-15,2024-12-01,2025-05-07,16,16,high,,https://www.akamai.com/blog/security-research/2024-akamai-discovered-vulnerabilities-iot-botnet-mirai-eol-geovision,GeoVision multiple devices OS command injection; TWCERT/CC advisory Nov 15 2024; Akamai SIRT attributed Mirai variant botnet exploitation; CISA KEV-added May 7 2025 alongside CVE-2024-6047,2025-05-07,2024,False,False
CVE-2025-27363,FreeType,FreeType,2025-03-11,2025-05-06,2025-05-06,56,56,high,,https://source.android.com/docs/security/bulletin/2025-05-01,"FreeType font rendering library out-of-bounds write affecting Android; Android May 2025 security bulletin acknowledged ""indications that CVE-2025-27363 may be under limited, targeted exploitation""; reported by Google",2025-05-06,2025,False,False
CVE-2025-3248,Langflow,Langflow,2025-04-07,2025-04-09,2025-04-09,2,2,high,,https://www.trendmicro.com/en_us/research/25/f/langflow-vulnerability-flodric-botnet.html,Langflow Python AI/LLM framework unauthenticated RCE via code validation endpoint; Langflow GHSA Apr 7 2025; CrowdSec observed Flodrix botnet immediate exploitation post-disclosure same day; Trend Micro June 2025 documented continued campaign,2025-05-05,2025,False,False
CVE-2025-34028,Commvault,Command Center,2025-04-22,2025-05-02,2025-05-02,10,10,high,,https://labs.watchtowr.com/commvault-command-center-pre-auth-rce-cve-2025-34028/,Commvault Command Center path traversal pre-auth RCE; watchTowr disclosure Apr 11 2025; CISA KEV-added May 2 2025 confirming exploitation; widely scanned by IABs,2025-05-02,2025,False,False
CVE-2024-58136,Yiiframework,Yii,2025-04-10,2025-05-02,2025-05-02,22,22,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136,Yii Framework configuration injection via behaviors array; Yii GitHub advisory Apr 10 2025; CISA KEV-added May 2 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-05-02,2024,False,False
CVE-2024-38475,Apache,HTTP Server,2024-07-01,2024-07-04,2024-07-04,3,3,high,,https://blog.orange.tw/posts/2024-08-confusion-attacks-en/,Apache HTTP Server mod_rewrite improper escaping of output path traversal; Apache advisory Jul 1 2024; Orange Tsai presented at DEFCON 32; Akamai observed mass exploitation from Jul 4 with widespread file disclosure attacks,2025-05-01,2024,False,False
CVE-2023-44221,SonicWall,SMA100 Appliances,2023-12-05,2025-05-01,2025-05-01,513,513,medium,,https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018,SonicWall SMA100 OS command injection (post-auth); SonicWall PSIRT SNWLID-2023-0018 Dec 5 2023; CISA KEV-added May 1 2025 alongside CVE-2025-32819/32820/32821 SMA100 cluster citing active exploitation observed by Arctic Wolf and others; specific 2023-era attribution thin,2025-05-01,2023,False,False
CVE-2025-31324,SAP,NetWeaver,2025-04-24,2025-03-14,2025-04-24,0,-41,high,,https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/,SAP NetWeaver Visual Composer Metadata Uploader unauthenticated file upload pre-auth RCE; SAP emergency patch Apr 24 2025; Onapsis + ReliaQuest confirmed exploitation since mid-March 2025 (~5 weeks pre-disclosure) by initial access broker; CISA KEV-added Apr 29,2025-04-29,2025,True,True
CVE-2025-42599,Qualitia,Active! Mail,2025-04-18,2025-04-18,2025-04-21,0,0,high,,https://www.jpcert.or.jp/english/at/2025/at250010.html,Qualitia Active! Mail stack-based buffer overflow zero-day; Qualitia advisory Apr 21 2025; JPCERT/CC confirmed exploitation against multiple Japanese organizations,2025-04-28,2025,True,False
CVE-2025-3928,Commvault,Web Server,2025-04-25,2025-02-01,2025-04-25,0,-83,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-118a,Commvault Web Server unspecified flaw; Commvault patched Feb 27 2025; CISA AA25-118A May 7 2025 attributed nation-state exploitation of Commvault Azure environment since February 2025 against SaaS company,2025-04-28,2025,True,True
CVE-2025-1976,Broadcom,Brocade Fabric OS,2025-04-24,2025-04-17,2025-04-24,0,-7,high,,https://www.broadcom.com/support/fibre-channel-networking/security-advisories,Broadcom Brocade Fabric OS code injection; Brocade advisory Apr 17 2025; Broadcom confirmed in-wild exploitation against storage area network management,2025-04-28,2025,True,True
CVE-2025-31201,Apple,Multiple Products,2025-04-16,2025-04-16,2025-04-16,0,0,high,,https://support.apple.com/en-us/122282,Apple RPAC (Reactive Pointer Authentication Code) bypass zero-day; iOS 18.4.1 Apr 16 2025; chained with CVE-2025-31200 in sophisticated targeted attacks,2025-04-17,2025,True,False
CVE-2025-31200,Apple,Multiple Products,2025-04-16,2025-04-16,2025-04-16,0,0,high,,https://support.apple.com/en-us/122282,"Apple CoreAudio memory corruption zero-click RCE zero-day; iOS 18.4.1 Apr 16 2025 with Apple ""may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS""",2025-04-17,2025,True,False
CVE-2025-24054,Microsoft,Windows,2025-03-11,2025-03-19,2025-03-19,8,8,high,,https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/,Microsoft Windows NTLM hash disclosure spoofing; March 2025 Patch Tuesday; Check Point Research observed exploitation campaigns Mar 19-25 2025 targeting government and private entities in Poland and Romania via Dropbox-hosted ZIPs containing crafted .library-ms files,2025-04-17,2025,False,False
CVE-2021-20035,SonicWall,SMA100 Appliances,2021-09-27,2025-04-16,2025-04-16,1297,1297,medium,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20035,SonicWall SMA100 OS command injection (post-auth); SonicWall PSIRT advisory SNWLID-2021-0017 Sep 27 2021; CISA KEV-added Apr 16 2025 (~3.5 years late) noting exploitation observed by Arctic Wolf and others; KEV-fallback URL since no specific 2021-era attribution,2025-04-16,2021,False,False
CVE-2024-53197,Linux,Kernel,2024-12-27,2025-02-01,2025-04-09,36,36,high,,https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/,Linux Kernel ALSA USB-audio out-of-bounds; original kernel commit Dec 27 2024; Amnesty International Security Lab attributed Cellebrite exploitation against Serbian student activist Android phone Feb 2025; chain with CVE-2024-50302 and CVE-2024-53104,2025-04-09,2024,False,False
CVE-2024-53150,Linux,Kernel,2024-12-24,2025-04-09,2025-04-09,106,106,medium,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53150,Linux Kernel ALSA USB-audio out-of-bounds; original kernel commit Dec 24 2024; CISA KEV-added Apr 9 2025 with reports of forensic firm exploitation alongside other Linux USB stack CVEs,2025-04-09,2024,False,False
CVE-2025-30406,Gladinet,CentreStack,2025-04-03,2025-03-01,2025-04-03,0,-33,high,,https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild,Gladinet CentreStack/Triofox hardcoded machineKey ViewState deserialization RCE; CVE published Apr 3 2025; Huntress disclosed and observed exploitation since at least March 2025 (~1 month pre-disclosure) targeting MSP-managed file sharing infrastructure,2025-04-08,2025,True,True
CVE-2025-29824,Microsoft,Windows,2025-04-08,2025-04-08,2025-04-08,0,0,high,,https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/,"Microsoft Windows CLFS driver EoP zero-day; April 2025 Patch Tuesday; Microsoft attributed Storm-2460 exploitation deploying PipeMagic loader and RansomEXX ransomware against US IT, real estate, finance, and Venezuelan retail; chained with PipeMagic",2025-04-08,2025,True,False
CVE-2025-31161,CrushFTP,CrushFTP,2025-04-03,2025-04-03,2025-04-03,0,0,high,,https://www.huntress.com/blog/crushftp-cve-2025-31161,CrushFTP authentication bypass zero-day; CrushFTP advisory Apr 3 2025; Huntress observed in-wild exploitation at disclosure targeting Internet-exposed CrushFTP instances; CISA KEV-added Apr 7,2025-04-07,2025,True,False
CVE-2025-22457,Ivanti,"Connect Secure, Policy Secure, and ZTA Gateways",2025-04-03,2025-03-15,2025-04-03,0,-19,high,,https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/,Ivanti Connect Secure/Policy Secure/ZTA Gateway buffer overflow; silent patch Feb 11 2025 in 22.7R2.6; Ivanti disclosed exploitation Apr 3 2025; Mandiant attributed UNC5221 China-nexus exploitation since mid-March 2025 with TRAILBLAZE/BRUSHFIRE in-memory implants,2025-04-04,2025,True,True
CVE-2025-24813,Apache,Tomcat,2025-03-10,2025-03-17,2025-03-17,7,7,high,,https://www.wallarm.com/blog/cve-2025-24813-rce-in-apache-tomcat,Apache Tomcat partial PUT and path equivalence RCE; Apache advisory Mar 10 2025; Wallarm and others observed exploitation Mar 17 onwards via deserialization of session files,2025-04-01,2025,False,False
CVE-2024-20439,Cisco,Smart Licensing Utility,2024-09-04,2025-03-31,2025-03-31,208,208,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20439,Cisco Smart Licensing Utility (CSLU) hardcoded static credentials; Cisco advisory Sep 4 2024; CISA KEV-added Mar 31 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-03-31,2024,False,False
CVE-2025-2783,Google,Chromium Mojo,2025-03-26,2025-03-24,2025-03-25,0,-2,high,,https://securelist.com/operation-forumtroll/116232/,"Chromium Mojo sandbox escape zero-day; Google Stable Channel update Mar 25 2025; Kaspersky GReAT attributed exploitation to Operation ForumTroll (suspected TaxOff group) targeting Russian government, media, financial sector via spear-phishing with malicious URLs",2025-03-27,2025,True,True
CVE-2019-9875,Sitecore,CMS and Experience Platform (XP),2019-05-31,2025-03-26,2025-03-26,2126,2126,medium,,https://kb.sitecore.net/articles/548120,Sitecore CMS/XP AntiCSRF deserialization companion; KEV-added 2025-03-26,2025-03-26,2019,False,False
CVE-2019-9874,Sitecore,CMS and Experience Platform (XP),2019-05-31,2025-03-26,2025-03-26,2126,2126,medium,,https://kb.sitecore.net/articles/824478,Sitecore CMS/XP Sitecore.Security.AntiCSRF deserialization RCE; KEV-added 2025-03-26,2025-03-26,2019,False,False
CVE-2025-30154,reviewdog,action-setup GitHub Action,2025-03-19,2025-03-11,2025-03-19,0,-8,high,,https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction-setup,reviewdog/action-setup GitHub Action supply chain compromise; Mar 11 2025 attack led to subsequent tj-actions/changed-files compromise CVE-2025-30066; CISA Mar 18 advisory,2025-03-24,2025,True,True
CVE-2025-1316,Edimax,IC-7100 IP Camera,2025-03-04,2024-05-01,2025-03-04,0,-307,high,,https://www.akamai.com/blog/security-research/march-edimax-cameras-command-injection-mirai,Edimax IC-7100 IP Camera OS command injection; CISA ICSA-25-063-01 Mar 4 2025; Akamai SIRT attributed Mirai variant botnet exploitation since May 2024 (~10 months pre-disclosure) targeting EOL camera devices,2025-03-19,2025,True,True
CVE-2024-48248,NAKIVO,Backup and Replication,2025-03-04,2025-03-19,2025-03-19,15,15,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-48248,NAKIVO Backup and Replication path traversal pre-auth file disclosure; NAKIVO advisory Mar 4 2025; CISA KEV-added Mar 19 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-03-19,2024,False,False
CVE-2025-30066,tj-actions,changed-files GitHub Action,2025-03-15,2025-03-14,2025-03-15,0,-1,high,,https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction-setup,"tj-actions/changed-files GitHub Action supply chain attack; CISA Mar 18 2025 advisory; malicious commits pushed Mar 14-15 to leak CI/CD secrets from ~23,000 repositories via mutated tag references; CISA KEV-added Mar 18",2025-03-18,2025,True,True
CVE-2025-24472,Fortinet,FortiOS and FortiProxy,2025-02-11,2024-11-16,2025-02-11,0,-87,high,,https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/,Fortinet FortiOS/FortiProxy authentication bypass via crafted CSF proxy requests; Feb 11 2025 added to existing CVE-2024-55591 advisory after Forescout/Arctic Wolf identified second flaw exploited since Nov 16 2024 (~3 months pre-disclosure),2025-03-18,2025,True,True
CVE-2025-24201,Apple,Multiple Products,2025-03-11,2025-03-11,2025-03-11,0,0,high,,https://support.apple.com/en-us/122281,"Apple WebKit out-of-bounds write zero-day; iOS 18.3.2 Mar 11 2025 with Apple ""may have been exploited in extremely sophisticated attacks against specific targeted individuals on iOS versions before iOS 17.2""",2025-03-13,2025,True,False
CVE-2025-21590,Juniper,Junos OS,2025-03-12,2024-12-01,2025-03-12,0,-101,high,,https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-juniper-routers,Juniper Junos OS improper process isolation kernel injection; Juniper out-of-cycle bulletin Mar 12 2025; Mandiant attributed UNC3886 (China-nexus) exploitation since at least late 2024 against Juniper MX routers with custom TINYSHELL backdoors,2025-03-13,2025,True,True
CVE-2025-26633,Microsoft,Windows,2025-03-11,2024-01-01,2025-03-11,0,-435,high,,https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html,"Microsoft Management Console (MMC) security feature bypass zero-day ""MSC EvilTwin""; March 2025 Patch Tuesday; Trend Micro ZDI attributed Water Gamayun (suspected Russian) exploitation since at least January 2024 (~14 months pre-disclosure) via crafted MSC files",2025-03-11,2025,True,True
CVE-2025-24993,Microsoft,Windows,2025-03-11,2025-03-11,2025-03-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24993,"Microsoft Windows NTFS RCE zero-day; March 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-03-11,2025,True,False
CVE-2025-24991,Microsoft,Windows,2025-03-11,2025-03-11,2025-03-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24991,"Microsoft Windows NTFS information disclosure zero-day; March 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-03-11,2025,True,False
CVE-2025-24985,Microsoft,Windows,2025-03-11,2025-03-11,2025-03-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24985,"Microsoft Windows Fast FAT file system driver RCE zero-day; March 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-03-11,2025,True,False
CVE-2025-24984,Microsoft,Windows,2025-03-11,2025-03-11,2025-03-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24984,"Microsoft Windows NTFS information disclosure zero-day; March 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-03-11,2025,True,False
CVE-2025-24983,Microsoft,Windows,2025-03-11,2023-03-01,2025-03-11,0,-741,high,,https://www.welivesecurity.com/en/eset-research/back-mic-windows-zero-day-vulnerability-cve-2025-24983-exploited-pipemagic/,Windows Win32 Kernel subsystem EoP zero-day; March 2025 Patch Tuesday; ESET attributed exploitation since March 2023 (~2 years pre-disclosure) by PipeMagic malware operator chained with RansomEXX deployment,2025-03-11,2025,True,True
CVE-2025-25181,Advantive,VeraCore,2025-02-03,2020-01-01,2025-02-03,0,-1860,high,,https://intezer.com/blog/research/xe-group-veracore-exploitation/,Advantive VeraCore SQL injection in timeoutWarning.asp; Intezer + Solis Security disclosed Feb 5 2025 attributing Vietnamese XE Group exploitation since at least 2020 (~5 years pre-disclosure) with persistent webshells against supply chain and manufacturing,2025-03-10,2025,True,True
CVE-2024-57968,Advantive,VeraCore,2025-02-03,2025-01-01,2025-03-10,0,-33,high,,https://intezer.com/blog/research/xe-group-veracore-exploitation/,Advantive VeraCore unrestricted file upload; Intezer Mar 10 2025 attributed XE Group (Vietnamese-speaking) supply-chain exploitation since at least Jan 2025 targeting supply chain manufacturing and distribution sectors,2025-03-10,2024,True,True
CVE-2024-13161,Ivanti,Endpoint Manager (EPM),2025-01-14,2025-03-10,2025-03-10,55,55,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161,Ivanti EPM absolute path traversal companion; Ivanti advisory Jan 14 2025; CISA KEV-added Mar 10 2025; KEV-fallback,2025-03-10,2024,False,False
CVE-2024-13160,Ivanti,Endpoint Manager (EPM),2025-01-14,2025-03-10,2025-03-10,55,55,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13160,Ivanti EPM absolute path traversal companion; Ivanti advisory Jan 14 2025; CISA KEV-added Mar 10 2025; KEV-fallback,2025-03-10,2024,False,False
CVE-2024-13159,Ivanti,Endpoint Manager (EPM),2025-01-14,2025-03-10,2025-03-10,55,55,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159,Ivanti EPM absolute path traversal; Ivanti advisory Jan 14 2025; CISA KEV-added Mar 10 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-03-10,2024,False,False
CVE-2025-22226,VMware,"ESXi, Workstation, and Fusion",2025-03-04,2025-03-04,2025-03-04,0,0,high,,https://www.vmware.com/security/advisories/VMSA-2025-0004.html,Broadcom VMware ESXi information disclosure zero-day; VMSA-2025-0004 Mar 4 2025; MSTIC reported in-the-wild exploitation; ESXi hypervisor breakout chain component,2025-03-04,2025,True,False
CVE-2025-22225,VMware,ESXi,2025-03-04,2025-03-04,2025-03-04,0,0,high,,https://www.vmware.com/security/advisories/VMSA-2025-0004.html,Broadcom VMware ESXi arbitrary write zero-day; VMSA-2025-0004 Mar 4 2025; MSTIC reported in-the-wild exploitation; companion to CVE-2025-22224,2025-03-04,2025,True,False
CVE-2025-22224,VMware,ESXi and Workstation,2025-03-04,2025-03-04,2025-03-04,0,0,high,,https://www.vmware.com/security/advisories/VMSA-2025-0004.html,Broadcom VMware ESXi/Workstation TOCTOU race condition VMX escape zero-day; Broadcom VMSA-2025-0004 Mar 4 2025; Microsoft Threat Intelligence Center reported in-the-wild exploitation; chained with CVE-2025-22225/22226 for full hypervisor breakout,2025-03-04,2025,True,False
CVE-2024-50302,Linux,Kernel,2024-11-19,2025-03-04,2025-03-04,105,105,high,,https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/,Linux Kernel HID-core report buffer leak; Amnesty International Security Lab attributed Cellebrite/Serbian forensic firm exploitation against Serbian student activist Android phone in Feb 2025; chained with CVE-2024-53104 and CVE-2024-53197,2025-03-04,2024,False,False
CVE-2024-4885,Progress,WhatsUp Gold,2024-06-25,2025-03-03,2025-03-03,251,251,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4885,Progress WhatsUp Gold path traversal RCE via Iperov Server credentials; Progress advisory Jun 25 2024; CISA KEV-added Mar 3 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-03-03,2024,False,False
CVE-2023-20118,Cisco,Small Business RV Series Routers,2023-04-05,2025-03-03,2025-03-03,698,698,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20118,Cisco Small Business RV Series Routers authenticated command injection; Cisco advisory Apr 5 2023; CISA KEV-added Mar 3 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-03-03,2023,False,False
CVE-2022-43939,Hitachi Vantara,Pentaho Business Analytics (BA) Server,2023-04-03,2025-03-03,2025-03-03,700,700,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43939,Hitachi Vantara Pentaho BA Server authorization bypass via non-canonical URL paths; Hitachi advisory Apr 3 2023 (Fortra/Harold Logan); CISA KEV-added Mar 3 2025 with no specific public exploitation attribution; KEV-fallback,2025-03-03,2022,False,False
CVE-2022-43769,Hitachi Vantara,Pentaho Business Analytics (BA) Server,2023-04-03,2025-03-03,2025-03-03,700,700,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43769,Hitachi Vantara Pentaho BA Server Server-Side Template Injection (Velocity); Hitachi advisory Apr 3 2023; CISA KEV-added Mar 3 2025 with no specific public exploitation attribution; KEV-fallback,2025-03-03,2022,False,False
CVE-2018-8639,Microsoft,Windows,2018-12-12,2023-02-13,2023-02-13,1524,1524,medium,Yes,https://asec.ahnlab.com/en/47455/,Windows Win32k EoP zero-day; Microsoft MSRC advisory CVE-2018-8639 marked exploited at time of December 2018 Patch Tuesday release,2025-03-03,2018,False,False
CVE-2024-49035,Microsoft,Partner Center,2024-11-26,2025-02-25,2025-02-25,91,91,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-49035,Microsoft Partner Center improper access control allowing privilege escalation; Nov 26 2024 advisory; CISA KEV-added Feb 25 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-02-25,2024,False,False
CVE-2023-34192,Synacor,Zimbra Collaboration Suite (ZCS),2023-07-06,2025-02-25,2025-02-25,600,600,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-34192,Synacor Zimbra Collaboration Suite XSS in /h/autoSaveDraft; Zimbra advisory Jul 6 2023; CISA KEV-added Feb 25 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-02-25,2023,False,False
CVE-2024-20953,Oracle,Agile Product Lifecycle Management (PLM),2024-02-17,2025-02-24,2025-02-24,373,373,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20953,Oracle Agile PLM deserialization RCE; Oracle CPU Jan 16 2024; CISA KEV-added Feb 24 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-02-24,2024,False,False
CVE-2025-24989,Microsoft,Power Pages,2025-02-19,2025-02-01,2025-02-19,0,-18,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989,Microsoft Power Pages improper access control zero-day; Microsoft Feb 19 2025 advisory acknowledged limited targeted exploitation; reported by Microsoft Threat Intelligence,2025-02-21,2025,True,True
CVE-2025-23209,Craft CMS,Craft CMS,2025-01-18,2025-01-17,2025-01-18,0,-1,high,,https://censys.com/advisory/cve-2025-23209,Craft CMS code injection RCE via crafted user template; Craft CMS advisory Jan 17 2025; Censys observed mass exploitation; CISA KEV-added Feb 20 2025,2025-02-20,2025,True,True
CVE-2025-0111,Palo Alto Networks,PAN-OS,2025-02-12,2025-02-19,2025-02-19,7,7,high,,https://security.paloaltonetworks.com/CVE-2025-0111,Palo Alto PAN-OS authenticated file read; PAN advisory Feb 12 2025; PAN warned Feb 19-20 of active chaining exploitation with CVE-2025-0108 and CVE-2024-9474 for full firewall takeover,2025-02-20,2025,False,False
CVE-2025-0108,Palo Alto Networks,PAN-OS,2025-02-12,2025-02-13,2025-02-13,1,1,high,,https://security.paloaltonetworks.com/CVE-2025-0108,Palo Alto PAN-OS management web interface authentication bypass; PAN advisory Feb 12 2025; Shadowserver/GreyNoise observed mass exploitation from Feb 13 chained with CVE-2025-0111 for unauthenticated config disclosure,2025-02-18,2025,False,False
CVE-2024-53704,SonicWall,SonicOS,2025-01-09,2025-02-18,2025-02-18,40,40,high,,https://arcticwolf.com/resources/blog/sonicwall-sslvpn-exploited-cve-2024-53704/,SonicWall SonicOS SSL VPN authentication bypass; SonicWall PSIRT SNWLID-2025-0003 Jan 9 2025; Bishop Fox PoC Feb 10; Arctic Wolf observed Abyss/Akira/Fog ransomware exploitation from Feb 18,2025-02-18,2024,False,False
CVE-2024-57727,SimpleHelp,SimpleHelp,2025-01-15,2025-01-22,2025-02-13,7,7,high,,https://arcticwolf.com/resources/blog/cleo-cve-2024-50623/,SimpleHelp remote support software path traversal pre-auth file disclosure; SimpleHelp advisory Jan 15 2025; Arctic Wolf attributed exploitation since Jan 22 2025 by DragonForce ransomware affiliate via RMM tool abuse against MSP customers,2025-02-13,2024,False,False
CVE-2025-24200,Apple,iOS and iPadOS,2025-02-10,2025-02-10,2025-02-10,0,0,high,,https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-spyware-found-on-european-journalists-iphones/,Apple iOS USB Restricted Mode bypass zero-day; iOS 18.3.1 Feb 10 2025; Citizen Lab confirmed sophisticated targeted attacks against specific individuals; later linked to Paragon Graphite spyware,2025-02-12,2025,True,False
CVE-2024-41710,Mitel,SIP Phones,2024-08-12,2025-02-12,2025-02-12,184,184,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-41710,Mitel SIP phones argument injection in firmware update parameter; Mitel advisory Aug 12 2024; CISA KEV-added Feb 12 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-02-12,2024,False,False
CVE-2025-21418,Microsoft,Windows,2025-02-11,2025-02-11,2025-02-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418,"Microsoft Windows AFD.sys EoP zero-day; February 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-02-11,2025,True,False
CVE-2025-21391,Microsoft,Windows,2025-02-11,2025-02-11,2025-02-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21391,"Microsoft Windows Storage EoP zero-day; February 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2025-02-11,2025,True,False
CVE-2024-40891,Zyxel,DSL CPE Devices,2025-02-04,2025-01-28,2025-02-04,0,-7,high,,https://www.greynoise.io/blog/zyxel-cve-2024-40890-and-cve-2024-40891-mass-exploitation,Zyxel DSL CPE devices command injection companion to CVE-2024-40890; same GreyNoise/Censys Mirai botnet exploitation Jan-Feb 2025,2025-02-11,2024,True,True
CVE-2024-40890,Zyxel,DSL CPE Devices,2025-02-04,2025-01-28,2025-02-04,0,-7,high,,https://www.greynoise.io/blog/zyxel-cve-2024-40890-and-cve-2024-40891-mass-exploitation,Zyxel DSL CPE devices CGI command injection; GreyNoise/Censys observed mass exploitation Jan-Feb 2025 by Mirai variant botnet against ~1500 internet-exposed Zyxel routers; CISA KEV-added Feb 11,2025-02-11,2024,True,True
CVE-2025-0994,Trimble,Cityworks,2025-02-06,2025-01-01,2025-02-06,0,-36,high,,https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/,Trimble Cityworks .NET deserialization RCE; Trimble advisory Feb 6 2025; Cisco Talos May 22 2025 attributed UAT-6382 (suspected China-nexus) exploitation since January 2025 (~1 month pre-disclosure) against US local government via Cobalt Strike and VShell,2025-02-07,2025,True,True
CVE-2025-0411,7-Zip,7-Zip,2025-01-25,2024-09-25,2025-01-25,0,-122,high,,https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html,7-Zip Mark of the Web bypass zero-day; patched Nov 30 2024 in v24.09 silently; publicly disclosed Jan 24 2025; Trend Micro ZDI attributed exploitation since Sep 25 2024 (~4 months pre-disclosure) targeting Ukrainian government and businesses by suspected Russian actors,2025-02-06,2025,True,True
CVE-2024-21413,Microsoft,Office Outlook,2024-02-13,2025-02-06,2025-02-06,359,359,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21413,Microsoft Outlook MonikerLink RCE; Check Point disclosed Feb 13 2024; CISA KEV-added Feb 6 2025 with no specific public exploitation attribution at addition; KEV-fallback,2025-02-06,2024,False,False
CVE-2022-23748,Audinate,Dante Discovery,2022-11-17,2025-02-06,2025-02-06,812,812,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23748,Audinate Dante Discovery mDNS service DLL hijacking; Audinate advisory Nov 17 2022; CISA KEV-added Feb 6 2025 with no specific public exploitation attribution; KEV-fallback,2025-02-06,2022,False,False
CVE-2020-29574,Sophos,CyberoamOS,2020-12-11,2025-02-06,2025-02-06,1518,1518,medium,,https://www.sophos.com/en-us/security-advisories/sophos-sa-20201207-cyberoam,Sophos CyberoamOS SQLi; KEV-added 2025-02-06 retrospective,2025-02-06,2020,False,False
CVE-2020-15069,Sophos,XG Firewall,2020-06-29,2020-04-25,2025-02-06,0,-65,medium,,https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/,Sophos XG Firewall buffer overflow in HTTP/S Bookmarks; linked to Asnarok campaign by Chinese state-sponsored actors; Sophos published advisory June 30 2020; CISA KEV add Feb 6 2025,2025-02-06,2020,True,True
CVE-2024-53104,Linux,Kernel,2024-12-02,2025-02-05,2025-02-05,65,65,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53104,Linux Kernel media UVC driver out-of-bounds write; original kernel commit Dec 2 2024; CISA KEV-added Feb 5 2025 with no specific public exploitation attribution; KEV-fallback (suspected forensic firm exploitation),2025-02-05,2024,False,False
CVE-2024-45195,Apache,OFBiz,2024-09-04,2025-02-04,2025-02-04,153,153,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-45195,Apache OFBiz pre-authentication RCE via view name parameter; Apache advisory Sep 4 2024; CISA KEV-added Feb 4 2025 with no specific public attribution; KEV-fallback,2025-02-04,2024,False,False
CVE-2024-29059,Microsoft,.NET Framework,2024-03-22,2025-02-04,2025-02-04,319,319,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-29059,Microsoft .NET Framework information disclosure (ObjectRef leak); Mar 12 2024 Patch Tuesday; CISA KEV-added Feb 4 2025 with no specific public exploitation attribution; KEV-fallback,2025-02-04,2024,False,False
CVE-2018-9276,Paessler,PRTG Network Monitor,2018-07-02,2025-02-04,2025-02-04,2409,2409,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-9276,PRTG Network Monitor command injection; no specific threat-intel report documenting in-the-wild exploitation found; CISA KEV is only documented evidence,2025-02-04,2018,False,False
CVE-2018-19410,Paessler,PRTG Network Monitor,2018-11-21,2025-02-04,2025-02-04,2267,2267,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-19410,PRTG Network Monitor LFI/unauth admin user creation; CISA KEV added Feb 4 2025; no specific contemporary threat-intel report documenting in-wild exploitation found beyond KEV add,2025-02-04,2018,False,False
CVE-2025-24085,Apple,Multiple Products,2025-01-27,2024-12-01,2025-01-27,0,-57,high,,https://support.apple.com/en-us/121838,"Apple CoreMedia use-after-free zero-day; iOS 18.3 Jan 27 2025 with Apple ""may have been actively exploited against versions of iOS before iOS 17.2""; reported anonymously",2025-01-29,2025,True,True
CVE-2025-23006,SonicWall,SMA1000 Appliances,2025-01-23,2025-01-22,2025-01-23,0,-1,high,,https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002,SonicWall SMA1000 pre-auth deserialization RCE zero-day; SonicWall PSIRT SNWLID-2025-0002 Jan 22 2025; Microsoft Threat Intelligence Center reported possible active exploitation as zero-day,2025-01-24,2025,True,True
CVE-2020-11023,JQuery,JQuery,2020-04-29,2024-02-01,2025-01-23,1373,1373,high,,https://thehackernews.com/2025/01/cisa-adds-five-year-old-jquery-xss-flaw.html,jQuery XSS via crafted <option> HTML in DOM manipulation methods; EclecticIQ reported Feb 2024 that C2 infrastructure of malicious Ivanti exploitation campaign ran vulnerable jQuery exploiting CVE-2020-11023 + CVE-2020-11022 + CVE-2019-11358,2025-01-23,2020,False,False
CVE-2024-50603,Aviatrix,Controllers,2025-01-08,2025-01-16,2025-01-16,8,8,high,,https://www.wiz.io/blog/cve-2024-50603-aviatrix-network-controller-rce,Aviatrix Controllers OS command injection pre-auth RCE; Aviatrix advisory Jan 8 2025; Wiz Threat Research observed exploitation from Jan 16 deploying Sliver C2 and XMRig cryptominer on compromised cloud Aviatrix instances,2025-01-16,2024,False,False
CVE-2025-21335,Microsoft,Windows,2025-01-14,2025-01-14,2025-01-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335,"Microsoft Windows Hyper-V NT Kernel Integration VSP EoP zero-day; January 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; companion to CVE-2025-21333/21334",2025-01-14,2025,True,False
CVE-2025-21334,Microsoft,Windows,2025-01-14,2025-01-14,2025-01-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21334,"Microsoft Windows Hyper-V NT Kernel Integration VSP EoP zero-day; January 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; companion to CVE-2025-21333",2025-01-14,2025,True,False
CVE-2025-21333,Microsoft,Windows,2025-01-14,2025-01-14,2025-01-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333,"Microsoft Windows Hyper-V NT Kernel Integration VSP EoP zero-day; January 2025 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported anonymously",2025-01-14,2025,True,False
CVE-2024-55591,Fortinet,FortiOS and FortiProxy,2025-01-14,2024-11-16,2025-01-14,0,-59,high,,https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/,Fortinet FortiOS/FortiProxy node.js websocket module authentication bypass; Fortinet PSIRT FG-IR-24-535 Jan 14 2025; Arctic Wolf attributed exploitation since Nov 16 2024 (~2 months pre-disclosure) by unattributed threat actor creating admin accounts,2025-01-14,2024,True,True
CVE-2024-12686,BeyondTrust,Privileged Remote Access (PRA) and Remote Support (RS),2024-12-18,2024-12-13,2024-12-18,0,-5,high,,https://www.beyondtrust.com/remote-support-saas-service-security-investigation,BeyondTrust PRA/RS command injection companion to CVE-2024-12356; BeyondTrust BT24-11 Dec 18 2024; chained by Silk Typhoon in Treasury attack; CISA KEV-added Jan 13 2025,2025-01-13,2024,True,True
CVE-2023-48365,Qlik,Sense,2023-11-15,2023-11-30,2023-11-30,15,15,high,,https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/,Qlik Sense HTTP tunneling unauthorized request execution (patch bypass of CVE-2023-41265); Qlik advisory Nov 15 2023; Arctic Wolf observed Cactus ransomware exploitation from late Nov 2023 against ~130 Internet-exposed Qlik instances,2025-01-13,2023,False,False
CVE-2025-0282,Ivanti,"Connect Secure, Policy Secure, and ZTA Gateways",2025-01-08,2024-12-15,2025-01-08,0,-24,high,,https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day/,Ivanti Connect Secure stack-based buffer overflow zero-day; Ivanti advisory Jan 8 2025; Mandiant attributed UNC5337 (related to UNC5221 China-nexus) exploitation since mid-December 2024 (~3 weeks pre-disclosure) with SPAWNCHIMERA tool family,2025-01-08,2025,True,True
CVE-2024-55550,Mitel,MiCollab,2024-12-10,2025-01-07,2025-01-07,28,28,medium,,https://labs.watchtowr.com/exploit-mitel-micollab-path-traversal-cve-2024-41713/,Mitel MiCollab path traversal companion to CVE-2024-41713; same watchTowr Dec 5 2024 chain; CISA KEV-added Jan 7 2025,2025-01-07,2024,False,False
CVE-2024-41713,Mitel,MiCollab,2024-10-21,2025-01-07,2025-01-07,78,78,medium,,https://labs.watchtowr.com/exploit-mitel-micollab-path-traversal-cve-2024-41713/,Mitel MiCollab path traversal allowing unauthorized file access; watchTowr published Dec 5 2024 attempting to chain with CVE-2024-55550 for full RCE bypass; CISA KEV-added Jan 7 2025 with reports of exploitation,2025-01-07,2024,False,False
CVE-2020-2883,Oracle,WebLogic Server,2020-04-15,2020-04-29,2020-05-01,14,14,high,,https://www.tenable.com/blog/cve-2020-2883-oracle-weblogic-deserialization-vulnerability-exploited-in-the-wild,Oracle WebLogic Coherence deserialization via T3 port; Oracle CPU Apr 14 2020; CISA published alert May 1 2020 about active exploitation reported by Oracle; Tenable detailed analysis May 14 2020,2025-01-07,2020,False,False
CVE-2024-3393,Palo Alto Networks,PAN-OS,2024-12-27,2024-11-26,2024-12-27,0,-31,high,,https://security.paloaltonetworks.com/CVE-2024-3393,Palo Alto Networks PAN-OS DNS Security parsing denial of service zero-day; PAN advisory Dec 27 2024; PAN acknowledged ongoing exploitation since at least Nov 26 2024 (~1 month pre-disclosure) causing firewall reboots,2024-12-30,2024,True,True
CVE-2021-44207,Acclaim Systems,USAHERDS,2021-12-21,2021-05-01,2022-03-08,0,-234,high,,https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments,Acclaim USAHERDS hardcoded ValidationKey/DecryptionKey ASP.NET ViewState deserialization to RCE; Mandiant attributed APT41 (China state-sponsored) exploitation against multiple US state government networks beginning May 2021 (~7 months pre-disclosure); CVE assigned Dec 2021,2024-12-23,2021,True,True
CVE-2024-12356,BeyondTrust,Privileged Remote Access (PRA) and Remote Support,2024-12-17,2024-12-08,2024-12-17,0,-9,high,,https://www.beyondtrust.com/remote-support-saas-service-security-investigation,BeyondTrust Privileged Remote Access/Remote Support command injection zero-day; BeyondTrust BT24-10 Dec 17 2024; US Treasury OFAC disclosed Dec 30 attributing exploitation to Silk Typhoon (China-nexus) since Dec 8 2024 targeting Treasury Department workstations via stolen API key,2024-12-19,2024,True,True
CVE-2022-23227,NUUO,NVRmini2 Devices,2022-01-14,2024-12-18,2024-12-18,1069,1069,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23227,NUUO NVRmini2 missing authentication and hardcoded credentials; disclosed Jan 14 2022; CISA KEV-added Dec 18 2024 with no specific public exploitation attribution; KEV-fallback,2024-12-18,2022,False,False
CVE-2021-40407,Reolink,RLC-410W IP Camera,2022-01-28,2024-12-18,2024-12-18,1055,1055,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40407,"Reolink RLC-410W OS command injection (TALOS-2021-1424 disclosed Jan 2022); CISA KEV-added Dec 18 2024 with no public third-party exploitation report; EoL product, KEV-fallback",2024-12-18,2021,False,False
CVE-2019-11001,Reolink,Multiple IP Cameras,2019-04-08,2024-12-18,2024-12-18,2081,2081,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11001,Reolink IP cameras authenticated OS command injection; CISA KEV add 2024-12-18; no specific contemporary threat-intel report found documenting in-the-wild exploitation - only KEV add,2024-12-18,2019,False,False
CVE-2018-14933,NUUO,NVRmini Devices,2018-08-04,2020-04-26,2020-04-26,631,631,low,Yes,https://www.cvedetails.com/cve/CVE-2018-14933/,NUUO NVRmini OS command injection; no specific contemporary threat-intel report documenting in-the-wild exploitation; CISA KEV is only documented evidence,2024-12-18,2018,False,False
CVE-2024-55956,Cleo,Multiple Products,2024-12-13,2024-12-08,2024-12-13,0,-5,high,,https://www.huntress.com/blog/cleo-cve-2024-55956,Cleo Harmony/VLTrader/LexiCom unrestricted file upload zero-day discovered after CVE-2024-50623 patch bypass; Cleo emergency patch Dec 13 2024; Cl0p ransomware exploitation since Dec 8; Cl0p later claimed responsibility for Cleo intrusions,2024-12-17,2024,True,True
CVE-2024-35250,Microsoft,Windows,2024-06-11,2024-06-11,2024-06-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35250,Windows Kernel-Mode Driver EoP zero-day demonstrated at Pwn2Own Vancouver 2024 by DEVCORE; June 2024 Patch Tuesday; CISA KEV-added Dec 16 2024 with reports of in-the-wild exploitation,2024-12-16,2024,True,False
CVE-2024-20767,Adobe,ColdFusion,2024-03-18,2024-12-16,2024-12-16,273,273,medium,,https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html,Adobe ColdFusion improper access control allowing arbitrary file read; Adobe APSB24-14 Mar 12 2024; CISA KEV-added Dec 16 2024 with reports of in-the-wild exploitation though no specific public attribution,2024-12-16,2024,False,False
CVE-2024-50623,Cleo,Multiple Products,2024-10-27,2024-12-03,2024-12-03,37,37,high,,https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild,Cleo Harmony/VLTrader/LexiCom file transfer pre-auth RCE; Cleo advisory Oct 27 2024 (initial patch incomplete); Huntress disclosed Dec 9 attributing Cl0p ransomware operator exploitation since Dec 3 2024 targeting MFT-style file transfer products,2024-12-13,2024,False,False
CVE-2024-49138,Microsoft,Windows,2024-12-10,2024-12-10,2024-12-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49138,"Windows Common Log File System (CLFS) driver EoP zero-day; December 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by CrowdStrike Advanced Research Team",2024-12-10,2024,True,False
CVE-2024-51378,CyberPersons,CyberPanel,2024-10-29,2024-10-29,2024-10-29,0,0,high,,https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce,"CyberPersons CyberPanel authentication bypass plus command injection in upgrademysqlstatus endpoint; researcher DreyAnd disclosed Oct 29 2024; PSAUX ransomware operator mass exploitation observed within hours encrypting ~22,000 Internet-exposed CyberPanel instances",2024-12-04,2024,True,False
CVE-2024-11680,ProjectSend,ProjectSend,2024-11-26,2024-09-01,2024-11-26,0,-86,high,,https://vulncheck.com/blog/projectsend-cve-2024-11680,"ProjectSend improper authentication; Synacktiv disclosure May 16 2024; VulnCheck Nov 26 attributed widespread exploitation since September 2024 by botnet operators creating malicious admin accounts on ~99,000 internet-exposed ProjectSend instances",2024-12-03,2024,True,True
CVE-2024-11667,Zyxel,Multiple Firewalls,2024-11-27,2024-12-03,2024-12-03,6,6,high,,https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/,Zyxel ATP/USG FLEX/VPN firewalls directory traversal in web management interface; Zyxel advisory Nov 27 2024; Sektor7 Institute/Sekoia observed Helldown ransomware exploitation from early December targeting Zyxel firewalls in Germany,2024-12-03,2024,False,False
CVE-2023-45727,North Grid,Proself,2023-10-18,2024-12-03,2024-12-03,412,412,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-45727,North Grid Proself improper XXE; North Grid advisory Oct 18 2023; CISA KEV-added Dec 3 2024 with no specific public exploitation attribution at addition; KEV-fallback (later loosely tied to MirrorFace campaign),2024-12-03,2023,False,False
CVE-2023-28461,Array Networks,AG/vxAG ArrayOS,2023-03-15,2024-11-25,2024-11-25,621,621,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28461,Array Networks AG/vxAG ArrayOS authentication bypass; Array Networks advisory Mar 9 2023; CISA KEV-added Nov 25 2024 with no specific public exploitation attribution at addition; KEV-fallback (later loosely tied to Earth Kasha campaign),2024-11-25,2023,False,False
CVE-2024-44309,Apple,Multiple Products,2024-11-19,2024-11-19,2024-11-19,0,0,high,,https://support.apple.com/en-us/121753,Apple WebKit cookie management XSS zero-day; iOS 18.1.1/macOS 15.1.1 Nov 19 2024 with Apple ITW acknowledgement; chained with CVE-2024-44308 for arbitrary code execution; reported by Google TAG,2024-11-21,2024,True,False
CVE-2024-44308,Apple,Multiple Products,2024-11-19,2024-11-19,2024-11-19,0,0,high,,https://support.apple.com/en-us/121753,Apple JavaScriptCore arbitrary code execution zero-day; iOS 18.1.1/macOS 15.1.1 Nov 19 2024 with Apple ITW acknowledgement; reported by Clement Lecigne and Benoît Sevens of Google TAG,2024-11-21,2024,True,False
CVE-2024-21287,Oracle,Agile Product Lifecycle Management,2024-11-18,2024-11-18,2024-11-18,0,0,high,,https://www.oracle.com/security-alerts/alert-cve-2024-21287.html,Oracle Agile Product Lifecycle Management (PLM) Framework file disclosure zero-day; Oracle alert Nov 18 2024 acknowledged ongoing in-the-wild exploitation; CrowdStrike disclosed and observed exploitation,2024-11-21,2024,True,False
CVE-2024-38813,VMware,vCenter Server,2024-09-17,2024-09-17,2024-09-17,0,0,medium,,https://www.vmware.com/security/advisories/VMSA-2024-0019.html,VMware vCenter Server privilege escalation companion to CVE-2024-38812; Broadcom VMSA-2024-0019 Sep 17 2024; chained for RCE; CISA KEV-added Nov 20 confirming exploitation,2024-11-20,2024,True,False
CVE-2024-38812,VMware,vCenter Server,2024-09-17,2024-09-17,2024-09-17,0,0,medium,,https://www.vmware.com/security/advisories/VMSA-2024-0019.html,VMware vCenter Server DCERPC heap-based buffer overflow; Broadcom VMSA-2024-0019 Sep 17 2024; Broadcom updated advisory Nov 18 confirming exploitation in the wild,2024-11-20,2024,True,False
CVE-2024-9474,Palo Alto Networks,PAN-OS,2024-11-18,2024-11-18,2024-11-18,0,0,high,,https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/,Palo Alto Networks PAN-OS privilege escalation zero-day; PAN advisory Nov 18 2024; chained with CVE-2024-0012 for unauthenticated RCE; Unit 42 attributed Operation Lunar Peek to suspected nation-state actor,2024-11-18,2024,True,False
CVE-2024-1212,Progress,Kemp LoadMaster,2024-02-21,2024-11-18,2024-11-18,271,271,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1212,Progress Kemp LoadMaster OS command injection; Progress advisory Feb 22 2024; CISA KEV-added Nov 18 2024 with no specific public exploitation attribution at addition; KEV-fallback,2024-11-18,2024,False,False
CVE-2024-0012,Palo Alto Networks,PAN-OS,2024-11-18,2024-11-18,2024-11-18,0,0,high,,https://security.paloaltonetworks.com/CVE-2024-0012,Palo Alto Networks PAN-OS management interface authentication bypass zero-day; PAN advisory Nov 18 2024 acknowledged active exploitation; chained with CVE-2024-9474 by suspected nation-state attacker (Operation Lunar Peek per WatchTowr),2024-11-18,2024,True,False
CVE-2024-9465,Palo Alto Networks,Expedition,2024-10-09,2024-11-14,2024-11-14,36,36,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9465,Palo Alto Networks Expedition SQL injection companion to CVE-2024-9463; PAN advisory Oct 9 2024; CISA KEV-added Nov 14 with reports of exploitation; KEV-fallback,2024-11-14,2024,False,False
CVE-2024-9463,Palo Alto Networks,Expedition,2024-10-09,2024-11-14,2024-11-14,36,36,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9463,Palo Alto Networks Expedition OS command injection allowing PAN-OS firewall credential disclosure; PAN advisory Oct 9 2024; CISA KEV-added Nov 14 2024 with reports of exploitation but no specific named threat group; KEV-fallback,2024-11-14,2024,False,False
CVE-2024-49039,Microsoft,Windows,2024-11-12,2024-11-12,2024-11-12,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49039,"Windows Task Scheduler EoP zero-day; November 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Vlad Stolyarov and Bahare Sabouri of Google TAG",2024-11-12,2024,True,False
CVE-2024-43451,Microsoft,Windows,2024-11-12,2024-06-01,2024-11-12,0,-164,high,,https://www.clearskysec.com/wp-content/uploads/2024/11/CVE-2024-43451-Russian-Group-Attacks-Ukrainian-Entities-with-New-Zero-Day-vulnerability.pdf,"Windows MSHTML NTLMv2 hash disclosure zero-day; November 2024 Patch Tuesday; ClearSky attributed UAC-0194 (Russian-aligned, possibly UAC-0050) exploitation since June 2024 targeting Ukrainian organizations via malicious URL files",2024-11-12,2024,True,True
CVE-2021-41277,Metabase,Metabase,2021-11-17,2024-11-12,2024-11-12,1091,1091,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41277,Metabase GeoJSON map URL pre-auth file disclosure; Metabase advisory Nov 17 2021; CISA KEV-added Nov 12 2024 with no specific public exploitation attribution; KEV-fallback,2024-11-12,2021,False,False
CVE-2021-26086,Atlassian,Jira Server and Data Center,2021-08-16,2024-11-12,2024-11-12,1184,1184,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26086,Atlassian Jira Server/Data Center path traversal; Atlassian advisory Jul 21 2021; CISA KEV-added Nov 12 2024 with no specific public exploitation report; KEV-fallback,2024-11-12,2021,False,False
CVE-2024-5910,Palo Alto Networks,Expedition,2024-07-10,2024-11-07,2024-11-07,120,120,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-5910,Palo Alto Networks Expedition missing authentication for admin account reset; PAN advisory Jul 10 2024; CISA KEV-added Nov 7 2024 with no specific public exploitation attribution at addition; KEV-fallback,2024-11-07,2024,False,False
CVE-2024-51567,CyberPersons,CyberPanel,2024-10-29,2024-10-29,2024-10-29,0,0,high,,https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce,CyberPersons CyberPanel command injection companion to CVE-2024-51378; same DreyAnd disclosure Oct 29 2024; PSAUX ransomware mass exploitation,2024-11-07,2024,True,False
CVE-2024-43093,Android,Framework,2024-11-13,2024-11-04,2024-11-13,0,-9,high,,https://source.android.com/docs/security/bulletin/2024-11-01,"Android Framework EoP zero-day; Android November 2024 security bulletin acknowledged ""indications that CVE-2024-43093 may be under limited, targeted exploitation""; reported anonymously",2024-11-07,2024,True,True
CVE-2019-16278,Nostromo,nhttpd,2019-10-14,2024-11-07,2024-11-07,1851,1851,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16278,Nostromo nhttpd directory traversal RCE; CISA KEV add 2024-11-07; multiple Metasploit modules and PoCs publicly available but no specific contemporary threat-intel report documenting in-the-wild exploitation found,2024-11-07,2019,False,False
CVE-2024-8957,PTZOptics,PT30X-SDI/NDI Cameras,2024-09-17,2024-09-25,2024-10-17,8,8,high,,https://www.greynoise.io/blog/the-perils-of-ptz-cameras,PTZOptics PT30X-SDI/NDI cameras OS command injection companion to CVE-2024-8956; same Oct 17 2024 advisory; GreyNoise Mirai variant botnet exploitation,2024-11-04,2024,False,False
CVE-2024-8956,PTZOptics,PT30X-SDI/NDI Cameras,2024-09-17,2024-09-25,2024-10-17,8,8,high,,https://www.greynoise.io/blog/the-perils-of-ptz-cameras,PTZOptics PT30X-SDI/NDI cameras CGI authentication bypass; CISA ICSA-24-291-01 Oct 17 2024; GreyNoise attributed Mirai variant botnet exploitation from late September 2024,2024-11-04,2024,False,False
CVE-2024-37383,Roundcube,Webmail,2024-06-07,2024-06-01,2024-10-24,0,-6,high,,https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/cve-2024-37383-attack-on-cis-governmental-organization-via-roundcube,Roundcube Webmail XSS via SVG animate tag; Roundcube advisory May 19 2024; Positive Technologies attributed exploitation to suspected APT group targeting CIS government webmail since June 2024 (chained with credential phishing),2024-10-24,2024,True,True
CVE-2024-20481,Cisco,ASA and FTD,2024-10-23,2024-09-01,2024-10-23,0,-52,medium,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-dos-FzL7H6sn,Cisco ASA/FTD Remote Access VPN denial of service zero-day; Cisco advisory Oct 23 2024 acknowledged exploitation against numerous Cisco customers in large-scale brute force campaigns,2024-10-24,2024,True,True
CVE-2024-47575,Fortinet,FortiManager,2024-10-23,2024-06-27,2024-10-23,0,-118,high,,https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575,Fortinet FortiManager fgfmd missing authentication for critical function (FortiJump); Fortinet PSIRT FG-IR-24-423 Oct 23 2024; Mandiant attributed UNC5820 exploitation since Jun 27 2024 (~4 months pre-disclosure) targeting government and large enterprise,2024-10-23,2024,True,True
CVE-2024-38094,Microsoft,SharePoint,2024-07-09,2024-08-01,2024-10-22,23,23,high,,https://www.rapid7.com/blog/post/2024/10/22/etr-cve-2024-38094-microsoft-sharepoint-deserialization/,Microsoft SharePoint Server deserialization RCE; July 2024 Patch Tuesday; Rapid7 observed Storm-0501 ransomware affiliate exploitation since August 2024 chained with Entra ID cloud lateral movement; CISA KEV-added Oct 22,2024-10-22,2024,False,False
CVE-2024-9537,ScienceLogic,SL1,2024-10-18,2024-05-01,2024-10-21,0,-170,high,,https://www.theregister.com/2024/10/18/rackspace_internal_monitoring_web_servers_hit_by_zeroday/,ScienceLogic SL1 third-party component (Chart Director) RCE zero-day; ScienceLogic advisory Oct 21 2024; Rackspace disclosed May 2024 breach attributed to undisclosed actor; CISA KEV-added Oct 21,2024-10-21,2024,True,True
CVE-2024-40711,Veeam,Backup & Replication,2024-09-07,2024-09-15,2024-09-15,8,8,high,,https://news.sophos.com/en-us/2024/10/10/veeam-exploit-seen-used-again-with-a-new-ransomware-blame-frag/,Veeam Backup & Replication .NET deserialization RCE; Veeam KB4649 Sep 4 2024; watchTowr PoC Sep 9; Sophos X-Ops observed Akira and Fog ransomware affiliate exploitation from mid-Sept targeting backup infrastructure,2024-10-17,2024,False,False
CVE-2024-9680,Mozilla,Firefox,2024-10-09,2024-10-09,2024-10-09,0,0,high,,https://www.welivesecurity.com/en/eset-research/firefox-and-windows-zero-days-chained-to-deliver-romcom-backdoor/,Mozilla Firefox Animation Timeline use-after-free zero-day; Mozilla MFSA 2024-51 Oct 9 2024; ESET attributed Russia-aligned Storm-0978/RomCom exploitation chained with CVE-2024-49039 Windows Task Scheduler EoP for sandbox escape and FudModule rootkit delivery,2024-10-15,2024,True,False
CVE-2024-30088,Microsoft,Windows,2024-06-11,2024-06-11,2024-06-11,0,0,high,,https://decoded.avast.io/janvojtesek/lazarus-fudmodule-2024/,Windows Kernel TOCTOU race condition EoP zero-day; June 2024 Patch Tuesday; Avast attributed Lazarus Group exploitation to deliver FudModule rootkit (companion to CVE-2024-21338),2024-10-15,2024,True,False
CVE-2024-28987,SolarWinds,Web Help Desk,2024-08-21,2024-10-15,2024-10-15,55,55,medium,,https://www.horizon3.ai/attack-research/red-team/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credentials/,SolarWinds Web Help Desk hardcoded credentials; SolarWinds advisory Aug 21 2024; Horizon3.ai PoC; CISA KEV-added Oct 15 confirming exploitation,2024-10-15,2024,False,False
CVE-2024-9380,Ivanti,Cloud Services Appliance (CSA),2024-10-08,2024-09-01,2024-10-08,0,-37,high,,https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa,Ivanti CSA command injection zero-day companion; Ivanti advisory Oct 8 2024; Fortinet chain with CVE-2024-8963 and CVE-2024-9379,2024-10-09,2024,True,True
CVE-2024-9379,Ivanti,Cloud Services Appliance (CSA),2024-10-08,2024-09-01,2024-10-08,0,-37,high,,https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa,Ivanti CSA SQL injection zero-day; Ivanti advisory Oct 8 2024; Fortinet attributed nation-state exploitation chained with CVE-2024-8963 and CVE-2024-9380 since at least September 2024; CISA AA24-275A confirmed federal exploitation,2024-10-09,2024,True,True
CVE-2024-23113,Fortinet,Multiple Products,2024-02-15,2024-10-09,2024-10-09,237,237,medium,,https://www.fortiguard.com/psirt/FG-IR-24-029,Fortinet FortiOS fgfmd daemon format string vulnerability; Fortinet PSIRT FG-IR-24-029 Feb 8 2024; CISA KEV-added Oct 9 2024 with reports of active exploitation,2024-10-09,2024,False,False
CVE-2024-43573,Microsoft,Windows,2024-10-08,2024-10-08,2024-10-08,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43573,"Windows MSHTML platform spoofing zero-day; October 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; bypass of CVE-2024-38112 patch",2024-10-08,2024,True,False
CVE-2024-43572,Microsoft,Windows,2024-10-08,2024-10-08,2024-10-08,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43572,"Microsoft Management Console RCE zero-day via crafted .msc files; October 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2024-10-08,2024,True,False
CVE-2024-43047,Qualcomm,Multiple Chipsets,2024-10-07,2024-10-07,2024-10-07,0,0,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2024-bulletin.html,Qualcomm DSP UAF zero-day; Qualcomm Oct 7 2024 security bulletin acknowledged limited targeted exploitation; reported by Seth Jenkins of Google Project Zero and Conghui Wang of Amnesty International Security Lab (commercial spyware),2024-10-08,2024,True,False
CVE-2024-45519,Synacor,Zimbra Collaboration Suite,2024-10-02,2024-09-28,2024-10-02,0,-4,high,,https://www.proofpoint.com/us/blog/threat-insight/security-brief-zimbra-rce-cve-2024-45519-actively-exploited,Synacor Zimbra Collaboration postjournal service command injection pre-auth RCE; Zimbra patches Sep 4 2024; ProjectDiscovery PoC Sep 27; Shadowserver/Proofpoint observed exploitation from late September with malicious SMTP messages containing command-injected CC headers,2024-10-03,2024,True,True
CVE-2024-29824,Ivanti,Endpoint Manager (EPM),2024-05-31,2024-10-02,2024-10-02,124,124,high,,https://www.horizon3.ai/attack-research/red-team/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/,Ivanti Endpoint Manager (EPM) SQL injection RCE; Ivanti advisory May 21 2024; Horizon3.ai PoC June 11; CISA KEV-added Oct 2 confirming active exploitation,2024-10-02,2024,False,False
CVE-2023-25280,D-Link,DIR-820 Router,2023-03-16,2024-09-30,2024-09-30,564,564,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-25280,D-Link DIR-820 router OS command injection; D-Link advisory Mar 16 2023; CISA KEV-added Sep 30 2024 with no specific public exploitation attribution at addition; KEV-fallback,2024-09-30,2023,False,False
CVE-2020-15415,DrayTek,Multiple Vigor Routers,2020-06-30,2024-09-18,2024-09-18,1541,1541,high,,https://www.forescout.com/blog/draytek-routers-exploited-in-massive-ransomware-campaign-analysis-and-recommendations/,"DrayTek Vigor3900/2960/300B command injection via mainfunction.cgi; FBI announced takedown of botnet exploiting CVE-2023-242290, CVE-2020-15415 and CVE-2020-8515 on Sep 18 2024; Forescout later documented massive ransomware campaign",2024-09-30,2020,False,False
CVE-2019-0344,SAP,Commerce Cloud,2019-08-14,2024-09-30,2024-09-30,1874,1874,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0344,SAP Commerce Cloud virtualjdbc deserialization RCE; CISA KEV add 2024-09-30; no specific contemporary threat-intel report documenting in-the-wild exploitation found - SecurityWeek only reports on KEV add,2024-09-30,2019,False,False
CVE-2024-7593,Ivanti,Virtual Traffic Manager,2024-08-13,2024-08-15,2024-08-15,2,2,high,,https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593,Ivanti Virtual Traffic Manager (vTM) authentication bypass for admin UI; Ivanti advisory Aug 13 2024; PoCs public Aug 15; CISA KEV-added Sep 24 with confirmation of in-the-wild exploitation,2024-09-24,2024,False,False
CVE-2024-8963,Ivanti,Cloud Services Appliance (CSA),2024-09-19,2024-09-13,2024-09-19,0,-6,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-275a,Ivanti CSA path traversal zero-day; Ivanti advisory Sep 19 2024; Fortinet attributed exploitation chain with CVE-2024-8190 by suspected nation-state actor since early September; CISA AA24-275A documented federal exploitation,2024-09-19,2024,True,True
CVE-2024-27348,Apache,HugeGraph-Server,2024-04-22,2024-09-18,2024-09-18,149,149,medium,,https://blog.securelayer7.net/poc-apache-hugegraph-server-rce-vulnerability-cve-2024-27348/,Apache HugeGraph-Server OGNL injection RCE; Apache advisory Apr 22 2024; SecureLayer7 PoC June 2024; CISA KEV-added Sep 18 with reports of exploitation,2024-09-18,2024,False,False
CVE-2022-21445,Oracle,ADF Faces,2022-04-19,2024-09-18,2024-09-18,883,883,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21445,"Oracle ADF Faces deserialization pre-auth RCE; Oracle CPU April 2022; Peterjson/Nguyen Jang published ""Miracle Exploit"" Apr 2024; CISA KEV-added Sep 18 2024 with no specific public exploitation attribution; KEV-fallback",2024-09-18,2022,False,False
CVE-2020-14644,Oracle,WebLogic Server,2020-07-15,2024-09-18,2024-09-18,1526,1526,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-14644,Oracle WebLogic Server deserialization RCE via T3/IIOP; Oracle CPU July 2020; CISA KEV add Sep 18 2024; no specific contemporary threat-intel report with exploitation date attribution found,2024-09-18,2020,False,False
CVE-2020-0618,Microsoft,SQL Server,2020-02-11,2024-09-18,2024-09-18,1681,1681,low,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0618,Microsoft SQL Server Reporting Services RCE; KEV-added 2024-09-18 retrospective,2024-09-18,2020,False,False
CVE-2024-6670,Progress,WhatsUp Gold,2024-08-29,2024-09-16,2024-09-16,18,18,medium,,https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-vulnerability-cve-2024-6670.html,"Progress WhatsUp Gold SQL injection; Progress advisory Aug 16 2024; Trend Micro ZDI observed exploitation in deployment of MSI-based remote access tools (NetSupport, AnyDesk) from mid-Sept 2024",2024-09-16,2024,False,False
CVE-2024-43461,Microsoft,Windows,2024-09-10,2024-07-01,2024-09-10,0,-71,high,,https://www.zerodayinitiative.com/blog/2024/9/18/cve-2024-43461-void-banshee,Windows MSHTML spoofing zero-day via Braille whitespace character to mask file extension; September 2024 Patch Tuesday; Trend Micro ZDI attributed Void Banshee APT exploitation since July 2024 in Atlantida Stealer campaign (continuation of CVE-2024-38112 chain),2024-09-16,2024,True,True
CVE-2024-8190,Ivanti,Cloud Services Appliance,2024-09-10,2024-09-10,2024-09-10,0,0,high,,https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa,Ivanti Cloud Services Appliance (CSA) command injection zero-day; Ivanti advisory Sep 10 2024 acknowledged limited targeted exploitation; Fortinet FortiGuard attributed exploitation chain to suspected nation-state with CVE-2024-8963 SQL injection,2024-09-13,2024,True,False
CVE-2024-38226,Microsoft,Publisher,2024-09-10,2024-09-10,2024-09-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38226,"Microsoft Publisher security feature bypass zero-day; September 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; macro security bypass",2024-09-10,2024,True,False
CVE-2024-38217,Microsoft,Windows,2024-09-10,2018-01-01,2024-09-10,0,-2444,high,,https://www.elastic.co/security-labs/dismantling-smart-app-control,"Windows Mark of the Web bypass zero-day ""LNK Stomping""; September 2024 Patch Tuesday; Elastic Security Labs disclosed exploitation by multiple threat actors via crafted LNK files since at least 2018 (~6 years pre-disclosure)",2024-09-10,2024,True,True
CVE-2024-38014,Microsoft,Windows,2024-09-10,2024-09-10,2024-09-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38014,"Windows Installer EoP zero-day; September 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Michael Baer of SEC Consult",2024-09-10,2024,True,False
CVE-2024-40766,SonicWall,SonicOS,2024-08-23,2024-08-28,2024-08-28,5,5,high,,https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/,SonicWall SonicOS improper access control on management interface; SonicWall PSIRT SNWLID-2024-0015 Aug 22 2024; Arctic Wolf attributed Akira ransomware affiliate exploitation from Aug 28 onwards targeting SSL VPN with valid credentials,2024-09-09,2024,False,False
CVE-2024-7262,Kingsoft,WPS Office,2024-08-15,2024-04-01,2024-08-15,0,-136,high,,https://www.welivesecurity.com/en/eset-research/cyberespionage-apt-c-60-exploits-zero-day-wps-office/,Kingsoft WPS Office for Windows path traversal arbitrary code execution zero-day; ESET attributed APT-C-60 (South Korea-aligned) exploitation since April 2024 (~4 months pre-disclosure) targeting East Asian users with SpyGlace malware,2024-09-03,2024,True,True
CVE-2021-20124,DrayTek,VigorConnect,2021-10-13,2024-09-03,2024-09-03,1056,1056,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20124,DrayTek VigorConnect path traversal companion to CVE-2021-20123; same Oct 13 2021 advisory; CISA KEV-added Sep 3 2024 with no specific public exploitation report; KEV-fallback,2024-09-03,2021,False,False
CVE-2021-20123,DrayTek,VigorConnect,2021-10-13,2024-09-03,2024-09-03,1056,1056,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20123,DrayTek VigorConnect path traversal pre-auth file disclosure; DrayTek advisory Oct 13 2021; CISA KEV-added Sep 3 2024 with no specific public exploitation report; KEV-fallback,2024-09-03,2021,False,False
CVE-2024-7965,Google,Chromium V8,2024-08-21,2024-08-21,2024-08-21,0,0,high,,https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html,Chrome V8 inappropriate implementation zero-day; Google Stable Channel update Aug 21 2024 acknowledged ITW exploitation; reported by TheDog,2024-08-28,2024,True,False
CVE-2024-38856,Apache,OFBiz,2024-08-05,2024-08-27,2024-08-27,22,22,high,,https://www.rapid7.com/blog/post/2024/08/05/cve-2024-38856-apache-ofbiz-unauthenticated-remote-code-execution/,Apache OFBiz authentication bypass pre-auth RCE; Apache advisory Aug 5 2024; Rapid7 disclosed; CISA KEV-added Aug 27 with reports of active exploitation against ERP systems,2024-08-27,2024,False,False
CVE-2024-7971,Google,Chromium V8,2024-08-21,2024-08-19,2024-08-21,0,-2,high,,https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/,Chrome V8 type confusion zero-day; Google Stable Channel update Aug 21 2024; Microsoft Threat Intelligence attributed Citrine Sleet (DPRK/North Korean Lazarus subset) exploitation since Aug 19 targeting cryptocurrency sector with FudModule rootkit chain (with CVE-2024-38106 Windows kernel),2024-08-26,2024,True,True
CVE-2024-39717,Versa,Director,2024-08-22,2023-06-12,2024-08-22,0,-437,high,,https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/,"Versa Director Change Favicon endpoint file upload zero-day; Versa advisory Aug 22 2024; Lumen Black Lotus Labs attributed Volt Typhoon (China-nexus) exploitation since Jun 12 2023 (~14 months pre-disclosure) targeting MSP, ISP, and IT sector via VersaMem credential harvesting implant",2024-08-23,2024,True,True
CVE-2022-0185,Linux,Kernel,2022-02-11,2024-08-21,2024-08-21,922,922,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0185,Linux Kernel fs_context heap buffer overflow EoP / container escape; Crusaders of Rust CTF team reported Jan 18 2022; PoCs immediate; CISA KEV-added Aug 21 2024 with no specific public exploitation campaign attribution; KEV-fallback (commonly used in red-team training),2024-08-21,2022,False,False
CVE-2021-33045,Dahua,IP Camera Firmware,2021-09-15,2024-08-21,2024-08-21,1071,1071,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-33045,Dahua IP camera authentication bypass companion to CVE-2021-33044; Dahua advisory Sep 15 2021; CISA KEV-added Aug 21 2024 with no specific public exploitation report; KEV-fallback,2024-08-21,2021,False,False
CVE-2021-33044,Dahua,IP Camera Firmware,2021-09-15,2024-08-21,2024-08-21,1071,1071,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-33044,Dahua IP camera identity authentication bypass; Dahua advisory Sep 15 2021; CISA KEV-added Aug 21 2024 with no specific public exploitation report; KEV-fallback,2024-08-21,2021,False,False
CVE-2021-31196,Microsoft,Exchange Server,2021-07-14,2024-08-21,2024-08-21,1134,1134,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31196,"Microsoft Exchange Server information disclosure (per CISA description ""allows for remote code execution""); patched July 2021; CISA KEV-added Aug 21 2024 with no specific public threat group attribution; KEV-fallback",2024-08-21,2021,False,False
CVE-2024-23897,Jenkins,Jenkins CLI,2024-01-24,2024-01-24,2024-01-24,0,0,high,,https://www.jenkins.io/security/advisory/2024-01-24/,Jenkins CLI args4j library arbitrary file read pre-auth; Jenkins advisory Jan 24 2024; Sonatype/Trend Micro observed mass exploitation within days; CISA KEV-added Aug 19 2024 (citing IntelBroker breaches of multiple organizations),2024-08-19,2024,True,False
CVE-2024-28986,SolarWinds,Web Help Desk,2024-08-13,2024-08-15,2024-08-15,2,2,high,,https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28986,SolarWinds Web Help Desk Java deserialization RCE; SolarWinds advisory Aug 13 2024; CISA KEV-added Aug 15 with reports of in-the-wild exploitation but no specific named threat group attribution,2024-08-15,2024,False,False
CVE-2024-38213,Microsoft,Windows,2024-08-13,2024-03-01,2024-08-13,0,-165,high,,https://www.zerodayinitiative.com/blog/2024/8/14/cve-2024-38213-from-bypass-to-bypass-with-darkgate-and-mots,"Windows Mark of the Web bypass zero-day ""copy2pwn""; August 2024 Patch Tuesday; Trend Micro ZDI attributed DarkGate operator exploitation since Mar 2024 via WebDAV-served files bypassing MOTW",2024-08-13,2024,True,True
CVE-2024-38193,Microsoft,Windows,2024-08-13,2024-06-01,2024-08-13,0,-73,high,,https://www.gen-digital.com/blog/news/insights/lazarus-rootkit,Windows Ancillary Function Driver for WinSock EoP zero-day; August 2024 Patch Tuesday; Gen Digital (Avast) attributed Lazarus Group exploitation since June 2024 to deploy FudModule rootkit,2024-08-13,2024,True,True
CVE-2024-38189,Microsoft,Project,2024-08-13,2024-08-13,2024-08-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38189,"Microsoft Project RCE zero-day via macro security feature bypass; August 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2024-08-13,2024,True,False
CVE-2024-38178,Microsoft,Windows,2024-08-13,2024-08-13,2024-08-13,0,0,high,,https://asec.ahnlab.com/en/82499/,Windows MSHTML scripting engine memory corruption zero-day; August 2024 Patch Tuesday; AhnLab/NCSC Korea attributed North Korea-aligned ScarCruft (APT37) exploitation via Internet Explorer engine in Edge IE mode,2024-08-13,2024,True,False
CVE-2024-38107,Microsoft,Windows,2024-08-13,2024-08-13,2024-08-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38107,"Windows Power Dependency Coordinator EoP zero-day; August 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2024-08-13,2024,True,False
CVE-2024-38106,Microsoft,Windows,2024-08-13,2024-08-13,2024-08-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38106,"Windows Kernel EoP race condition zero-day; August 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported anonymously",2024-08-13,2024,True,False
CVE-2024-36971,Android,Kernel,2024-06-10,2024-07-01,2024-08-07,21,21,high,,https://source.android.com/docs/security/bulletin/2024-08-01,Linux Kernel UAF in network route management exploited on Android; Android August 2024 security bulletin; Clement Lecigne of Google TAG reported limited targeted exploitation (commercial surveillance vendor),2024-08-07,2024,False,False
CVE-2024-32113,Apache,OFBiz,2024-05-08,2024-08-07,2024-08-07,91,91,medium,,https://blog.sonicwall.com/en-us/2024/05/apache-ofbiz-cve-2024-32113-path-traversal-vulnerability/,Apache OFBiz path traversal RCE; Apache advisory May 1 2024; SonicWall PoC; CISA KEV-added Aug 7 confirming exploitation observed by SonicWall and Trustwave,2024-08-07,2024,False,False
CVE-2018-0824,Microsoft,Windows,2018-05-09,2023-07-01,2024-08-01,1879,1879,high,,https://www.computerweekly.com/news/366599914/Chinese-cyber-attack-sparks-alert-over-six-year-old-MS-vuln,"Microsoft COM for Windows deserialization RCE; Cisco Talos disclosed APT41 (China) campaign targeting Taiwan government-affiliated research institute starting mid-2023, with custom UnmarshalPwn loader; deployed ShadowPad and Cobalt Strike",2024-08-05,2018,False,False
CVE-2024-37085,VMware,ESXi,2024-06-25,2024-06-25,2024-06-25,0,0,high,,https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/,"VMware ESXi Active Directory authentication bypass zero-day via ""ESX Admins"" group; Broadcom VMSA-2024-0013 Jun 25 2024; Microsoft attributed Storm-0506 (Black Basta), Octo Tempest (Scattered Spider), Storm-1175, Manatee Tempest exploitation for ransomware encryption of ESXi VMs",2024-07-30,2024,True,False
CVE-2024-5217,ServiceNow,Now Platform,2024-07-10,2024-07-11,2024-07-11,1,1,high,,https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data,ServiceNow Glide UI Jelly template injection companion to CVE-2024-4879; ServiceNow Jul 10 2024; chained with CVE-2024-4879 and CVE-2024-5178 for full unauthenticated RCE; Resecurity observed exploitation,2024-07-29,2024,False,False
CVE-2024-4879,ServiceNow,Now Platform,2024-07-10,2024-07-11,2024-07-11,1,1,high,,https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data,ServiceNow Now Platform Jelly template injection pre-auth RCE; ServiceNow advisory Jul 10 2024; AssetNote/ProjectDiscovery PoC; Resecurity observed exploitation from Jul 11 with widespread credential dumping campaigns targeting government and enterprise,2024-07-29,2024,False,False
CVE-2023-45249,Acronis,Cyber Infrastructure (ACI),2024-07-24,2024-07-29,2024-07-29,5,5,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-45249,Acronis Cyber Infrastructure default password; Acronis SEC-6328 advisory Oct 24 2023; CISA KEV-added Jul 29 2024 with no specific public exploitation attribution at addition; KEV-fallback,2024-07-29,2023,False,False
CVE-2024-39891,Twilio,Authy,2024-07-02,2024-06-30,2024-07-02,0,-2,high,,https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS,Twilio Authy account enumeration via unauthenticated API; Twilio disclosed Jul 2 2024 after threat actor ShinyHunters claimed leak of 33M Authy phone numbers; data scraped before fix,2024-07-23,2024,True,True
CVE-2024-34102,Adobe,Commerce and Magento Open Source,2024-06-13,2024-07-11,2024-07-11,28,28,high,,https://sansec.io/research/cosmicsting,"Adobe Commerce/Magento Open Source CosmicSting XXE pre-auth RCE; Adobe APSB24-40 Jun 13 2024; Sansec disclosed Jun 14 and observed mass exploitation from Jul 11 onwards via ""TrojanOrders"" skimmer campaigns; ~5% of Adobe Commerce stores compromised",2024-07-17,2024,False,False
CVE-2024-28995,SolarWinds,Serv-U,2024-06-06,2024-06-12,2024-06-12,6,6,high,,https://www.greynoise.io/blog/cve-2024-28995-solarwinds-serv-u-directory-traversal,SolarWinds Serv-U FTP/MFT path traversal; SolarWinds advisory Jun 5 2024; Rapid7 disclosed Jun 11; GreyNoise observed mass exploitation Jun 12 onwards by multiple threat actors targeting Internet-exposed Serv-U instances,2024-07-17,2024,False,False
CVE-2022-22948,VMware,vCenter Server,2022-03-29,2024-07-17,2024-07-17,841,841,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22948,VMware vCenter Server information disclosure via improper default file permissions; VMSA-2022-0009 Mar 29 2022; CISA KEV-added Jul 17 2024 with no specific public exploitation attribution; KEV-fallback,2024-07-17,2022,False,False
CVE-2024-36401,OSGeo,GeoServer,2024-07-01,2024-07-11,2024-07-11,10,10,high,,https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv,OSGeo GeoServer GeoTools OGC API eval injection pre-auth RCE; GeoServer advisory Jul 1 2024; CISA AA24-241A Aug 28 confirmed federal civilian agency exploitation Jul 11 2024 by Earth Baxia (China-nexus) and ResolverRAT operators,2024-07-15,2024,False,False
CVE-2024-38112,Microsoft,Windows,2024-07-09,2023-01-01,2024-07-09,0,-555,high,,https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-trick-to-launch-malware/,Windows MSHTML spoofing zero-day; July 2024 Patch Tuesday; Check Point Research attributed Void Banshee APT exploitation since at least Jan 2023 (~18 months pre-disclosure) via .url files leveraging Internet Explorer disabled rendering to spread Atlantida Stealer,2024-07-09,2024,True,True
CVE-2024-38080,Microsoft,Windows,2024-07-09,2024-07-09,2024-07-09,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38080,"Windows Hyper-V EoP zero-day; July 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; first Hyper-V CVE exploited in the wild as zero-day",2024-07-09,2024,True,False
CVE-2024-23692,Rejetto,HTTP File Server,2024-05-31,2024-06-12,2024-06-12,12,12,medium,,https://asec.ahnlab.com/en/68362/,Rejetto HTTP File Server template injection pre-auth RCE; Rejetto disclosed May 23 2024 (no patch as EOL product); ZDI public advisory May 31; AhnLab observed exploitation from mid-Jun deploying GhostRAT/MoneRA cryptominers,2024-07-09,2024,False,False
CVE-2024-20399,Cisco,NX-OS,2024-07-01,2024-04-01,2024-07-01,0,-91,high,,https://www.sygnia.co/blog/china-nexus-threat-actor-deploys-custom-velvet-malware/,Cisco NX-OS CLI command injection zero-day; Cisco advisory Jul 1 2024; Sygnia attributed Velvet Ant (suspected China-nexus) exploitation since April 2024 (~3 months pre-disclosure) for persistent network access via reverse shell,2024-07-02,2024,True,True
CVE-2022-2586,Linux,Kernel,2024-01-08,2024-06-26,2024-06-26,170,170,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-2586,Linux Kernel netfilter nf_tables UAF LPE; original kernel fix 2022; CISA KEV-added Jun 26 2024 with no specific public exploitation attribution; KEV-fallback,2024-06-26,2022,False,False
CVE-2022-24816,OSGeo,JAI-EXT,2022-04-13,2024-06-26,2024-06-26,805,805,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24816,OSGeo GeoServer JAI-EXT code injection via Jiffle/Janino; GeoServer/JAI-EXT advisory Apr 13 2022; CISA KEV-added Jun 26 2024 retrospective with GeoServer attack reports but no specific named threat group at addition; KEV-fallback URL since no 2022-era attribution,2024-06-26,2022,False,False
CVE-2020-13965,Roundcube,Webmail,2020-06-09,2024-06-26,2024-06-26,1478,1478,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13965,Roundcube Webmail XSS via XML attachment; CISA KEV add 2024-06-26; Roundcube exploited by Winter Vivern/APT28 via CVE-2020-35730 (different CVE); no specific contemporary attribution for CVE-2020-13965 found,2024-06-26,2020,False,False
CVE-2024-4358,Progress,Telerik Report Server,2024-05-29,2024-06-13,2024-06-13,15,15,high,,https://www.rapid7.com/blog/post/2024/06/03/multiple-vulnerabilities-in-telerik-report-server/,Progress Telerik Report Server authentication bypass via dnn parameter; Progress advisory May 29 2024; Sina Kheirkhah/SummoningTeam PoC Jun 3; CISA KEV-added Jun 13 with reports of exploitation observed by Rapid7,2024-06-13,2024,False,False
CVE-2024-32896,Android,Pixel,2024-06-13,2024-06-13,2024-06-13,0,0,high,,https://source.android.com/docs/security/bulletin/pixel/2024-06-01,"Pixel firmware EoP zero-day; Pixel June 2024 security bulletin acknowledged ""indications that CVE-2024-32896 may be under limited, targeted exploitation""; reported by GrapheneOS",2024-06-13,2024,True,False
CVE-2024-26169,Microsoft,Windows,2024-03-12,2024-02-01,2024-03-12,0,-40,high,,https://www.security.com/threat-intelligence/black-basta-ransomware-zero-day,Windows Werkernel Error Reporting EoP zero-day; March 2024 Patch Tuesday; Symantec/Broadcom attributed Black Basta ransomware (Cardinal/Storm-1811) exploitation since Feb 2024 (~1 month pre-disclosure) for privilege escalation chain,2024-06-13,2024,True,True
CVE-2024-4610,Arm,Mali GPU Kernel Driver,2024-06-07,2024-06-07,2024-06-07,0,0,medium,,https://developer.arm.com/documentation/110456/latest,"Arm Mali GPU kernel driver UAF; Arm advisory Jun 7 2024 acknowledged ""evidence that this vulnerability may be under limited, targeted exploitation""; reported by Google TAG",2024-06-12,2024,True,False
CVE-2024-4577,PHP Group,PHP,2024-06-09,2024-06-07,2024-06-07,0,-2,high,,https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/,PHP CGI argument injection on Windows via Best-Fit character encoding; DEVCORE Orange Tsai disclosed Jun 6 2024; Imperva/Censys observed TellYouThePass ransomware exploitation from Jun 7 within hours of disclosure,2024-06-12,2024,True,True
CVE-2024-24919,Check Point,Quantum Security Gateways,2024-05-28,2024-04-30,2024-05-28,0,-28,high,,https://research.checkpoint.com/2024/30th-may-enhanced-visibility-and-hardening-guidance/,Check Point Quantum Security Gateways VPN information disclosure zero-day allowing password hash extraction; Check Point advisory May 28 2024; Check Point acknowledged active exploitation since Apr 30 2024 (~1 month pre-disclosure); watchTowr published technical details,2024-05-30,2024,True,True
CVE-2024-1086,Linux,Kernel,2024-01-31,2024-03-26,2024-03-26,55,55,high,,https://pwning.tech/nftables/,Linux Kernel netfilter nf_tables UAF EoP; original kernel fix Jan 31 2024; Notselwyn published full PoC chain Mar 26 2024 achieving root from unprivileged user; widely adopted in red-team and post-exploitation; CISA KEV-added May 30,2024-05-30,2024,False,False
CVE-2024-4978,Justice AV Solutions,Viewer,2024-05-23,2024-02-10,2024-05-23,0,-103,high,,https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/,Justice AV Solutions Viewer software supply chain attack with backdoored installer; Rapid7 May 23 2024; malicious installer signed Feb 10 2024 with valid AVS code-signing certificate distributing GateDoor/RustDoor; detected by S2W Talon early April 2024,2024-05-29,2024,True,True
CVE-2024-5274,Google,Chromium V8,2024-05-28,2024-05-23,2024-05-23,0,-5,high,,https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html,Chrome V8 type confusion zero-day; Google Stable Channel update May 23 2024 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG and Brendon Tiszka of Chrome Security,2024-05-28,2024,True,True
CVE-2020-17519,Apache,Flink,2021-01-05,2021-01-04,2021-01-04,0,-1,high,,https://www.tenable.com/blog/cve-2020-17518-cve-2020-17519-two-apache-flink-vulnerabilities-with-public-pocs,Apache Flink improper access control; PoC released early Jan 2021; widely scanned/exploited,2024-05-23,2020,True,True
CVE-2024-4947,Google,Chromium V8,2024-05-15,2024-05-15,2024-05-15,0,0,high,,https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html,Chrome V8 type confusion zero-day; Google Stable Channel update May 15 2024 acknowledged ITW exploitation; reported by Vasily Berdnikov and Boris Larin of Kaspersky,2024-05-20,2024,True,False
CVE-2023-43208,NextGen Healthcare,Mirth Connect,2023-10-26,2024-05-20,2024-05-20,207,207,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43208,NextGen Healthcare Mirth Connect Java XStream deserialization RCE; Horizon3.ai advisory Oct 26 2023; CISA KEV-added May 20 2024 with no specific public exploitation attribution at addition; KEV-fallback,2024-05-20,2023,False,False
CVE-2024-4761,Google,Chromium V8,2024-05-14,2024-05-13,2024-05-13,0,-1,high,,https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html,Chrome V8 out-of-bounds write zero-day; Google Stable Channel update May 13 2024 acknowledged ITW exploitation; reported anonymously,2024-05-16,2024,True,True
CVE-2021-40655,D-Link,DIR-605 Router,2021-09-24,2024-05-16,2024-05-16,965,965,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40655,D-Link DIR-605 router credential disclosure via getcfg.php; D-Link advisory SAP10242 Sep 24 2021; CISA KEV-added May 16 2024 with no specific public exploitation report; KEV-fallback,2024-05-16,2021,False,False
CVE-2024-30051,Microsoft,DWM Core Library,2024-05-14,2024-04-01,2024-05-14,0,-43,high,,https://securelist.com/cve-2024-30051/112618/,Windows DWM Core Library heap-based buffer overflow EoP zero-day; May 2024 Patch Tuesday; Kaspersky GReAT attributed exploitation by QakBot operators since April 2024 (~6 weeks pre-disclosure) for post-exploitation privilege escalation,2024-05-14,2024,True,True
CVE-2024-30040,Microsoft,Windows,2024-05-14,2024-05-14,2024-05-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30040,"Windows MSHTML platform security feature bypass zero-day; May 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; bypass of OLE COM mitigations",2024-05-14,2024,True,False
CVE-2024-4671,Google,Chromium,2024-05-09,2024-05-09,2024-05-09,0,0,high,,https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html,Chrome Visuals use-after-free zero-day; Google Stable Channel update May 9 2024 acknowledged ITW exploitation; reported anonymously,2024-05-13,2024,True,False
CVE-2023-7028,GitLab,GitLab CE/EE,2024-01-12,2024-04-01,2024-05-01,80,80,high,,https://about.gitlab.com/releases/2024/01/11/security-release-gitlab-16-7-2-released/,GitLab Community Edition/Enterprise Edition account takeover via password reset email to attacker-controlled address; GitLab advisory Jan 11 2024; CISA KEV-added May 1 2024 noting active exploitation observed by Shadowserver from at least April,2024-05-01,2023,False,False
CVE-2024-29988,Microsoft,SmartScreen Prompt,2024-04-09,2024-04-09,2024-04-09,0,0,high,,https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-update-review,Windows SmartScreen Prompt security feature bypass zero-day; April 2024 Patch Tuesday; bypass of CVE-2024-21412; ZDI Peter Girnus reported in-the-wild exploitation by Water Hydra and other actors via crafted internet shortcuts,2024-04-30,2024,True,False
CVE-2024-4040,CrushFTP,CrushFTP,2024-04-22,2024-04-19,2024-04-22,0,-3,high,,https://www.crowdstrike.com/blog/falcon-complete-discovers-crushftp-zero-day/,CrushFTP VFS sandbox escape zero-day; CrushFTP advisory Apr 19 2024; CrowdStrike attributed targeted intelligence-gathering exploitation by suspected nation-state since Apr 19; mass exploitation post-disclosure by ransomware affiliates,2024-04-24,2024,True,True
CVE-2024-20359,Cisco,Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD),2024-04-24,2023-11-01,2024-04-24,0,-175,high,,https://blog.talosintelligence.com/arcanedoor-new-espionage-attacks-target-perimeter-network-devices/,Cisco ASA/FTD persistent local code execution zero-day; ArcaneDoor companion to CVE-2024-20353; UAT4356/STORM-1849 exploitation since Nov 2023; Line Dancer persistent implant,2024-04-24,2024,True,True
CVE-2024-20353,Cisco,Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD),2024-04-24,2023-11-01,2024-04-24,0,-175,high,,https://blog.talosintelligence.com/arcanedoor-new-espionage-attacks-target-perimeter-network-devices/,Cisco ASA/FTD HTTPS DoS zero-day; part of ArcaneDoor campaign disclosed Apr 24 2024 by Cisco Talos; attributed to UAT4356/STORM-1849 (suspected China-nexus) exploitation since Nov 2023 (~5 months pre-disclosure) against government VPN appliances with Line Runner and Line Dancer implants,2024-04-24,2024,True,True
CVE-2022-38028,Microsoft,Windows,2022-10-11,2022-04-01,2024-04-23,0,-193,high,,https://www.microsoft.com/en-us/security/blog/2024/04/22/apt28-targets-cybersecurity-research-and-deploys-gooseegg-tool/,"Windows Print Spooler EoP via JavaScript constraint policy; Microsoft attributed APT28 (Forest Blizzard/STRONTIUM) exploitation since April 2022 deploying GooseEgg post-exploit tool against Ukraine, Western European, North American government targets",2024-04-23,2022,True,True
CVE-2024-3400,Palo Alto Networks,PAN-OS,2024-04-12,2024-03-26,2024-04-12,0,-17,high,,https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/,Palo Alto Networks PAN-OS GlobalProtect command injection zero-day; PAN advisory Apr 12 2024; Volexity attributed UTA0218 (Operation MidnightEclipse) exploitation since Mar 26 2024 (~2.5 weeks pre-disclosure) to deploy UPSTYLE Python backdoor on firewalls,2024-04-12,2024,True,True
CVE-2024-3273,D-Link,Multiple NAS Devices,2024-04-04,2024-04-08,2024-04-08,4,4,high,,https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild,D-Link NAS command injection via nas_sharing.cgi system parameter; netsecfish Mar 26 2024; GreyNoise observed first exploitation Apr 8 by botnet operators; chained with CVE-2024-3272 hardcoded creds,2024-04-11,2024,False,False
CVE-2024-3272,D-Link,Multiple NAS Devices,2024-04-04,2024-04-03,2024-04-04,0,-1,high,,https://censys.com/blog/cve-2024-3272-and-2024-3273,"D-Link multiple NAS devices hardcoded credentials; researcher netsecfish published exploit details Mar 26 2024 pre-vendor advisory; Censys observed mass scanning and exploitation from Apr 3; CISA KEV-added Apr 11; ~92,000 vulnerable EOL devices",2024-04-11,2024,True,True
CVE-2024-29748,Android,Pixel,2024-04-05,2024-04-02,2024-04-02,0,-3,high,,https://www.bleepingcomputer.com/news/security/google-fixes-two-pixel-zero-day-flaws-exploited-by-forensic-firms/,Pixel firmware persistent denial of service zero-day; Pixel April 2024 security bulletin; GrapheneOS identified exploitation by forensic firms (Cellebrite) chained with CVE-2024-29745 for device data extraction,2024-04-04,2024,True,True
CVE-2024-29745,Android,Pixel,2024-04-05,2024-04-02,2024-04-02,0,-3,high,,https://www.bleepingcomputer.com/news/security/google-fixes-two-pixel-zero-day-flaws-exploited-by-forensic-firms/,Pixel bootloader information disclosure zero-day; Pixel April 2024 security bulletin; GrapheneOS first identified exploitation by forensic firms (Cellebrite) to bypass full-disk encryption on locked devices,2024-04-04,2024,True,True
CVE-2023-24955,Microsoft,SharePoint Server,2023-05-09,2024-03-26,2024-03-26,322,322,medium,,https://starlabs.sg/blog/2023/06-sharepoint-pre-auth-rce-chain/,Microsoft SharePoint Server RCE; May 2023 Patch Tuesday; STAR Labs Pwn2Own Vancouver 2023 chain with CVE-2023-29357 for unauthenticated RCE; CISA KEV-added Mar 26 2024 with reports of active exploitation,2024-03-26,2023,False,False
CVE-2023-48788,Fortinet,FortiClient EMS,2024-03-12,2024-03-21,2024-03-21,9,9,high,,https://www.horizon3.ai/attack-research/red-team/fortinet-forticlient-ems-sql-injection-cve-2023-48788/,Fortinet FortiClient EMS SQL injection pre-auth RCE; FortiGuard PSIRT FG-IR-24-007 Mar 12 2024; Horizon3.ai PoC Mar 21; widespread exploitation observed by Forescout Vedere Labs and CrowdStrike from late March,2024-03-25,2023,False,False
CVE-2021-44529,Ivanti,Endpoint Manager Cloud Service Appliance (EPM CSA),2021-12-08,2024-03-25,2024-03-25,838,838,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44529,Ivanti Endpoint Manager Cloud Service Appliance (CSA) code injection RCE; Ivanti advisory SA-2021-12-02 Dec 8 2021; CISA KEV-added Mar 25 2024 (~2.5 years late) with no specific public exploitation attribution; KEV-fallback,2024-03-25,2021,False,False
CVE-2019-7256,Nice,Linear eMerge E3-Series,2019-07-02,2024-03-25,2024-03-25,1728,1728,high,,https://applied-risk.com/resources/ar-2019-005,Nice Linear eMerge E3-Series OS command injection; CISA/Volt Typhoon report,2024-03-25,2019,False,False
CVE-2024-27198,JetBrains,TeamCity,2024-03-04,2024-03-04,2024-03-04,0,0,high,,https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/,JetBrains TeamCity authentication bypass pre-auth RCE; Rapid7 disclosure Mar 4 2024 (early due to vendor communication breakdown); Shadowserver observed exploitation activity starting same day 22:00 UTC with widespread cryptominer and BianLian ransomware affiliate scanning,2024-03-07,2024,True,False
CVE-2024-23296,Apple,Multiple Products,2024-03-05,2024-03-05,2024-03-05,0,0,high,,https://support.apple.com/en-us/HT214081,Apple RTKit (Real-Time Kit) memory corruption zero-day; iOS 17.4 Mar 5 2024 with Apple ITW acknowledgement; reported anonymously,2024-03-06,2024,True,False
CVE-2024-23225,Apple,Multiple Products,2024-03-05,2024-03-05,2024-03-05,0,0,high,,https://support.apple.com/en-us/HT214081,"Apple iOS kernel memory corruption zero-day; iOS 17.4 Mar 5 2024 with Apple ""may have been actively exploited against versions of iOS before iOS 16.7.5""; reported anonymously",2024-03-06,2024,True,False
CVE-2023-21237,Android,Pixel,2023-06-28,2024-03-05,2024-03-05,251,251,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-21237,Pixel firmware information disclosure; Google June 2023 Pixel security bulletin; CISA KEV-added Mar 5 2024 with no specific public exploitation attribution; KEV-fallback,2024-03-05,2023,False,False
CVE-2021-36380,Sunhillo,SureLine,2021-08-13,2023-09-06,2023-10-09,754,754,high,,https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits,Sunhillo SureLine unauthenticated OS command injection (NCC Group advisory Jul 26 2021); FortiGuard Labs observed IZ1H9 Mirai-based DDoS campaign exploiting CVE-2021-36380 with peak exploitation Sep 6 2023; public report Oct 9 2023; CISA KEV-added Mar 5 2024,2024-03-05,2021,False,False
CVE-2024-21338,Microsoft,Windows,2024-02-13,2023-08-01,2024-02-13,0,-196,high,,https://decoded.avast.io/janrubin/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/,Microsoft Windows AppLocker EoP zero-day; Avast Threat Labs reported Lazarus Group exploitation since August 2023 (~6 months pre-disclosure) to deliver updated FudModule rootkit with admin-to-kernel direct kernel object manipulation,2024-03-04,2024,True,True
CVE-2023-29360,Microsoft,Streaming Service,2023-06-13,2024-02-29,2024-02-29,261,261,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-29360,Microsoft Streaming Service EoP; June 2023 Patch Tuesday; CISA KEV-added Feb 29 2024 with no specific public exploitation attribution; KEV-fallback,2024-02-29,2023,False,False
CVE-2024-1709,ConnectWise,ScreenConnect,2024-02-21,2024-02-20,2024-02-21,0,-1,high,,https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass,"ConnectWise ScreenConnect SlashAndGrab authentication bypass via setup wizard; ConnectWise advisory Feb 19 2024; Huntress disclosed Feb 21 attributing exploitation by multiple ransomware operators (Black Basta, Bl00dy) starting Feb 20 with mass MSP-customer compromise",2024-02-22,2024,True,True
CVE-2024-21410,Microsoft,Exchange Server,2024-02-13,2024-02-13,2024-02-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410,Microsoft Exchange Server NTLM relay EoP; Feb 13 2024 Patch Tuesday; Microsoft updated advisory Feb 14 confirming active exploitation; targets unpatched Exchange Servers with EPA disabled,2024-02-15,2024,True,False
CVE-2020-3259,Cisco,Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD),2020-05-06,2024-02-15,2024-02-15,1380,1380,high,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB,Cisco ASA/FTD information disclosure; KEV-added 2024-02-15; APT exploitation reports,2024-02-15,2020,False,False
CVE-2024-21412,Microsoft,Windows,2024-02-13,2023-12-01,2024-02-13,0,-74,high,,https://www.trendmicro.com/en_us/research/24/b/cve-2024-21412--water-hydra-targets-traders-with-windows-defende.html,Windows Internet Shortcut SmartScreen bypass zero-day; Trend Micro ZDI attributed Water Hydra (DarkCasino) APT exploitation since Dec 2023 (~2 months pre-disclosure) via Internet shortcut files in forex trader phishing campaigns,2024-02-13,2024,True,True
CVE-2024-21351,Microsoft,Windows,2024-02-13,2024-02-13,2024-02-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21351,"Windows SmartScreen security feature bypass zero-day; February 2024 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Eric Lawrence/Andrew Oliveau",2024-02-13,2024,True,False
CVE-2023-43770,Roundcube,Webmail,2023-09-22,2024-02-12,2024-02-12,143,143,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43770,Roundcube Webmail XSS in plain/text messages with link rewriting; Roundcube advisory Sep 15 2023; CISA KEV-added Feb 12 2024 with no specific public exploitation attribution at addition; KEV-fallback (later loosely tied to Winter Vivern reuse),2024-02-12,2023,False,False
CVE-2024-21762,Fortinet,FortiOS,2024-02-09,2024-02-08,2024-02-08,0,-1,high,,https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability,Fortinet FortiOS SSL VPN out-of-bounds write pre-auth RCE; Fortinet PSIRT FG-IR-24-015 Feb 8 2024; CISA KEV-added Feb 9 with reports of in-the-wild exploitation; Mandiant later attributed to Chinese-nexus actors,2024-02-09,2024,True,True
CVE-2023-4762,Google,Chromium V8,2023-09-05,2023-08-26,2023-09-05,0,-10,high,,https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_5.html,Chrome V8 type confusion zero-day; Google Stable Channel update Sep 5 2023; later acknowledged in CISA KEV Sep 25 with TAG attribution to Cytrox Predator spyware vendor delivery chain,2024-02-06,2023,True,True
CVE-2024-21893,Ivanti,"Connect Secure, Policy Secure, and Neurons",2024-01-31,2024-01-31,2024-01-31,0,0,high,,https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation,Ivanti Connect Secure SAML SSRF zero-day; Ivanti advisory Jan 31 2024 acknowledged limited targeted exploitation; bypass of Jan 22 mitigation; mass exploitation observed by Mandiant/Volexity immediately,2024-01-31,2024,True,False
CVE-2022-48618,Apple,Multiple Products,2024-01-09,2024-01-31,2024-01-31,22,22,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-48618,Apple multiple products kernel arbitrary read/write; Apple disclosed Jan 9 2024 retroactively (issue addressed in iOS 16.2 Dec 2022); CISA KEV-added Jan 31 2024 with no specific public exploitation attribution; KEV-fallback,2024-01-31,2022,False,False
CVE-2023-22527,Atlassian,Confluence Data Center and Server,2024-01-16,2024-01-17,2024-01-17,1,1,high,,https://www.greynoise.io/blog/atlassian-confluence-cve-2023-22527-active-exploitation,"Atlassian Confluence Data Center/Server SSTI template injection RCE; Atlassian advisory Jan 16 2024; PoCs immediate; Shadowserver/GreyNoise observed mass exploitation Jan 17-20 from ~600 source IPs against ~11,000 Internet-exposed instances",2024-01-24,2023,False,False
CVE-2024-23222,Apple,Multiple Products,2024-01-23,2024-01-22,2024-01-22,0,-1,high,,https://support.apple.com/en-us/HT214055,Apple WebKit type confusion zero-day; iOS 17.3/Safari 17.3 Jan 22 2024 with Apple ITW acknowledgement; reported anonymously; later linked to Coruna iOS exploit kit (Kaspersky 2025),2024-01-23,2024,True,True
CVE-2023-34048,VMware,vCenter Server,2023-10-25,2021-01-01,2023-10-25,0,-1027,high,,https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations,VMware vCenter Server DCERPC protocol out-of-bounds write pre-auth RCE; VMSA-2023-0023 Oct 25 2023; Mandiant Jun 2024 disclosed UNC3886 (China-nexus) had been exploiting since late 2021 (~2 years pre-disclosure) with VIRTUALPITA/VIRTUALPIE backdoors,2024-01-22,2023,True,True
CVE-2023-35082,Ivanti,Endpoint Manager Mobile (EPMM) and MobileIron Core,2023-08-15,2024-01-18,2024-01-18,156,156,medium,,https://www.rapid7.com/blog/post/2023/08/15/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/,Ivanti EPMM/MobileIron Core authentication bypass; Rapid7 disclosed Aug 15 2023 noting it was a CVE-2023-35078 patch bypass; CISA KEV-added Jan 18 2024 citing active exploitation,2024-01-18,2023,False,False
CVE-2024-0519,Google,Chromium V8,2024-01-16,2024-01-16,2024-01-16,0,0,high,,https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html,Chrome V8 out-of-bounds memory access zero-day; Google Stable Channel update Jan 16 2024 acknowledged ITW exploitation; reported anonymously,2024-01-17,2024,True,False
CVE-2023-6549,Citrix,NetScaler ADC and NetScaler Gateway,2024-01-17,2024-01-17,2024-01-17,0,0,medium,,https://support.citrix.com/article/CTX584986,Citrix NetScaler ADC/Gateway buffer overflow DoS; Citrix CTX584986 Jan 17 2024 acknowledged limited targeted exploitation; companion to CVE-2023-6548,2024-01-17,2023,True,False
CVE-2023-6548,Citrix,NetScaler ADC and NetScaler Gateway,2024-01-17,2024-01-17,2024-01-17,0,0,high,,https://support.citrix.com/article/CTX584986,Citrix NetScaler ADC/Gateway authenticated RCE via Management Interface; Citrix CTX584986 Jan 17 2024 acknowledged limited targeted exploitation; CISA KEV-added Jan 17,2024-01-17,2023,True,False
CVE-2018-15133,Laravel,Laravel Framework,2018-08-09,2023-12-01,2024-01-16,1940,1940,high,,https://www.imperva.com/blog/imperva-uncovers-new-indicators-of-compromise-for-androxgh0st-botnet/,"Laravel deserialization RCE; AndroxGh0st botnet documented exploiting since late 2023; Imperva tracked 30,000+ sites targeted in 2024; KEV-added Jan 16 2024",2024-01-16,2018,False,False
CVE-2024-21887,Ivanti,Connect Secure and Policy Secure,2024-01-12,2023-12-03,2024-01-10,0,-40,high,,https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/,Ivanti Connect Secure/Policy Secure command injection zero-day; Volexity attributed UTA0178/UNC5221 (China-nexus) exploitation since Dec 3 2023; chained with CVE-2023-46805 for unauthenticated RCE; mass exploitation post-disclosure,2024-01-10,2024,True,True
CVE-2023-46805,Ivanti,Connect Secure and Policy Secure,2024-01-12,2023-12-03,2024-01-10,0,-40,high,,https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/,"Ivanti Connect Secure/Policy Secure authentication bypass zero-day; Ivanti advisory Jan 10 2024; Volexity attributed UTA0178 (China-nexus, likely UNC5221) exploitation since Dec 3 2023 chained with CVE-2024-21887 for unauthenticated RCE; mass exploitation post-disclosure",2024-01-10,2023,True,True
CVE-2023-29357,Microsoft,SharePoint Server,2023-06-13,2023-09-25,2023-09-25,104,104,high,,https://starlabs.sg/blog/2023/06-sharepoint-pre-auth-rce-chain/,Microsoft SharePoint Server elevation of privilege zero-day; June 2023 Patch Tuesday; STAR Labs Pwn2Own Vancouver 2023 chain with CVE-2023-24955; widely exploited from Sep 2023 by post-foothold attackers,2024-01-10,2023,False,False
CVE-2023-41990,Apple,Multiple Products,2023-09-11,2019-01-01,2023-12-27,0,-1714,high,,https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/,Apple TrueType font handling integer overflow; component of Operation Triangulation initial zero-click chain; Kaspersky GReAT 37C3 disclosure Dec 27 2023 revealed exploitation since at least 2019; Apple patched Jan 2023 in iOS 16.3 without acknowledgement,2024-01-08,2023,True,True
CVE-2023-38203,Adobe,ColdFusion,2023-07-20,2023-07-17,2023-07-17,0,-3,high,,https://www.rapid7.com/blog/post/2023/07/17/etr-cve-2023-29298-adobe-coldfusion-access-control-bypass/,Adobe ColdFusion deserialization RCE bypass of CVE-2023-29300 patch; Adobe APSB23-41 emergency out-of-band Jul 14 2023; Rapid7 observed exploitation by Jul 17,2024-01-08,2023,True,True
CVE-2023-29300,Adobe,ColdFusion,2023-07-12,2023-07-13,2023-07-13,1,1,medium,,https://www.rapid7.com/blog/post/2023/07/11/etr-adobe-coldfusion-cve-2023-29300/,Adobe ColdFusion WDDX deserialization pre-auth RCE; Adobe APSB23-40 Jul 11 2023; Rapid7 disclosed and observed exploitation against patched-but-vulnerable instances within days,2024-01-08,2023,False,False
CVE-2023-27524,Apache,Superset,2023-04-24,2023-04-24,2023-04-24,0,0,high,,https://horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/,"Apache Superset default SECRET_KEY authentication bypass; Horizon3.ai disclosed Apr 24 2023; widely exploited within hours; ~2,000+ instances vulnerable; CISA KEV-added Jan 8 2024",2024-01-08,2023,True,False
CVE-2023-23752,Joomla!,Joomla!,2023-02-16,2023-02-21,2023-02-21,5,5,high,,https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html,Joomla! improper access check API endpoint information disclosure; Joomla advisory Feb 16 2023; mass scanning observed within days; CISA KEV-added Jan 8 2024 with reports of credential theft from exposed sites,2024-01-08,2023,False,False
CVE-2023-7101,Spreadsheet::ParseExcel,Spreadsheet::ParseExcel,2023-12-24,2023-05-23,2023-12-24,0,-215,high,,https://www.barracuda.com/company/legal/esg-vulnerability,Perl Spreadsheet::ParseExcel arbitrary code execution via crafted .xls files; original CVE published Dec 24 2023; Barracuda Dec 24 disclosed UNC4841 (China-nexus) exploitation against ESG appliances chained with CVE-2023-2868 since May 2023,2024-01-02,2023,True,True
CVE-2023-7024,Google,Chromium WebRTC,2023-12-21,2023-12-19,2023-12-20,0,-2,high,,https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html,Chrome WebRTC heap buffer overflow zero-day; Google Stable Channel update Dec 20 2023 acknowledged ITW exploitation; reported by Clement Lecigne and Vlad Stolyarov of Google TAG,2024-01-02,2023,True,True
CVE-2023-49897,FXC,"AE1021, AE1021PE",2023-12-06,2023-12-19,2023-12-19,13,13,medium,,https://www.akamai.com/blog/security-research/2023-zero-days-vulnerabilities-routers-nvr-mirai-botnet-infections,FXC AE1021/AE1021PE wireless LAN routers OS command injection; FXC advisory Dec 6 2023; JPCERT/CC observed Mirai variant InfectedSlurs botnet exploitation Dec 19 (with CVE-2023-47565 QNAP); CISA KEV-added Dec 21,2023-12-21,2023,False,False
CVE-2023-47565,QNAP,VioStor NVR,2023-12-08,2023-12-19,2023-12-19,11,11,high,,https://www.akamai.com/blog/security-research/2023-zero-days-vulnerabilities-routers-nvr-mirai-botnet-infections,QNAP VioStor NVR OS command injection; QNAP QSA-23-46 Dec 8 2023; Akamai observed InfectedSlurs Mirai variant exploitation from Dec 19 (with CVE-2023-49897 FXC) targeting NVR appliances,2023-12-21,2023,False,False
CVE-2023-6448,Unitronics,Vision PLC and HMI,2023-12-05,2023-11-25,2023-12-01,0,-10,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a,Unitronics Vision PLC and HMI default password; CISA AA23-335A Dec 1 2023; Iranian CyberAv3ngers (IRGC-affiliated) attributed exploitation against Aliquippa water utility and multiple US water/wastewater facilities Nov 25 2023 with defacement and operational disruption,2023-12-11,2023,True,True
CVE-2023-41266,Qlik,Sense,2023-08-29,2023-11-30,2023-11-30,93,93,high,,https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/,Qlik Sense Enterprise path traversal companion to CVE-2023-41265; Qlik advisory Aug 29 2023; Praetorian chain; Cactus ransomware exploitation reported by Arctic Wolf from late Nov 2023,2023-12-07,2023,False,False
CVE-2023-41265,Qlik,Sense,2023-08-29,2023-11-30,2023-11-30,93,93,high,,https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/,Qlik Sense Enterprise HTTP request tunneling path traversal pre-auth; Qlik advisory Aug 29 2023; Praetorian disclosed Sep 2023; Arctic Wolf attributed Cactus ransomware exploitation from late Nov 2023,2023-12-07,2023,False,False
CVE-2023-33107,Qualcomm,Multiple Chipsets,2023-12-05,2023-10-02,2023-10-02,0,-64,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2023-bulletin.html,Qualcomm multiple chipsets Graphics integer overflow zero-day; Qualcomm Oct 2 2023 bulletin acknowledged Google TAG indications of limited targeted exploitation,2023-12-05,2023,True,True
CVE-2023-33106,Qualcomm,Multiple Chipsets,2023-12-05,2023-10-02,2023-10-02,0,-64,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2023-bulletin.html,Qualcomm multiple chipsets Graphics use-after-free zero-day; Qualcomm Oct 2 2023 bulletin acknowledged Google TAG indications of limited targeted exploitation alongside CVE-2023-33063 and CVE-2023-33107,2023-12-05,2023,True,True
CVE-2023-33063,Qualcomm,Multiple Chipsets,2023-12-05,2023-10-02,2023-10-02,0,-64,high,,https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2023-bulletin.html,"Qualcomm multiple chipsets DSP use-after-free zero-day; Qualcomm Oct 2 2023 security bulletin acknowledged ""indications from Google TAG that CVE-2023-33063, CVE-2023-33106 and CVE-2023-33107 may be under limited, targeted exploitation""",2023-12-05,2023,True,True
CVE-2022-22071,Qualcomm,Multiple Chipsets,2022-06-14,2023-12-05,2023-12-05,539,539,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22071,Qualcomm multiple chipsets Bluetooth UAF; Qualcomm May 2022 security bulletin; CISA KEV-added Dec 5 2023 with no specific public exploitation attribution; KEV-fallback,2023-12-05,2022,False,False
CVE-2023-42917,Apple,Multiple Products,2023-11-30,2023-11-30,2023-11-30,0,0,high,,https://support.apple.com/en-us/HT214031,"Apple WebKit memory corruption zero-day; iOS 17.1.2 Nov 30 2023 with Apple ""may have been actively exploited against versions of iOS before iOS 16.7.1""; reported by Clement Lecigne of Google TAG; companion to CVE-2023-42916",2023-12-04,2023,True,False
CVE-2023-42916,Apple,Multiple Products,2023-11-30,2023-11-30,2023-11-30,0,0,high,,https://support.apple.com/en-us/HT214031,"Apple WebKit out-of-bounds read zero-day; iOS 17.1.2 Nov 30 2023 with Apple ""may have been actively exploited against versions of iOS before iOS 16.7.1""; reported by Clement Lecigne of Google TAG",2023-12-04,2023,True,False
CVE-2023-6345,Google,Chromium Skia,2023-11-29,2023-11-28,2023-11-28,0,-1,high,,https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html,Chrome Skia integer overflow zero-day; Google Stable Channel update Nov 28 2023 acknowledged ITW exploitation; reported by Benoit Sevens and Clement Lecigne of Google TAG,2023-11-30,2023,True,True
CVE-2023-49103,ownCloud,ownCloud graphapi,2023-11-21,2023-11-25,2023-11-25,4,4,high,,https://www.greynoise.io/blog/owncloud-cve-2023-49103-actively-exploited,ownCloud graphapi extension PHP environment variable disclosure exposing admin password and license key; ownCloud advisory Nov 21 2023; PoCs public Nov 22; GreyNoise/Shadowserver observed mass exploitation Nov 25 onwards,2023-11-30,2023,False,False
CVE-2023-4911,GNU,GNU C Library,2023-10-03,2023-10-03,2023-10-03,0,0,high,,https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so,"GNU C Library ld.so GLIBC_TUNABLES buffer overflow LPE ""Looney Tunables""; Qualys TRU disclosed Oct 3 2023; PoCs immediate; Aqua Nautilus observed Kinsing cryptominer exploitation Nov 2023; widely adopted by post-foothold attackers",2023-11-21,2023,True,False
CVE-2023-36584,Microsoft,Windows,2023-10-10,2023-07-01,2023-10-10,0,-101,high,,https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/,Windows Mark of the Web security feature bypass zero-day; October 2023 Patch Tuesday; Trellix observed APT-C-36 (Blind Eagle) exploitation since July 2023 targeting Colombian government and finance organizations,2023-11-16,2023,True,True
CVE-2023-1671,Sophos,Web Appliance,2023-04-04,2023-11-16,2023-11-16,226,226,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-1671,Sophos Web Appliance pre-auth command injection; Sophos advisory Apr 4 2023; CISA KEV-added Nov 16 2023 (~7 months late) with no specific public exploitation attribution; KEV-fallback (product was EoL),2023-11-16,2023,False,False
CVE-2020-2551,Oracle,Fusion Middleware,2020-01-15,2023-11-16,2023-11-16,1401,1401,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2551,Oracle WebLogic IIOP deserialization RCE; Oracle CPU January 2020; CISA KEV catalog the documented evidence of in-the-wild exploitation; CloudSEK and others confirm ongoing botnet activity 2026,2023-11-16,2020,False,False
CVE-2023-36036,Microsoft,Windows,2023-11-14,2023-11-14,2023-11-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36036,"Windows Cloud Files Mini Filter Driver EoP zero-day; November 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2023-11-14,2023,True,False
CVE-2023-36033,Microsoft,Windows,2023-11-14,2023-11-14,2023-11-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36033,"Windows DWM Core Library EoP zero-day; November 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; widely abused as Local Privilege Escalation by malware loaders",2023-11-14,2023,True,False
CVE-2023-36025,Microsoft,Windows,2023-11-14,2023-11-14,2023-11-14,0,0,high,,https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-stealer.html,"Windows SmartScreen security feature bypass zero-day via crafted .url file; November 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; widely abused by Phemedrone Stealer and DarkGate loader",2023-11-14,2023,True,False
CVE-2023-47246,SysAid,SysAid Server,2023-11-10,2023-11-02,2023-11-09,0,-8,high,,https://www.microsoft.com/en-us/security/blog/2023/11/08/cl0p-exploits-sysaid-zero-day-cve-2023-47246/,SysAid Server path traversal zero-day; SysAid advisory Nov 9 2023; Microsoft attributed Lace Tempest (Cl0p ransomware affiliate FIN11) exploitation since Nov 2 2023 to deploy GraceWire loader and exfiltrate data,2023-11-13,2023,True,True
CVE-2023-36851,Juniper,Junos OS,2023-09-26,2023-08-25,2023-08-25,0,-32,medium,,https://labs.watchtowr.com/we-need-to-talk-about-juniper-cve-2023-36844-explained/,Juniper Junos OS SRX J-Web missing authentication companion; same Aug 17 2023 advisory cluster,2023-11-13,2023,True,True
CVE-2023-36847,Juniper,Junos OS,2023-08-17,2023-08-25,2023-08-25,8,8,medium,,https://labs.watchtowr.com/we-need-to-talk-about-juniper-cve-2023-36844-explained/,Juniper Junos OS EX J-Web missing authentication companion; same Aug 17 2023 advisory cluster,2023-11-13,2023,False,False
CVE-2023-36846,Juniper,Junos OS,2023-08-17,2023-08-25,2023-08-25,8,8,medium,,https://labs.watchtowr.com/we-need-to-talk-about-juniper-cve-2023-36844-explained/,Juniper Junos OS SRX J-Web missing authentication for critical function; same Aug 17 2023 advisory; chained by watchTowr Aug 25 for full RCE,2023-11-13,2023,False,False
CVE-2023-36845,Juniper,Junos OS,2023-08-17,2023-08-25,2023-08-25,8,8,medium,,https://labs.watchtowr.com/we-need-to-talk-about-juniper-cve-2023-36844-explained/,Juniper Junos OS SRX/EX J-Web PHP env-var manipulation companion to CVE-2023-36844; same Aug 17 2023 advisory cluster; watchTowr chain published Aug 25,2023-11-13,2023,False,False
CVE-2023-36844,Juniper,Junos OS,2023-08-17,2023-08-25,2023-08-25,8,8,medium,,https://labs.watchtowr.com/we-need-to-talk-about-juniper-cve-2023-36844-explained/,Juniper Junos OS SRX/EX series J-Web PHP environment variable manipulation; Juniper Aug 17 2023 out-of-cycle advisory; watchTowr published PoC Aug 25 with exploitation observed by Shadowserver shortly after,2023-11-13,2023,False,False
CVE-2023-29552,IETF,Service Location Protocol (SLP),2023-04-25,2023-11-08,2023-11-08,197,197,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-29552,IETF SLPv2 reflective DDoS amplification (RFC 2608); BitSight/Curesec disclosed Apr 25 2023; CISA KEV-added Nov 8 2023 with no specific public DDoS campaign attribution at addition; KEV-fallback,2023-11-08,2023,False,False
CVE-2023-22518,Atlassian,Confluence Data Center and Server,2023-10-31,2023-11-03,2023-11-03,3,3,high,,https://www.rapid7.com/blog/post/2023/11/06/etr-cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server/,Atlassian Confluence Data Center/Server improper authorization; Atlassian advisory Oct 31 2023; Trend Micro/Rapid7 observed Cerber ransomware exploitation from Nov 3 onwards via mass scanning,2023-11-07,2023,False,False
CVE-2023-46604,Apache,ActiveMQ,2023-10-27,2023-10-27,2023-10-27,0,0,high,,https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/,Apache ActiveMQ OpenWire protocol marshaller deserialization pre-auth RCE; Apache advisory Oct 25 2023; Rapid7 and Huntress observed HelloKitty ransomware exploitation from Oct 27 onwards; massive scanning by Nov 1,2023-11-02,2023,True,False
CVE-2023-46748,F5,BIG-IP Configuration Utility,2023-10-26,2023-10-26,2023-10-26,0,0,high,,https://my.f5.com/manage/s/article/K000137365,F5 BIG-IP Configuration Utility authenticated SQL injection; F5 K000137365 Oct 26 2023; chained with CVE-2023-46747 for unauthenticated RCE; mass scanning and exploitation within days,2023-10-31,2023,True,False
CVE-2023-46747,F5,BIG-IP Configuration Utility,2023-10-26,2023-10-26,2023-10-26,0,0,high,,https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/,F5 BIG-IP Configuration Utility AJP request smuggling auth bypass zero-day; F5 K000137353 Oct 26 2023; Praetorian disclosed; Mandiant observed CL-STA-0240 China-nexus exploitation; mass scanning within days,2023-10-31,2023,True,False
CVE-2023-5631,Roundcube,Webmail,2023-10-18,2023-10-11,2023-10-25,0,-7,high,,https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/,Roundcube Webmail stored XSS via SVG attachments; Roundcube advisory Oct 16 2023; ESET attributed Winter Vivern (TA473) Russia-aligned APT exploitation since Oct 11 2023 targeting European government webmail,2023-10-26,2023,True,True
CVE-2023-20273,Cisco,Cisco IOS XE Web UI,2023-10-24,2023-10-12,2023-10-24,0,-12,high,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,Cisco IOS XE Web UI privilege escalation companion zero-day chained with CVE-2023-20198; Cisco Talos identified Oct 17 as second-stage backdoor installation vector; mass implant deployment from Oct 12,2023-10-23,2023,True,True
CVE-2023-4966,Citrix,NetScaler ADC and NetScaler Gateway,2023-10-10,2023-08-15,2023-10-10,0,-56,high,,https://www.mandiant.com/resources/blog/session-hijacking-citrix-cve-2023-4966,"Citrix NetScaler ADC/Gateway ""Citrix Bleed"" session token disclosure via buffer overrun; Citrix CTX579459 Oct 10 2023; Mandiant traced exploitation to late August 2023 (~2 months pre-disclosure) attributed to suspected nation-state and LockBit ransomware affiliates targeting US/UK/Australia organizations",2023-10-18,2023,True,True
CVE-2023-20198,Cisco,IOS XE Web UI,2023-10-16,2023-09-18,2023-10-16,0,-28,high,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,"Cisco IOS XE Web UI privilege escalation zero-day allowing creation of privilege 15 accounts; Cisco PSIRT Oct 16 2023; Cisco Talos traced exploitation back to Sep 18 with mass implant deployment; ~50,000 devices initially compromised",2023-10-16,2023,True,True
CVE-2023-44487,IETF,HTTP/2,2023-10-10,2023-08-25,2023-10-10,0,-46,high,,https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-attack/,"HTTP/2 protocol ""Rapid Reset"" DDoS amplification via RST_STREAM frame flood; coordinated disclosure Oct 10 2023; Google/Cloudflare/AWS observed exploitation since Aug 25 2023 reaching 398M rps (Google) and 201M rps (Cloudflare)",2023-10-10,2023,True,True
CVE-2023-41763,Microsoft,Skype for Business,2023-10-10,2023-10-10,2023-10-10,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763,Skype for Business EoP zero-day; October 2023 Patch Tuesday; Microsoft acknowledged public disclosure but unclear ITW status; commonly chained for NTLM relay,2023-10-10,2023,True,False
CVE-2023-36563,Microsoft,WordPad,2023-10-10,2023-10-10,2023-10-10,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36563,"Microsoft WordPad information disclosure (NTLM hash leak) zero-day; October 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""",2023-10-10,2023,True,False
CVE-2023-21608,Adobe,Acrobat and Reader,2023-01-18,2023-10-10,2023-10-10,265,265,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-21608,Adobe Acrobat and Reader use-after-free; Adobe APSB23-01 Jan 18 2023; CISA KEV-added Oct 10 2023 (~9 months late) with no specific public exploitation attribution; KEV-fallback,2023-10-10,2023,False,False
CVE-2023-20109,Cisco,IOS and IOS XE,2023-09-27,2023-09-27,2023-10-10,0,0,medium,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-getvpn-rJB7tFsd,Cisco IOS GET VPN GDOI/G-IKEv2 protocol out-of-bounds write RCE; Cisco PSIRT Sep 27 2023 acknowledged active exploitation attempts; CISA KEV-added Oct 10,2023-10-10,2023,True,False
CVE-2023-42824,Apple,iOS and iPadOS,2023-10-04,2023-10-04,2023-10-04,0,0,high,,https://support.apple.com/en-us/HT213972,"Apple XNU kernel local privilege escalation zero-day; iOS 17.0.3 Oct 4 2023 with Apple ""may have been actively exploited against versions of iOS before iOS 16.6""; reported anonymously",2023-10-05,2023,True,False
CVE-2023-40044,Progress,WS_FTP Server,2023-09-27,2023-10-02,2023-10-02,5,5,medium,,https://www.rapid7.com/blog/post/2023/10/02/etr-critical-vulnerabilities-in-ws_ftp-server/,Progress WS_FTP Server ASP.NET deserialization pre-auth RCE; Progress advisory Sep 27 2023; AssetNote PoC Oct 2; Rapid7 observed exploitation attempts beginning Oct 1-2,2023-10-05,2023,False,False
CVE-2023-22515,Atlassian,Confluence Data Center and Server,2023-10-04,2023-09-14,2023-10-04,0,-20,high,,https://www.microsoft.com/en-us/security/blog/2023/10/10/active-exploitation-of-cve-2023-22515-by-storm-0062/,Atlassian Confluence Data Center/Server broken access control privilege escalation zero-day; Atlassian advisory Oct 4 2023; Microsoft attributed exploitation to Storm-0062 (DarkShadow/Oro0lxy China-nexus) since Sep 14 2023 (~3 weeks pre-disclosure),2023-10-05,2023,True,True
CVE-2023-42793,JetBrains,TeamCity,2023-09-19,2023-09-26,2023-09-26,7,7,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a,JetBrains TeamCity authentication bypass pre-auth RCE; JetBrains advisory Sep 19 2023; FBI/NSA/SVR-related CSA Dec 13 2023 attributed Russian APT29 (Cozy Bear/Midnight Blizzard) exploitation since Sep 26 2023 targeting TeamCity-hosting organizations,2023-10-04,2023,False,False
CVE-2023-28229,Microsoft,Windows CNG Key Isolation Service,2023-04-11,2023-04-11,2023-04-11,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28229,"Windows CNG Key Isolation Service EoP zero-day; April 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported anonymously",2023-10-04,2023,True,False
CVE-2023-4211,Arm,Mali GPU Kernel Driver,2023-10-01,2023-09-01,2023-10-02,0,-30,high,,https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities,"Arm Mali GPU kernel driver use-after-free zero-day; Arm advisory Oct 2 2023 acknowledged ""evidence that this vulnerability may be under limited, targeted exploitation""; reported by Maddie Stone of Google TAG and Jann Horn of Project Zero",2023-10-03,2023,True,True
CVE-2023-5217,Google,Chromium libvpx,2023-09-28,2023-09-27,2023-09-27,0,-1,high,,https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html,Chrome libvpx VP8 heap buffer overflow zero-day; Google Stable Channel update Sep 27 2023 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG; likely commercial spyware vendor delivery,2023-10-02,2023,True,True
CVE-2018-14667,Red Hat,JBoss RichFaces Framework,2018-11-06,2023-09-28,2023-09-28,1787,1787,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14667,JBoss RichFaces EL injection RCE; CISA KEV add 2023-09-28; no specific contemporary threat-intel report documenting in-the-wild exploitation found - SecurityWeek and SecurityAffairs only report on the KEV add,2023-09-28,2018,False,False
CVE-2023-41993,Apple,Multiple Products,2023-09-21,2023-09-21,2023-09-21,0,0,high,,https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/,Apple WebKit arbitrary code execution zero-day; iOS 16.7/17.0.1 Sep 21 2023; Citizen Lab Cytrox Predator exploit chain initial entry point against Eltantawy via SMS lure,2023-09-25,2023,True,False
CVE-2023-41992,Apple,Multiple Products,2023-09-21,2023-09-21,2023-09-21,0,0,high,,https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/,Apple kernel local privilege escalation zero-day; iOS 16.7/17.0.1 Sep 21 2023; Citizen Lab Cytrox Predator exploit chain against Eltantawy,2023-09-25,2023,True,False
CVE-2023-41991,Apple,Multiple Products,2023-09-21,2023-09-21,2023-09-21,0,0,high,,https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/,Apple Security framework certificate validation bypass zero-day; iOS 16.7/17.0.1 Sep 21 2023; Citizen Lab + Google TAG attributed Cytrox Predator commercial spyware exploitation chain targeting former Egyptian MP Ahmed Eltantawy,2023-09-25,2023,True,False
CVE-2023-41179,Trend Micro,Apex One and Worry-Free Business Security,2023-09-19,2023-09-19,2023-09-19,0,0,high,,https://success.trendmicro.com/dcx/s/solution/000294994,Trend Micro Apex One and Worry-Free Business Security third-party AV uninstaller module RCE zero-day; Trend Micro advisory Sep 19 2023 acknowledged limited targeted exploitation in the wild,2023-09-21,2023,True,False
CVE-2023-28434,MinIO,MinIO,2023-03-22,2023-09-19,2023-09-19,181,181,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434,MinIO privilege escalation companion to CVE-2023-28432; MinIO advisory Mar 22 2023; CISA KEV-added Sep 19 2023 with no specific public exploitation attribution distinct from 28432; KEV-fallback,2023-09-19,2023,False,False
CVE-2022-22265,Samsung,Mobile Devices,2022-01-07,2022-01-01,2023-01-23,0,-6,medium,,https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22265.html,Samsung mobile devices NPU device driver double-free EoP; Samsung patched January 2022; Project Zero retrospectively confirmed as 2022 in-the-wild zero-day in 0day-in-the-wild RCA published Jan 2023,2023-09-18,2022,True,True
CVE-2021-3129,Laravel,Ignition,2021-01-12,2021-01-13,2021-01-13,1,1,high,,https://www.ambionics.io/blog/laravel-debug-rce,Laravel debug mode Ignition Phar deserialization RCE; Ambionics disclosure Jan 12 2021; PoCs immediate; widespread exploitation often chained with leaked APP_KEYs; CISA KEV-added Nov 3 2021 initial bulk,2023-09-18,2021,False,False
CVE-2023-26369,Adobe,Acrobat and Reader,2023-09-13,2023-09-12,2023-09-12,0,-1,high,,https://helpx.adobe.com/security/products/acrobat/apsb23-44.html,Adobe Acrobat and Reader out-of-bounds write zero-day; Adobe APSB23-44 Sep 12 2023 acknowledged limited attacks in the wild targeting Adobe Acrobat Reader users on Windows,2023-09-14,2023,True,True
CVE-2023-4863,Google,Chromium WebP,2023-09-12,2023-09-06,2023-09-11,0,-6,high,,https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html,"Chrome libwebp heap buffer overflow zero-day; Google Stable Channel update Sep 11 2023; reported by Apple SEAR + Citizen Lab as part of NSO BLASTPASS chain (CVE-2023-41064) affecting any libwebp-using application including browsers, Electron, Signal, etc.",2023-09-13,2023,True,True
CVE-2023-35674,Android,Framework,2023-09-11,2023-09-05,2023-09-05,0,-6,high,,https://source.android.com/docs/security/bulletin/2023-09-01,"Android Framework EoP zero-day; Google September 2023 Android security bulletin acknowledged ""indications that CVE-2023-35674 may be under limited, targeted exploitation""",2023-09-13,2023,True,True
CVE-2023-20269,Cisco,ASA and FTD,2023-09-06,2023-08-01,2023-09-06,0,-36,high,,https://www.rapid7.com/blog/post/2023/09/06/cisco-asa-zero-day-exploited-by-akira-ransomware/,Cisco ASA/FTD VPN unauthorized brute-force attack; Cisco PSIRT Sep 6 2023 acknowledged active exploitation; Rapid7 observed Akira and LockBit ransomware affiliates exploiting from August 2023 to compromise VPN credentials,2023-09-13,2023,True,True
CVE-2023-36802,Microsoft,Streaming Service Proxy,2023-09-12,2023-09-12,2023-09-12,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802,"Microsoft Streaming Service Proxy EoP zero-day; September 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Quan Jin of DBAPPSecurity + Microsoft Threat Intelligence",2023-09-12,2023,True,False
CVE-2023-36761,Microsoft,Word,2023-09-12,2023-09-12,2023-09-12,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36761,"Microsoft Word information disclosure (NTLM hash leak) zero-day; September 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; preview pane attack vector",2023-09-12,2023,True,False
CVE-2023-41064,Apple,"iOS, iPadOS, and macOS",2023-09-07,2023-09-07,2023-09-07,0,0,high,,https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/,"Apple ImageIO buffer overflow zero-day ""BLASTPASS""; iOS 16.6.1 emergency update Sep 7 2023; Citizen Lab discovered NSO Group Pegasus exploitation against Washington DC-based civil society organization via malicious PassKit attachments",2023-09-11,2023,True,False
CVE-2023-41061,Apple,"iOS, iPadOS, and watchOS",2023-09-07,2023-09-07,2023-09-07,0,0,high,,https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/,"Apple Wallet PassKit malformed signature validation flaw ""BLASTPASS""; iOS 16.6.1 emergency update Sep 7 2023; Citizen Lab discovered NSO Group Pegasus exploitation against civil society target; zero-click chain with CVE-2023-41064",2023-09-11,2023,True,False
CVE-2023-33246,Apache,RocketMQ,2023-05-24,2023-06-01,2023-06-01,8,8,high,,https://blogs.juniper.net/en-us/security/dreambus-unleashes-new-modules-revives-old-tactics,Apache RocketMQ broker pre-auth RCE via update configuration; Apache advisory May 24 2023; PoCs immediate; DreamBus botnet observed exploitation by June 2023 (Juniper Threat Labs); CISA KEV-added Sept 6 2023,2023-09-06,2023,False,False
CVE-2023-38831,RARLAB,WinRAR,2023-08-23,2023-04-01,2023-08-23,0,-144,high,,https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/,"RARLAB WinRAR ZIP archive RCE via duplicate filenames in archive; RARLAB patched 6.23 Aug 2 2023; Group-IB disclosed Aug 23; Google TAG attributed exploitation to multiple actors including APT28, Sandworm, APT40 since April 2023 (~4 months pre-disclosure) targeting cryptocurrency traders and government",2023-08-24,2023,True,True
CVE-2023-32315,Ignite Realtime,Openfire,2023-05-26,2023-06-01,2023-08-24,6,6,high,,https://vulncheck.com/blog/openfire-cve-2023-32315-exploitation,Ignite Realtime Openfire admin console path traversal pre-auth; Openfire advisory May 26 2023; VulnCheck observed exploitation by Kinsing cryptominer and ShadowPad operators from June 2023; CISA KEV-added Aug 24,2023-08-24,2023,False,False
CVE-2023-38035,Ivanti,Sentry,2023-08-21,2023-08-18,2023-08-21,0,-3,high,,https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface,Ivanti Sentry (formerly MobileIron Sentry) API authentication bypass zero-day; Ivanti advisory Aug 21 2023 acknowledged limited targeted exploitation; reported by Norwegian NSM via mnemonic,2023-08-22,2023,True,True
CVE-2023-27532,Veeam,Backup & Replication,2023-03-10,2023-03-23,2023-03-23,13,13,high,,https://labs.withsecure.com/publications/fin7-flash-fin7-targets-veeam-servers,Veeam Backup & Replication credential exposure via Veeam.Backup.Service.exe; Veeam KB4424 Mar 7 2023; WithSecure Mar 23 attributed FIN7 (Carbanak) exploitation; Mandiant linked to Cuba ransomware operations,2023-08-22,2023,False,False
CVE-2023-26359,Adobe,ColdFusion,2023-03-23,2023-08-21,2023-08-21,151,151,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-26359,Adobe ColdFusion deserialization companion; Adobe APSB23-25 Mar 14 2023; CISA KEV-added Aug 21 2023 with no specific public attribution distinct from CVE-2023-26360; KEV-fallback,2023-08-21,2023,False,False
CVE-2023-24489,Citrix,Content Collaboration,2023-07-10,2023-08-16,2023-08-16,37,37,medium,,https://blog.assetnote.io/2023/07/24/citrix-sharefile-rce/,Citrix ShareFile storage zone controller improper resource control allowing arbitrary file write; Citrix CTX559517 Jun 13 2023; AssetNote published PoC late July; CISA KEV-added Aug 16 citing active exploitation; LockBit affiliate exploitation observed,2023-08-16,2023,False,False
CVE-2023-38180,Microsoft,.NET Core and Visual Studio,2023-08-08,2023-08-08,2023-08-08,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180,".NET Core/Visual Studio denial of service zero-day; August 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; affects Kestrel web server",2023-08-09,2023,True,False
CVE-2023-35081,Ivanti,Endpoint Manager Mobile (EPMM),2023-08-03,2023-07-28,2023-08-03,0,-6,high,,https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write,Ivanti EPMM path traversal allowing arbitrary file write zero-day; Ivanti advisory Aug 3 2023; chained with CVE-2023-35078 for full compromise in Norwegian government attacks,2023-07-31,2023,True,True
CVE-2023-37580,Synacor,Zimbra Collaboration Suite (ZCS),2023-07-31,2023-06-29,2023-11-16,0,-32,high,,https://blog.google/threat-analysis-group/winter-vivern-targets-roundcube-zero-day-russian-belarus-interests/,Zimbra Collaboration Suite reflected XSS zero-day in webmail client; Zimbra advisory Jul 13 2023; Google TAG Nov 16 2023 attributed exploitation to Winter Vivern (TA473) since Jun 29 2023 targeting government webmail; chain with credential phishing,2023-07-27,2023,True,True
CVE-2023-38606,Apple,Multiple Products,2023-07-26,2023-07-24,2023-07-24,0,-2,high,,https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/,"Apple kernel memory protection bypass zero-day; iOS 16.6/15.7.8 Jul 24 2023; Kaspersky GReAT Operation Triangulation final piece via undocumented MMIO registers; reported by Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko and Boris Larin of Kaspersky",2023-07-26,2023,True,True
CVE-2023-35078,Ivanti,Endpoint Manager Mobile (EPMM),2023-07-25,2023-04-01,2023-07-23,0,-115,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a,Ivanti Endpoint Manager Mobile (formerly MobileIron Core) authentication bypass zero-day; Ivanti advisory Jul 23 2023; Norwegian NSM attributed exploitation against 12 Norwegian government ministries since April 2023 (~3 months pre-disclosure); CISA AA23-213A confirmed,2023-07-25,2023,True,True
CVE-2023-38205,Adobe,ColdFusion,2023-09-14,2023-07-19,2023-08-21,0,-57,high,,https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html,Adobe ColdFusion access control bypass; Adobe APSB23-47 Aug 8 2023 emergency patch; bypass of CVE-2023-29298; CISA KEV-added Aug 21 citing active exploitation by Project 1; observed since mid-July,2023-07-20,2023,True,True
CVE-2023-29298,Adobe,ColdFusion,2023-07-12,2023-07-13,2023-07-13,1,1,high,,https://www.rapid7.com/blog/post/2023/07/17/etr-cve-2023-29298-adobe-coldfusion-access-control-bypass/,Adobe ColdFusion access control bypass; Adobe APSB23-40 Jul 11 2023; Rapid7 disclosed and observed exploitation within days; chained with CVE-2023-38203 deserialization bypass,2023-07-20,2023,False,False
CVE-2023-3519,Citrix,NetScaler ADC and NetScaler Gateway,2023-07-19,2023-06-15,2023-07-18,0,-34,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a,Citrix NetScaler ADC/Gateway pre-auth RCE zero-day; Citrix CTX561482 Jul 18 2023; CISA AA23-201A confirmed exploitation against US critical infrastructure organization in June 2023 (~5 weeks pre-disclosure); Mandiant attributed to suspected China-nexus actor,2023-07-19,2023,True,True
CVE-2023-36884,Microsoft,Windows,2023-07-11,2023-06-01,2023-07-11,0,-40,high,,https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-intelligence-motivated-operations/,"Microsoft Office and Windows HTML RCE zero-day ""Storm-0978/RomCom""; July 2023 Patch Tuesday; Microsoft attributed Russia-aligned Storm-0978 (RomCom) exploitation via NATO Summit-themed lures since June 2023 targeting defense, government, telecom in Europe and North America",2023-07-17,2023,True,True
CVE-2023-37450,Apple,Multiple Products,2023-07-26,2023-07-10,2023-07-10,0,-16,high,,https://support.apple.com/en-us/HT213823,Apple WebKit type confusion zero-day; Rapid Security Response iOS 16.5.1(a)/macOS 13.4.1(a) Jul 10 2023 with Apple ITW acknowledgement; reported anonymously,2023-07-13,2023,True,True
CVE-2022-29303,SolarView,Compact,2022-05-12,2023-06-01,2023-07-13,385,385,high,,https://unit42.paloaltonetworks.com/mirai-variant-v3g4/,SolarView Compact OS command injection via conf_mail.php; Palo Alto Unit 42 Jul 13 2023 observed Mirai variant exploitation from June 2023 targeting renewable energy infrastructure,2023-07-13,2022,False,False
CVE-2023-36874,Microsoft,Windows,2023-07-11,2023-07-11,2023-07-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874,"Windows Error Reporting Service EoP zero-day; July 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Vlad Stolyarov and Maddie Stone of Google TAG",2023-07-11,2023,True,False
CVE-2023-35311,Microsoft,Outlook,2023-07-11,2023-07-11,2023-07-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311,"Microsoft Outlook security feature bypass zero-day; July 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; preview pane attack vector",2023-07-11,2023,True,False
CVE-2023-32049,Microsoft,Windows,2023-07-11,2023-07-11,2023-07-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32049,"Windows SmartScreen security feature bypass zero-day; July 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; commonly chained by infostealer and ransomware operators",2023-07-11,2023,True,False
CVE-2023-32046,Microsoft,Windows,2023-07-11,2023-07-11,2023-07-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32046,"Windows MSHTML platform EoP zero-day; July 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Microsoft Threat Intelligence Center",2023-07-11,2023,True,False
CVE-2022-31199,Netwrix,Auditor,2022-11-08,2022-10-01,2022-12-01,0,-38,high,,https://cloud.google.com/blog/topics/threat-intelligence/unc2596-cuba-ransomware,Netwrix Auditor InsecureBinaryFormatter deserialization RCE; Bishop Fox disclosed Nov 8 2022; Mandiant attributed exploitation to UNC2596 Cuba ransomware affiliate from Oct 2022 for initial access to internal Windows networks,2023-07-11,2022,True,True
CVE-2021-29256,Arm,Mali Graphics Processing Unit (GPU),2021-05-24,2023-07-07,2023-07-07,774,774,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-29256,Arm Mali GPU UAF; Arm advisory May 24 2021; CISA KEV-added Jul 7 2023 with no specific public exploitation campaign attribution; KEV-fallback,2023-07-07,2021,False,False
CVE-2021-25489,Samsung,Mobile Devices,2021-10-06,2023-06-29,2023-06-29,631,631,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25489,Samsung mobile devices improper input validation kernel panic; Samsung patched October 2021; CISA KEV-added Jun 29 2023 with no public exploitation report; KEV-fallback,2023-06-29,2021,False,False
CVE-2021-25487,Samsung,Mobile Devices,2021-10-06,2023-06-29,2023-06-29,631,631,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25487,Samsung mobile devices out-of-bounds read leading to arbitrary code execution; Samsung patched October 2021; CISA KEV-added Jun 29 2023 with no public exploitation report; KEV-fallback,2023-06-29,2021,False,False
CVE-2021-25395,Samsung,Mobile Devices,2021-06-11,2023-06-29,2023-06-29,748,748,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25395,Samsung MFC charger driver race condition signature bypass; Samsung patched May 2021; CISA KEV-added Jun 29 2023 with no public exploitation report; KEV-fallback,2023-06-29,2021,False,False
CVE-2021-25394,Samsung,Mobile Devices,2021-06-11,2023-06-29,2023-06-29,748,748,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25394,Samsung MFC charger driver race condition use-after-free; Samsung patched May 2021; CISA KEV-added Jun 29 2023 with no public exploitation report; KEV-fallback,2023-06-29,2021,False,False
CVE-2021-25372,Samsung,Mobile Devices,2021-03-26,2023-06-29,2023-06-29,825,825,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25372,Samsung DSP driver out-of-bounds access; Samsung patched March 2021; CISA KEV-added Jun 29 2023 with no public third-party exploitation report (SecurityWeek confirmed); KEV-fallback,2023-06-29,2021,False,False
CVE-2021-25371,Samsung,Mobile Devices,2021-03-26,2023-06-29,2023-06-29,825,825,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25371,"Samsung DSP driver arbitrary ELF library loading; Samsung patched March 2021 (SMR Mar-2021); CISA KEV-added Jun 29 2023; SecurityWeek noted no public exploitation reports though ""likely exploited by commercial spyware vendor""; KEV-fallback",2023-06-29,2021,False,False
CVE-2019-20500,D-Link,DWL-2600AP Access Point,2020-03-05,2023-04-11,2023-06-07,1132,1132,high,,https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/,D-Link DWL-2600AP authenticated OS command injection; Mirai botnet variant V3G4 exploitation detected by Palo Alto Unit 42 April 11 2023; published June 2023; CISA KEV-added 2023-06-29,2023-06-29,2019,False,False
CVE-2019-17621,D-Link,DIR-859 Router,2019-12-30,2019-12-13,2019-12-13,0,-17,high,,https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/,D-Link DIR-859 UPnP command injection; widely exploited by Mirai variants,2023-06-29,2019,True,True
CVE-2023-32439,Apple,Multiple Products,2023-06-23,2023-06-21,2023-06-21,0,-2,high,,https://support.apple.com/en-us/HT213811,Apple WebKit type confusion zero-day; iOS 16.5.1 Jun 21 2023 with Apple ITW acknowledgement; reported anonymously,2023-06-23,2023,True,True
CVE-2023-32435,Apple,Multiple Products,2023-06-23,2023-06-01,2023-06-21,0,-22,high,,https://securelist.com/operation-triangulation/109842/,Apple WebKit memory corruption zero-day; iOS 16.5.1 Jun 21 2023; Kaspersky Operation Triangulation iMessage zero-click chain (TriangleDB implant),2023-06-23,2023,True,True
CVE-2023-32434,Apple,Multiple Products,2023-06-23,2023-06-01,2023-06-21,0,-22,high,,https://securelist.com/operation-triangulation/109842/,Apple kernel integer overflow zero-day; iOS 16.5.1 Jun 21 2023; Kaspersky GReAT reported as Operation Triangulation exploitation chain targeting Kaspersky employees and others since 2019; iMessage zero-click delivery,2023-06-23,2023,True,True
CVE-2023-27992,Zyxel,Multiple Network-Attached Storage (NAS) Devices,2023-06-19,2023-06-23,2023-06-23,4,4,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27992,Zyxel multiple NAS devices pre-auth command injection; Zyxel advisory Jun 19 2023; CISA KEV-added Jun 23 with no specific public exploitation attribution distinct from broader Zyxel attack wave; KEV-fallback,2023-06-23,2023,False,False
CVE-2023-20867,VMware,Tools,2023-06-13,2023-06-13,2023-06-13,0,0,high,,https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass,VMware Tools authentication bypass in vgauth daemon; VMware VMSA-2023-0013 Jun 13 2023; Mandiant attributed UNC3886 (China-nexus) exploitation against ESXi hypervisors to enable lateral movement to guest VMs without authentication,2023-06-23,2023,True,False
CVE-2023-20887,VMware,Aria Operations for Networks,2023-06-07,2023-06-20,2023-06-20,13,13,high,,https://www.vmware.com/security/advisories/VMSA-2023-0012.html,VMware Aria Operations for Networks (vRealize Network Insight) command injection pre-auth RCE; VMSA-2023-0012 Jun 7 2023; PoCs public Jun 13; CISA KEV-added Jun 22 citing active exploitation observed by Shadowserver and others,2023-06-22,2023,False,False
CVE-2021-44026,Roundcube,Roundcube Webmail,2021-11-19,2023-06-22,2023-06-22,580,580,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44026,Roundcube Webmail SQL injection via search/search_params; Roundcube advisory Nov 11 2021; CISA KEV-added Jun 22 2023 with no specific public exploitation attribution at addition time (later linked to Winter Vivern APT); KEV-fallback,2023-06-22,2021,False,False
CVE-2020-35730,Roundcube,Roundcube Webmail,2020-12-28,2023-08-01,2023-10-25,946,946,high,,https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/,Roundcube XSS via crafted URL; Winter Vivern APT exploited in August-September 2023 against governmental entities; Sednit/APT28 also observed exploiting; reported by ESET,2023-06-22,2020,False,False
CVE-2020-12641,Roundcube,Roundcube Webmail,2020-05-04,2023-06-22,2023-06-22,1144,1144,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12641,Roundcube Webmail Sieve scripting RCE via Email; CISA KEV catalog the documented evidence; no specific contemporary threat-intel report with date attribution found,2023-06-22,2020,False,False
CVE-2023-27997,Fortinet,FortiOS and FortiProxy SSL-VPN,2023-06-13,2023-05-01,2023-06-12,0,-43,high,,https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/,Fortinet FortiOS/FortiProxy SSL-VPN heap-based buffer overflow pre-auth RCE; FortiGuard PSIRT FG-IR-23-097 Jun 12 2023; Microsoft attributed Volt Typhoon China state-sponsored exploitation against US critical infrastructure; chained with CVE-2022-42475,2023-06-13,2023,True,True
CVE-2023-3079,Google,Chromium V8,2023-06-05,2023-06-05,2023-06-05,0,0,high,,https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop.html,Chrome V8 type confusion zero-day; Google Stable Channel update Jun 5 2023 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG,2023-06-07,2023,True,False
CVE-2023-33010,Zyxel,Multiple Firewalls,2023-05-24,2023-06-05,2023-06-05,12,12,medium,,https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls,Zyxel firewalls ID processing function buffer overflow companion to CVE-2023-33009; same May 24 2023 advisory; CISA KEV-added Jun 5,2023-06-05,2023,False,False
CVE-2023-33009,Zyxel,Multiple Firewalls,2023-05-24,2023-06-05,2023-06-05,12,12,medium,,https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls,Zyxel ATP/USG FLEX/VPN/ZyWALL firewalls notification function buffer overflow pre-auth RCE; Zyxel advisory May 24 2023; CISA KEV-added Jun 5 citing exploitation; chained with CVE-2023-33010,2023-06-05,2023,False,False
CVE-2023-34362,Progress,MOVEit Transfer,2023-06-02,2023-05-27,2023-06-01,0,-6,high,,https://cloud.google.com/blog/topics/threat-intelligence/zero-day-moveit-data-theft,"Progress MOVEit Transfer SQL injection pre-auth RCE zero-day; Progress advisory Jun 1 2023; Mandiant attributed Cl0p/Lace Tempest (FIN11) exploitation since May 27 2023 (Memorial Day weekend); ~2,700+ organizations breached including BBC, British Airways, US federal agencies in massive supply chain incident",2023-06-02,2023,True,True
CVE-2023-28771,Zyxel,Multiple Firewalls,2023-04-25,2023-05-26,2023-05-26,31,31,high,,https://www.rapid7.com/blog/post/2023/05/31/etr-widespread-exploitation-of-zyxel-network-device-vulnerabilities/,Zyxel ATP/USG FLEX/VPN multiple firewalls IKE packet command injection pre-auth RCE; Zyxel advisory Apr 25 2023; Rapid7 observed Mirai variant widespread exploitation from May 26 2023,2023-05-31,2023,False,False
CVE-2023-2868,Barracuda,ESG Appliance,2023-05-24,2022-10-10,2023-05-23,0,-226,high,,https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally,Barracuda Email Security Gateway (ESG) appliance remote command injection zero-day; Barracuda disclosed May 23 2023; Mandiant attributed UNC4841 (China-nexus) exploitation since Oct 10 2022 (~7 months pre-disclosure) with SEASPY/SUBMARINE/SALTWATER implants; CISA recommended device replacement,2023-05-26,2023,True,True
CVE-2023-32409,Apple,Multiple Products,2023-06-23,2023-05-18,2023-05-18,0,-36,high,,https://support.apple.com/en-us/HT213757,Apple WebKit sandbox escape zero-day; iOS 16.5 May 18 2023 with Apple ITW acknowledgement; reported by Clement Lecigne of Google TAG and Donncha Ó Cearbhaill of Amnesty International,2023-05-22,2023,True,True
CVE-2023-32373,Apple,Multiple Products,2023-06-23,2023-05-18,2023-05-18,0,-36,high,,https://support.apple.com/en-us/HT213757,"Apple WebKit use-after-free zero-day; iOS 16.5/RSR 16.4.1(a) May 18 2023 with Apple ""may have been actively exploited"" acknowledgement; reported anonymously",2023-05-22,2023,True,True
CVE-2023-28204,Apple,Multiple Products,2023-06-23,2023-05-18,2023-05-18,0,-36,high,,https://support.apple.com/en-us/HT213757,"Apple WebKit out-of-bounds read zero-day; iOS 16.5/Rapid Security Response 16.4.1(a) May 18 2023 with Apple ""may have been actively exploited"" acknowledgement; reported anonymously",2023-05-22,2023,True,True
CVE-2023-21492,Samsung,Mobile Devices,2023-05-04,2023-01-17,2023-05-04,0,-107,high,,https://security.samsungmobile.com/securityUpdate.smsb,Samsung mobile devices kernel pointer information disclosure for ASLR bypass; reported privately Jan 17 2023; Samsung May 2023 SMR with acknowledgement of in-the-wild exploitation (commercial spyware chain),2023-05-19,2023,True,True
CVE-2023-25717,Ruckus,Wireless Admin,2023-02-13,2023-04-25,2023-04-25,71,71,high,,https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin,Ruckus Wireless Admin CSRF/RCE; Ruckus advisory Feb 8 2023; Fortinet FortiGuard observed AndoryuBot DDoS botnet exploitation from late Apr 2023,2023-05-12,2023,False,False
CVE-2021-3560,Red Hat,Polkit,2022-02-16,2023-05-12,2023-05-12,450,450,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3560,Polkit D-Bus authentication race condition LPE; disclosed by GitHub Security Lab (Kevin Backhouse) Jun 3 2021; CISA KEV-added May 12 2023 with no specific in-the-wild campaign attribution; popular post-foothold escalation; KEV-fallback,2023-05-12,2021,False,False
CVE-2023-29336,Microsoft,Win32k,2023-05-09,2023-05-09,2023-05-09,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29336,"Windows Win32k privilege escalation zero-day; May 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Avast Threat Labs (Jan Vojtěšek, Milánek and Luigino Camastra)",2023-05-09,2023,True,False
CVE-2023-21839,Oracle,WebLogic Server,2023-01-17,2023-02-22,2023-02-22,36,36,high,,https://threatprotect.qualys.com/2023/02/23/oracle-weblogic-server-information-disclosure-vulnerability-cve-2023-21839-exploited-in-wild/,Oracle WebLogic Server unauthenticated information disclosure leading to RCE via IIOP/T3 protocols; Oracle CPU Jan 17 2023; PoCs late Feb; Qualys ThreatPROTECT observed exploitation Feb 22; CISA KEV-added May 1 2023,2023-05-01,2023,False,False
CVE-2023-1389,TP-Link,Archer AX-21,2023-03-15,2023-04-11,2023-04-11,27,27,high,,https://www.trendmicro.com/en_us/research/23/d/mirai-variant-v3g4-targets-iot-devices.html,TP-Link Archer AX-21 command injection in country form locale parameter; Pwn2Own Toronto 2022 disclosed; ZDI advisory Mar 15 2023; Trend Micro ZDI observed Mirai variant V3G4 botnet exploitation from Apr 11 2023; Fortinet/Palo Alto Unit 42 documented widespread IoT botnet adoption,2023-05-01,2023,False,False
CVE-2021-45046,Apache,Log4j2,2021-12-14,2021-12-14,2021-12-14,0,0,high,,https://logging.apache.org/log4j/2.x/security.html,Apache Log4j2 follow-up DoS/RCE flaw; incomplete fix for CVE-2021-44228 in 2.15.0; exploited alongside Log4Shell as defenders applied incomplete patches; Apache 2.16.0 fix,2023-05-01,2021,True,False
CVE-2023-28432,MinIO,Server,2023-03-22,2023-03-23,2023-03-23,1,1,high,,https://blog.min.io/security-advisory-stackedcves/,MinIO server information disclosure of environment variables including MINIO_SECRET_KEY/MINIO_ROOT_PASSWORD; MinIO patched Mar 20 2023; CVE published Mar 21; GreyNoise (Andrew Morris) observed exploitation Mar 23 with public PoCs,2023-04-21,2023,False,False
CVE-2023-27350,PaperCut,MF/NG,2023-04-20,2023-04-14,2023-04-19,0,-6,high,,https://www.trendmicro.com/en_us/research/23/d/papercut-vulnerability-cve-2023-27350.html,PaperCut MF/NG SetupCompleted authentication bypass pre-auth RCE; PaperCut patched Mar 8 2023; Horizon3.ai PoC Apr 18; Trend Micro/Huntress observed Cl0p and LockBit ransomware affiliate exploitation from Apr 14 (Bl00dy ransomware via Atera RMM); Microsoft attributed Lace Tempest (FIN11),2023-04-21,2023,True,True
CVE-2023-2136,Google,Chromium Skia,2023-04-19,2023-04-18,2023-04-18,0,-1,high,,https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html,Chrome Skia integer overflow zero-day; Google Stable Channel update Apr 18 2023 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG,2023-04-21,2023,True,True
CVE-2023-2033,Google,Chromium V8,2023-04-14,2023-04-14,2023-04-14,0,0,high,,https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop.html,Chrome V8 type confusion zero-day; Google Stable Channel update Apr 14 2023 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG; first Chrome zero-day of 2023,2023-04-17,2023,True,False
CVE-2019-8526,Apple,macOS,2019-12-18,2019-06-15,2019-07-01,0,-186,high,,https://www.sentinelone.com/blog/macos-malware-2019-first-six-months/,Apple macOS Core Data UAF EoP; exploited in the wild by OSX/Linker malware (Bundlore adware variant) starting mid-June 2019; SentinelOne reported July 2019; CISA added 2023-04-17,2023-04-17,2019,True,True
CVE-2023-29492,Novi Survey,Novi Survey,2023-04-11,2023-04-13,2023-04-13,2,2,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-29492,Novi Survey insecure deserialization RCE; Novi Survey advisory Apr 2023; CISA KEV-added Apr 13 citing in-the-wild exploitation but no specific public attribution; KEV-fallback,2023-04-13,2023,False,False
CVE-2023-20963,Google,Android,2023-03-24,2023-03-13,2023-03-24,0,-11,high,,https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2023/CVE-2023-20963.html,Android Framework parcel mismatch arbitrary code execution; Google March 2023 Android security bulletin Mar 13; Lookout disclosed Pinduoduo Chinese e-commerce app exploitation; Project Zero published RCA,2023-04-13,2023,True,True
CVE-2023-28252,Microsoft,Windows CLFS Driver,2023-04-11,2023-04-11,2023-04-11,0,0,high,,https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/,Windows CLFS driver privilege escalation zero-day; April 2023 Patch Tuesday; Kaspersky GReAT attributed exploitation to Nokoyawa ransomware operator (group leveraging similar CLFS bug pattern as five prior CLFS zero-days),2023-04-11,2023,True,False
CVE-2023-28206,Apple,Multiple Products,2023-04-10,2023-04-07,2023-04-07,0,-3,high,,https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/,Apple IOSurfaceAccelerator out-of-bounds write zero-day; iOS 16.4.1 emergency update Apr 7 2023; chained with CVE-2023-28205 for kernel RCE; reported by Google TAG + Amnesty Intl Security Lab; QuaDream ENDOFDAYS exploit chain,2023-04-10,2023,True,True
CVE-2023-28205,Apple,Multiple Products,2023-04-10,2023-04-07,2023-04-07,0,-3,high,,https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/,Apple WebKit use-after-free zero-day; iOS 16.4.1 emergency update Apr 7 2023 with Apple ITW acknowledgement; reported by Clement Lecigne of Google TAG and Donncha Ó Cearbhaill of Amnesty International Security Lab,2023-04-10,2023,True,True
CVE-2023-26083,Arm,Mali GPU Driver,2023-04-06,2022-12-01,2023-09-01,0,-126,high,,https://projectzero.google/2023/09/analyzing-modern-in-wild-android-exploit.html,Arm Mali GPU information disclosure zero-day; Arm advisory Mar 2023; Google TAG attributed exploitation to commercial spyware vendor Variston in Samsung Internet Browser chain discovered Dec 2022; published RCA Sep 2023,2023-04-07,2023,True,True
CVE-2021-27878,Veritas,Backup Exec Agent,2021-03-01,2022-10-01,2023-04-07,579,579,high,,https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup,Veritas Backup Exec Agent arbitrary command execution; same VTS21-002 advisory; chained by UNC4466 ALPHV/BlackCat affiliate from Oct 2022 for ransomware deployment,2023-04-07,2021,False,False
CVE-2021-27877,Veritas,Backup Exec Agent,2021-03-01,2022-10-01,2023-04-07,579,579,high,,https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup,Veritas Backup Exec Agent remote unauthorized access companion; same VTS21-002 advisory; chained by UNC4466 ALPHV/BlackCat from Oct 2022,2023-04-07,2021,False,False
CVE-2021-27876,Veritas,Backup Exec Agent,2021-03-01,2022-10-01,2023-04-07,579,579,high,,https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup,Veritas Backup Exec Agent SHA hash authentication bypass; Veritas advisory VTS21-002 Mar 1 2021; Mandiant attributed UNC4466 ALPHV/BlackCat ransomware affiliate exploitation from Oct 2022 chaining 27876/27877/27878 to achieve initial access,2023-04-07,2021,False,False
CVE-2019-1388,Microsoft,Windows,2019-11-12,2019-11-12,2019-11-12,0,0,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1388,Windows Certificate Dialog EoP; PoC widely available; KEV-added 2023-04-07,2023-04-07,2019,True,False
CVE-2022-27926,Synacor,Zimbra Collaboration Suite (ZCS),2022-04-20,2022-12-01,2023-03-15,225,225,high,,https://www.proofpoint.com/us/blog/threat-insight/exploitation-lifecycle-cve-2022-27926-aligned-zimbra-collaboration-suite,Zimbra Collaboration Suite XSS in zimbraFeatureGalAutoCompleteEnabled; Zimbra fix Apr 2022; Proofpoint Mar 15 2023 attributed exploitation to TA473/Winter Vivern Russia-aligned APT since Dec 2022 targeting NATO-aligned government webmail,2023-04-03,2022,False,False
CVE-2023-0266,Linux,Kernel,2023-01-30,2022-12-01,2023-09-01,0,-60,high,,https://projectzero.google/2023/09/analyzing-modern-in-wild-android-exploit.html,Linux Kernel ALSA PCM use-after-free; Project Zero RCA published Sep 2023; component of Samsung Internet Browser exploit chain attributed to Variston commercial spyware vendor (chained with CVE-2023-26083); discovered by Google TAG Dec 2022,2023-03-30,2023,True,True
CVE-2022-42948,Fortra,Cobalt Strike,2023-03-24,2022-11-14,2022-11-14,0,-130,medium,,https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-2/,Fortra Cobalt Strike Team Server XSS via Swing component crash on bookmarks/screenshots/note text; IBM XForce Red Nov 14 2022 patch; out-of-band update 4.7.2; companion to CVE-2022-39197 in cracked Cobalt Strike abuse,2023-03-30,2022,True,True
CVE-2022-39197,Fortra,Cobalt Strike,2022-09-22,2022-09-22,2022-09-22,0,0,medium,,https://www.helpsystems.com/cobalt-strike,Fortra Cobalt Strike Team Server cross-site scripting via web log viewer; HelpSystems/Fortra advisory Sep 20 2022; XForce Red disclosure; widely abused in cracked Cobalt Strike instances used by ransomware affiliates,2023-03-30,2022,True,False
CVE-2022-38181,Arm,Mali Graphics Processing Unit (GPU),2022-10-25,2022-11-01,2023-03-29,7,7,high,,https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/,Arm Mali GPU UAF; ARM patches Aug 2022 but not immediately picked up by Samsung; Google TAG attributed to commercial spyware campaign via Cytrox-like vendor; chained with Chrome zero-days for Samsung Galaxy targeting,2023-03-30,2022,False,False
CVE-2022-3038,Google,Chromium Network Service,2022-09-26,2022-08-01,2022-09-02,0,-56,medium,,https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_2.html,Chromium Network Service use-after-free; Google Stable Channel update Sep 2 2022; reported by Sergei Glazunov of Google P0; CISA KEV-added Mar 30 2023 retroactively,2023-03-30,2022,True,True
CVE-2022-22706,Arm,Mali Graphics Processing Unit (GPU),2022-03-03,2022-11-01,2023-03-29,243,243,high,,https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/,Arm Mali GPU shader UAF; Arm patch Jan 2022 (marked exploited in wild); Google TAG attributed exploitation to commercial surveillance vendor in Samsung Internet Browser campaign Nov-Dec 2022 (Variston/Heliconia chain),2023-03-30,2022,False,False
CVE-2021-30900,Apple,"iOS, iPadOS, and macOS",2021-08-24,2022-12-01,2023-03-29,464,464,high,,https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/,Apple iOS/iPadOS/macOS AGXAccelerator sandbox escape; Apple patched October 2021 (iOS 15.1); Google TAG observed Variston-affiliated commercial spyware campaign in UAE December 2022 chaining CVE-2021-30900 with CVE-2022-42856 WebKit RCE,2023-03-30,2021,False,False
CVE-2023-26360,Adobe,ColdFusion,2023-03-23,2023-03-14,2023-03-15,0,-9,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a,"Adobe ColdFusion access control bypass deserialization RCE zero-day; Adobe APSB23-25 Mar 14 2023 acknowledged ""very limited attacks""; CISA AA23-339A Dec 2023 documented exploitation of a federal civilian agency in June 2023",2023-03-15,2023,True,True
CVE-2023-24880,Microsoft,Windows SmartScreen,2023-03-14,2023-03-14,2023-03-14,0,0,high,,https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/,Windows SmartScreen Mark-of-the-Web bypass zero-day via malformed Authenticode; March 2023 Patch Tuesday; Google TAG attributed Magniber ransomware operator exploitation; patch bypass of CVE-2022-44698,2023-03-14,2023,True,False
CVE-2023-23397,Microsoft,Outlook,2023-03-14,2022-04-01,2023-03-14,0,-347,high,,https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/,"Microsoft Outlook NTLM credential theft via crafted appointment/reminder zero-day; March 2023 Patch Tuesday; CERT-UA + Microsoft Threat Intelligence attributed APT28 (Forest Blizzard/STRONTIUM) exploitation since April 2022 (~11 months pre-disclosure) targeting Ukrainian, Polish, Romanian government and military",2023-03-14,2023,True,True
CVE-2022-41328,Fortinet,FortiOS,2023-03-07,2022-10-01,2023-03-07,0,-157,high,,https://cloud.google.com/blog/topics/threat-intelligence/fortinet-zero-day-and-custom-malware-used-by-suspected-chinese-actor-in-espionage-operation,Fortinet FortiOS path traversal vulnerability in execute restore image command; chained by UNC3886 with CVE-2022-42475 for persistent FortiGate implants; Mandiant Mar 16 2023 disclosure traced exploitation to Oct 2022,2023-03-14,2022,True,True
CVE-2021-39144,XStream,XStream,2021-08-23,2023-03-10,2023-03-10,564,564,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39144,XStream pre-auth RCE via crafted stream deserialization; XStream advisory CVE-2021-39144 Aug 23 2021; CISA KEV-added Mar 10 2023 (~1.5 years late) with no specific public exploitation campaign attribution; KEV-fallback,2023-03-10,2021,False,False
CVE-2020-5741,Plex,Media Server,2020-05-08,2023-03-10,2023-03-10,1036,1036,medium,,https://www.tenable.com/security/research/tra-2020-32,Plex Media Server PrivEsc,2023-03-10,2020,False,False
CVE-2022-35914,Teclib,GLPI,2022-09-19,2022-10-15,2022-10-15,26,26,high,,https://github.com/glpi-project/glpi/security/advisories/GHSA-h5h4-4p47-c5jw,Teclib GLPI htmlawed PHP code injection RCE; GLPI advisory Sep 19 2022; Shadowserver observed mass exploitation from Oct 15 2022 by cryptominers and IZ1H9 botnet,2023-03-07,2022,False,False
CVE-2022-33891,Apache,Spark,2022-07-18,2022-09-01,2022-09-01,45,45,medium,,https://www.microsoft.com/en-us/security/blog/2022/09/22/exposed-vulnerable-spark/,Apache Spark UI doAs command injection RCE; Apache advisory Jul 18 2022; PoCs public same day; Microsoft Defender for Cloud and Trend Micro observed exploitation by cryptominers from Sept 2022,2023-03-07,2022,False,False
CVE-2022-28810,Zoho,ManageEngine,2022-04-18,2023-01-01,2023-03-07,258,258,high,,https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html,Zoho ManageEngine ADSelfService Plus authenticated RCE via password policy field; Zoho advisory Apr 18 2022; CISA KEV-added Mar 7 2023 with reports of active exploitation by APTs targeting government and enterprise environments from early 2023,2023-03-07,2022,False,False
CVE-2022-36537,ZK Framework,AuUploader,2022-08-26,2023-02-27,2023-02-27,185,185,high,,https://www.huntress.com/blog/critical-vulnerabilities-in-connectwise-r1soft-server-backup-manager,ZK Framework AuUploader servlet information disclosure leading to deserialization RCE; ZK Aug 26 2022 fix; Huntress Feb 27 2023 disclosed mass exploitation against ConnectWise R1Soft Server Backup Manager by suspected Chinese threat actor deploying R1Tunnel,2023-02-27,2022,False,False
CVE-2022-47986,IBM,Aspera Faspex,2023-02-17,2023-02-21,2023-02-21,4,4,high,,https://www.rapid7.com/blog/post/2023/02/21/rapid7-observed-exploitation-of-cve-2022-47986-ibm-aspera-faspex-yaml-deserialization-vulnerability/,IBM Aspera Faspex YAML deserialization pre-auth RCE; IBM advisory Jan 26 2023; Assetnote PoC Feb 13; Rapid7 and others observed Buhti/IceFire ransomware exploitation from Feb 21 2023,2023-02-21,2022,False,False
CVE-2022-41223,Mitel,MiVoice Connect,2022-11-22,2023-02-21,2023-02-21,91,91,medium,,https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0007,Mitel MiVoice Connect database command execution; Mitel advisory MISA-2022-0007 Nov 22 2022; companion to CVE-2022-40765 in chained exploitation by ransomware operators,2023-02-21,2022,False,False
CVE-2022-40765,Mitel,MiVoice Connect,2022-11-22,2023-02-21,2023-02-21,91,91,medium,,https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0006,Mitel MiVoice Connect command injection; Mitel advisory MISA-2022-0006 Nov 22 2022; CISA KEV-added Feb 21 2023; chained with CVE-2022-41223 in Lorenz ransomware exploitation per CrowdStrike telemetry,2023-02-21,2022,False,False
CVE-2022-46169,Cacti,Cacti,2022-12-05,2023-01-06,2023-01-06,32,32,high,,https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/,Cacti command injection RCE via remote_agent.php; Cacti advisory GHSA-6p93-p743-35gf Dec 5 2022; SonarSource published PoC Jan 4 2023; Shadowserver observed mass scanning and exploitation Jan-Feb 2023; chained by IZ1H9 botnet,2023-02-16,2022,False,False
CVE-2023-23529,Apple,WebKit,2023-02-27,2023-02-13,2023-02-13,0,-14,high,,https://support.apple.com/en-us/HT213635,Apple WebKit type confusion zero-day; iOS 16.3.1 emergency update Feb 13 2023 with Apple ITW acknowledgement; reported anonymously and via the Citizen Lab + Google TAG,2023-02-14,2023,True,True
CVE-2023-23376,Microsoft,Windows CLFS Driver,2023-02-14,2023-02-14,2023-02-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23376,"Windows CLFS driver privilege escalation zero-day; February 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported anonymously",2023-02-14,2023,True,False
CVE-2023-21823,Microsoft,Windows Graphics Component,2023-02-14,2023-02-14,2023-02-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21823,"Windows Graphics Component RCE zero-day; February 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Dhanesh Kizhakkinan, Genwei Jiang, John Simpson of Mandiant + Quan Jin of DBAPPSecurity",2023-02-14,2023,True,False
CVE-2023-21715,Microsoft,Office,2023-02-14,2023-02-14,2023-02-14,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21715,Microsoft Office macro security feature bypass zero-day; February 2023 Patch Tuesday; Microsoft acknowledged public disclosure with Publisher attack vector; CISA KEV-added Mar 30,2023-02-14,2023,True,False
CVE-2023-0669,Fortra,GoAnywhere MFT,2023-02-06,2023-01-18,2023-02-01,0,-19,high,,https://krebsonsecurity.com/2023/02/new-exploit-for-mass-ransomware-attack-on-fortra-goanywhere-mft/,Fortra GoAnywhere MFT pre-auth command injection zero-day via license response servlet; Fortra disclosed Feb 1 2023; Brian Krebs reported Cl0p ransomware exploitation since Jan 18 2023; over 130 organizations breached,2023-02-10,2023,True,True
CVE-2022-24990,TerraMaster,TerraMaster OS,2023-02-07,2023-02-10,2023-02-10,3,3,high,,https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/,TerraMaster TNAS information disclosure via api.php endpoint; Octagon Networks disclosed Mar 4 2022; ESET observed ALPHV/BlackCat ransomware exploitation against TerraMaster NAS devices from Feb 2023,2023-02-10,2022,False,False
CVE-2023-22952,SugarCRM,Multiple Products,2023-01-11,2023-01-05,2023-01-11,0,-6,high,,https://www.securityweek.com/recently-disclosed-vulnerability-exploited-hack-hundreds-sugarcrm-servers/,"SugarCRM unauthenticated PHP code injection pre-auth RCE; sw33t.0day exploit publicly disclosed Dec 28 2022; SugarCRM advisory Jan 4 2023; Censys observed mass exploitation Jan 5 2023 with ~3,000 SugarCRM instances compromised; CISA KEV-added Jan 23",2023-02-02,2023,True,True
CVE-2022-21587,Oracle,E-Business Suite,2022-10-18,2023-01-15,2023-02-02,89,89,high,,https://blog.viettelcybersecurity.com/cve-2022-21587/,Oracle E-Business Suite Web Applications Desktop Integrator unrestricted file upload pre-auth RCE; Oracle CPU October 2022; Viettel Cybersecurity published PoC Nov 2022; widespread exploitation observed from Jan 2023 by initial access brokers,2023-02-02,2022,False,False
CVE-2022-47966,Zoho,ManageEngine,2023-01-18,2023-01-19,2023-01-19,1,1,high,,https://horizon3.ai/cve-2022-47966-technical-deep-dive/,"Zoho ManageEngine multiple products SAML XXE deserialization pre-auth RCE; Zoho advisory Jan 10 2023; Horizon3.ai disclosed Jan 19; Shadowserver/Bitdefender/Rapid7 observed mass exploitation Jan 20-30 by IABs and APTs (Lazarus, MuddyWater)",2023-01-23,2022,False,False
CVE-2022-44877,CWP,Control Web Panel,2023-01-05,2023-01-06,2023-01-06,1,1,high,,https://gais.io/en/blog/2023/01/centos-web-panel-cve-2022-44877-vulnerability-analysis/,Control Web Panel (CWP) login/index.php OS command injection pre-auth RCE; Numan Türle disclosed Jan 5 2023; PoCs public Jan 6; Shadowserver observed mass exploitation Jan 7-10 by cryptominers and Mirai variants,2023-01-17,2022,False,False
CVE-2023-21674,Microsoft,Windows ALPC,2023-01-10,2023-01-10,2023-01-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674,"Windows ALPC sandbox escape EoP zero-day; January 2023 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Avast Threat Labs",2023-01-10,2023,True,False
CVE-2022-41080,Microsoft,Exchange Server,2022-11-09,2022-12-13,2022-12-21,34,34,high,,https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/,Microsoft Exchange Server OWASSRF EoP; CrowdStrike Dec 20 2022 disclosed Play ransomware chain with CVE-2022-41082 bypassing ProxyNotShell mitigations via Outlook Web Access,2023-01-10,2022,False,False
CVE-2018-5430,TIBCO,JasperReports,2018-04-17,2022-12-29,2022-12-29,1717,1717,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-5430,TIBCO JasperReports Server information disclosure; CISA KEV added Dec 29 2022; no specific contemporary threat-intel report documenting in-wild exploitation found; only news reports about the KEV addition,2022-12-29,2018,False,False
CVE-2018-18809,TIBCO,JasperReports,2019-03-07,2022-12-29,2022-12-29,1393,1393,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-18809,TIBCO JasperReports Library directory traversal; CISA KEV added Dec 29 2022; no specific contemporary threat-intel report documenting in-wild exploitation found; only news reports about the KEV addition,2022-12-29,2018,False,False
CVE-2022-42856,Apple,iOS,2022-12-15,2022-11-01,2022-12-13,0,-44,high,,https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/,Apple WebKit type confusion zero-day; Google TAG attributed exploitation to Variston commercial spyware campaign targeting UAE users since Nov 2022 via SMS bit.ly links; chained with CVE-2021-30900 for iOS sandbox escape; Apple patched iOS 15.7.2/16.1.2 Dec 13 2022,2022-12-14,2022,True,True
CVE-2022-44698,Microsoft,Defender,2022-12-13,2022-09-15,2022-12-13,0,-89,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44698,Windows SmartScreen Mark of the Web bypass via JavaScript-signed files; HP Wolf Security observed Magniber ransomware and Qbot operators abusing from Sept 2022 with malformed Authenticode signatures; December 2022 Patch Tuesday,2022-12-13,2022,True,True
CVE-2022-42475,Fortinet,FortiOS,2023-01-02,2022-10-01,2023-01-11,0,-93,high,,https://cloud.google.com/blog/topics/threat-intelligence/fortios-malware-analysis-custom-router-implant,Fortinet FortiOS SSL-VPN heap-based buffer overflow pre-auth RCE zero-day; Fortinet PSIRT FG-IR-22-398 Dec 12 2022; Mandiant attributed to UNC3886 Chinese state-nexus exploitation since Oct 2022 (~3 months pre-disclosure) targeting government and defense,2022-12-13,2022,True,True
CVE-2022-27518,Citrix,Application Delivery Controller (ADC) and Gateway,2022-12-13,2022-12-06,2022-12-13,0,-7,high,,https://media.defense.gov/2022/Dec/13/2003132073/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF,Citrix ADC/Gateway SAML authentication unauthenticated RCE zero-day; NSA disclosed Dec 13 2022 attributing exploitation to APT5/UNC2630 (China state-sponsored) targeting defense industrial base since early December,2022-12-13,2022,True,True
CVE-2022-26501,Veeam,Backup & Replication,2022-03-17,2022-10-01,2022-12-13,198,198,medium,,https://www.veeam.com/kb4288,Veeam Backup & Replication authentication bypass RCE companion to CVE-2022-26500; same KB4288 Mar 17 2022 advisory; CISA KEV-added Dec 13 2022 alongside CVE-2022-26500 citing ransomware exploitation,2022-12-13,2022,False,False
CVE-2022-26500,Veeam,Backup & Replication,2022-03-17,2022-10-01,2022-12-13,198,198,medium,,https://www.veeam.com/kb4288,Veeam Backup & Replication Distribution Service remote arbitrary file write/RCE; Veeam advisory KB4288 Mar 17 2022; CloudSEK observed Cuba ransomware (UNC2596) exploitation from Oct 2022 (pre-CISA KEV addition Dec 13); CISA KEV-added Dec 13,2022-12-13,2022,False,False
CVE-2022-4262,Google,Chromium V8,2022-12-02,2022-12-02,2022-12-02,0,0,high,,https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html,Chrome V8 type confusion zero-day; Google Stable Channel update Dec 2 2022 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG,2022-12-05,2022,True,False
CVE-2022-4135,Google,Chromium GPU,2022-11-25,2022-11-22,2022-11-24,0,-3,high,,https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html,Chrome GPU heap buffer overflow zero-day; Google Stable Channel update Nov 24 2022 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG; used by commercial spyware vendor chained with CVE-2022-3723,2022-11-28,2022,True,True
CVE-2021-35587,Oracle,Fusion Middleware,2022-01-19,2022-11-28,2022-12-22,313,313,high,,https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c8c40a5ab9da,Oracle Access Manager (OpenSSO) pre-auth RCE; Oracle CPU October 2021 patched; Peterjson and Nguyen Jang published PoC Mar 2022; CISA KEV-added Dec 22 2022 noting active exploitation; multiple APT exploitation chains documented,2022-11-28,2021,False,False
CVE-2022-41049,Microsoft,Windows,2022-11-09,2022-09-01,2022-11-08,0,-69,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41049,Windows Mark of the Web bypass via .zip-based files; Will Dormann disclosed and Microsoft acknowledged Magniber ransomware abuse from Sept 2022; November 2022 Patch Tuesday,2022-11-14,2022,True,True
CVE-2022-41128,Microsoft,Windows,2022-11-09,2022-10-31,2022-11-08,0,-9,high,,https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/,Windows Scripting Languages JScript9 type confusion RCE zero-day; Google TAG attributed to North Korean APT37 ScarCruft via malicious Korean docx delivered Oct 31 2022 referencing Itaewon tragedy; November 2022 Patch Tuesday,2022-11-08,2022,True,True
CVE-2022-41125,Microsoft,Windows,2022-11-09,2022-11-08,2022-11-08,0,-1,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125,"Windows CNG Key Isolation Service EoP zero-day; November 2022 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by MSTIC",2022-11-08,2022,True,True
CVE-2022-41091,Microsoft,Windows,2022-11-09,2022-09-01,2022-11-08,0,-69,high,,https://www.hp.com/wolf-security-threat-insights-report-q4-2022,Windows Mark of the Web (MOTW) bypass via ISO/IMG containers; HP Wolf Security observed Magniber ransomware abusing the bypass from Sept 2022 to bypass SmartScreen warnings; November 2022 Patch Tuesday,2022-11-08,2022,True,True
CVE-2022-41073,Microsoft,Windows,2022-11-09,2022-11-08,2022-11-08,0,-1,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073,"Windows Print Spooler EoP zero-day; November 2022 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by MSTIC",2022-11-08,2022,True,True
CVE-2021-25370,Samsung,Mobile Devices,2021-03-26,2020-11-01,2022-11-10,0,-145,high,,https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html,"Samsung DPU/DECON driver use-after-free; Google P0 obtained exploit chain sample from Nov 2020, attributed to commercial surveillance vendor targeting Exynos S10/A50/A51; chained with CVE-2021-25337/25369; Samsung patched March 2021",2022-11-08,2021,True,True
CVE-2021-25369,Samsung,Mobile Devices,2021-03-26,2020-11-01,2022-11-10,0,-145,high,,https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html,"Samsung sec_log kernel info leak (task_struct/sys_call_table); Google P0 obtained exploit chain sample from Nov 2020, attributed to commercial surveillance vendor; chained with CVE-2021-25337/25370; Samsung patched March 2021",2022-11-08,2021,True,True
CVE-2021-25337,Samsung,Mobile Devices,2021-03-04,2020-11-01,2022-11-10,0,-123,high,,https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html,"Samsung clipboard provider arbitrary file read/write; Google P0 obtained exploit chain sample from at least November 2020, attributed to commercial surveillance vendor; chained with CVE-2021-25369/25370 targeting Exynos SoC Samsung phones; Samsung patched March 2021 (SMR Mar-2021)",2022-11-08,2021,True,True
CVE-2022-3723,Google,Chromium V8,2022-11-01,2022-10-27,2022-10-27,0,-5,high,,https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html,"Chrome V8 type confusion zero-day; Google Stable Channel update Oct 27 2022 acknowledged ITW exploitation; reported by Jan Vojtěšek, Milánek, Przemek Gmerek of Avast; Google TAG later attributed to commercial spyware vendor Variston in Heliconia campaign",2022-10-28,2022,True,True
CVE-2022-42827,Apple,iOS and iPadOS,2022-11-01,2022-10-24,2022-10-24,0,-8,high,,https://support.apple.com/en-us/HT213489,Apple kernel out-of-bounds write zero-day; iOS 16.1/iPadOS 16 Oct 24 2022 with Apple ITW acknowledgement; reported anonymously,2022-10-25,2022,True,True
CVE-2020-3433,Cisco,AnyConnect Secure,2020-08-17,2022-10-24,2022-10-24,798,798,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW,Cisco AnyConnect DLL injection; KEV-added 2022-10-24,2022-10-24,2020,False,False
CVE-2020-3153,Cisco,AnyConnect Secure,2020-02-19,2022-10-24,2022-10-24,978,978,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-anyconnect-path-traverse,Cisco AnyConnect privilege escalation; KEV-added 2022-10-24 retrospective,2022-10-24,2020,False,False
CVE-2018-19323,GIGABYTE,Multiple Products,2018-12-21,2020-02-06,2020-02-06,412,412,high,,https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/,GIGABYTE app center driver vulnerability (sibling of CVE-2018-19320); part of same disclosure series and RobbinHood BYOVD attack documented by Sophos Feb 6 2020,2022-10-24,2018,False,False
CVE-2018-19322,GIGABYTE,Multiple Products,2018-12-21,2020-02-06,2020-02-06,412,412,high,,https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/,GIGABYTE app center driver vulnerability (sibling of CVE-2018-19320); part of same disclosure series and RobbinHood BYOVD attack documented by Sophos Feb 6 2020,2022-10-24,2018,False,False
CVE-2018-19321,GIGABYTE,Multiple Products,2018-12-21,2020-02-06,2020-02-06,412,412,high,,https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/,GIGABYTE app center driver vulnerability (sibling of CVE-2018-19320); part of same disclosure series and RobbinHood BYOVD attack documented by Sophos Feb 6 2020,2022-10-24,2018,False,False
CVE-2018-19320,GIGABYTE,Multiple Products,2018-12-21,2020-02-06,2020-02-06,412,412,high,,https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/,GIGABYTE gdrv.sys vulnerable driver (BYOVD); Sophos documented RobbinHood ransomware using this driver Feb 6 2020 to disable AV/EDR (Bring Your Own Vulnerable Driver attack),2022-10-24,2018,False,False
CVE-2022-41352,Synacor,Zimbra Collaboration Suite (ZCS),2022-09-26,2022-09-07,2022-09-12,0,-19,high,,https://www.rapid7.com/blog/post/2022/10/06/cve-2022-41352-rapid7-observed-exploitation-of-zimbra-vulnerability/,Zimbra cpio Amavis component arbitrary file write RCE via tarball processing zero-day; Zimbra forum disclosure Sep 12 2022; Rapid7 observed exploitation from Sep 7; chained with CVE-2022-30333 UnRAR vulnerability,2022-10-20,2022,True,True
CVE-2021-3493,Linux,Kernel,2021-04-17,2022-10-20,2022-10-20,551,551,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3493,Ubuntu OverlayFS local privesc due to unprivileged overlay mounts patch carried in Ubuntu kernel; disclosed via SSD Secure Disclosure Apr 2021; CISA KEV-added Oct 20 2022 with no specific in-the-wild campaign attribution; commonly used in red team / pentesting; KEV-fallback,2022-10-20,2021,False,False
CVE-2022-41033,Microsoft,Windows COM+ Event System Service,2022-10-11,2022-10-11,2022-10-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033,"Windows COM+ Event System Service EoP zero-day; October 2022 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported anonymously",2022-10-11,2022,True,False
CVE-2022-40684,Fortinet,Multiple Products,2022-10-18,2022-10-09,2022-10-09,0,-9,high,,https://horizon3.ai/cve-2022-40684-fortinet-authentication-bypass-technical-deep-dive/,Fortinet FortiOS/FortiProxy/FortiSwitchManager admin authentication bypass; Fortinet PSIRT FG-IR-22-377 Oct 7 2022; Horizon3.ai published PoC Oct 13; CISA observed mass exploitation from Oct 9 onwards; Chinese APT exploitation documented by Mandiant,2022-10-11,2022,True,True
CVE-2022-41082,Microsoft,Exchange Server,2022-10-03,2022-08-01,2022-09-29,0,-63,high,,https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html,Microsoft Exchange ProxyNotShell PowerShell remoting RCE zero-day; chained with CVE-2022-41040; GTSC observed exploitation since Aug 2022; widespread post-disclosure exploitation by ransomware operators,2022-09-30,2022,True,True
CVE-2022-41040,Microsoft,Exchange Server,2022-10-03,2022-08-01,2022-09-29,0,-63,high,,https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html,Microsoft Exchange ProxyNotShell SSRF zero-day; Vietnamese GTSC discovered exploitation Aug 2022 (~2 months pre-disclosure); ZDI advisory Sep 29; Microsoft confirmed limited targeted attacks; chained with CVE-2022-41082 for authenticated RCE,2022-09-30,2022,True,True
CVE-2022-36804,Atlassian,Bitbucket Server and Data Center,2022-08-25,2022-09-19,2022-09-19,25,25,high,,https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/,Atlassian Bitbucket Server/DC command injection RCE; Atlassian advisory Aug 25 2022; @TheGrandPew published PoC Sep 19; GreyNoise/Akamai observed mass exploitation within days,2022-09-30,2022,False,False
CVE-2022-3236,Sophos,Firewall,2022-09-23,2022-09-23,2022-09-23,0,0,high,,https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce,Sophos Firewall User Portal/Webadmin code injection zero-day; Sophos advisory Sep 23 2022 acknowledged active targeting of South Asian organizations; hotfix automatic deployment,2022-09-23,2022,True,False
CVE-2022-35405,Zoho,ManageEngine,2022-07-19,2022-09-22,2022-09-22,65,65,medium,,https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html,Zoho ManageEngine PAM360/Access Manager Plus/Password Manager Pro pre-auth RCE; Zoho advisory Jul 19 2022; Horizon3.ai PoC; CISA KEV-added Sep 22 citing exploitation; chained by APT actors targeting enterprise password vaults,2022-09-22,2022,False,False
CVE-2022-40139,Trend Micro,Apex One and Apex One as a Service,2022-09-19,2022-09-13,2022-09-19,0,-6,high,,https://success.trendmicro.com/dcx/s/solution/000291528,"Trend Micro Apex One/Apex One SaaS improper validation of rollback components RCE zero-day; Trend Micro advisory Sep 13 2022 acknowledged ""at least one active attempt of potential exploitation"" against Apex One On-Premise customers",2022-09-15,2022,True,True
CVE-2022-37969,Microsoft,Windows,2022-09-13,2022-09-13,2022-09-13,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969,"Windows CLFS driver EoP zero-day; September 2022 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by CrowdStrike, Mandiant, Zscaler ThreatLabz, DBAPPSecurity",2022-09-14,2022,True,False
CVE-2022-32917,Apple,"iOS, iPadOS, and macOS",2022-09-20,2022-09-12,2022-09-12,0,-8,high,,https://support.apple.com/en-us/HT213443,Apple kernel arbitrary code execution zero-day; iOS 16/15.7 Sep 12 2022 with Apple ITW acknowledgement; reported anonymously,2022-09-14,2022,True,True
CVE-2022-3075,Google,Chromium Mojo,2022-09-26,2022-09-02,2022-09-02,0,-24,high,,https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html,Chrome Mojo insufficient data validation zero-day; Google Stable Channel update Sep 2 2022 acknowledged ITW exploitation; reported anonymously,2022-09-08,2022,True,True
CVE-2022-27593,QNAP,Photo Station,2022-09-08,2022-09-03,2022-09-04,0,-5,high,,https://www.bleepingcomputer.com/news/security/qnap-says-deadbolt-ransomware-exploits-photo-station-vulnerability/,QNAP Photo Station external reference vulnerability zero-day; QNAP advisory QSA-22-24 Sep 4 2022; DeadBolt ransomware mass exploitation campaign against internet-exposed QNAP NAS devices from Sept 3 onwards,2022-09-08,2022,True,True
CVE-2022-26258,D-Link,DIR-820L,2022-03-27,2022-09-08,2022-09-08,165,165,high,,https://www.fortinet.com/blog/threat-research/beastmode-mirai-based-ddos-botnet,D-Link DIR-820L command injection in deviceInfo authentication; D-Link advisory SAP10239 Mar 27 2022; Fortinet observed Beastmode Mirai variant exploitation from Sept 8 2022; widespread IoT botnet adoption,2022-09-08,2022,False,False
CVE-2020-9934,Apple,"iOS, iPadOS, and macOS",2020-10-16,2022-09-08,2022-09-08,692,692,medium,,https://support.apple.com/en-us/HT211288,Apple iOS/iPadOS/macOS TCC bypass,2022-09-08,2020,False,False
CVE-2018-7445,MikroTik,RouterOS,2018-03-19,2021-12-01,2021-12-09,1353,1353,high,,https://www.bleepingcomputer.com/news/security/hundreds-of-thousands-of-mikrotik-devices-still-vulnerable-to-botnets/,"MikroTik RouterOS SMB buffer overflow RCE; Eclypsium reported widespread coin-miner botnet infections on MikroTik devices including via CVE-2018-7445; 20,000 devices observed mining cryptocurrency",2022-09-08,2018,False,False
CVE-2018-6530,D-Link,Multiple Routers,2018-03-06,2022-08-01,2022-09-06,1609,1609,high,,https://unit42.paloaltonetworks.com/moobot-d-link-devices/,D-Link SOAP interface RCE; Palo Alto Networks Unit 42 reported MooBot Mirai variant exploiting in August 2022 to build DDoS botnet on D-Link consumer routers,2022-09-08,2018,False,False
CVE-2018-2628,Oracle,WebLogic Server,2018-04-19,2018-04-26,2018-04-30,7,7,high,,https://www.exploit-db.com/exploits/44553,Oracle WebLogic T3 deserialization RCE; ExploitDB PoC published April 22 2018; Netlab 360 documented Luoxk malicious campaign exploiting this vulnerability shortly after,2022-09-08,2018,False,False
CVE-2018-13374,Fortinet,FortiOS and FortiADC,2019-01-22,2022-09-08,2022-09-08,1325,1325,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13374,Fortinet FortiOS information disclosure (sibling of CVE-2018-13379); KEV-added 2022-09-08; no specific contemporary attribution found beyond CISA KEV,2022-09-08,2018,False,False
CVE-2022-26352,dotCMS,dotCMS,2022-07-17,2022-05-19,2022-05-19,0,-59,medium,,https://blog.assetnote.io/2022/05/03/dotcms-rce/,dotCMS file upload directory traversal pre-auth RCE; Assetnote disclosed May 4 2022; mid-May exploitation observed by cryptominers; CISA KEV-added Jul 17 2022,2022-08-25,2022,True,True
CVE-2022-24706,Apache,CouchDB,2022-04-26,2022-08-25,2022-08-25,121,121,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24706,Apache CouchDB privilege escalation via default credentials/Erlang cookie; Apache advisory Apr 26 2022; CISA KEV-added Aug 25 2022 with no specific public exploitation attribution; KEV-fallback,2022-08-25,2022,False,False
CVE-2022-24112,Apache,APISIX,2022-02-11,2022-08-25,2022-08-25,195,195,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112,Apache APISIX Batch Requests plugin IP restriction bypass RCE; Apache disclosed Feb 11 2022; CISA KEV-added Aug 25 2022 with no specific public exploitation attribution; KEV-fallback,2022-08-25,2022,False,False
CVE-2022-22963,VMware Tanzu,Spring Cloud,2022-04-01,2022-04-02,2022-04-02,1,1,high,,https://tanzu.vmware.com/security/cve-2022-22963,VMware Spring Cloud Function SpEL expression injection RCE; VMware Tanzu advisory Apr 1 2022; PoCs public Apr 1; mass scanning and exploitation within days by Mirai variants and cryptominers,2022-08-25,2022,False,False
CVE-2022-2294,WebRTC,WebRTC,2022-07-28,2022-07-04,2022-07-04,0,-24,high,,https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/,"WebRTC heap buffer overflow zero-day exploited in Chrome; Avast Threat Research attributed to Candiru commercial spyware vendor (DevilsTongue) targeting journalists in Lebanon, Turkey, Yemen, Palestine via watering hole attacks",2022-08-25,2022,True,True
CVE-2021-39226,Grafana Labs,Grafana,2021-10-05,2021-10-05,2021-10-05,0,0,high,,https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-moderate-severity-security-fixes/,Grafana snapshot endpoint auth bypass via /api/snapshots/:key; Grafana advisory Oct 5 2021; PoCs immediate; exploitation observed soon after,2022-08-25,2021,True,False
CVE-2021-38406,Delta Electronics,DOPSoft 2,2021-09-17,2022-08-25,2022-08-25,342,342,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406,Delta Electronics DOPSoft 2 out-of-bounds write; CISA ICS advisory ICSA-21-217-04 Sep 16 2021; CISA KEV-added Aug 25 2022 with no specific public exploitation report; KEV-fallback,2022-08-25,2021,False,False
CVE-2021-31010,Apple,"iOS, macOS, watchOS",2021-08-24,2021-01-01,2022-08-25,0,-235,medium,,https://support.apple.com/en-us/HT212814,Apple Core Telephony sandbox escape; Citizen Lab found exploit used in 2021 Pegasus/Predator chains; Apple advisory updated Aug 25 2022 acknowledging Citizen Lab report of active exploitation,2022-08-25,2021,True,True
CVE-2020-36193,PEAR,Archive_Tar,2021-01-18,2022-08-25,2022-08-25,584,584,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193,PEAR Archive_Tar directory traversal via symbolic links; disclosed Jan 18 2021; Sonar reported Apr 2022 chained with PEAR account takeover for supply chain attack; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2022-08-25,2020,False,False
CVE-2020-28949,PEAR,Archive_Tar,2020-11-19,2022-08-25,2022-08-25,644,644,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949,PEAR Archive_Tar stream wrapper bypass for arbitrary file overwrite (chains with phar:// blocking from CVE-2020-28948); disclosed Nov 19 2020; Sonar reported Apr 2022 supply chain attack scenario chaining with PEAR account hijacking; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2022-08-25,2020,False,False
CVE-2022-0028,Palo Alto Networks,PAN-OS,2022-08-10,2022-08-22,2022-08-22,12,12,medium,,https://security.paloaltonetworks.com/CVE-2022-0028,Palo Alto Networks PAN-OS URL filtering reflected DoS amplification; PAN advisory PAN-SA-2022-0017 Aug 10 2022; CISA KEV-added Aug 22 citing active exploitation against unnamed service provider customer,2022-08-22,2022,False,False
CVE-2022-32894,Apple,iOS and macOS,2022-08-24,2022-08-17,2022-08-17,0,-7,high,,https://support.apple.com/en-us/HT213412,Apple kernel out-of-bounds write zero-day; iOS 15.6.1 emergency update Aug 17 2022 with Apple ITW acknowledgement; reported anonymously; chained with CVE-2022-32893 for sandbox escape,2022-08-18,2022,True,True
CVE-2022-32893,Apple,iOS and macOS,2022-08-24,2022-08-17,2022-08-17,0,-7,high,,https://support.apple.com/en-us/HT213412,Apple WebKit out-of-bounds write zero-day; iOS 15.6.1 emergency update Aug 17 2022 with Apple ITW acknowledgement; reported anonymously,2022-08-18,2022,True,True
CVE-2022-2856,Google,Chromium Intents,2022-09-26,2022-08-16,2022-08-16,0,-41,high,,https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html,Chrome Intents insufficient validation zero-day; Google Stable Channel update Aug 16 2022 acknowledged ITW exploitation; reported by Ashley Shen and Christian Resell of Google TAG,2022-08-18,2022,True,True
CVE-2022-26923,Microsoft,Active Directory,2022-05-10,2022-08-18,2022-08-18,100,100,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26923,"Active Directory Domain Services certificate impersonation EoP ""Certifried""; Oliver Lyak published technical writeup May 9 2022 with PoC; Microsoft May Patch Tuesday; CISA KEV-added Aug 18 2022 with no specific public exploitation campaign attribution; KEV-fallback",2022-08-18,2022,False,False
CVE-2022-22536,SAP,Multiple Products,2022-02-09,2022-08-18,2022-08-18,190,190,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22536,SAP NetWeaver ICMAD HTTP request smuggling; SAP Security Patch Day Feb 8 2022; Onapsis/SAP joint advisory; CISA KEV-added Aug 18 2022 with no specific public exploitation attribution; KEV-fallback,2022-08-18,2022,False,False
CVE-2022-21971,Microsoft,Windows,2022-02-09,2022-08-18,2022-08-18,190,190,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21971,"Windows Runtime RCE; February 2022 Patch Tuesday; Microsoft rated ""Exploitation Less Likely"" at disclosure; CISA KEV-added Aug 18 2022 with no specific public attribution; KEV-fallback",2022-08-18,2022,False,False
CVE-2022-37042,Synacor,Zimbra Collaboration Suite (ZCS),2022-08-11,2022-06-01,2022-08-10,0,-71,high,,https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/,Zimbra Collaboration Suite mboximport authentication bypass zero-day; Volexity Aug 10 2022 disclosed unauthenticated RCE chain with CVE-2022-27925; observed in-the-wild exploitation since at least June 2022,2022-08-11,2022,True,True
CVE-2022-27925,Synacor,Zimbra Collaboration Suite (ZCS),2022-04-20,2022-08-10,2022-08-10,112,112,high,,https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/,Zimbra mboximport authenticated path traversal; Zimbra Apr 20 2022 fix; Volexity Aug 10 disclosed chain with CVE-2022-37042 enabling unauthenticated RCE; widespread exploitation observed,2022-08-11,2022,False,False
CVE-2022-34713,Microsoft,Windows,2022-08-09,2022-08-09,2022-08-09,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713,"Microsoft Windows Support Diagnostic Tool ""DogWalk"" RCE zero-day; August 2022 Patch Tuesday; PoC publicly known since 2019 (Imre Rad); CISA KEV-added Aug 9 citing active exploitation",2022-08-09,2022,True,False
CVE-2022-30333,RARLAB,UnRAR,2022-05-09,2022-08-09,2022-08-09,92,92,high,,https://www.sonarsource.com/blog/zimbra-pre-auth-rce-via-unrar-0day/,RARLAB UnRAR path traversal allowing arbitrary file write via symlink; SonarSource disclosed Jun 28 2022; Volexity/Rapid7 observed exploitation against Zimbra Collaboration Suite (CVE-2022-41352 chain) from Aug 2022,2022-08-09,2022,False,False
CVE-2022-27924,Synacor,Zimbra Collaboration Suite (ZCS),2022-04-20,2022-08-04,2022-08-04,106,106,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27924,Zimbra Memcached command injection cache poisoning to steal credentials; Sonarsource disclosed Jun 14 2022; CISA KEV-added Aug 4 2022 with no specific public exploitation attribution at addition; KEV-fallback,2022-08-04,2022,False,False
CVE-2022-26138,Atlassian,Confluence,2022-07-20,2022-07-20,2022-07-20,0,0,high,,https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446703.html,Atlassian Questions for Confluence hardcoded credentials; Atlassian advisory Jul 20 2022; PoC public within hours; CISA KEV-added Jul 29 citing active exploitation by cryptocurrency mining campaigns,2022-07-29,2022,True,False
CVE-2022-22047,Microsoft,Windows,2022-07-12,2022-07-12,2022-07-12,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047,"Windows CSRSS EoP zero-day; July 2022 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by MSTIC and Microsoft Offensive Security Research",2022-07-12,2022,True,False
CVE-2022-26925,Microsoft,Windows,2022-05-10,2022-05-10,2022-05-10,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925,"Windows LSA spoofing zero-day (PetitPotam variant); May 2022 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by Raphael John of Bertelsmann; chained with NTLM relay for AD CS takeover",2022-07-01,2022,True,False
CVE-2022-29499,Mitel,MiVoice Connect,2022-04-26,2022-04-01,2022-06-23,0,-25,high,,https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/,Mitel MiVoice Connect Service Appliance command injection RCE zero-day; CrowdStrike attributed Lorenz ransomware affiliate exploitation since April 2022 (~2 months pre-disclosure); Mitel advisory Apr 19 with limited details,2022-06-27,2022,True,True
CVE-2021-4034,Red Hat,Polkit,2022-01-28,2022-01-25,2022-01-25,0,-3,high,,https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034,"Polkit pkexec PwnKit out-of-bounds write LPE (12-year-old bug, present from initial 2009 commit); Qualys disclosed Jan 25 2022; public PoCs and mass red-team/attacker adoption within hours; CrowdStrike/Trend Micro published detection guidance within weeks",2022-06-27,2021,True,True
CVE-2021-30983,Apple,iOS and iPadOS,2021-08-24,2021-08-01,2022-06-27,0,-23,medium,,https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-predator/,Apple iOS/iPadOS IOMobileFrameBuffer integer overflow; Citizen Lab forensics on Catalan civil society and Egyptian opposition leader Ayman Nour found exploit deployed mid-2021 via Pegasus; Apple patched iOS 15.2 Dec 13 2021,2022-06-27,2021,True,True
CVE-2021-30533,Google,Chromium PopupBlocker,2021-06-07,2022-06-27,2022-06-27,385,385,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30533,"Chrome PopupBlocker policy bypass; patched in 91.0.4472.77 May 2021 as non-zero-day; CISA KEV-added Jun 27 2022 with no public third-party in-the-wild report, KEV-fallback",2022-06-27,2021,False,False
CVE-2020-9907,Apple,Multiple Products,2020-10-16,2020-09-24,2020-09-24,0,-22,low,,https://support.apple.com/en-us/HT211931,Apple iOS/macOS IOKit; KEV-added 2022-06-27; no specific contemporary attribution found,2022-06-27,2020,True,True
CVE-2020-3837,Apple,Multiple Products,2020-02-27,2022-06-27,2022-06-27,851,851,medium,,https://support.apple.com/en-us/HT210918,Apple multiple products kernel memory corruption,2022-06-27,2020,False,False
CVE-2019-8605,Apple,Multiple Products,2019-12-18,2019-07-22,2019-07-22,0,-149,high,,https://googleprojectzero.blogspot.com/2019/12/sockpuppet-walkthrough-of-kernel.html,iOS XNU kernel use-after-free 'SockPuppet'; Project Zero's Ned Williamson released working exploit July 2019; regression in iOS 12.4 allowed unc0ver jailbreak; Apple emergency-patched in iOS 12.4.1 Aug 26 2019,2022-06-27,2019,True,True
CVE-2018-4344,Apple,Multiple Products,2019-04-03,2022-06-27,2022-06-27,1181,1181,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4344,Apple iOS/macOS LightSpeed kernel use-after-free; reported by UK NCSC; Project Zero/Synacktiv state it 'may possibly' be the LightSpeed vulnerability but in-the-wild attribution not firmly established beyond CISA KEV listing,2022-06-27,2018,False,False
CVE-2022-30190,Microsoft,Windows,2022-06-01,2022-04-12,2022-05-30,0,-50,high,,https://www.microsoft.com/en-us/security/blog/2022/06/14/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/,"Microsoft MSDT Follina diagnostic tool RCE zero-day; nao_sec researcher tweeted about malicious doc uploaded to VirusTotal from Belarus Apr 12 2022 (~7 weeks pre-disclosure); Microsoft acknowledgement May 30; widespread exploitation by TA413, Sandworm, and ransomware operators",2022-06-14,2022,True,True
CVE-2021-38163,SAP,NetWeaver,2021-09-14,2021-09-14,2021-09-14,0,0,medium,,https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=595594525,SAP NetWeaver Visual Composer unrestricted file upload via Storage Service; SAP Security Patch Day Sep 14 2021; Onapsis published exploitation guidance; CISA KEV-added Nov 3 2021,2022-06-09,2021,True,False
CVE-2019-7195,QNAP,Photo Station,2019-12-05,2020-09-08,2020-09-08,278,278,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a,QNAP Photo Station authentication issue; QSnatch (CISA AA20-345A),2022-06-08,2019,False,False
CVE-2019-7194,QNAP,Photo Station,2019-12-05,2020-09-08,2020-09-08,278,278,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a,QNAP Photo Station path traversal; QSnatch exploitation (CISA AA20-345A),2022-06-08,2019,False,False
CVE-2019-7193,QNAP,QTS,2019-12-05,2020-09-08,2020-09-08,278,278,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a,QNAP File Station improper input validation; QSnatch malware exploited (Finland NCSC and CISA AA20-345A),2022-06-08,2019,False,False
CVE-2019-7192,QNAP,Photo Station,2019-12-05,2020-09-08,2020-09-08,278,278,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a,QNAP Photo Station auth bypass; QSnatch (CISA AA20-345A),2022-06-08,2019,False,False
CVE-2019-5825,Google,Chromium V8,2019-11-25,2019-04-23,2019-04-23,0,-216,low,,https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop.html,Chrome V8 OOB write; KEV-added 2022-06-08,2022-06-08,2019,True,True
CVE-2019-15271,Cisco,RV Series Routers,2019-11-26,2019-11-06,2019-11-06,0,-20,low,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-injection,Cisco RV016/RV042/RV082/RV320 router web interface RCE; KEV-added 2022-06-08,2022-06-08,2019,True,True
CVE-2018-6065,Google,Chromium V8,2018-11-14,2022-06-08,2022-06-08,1302,1302,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6065,Google Chrome V8 integer overflow; no specific contemporary threat-intel report documenting in-the-wild exploitation found; CISA KEV added 2022-06-08 is only documented evidence,2022-06-08,2018,False,False
CVE-2018-4990,Adobe,Acrobat and Reader,2018-07-09,2018-04-01,2018-05-15,0,-99,high,,https://helpx.adobe.com/security/products/acrobat/apsb18-09.html,Adobe Reader double-free in JPEG2000 handling; ESET discovered weaponized PDF on VirusTotal exploiting CVE-2018-4990 chained with Win32k CVE-2018-8120; Adobe APSB18-09 May 15 2018 confirms ITW exploit,2022-06-08,2018,True,True
CVE-2018-17480,Google,Chromium V8,2018-12-11,2022-06-08,2022-06-08,1275,1275,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-17480,Chrome V8 out-of-bounds write during array deserialization; no specific contemporary threat-intel report documenting in-wild exploitation found; CISA KEV is only documented evidence,2022-06-08,2018,False,False
CVE-2018-17463,Google,Chromium V8,2018-11-14,2022-06-08,2022-06-08,1302,1302,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-17463,Chrome V8 JIT type confusion; PoC published by SSD Disclosure June 2019; Metasploit module released March 2020; no specific contemporary threat-intel report documenting in-wild exploitation found; CISA KEV is only documented evidence,2022-06-08,2018,False,False
CVE-2022-26134,Atlassian,Confluence Server/Data Center,2022-06-03,2022-05-26,2022-06-02,0,-8,high,,https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/,Atlassian Confluence Server/DC OGNL injection pre-auth RCE zero-day; Volexity discovered exploitation against US-government customer May 26-28 2022; mass exploitation by Mirai/Kinsing/Hezb cryptominers within hours of Atlassian Jun 2 advisory,2022-06-02,2022,True,True
CVE-2019-3010,Oracle,Solaris,2019-10-16,2022-05-25,2022-05-25,952,952,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3010,Oracle Solaris XScreenSaver privilege escalation; PoC publicly available at packetstormsecurity since Oct 2019; CISA KEV add 2022-05-25; no specific contemporary threat-intel report documenting in-the-wild exploitation found,2022-05-25,2019,False,False
CVE-2018-8611,Microsoft,Windows,2018-12-12,2018-11-01,2018-12-12,0,-41,high,,https://www.kaspersky.com/about/press-releases/kaspersky-lab-uncovers-third-windows-zero-day-exploit-in-three-months,Windows Kernel Transaction Manager EoP zero-day (Jasmine); Kaspersky AEP detected exploitation in wild; used by SandCat APT and other groups targeting Middle East and Asia; can bypass Chrome/Edge sandbox,2022-05-24,2018,True,True
CVE-2018-19953,QNAP,Network Attached Storage (NAS),2020-10-28,2022-05-24,2022-05-24,573,573,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-19953,QNAP File Station vulnerabilities (XSS/command injection); no specific contemporary threat-intel report documenting in-wild exploitation found; CISA KEV is only documented evidence,2022-05-24,2018,False,False
CVE-2018-19949,QNAP,Network Attached Storage (NAS),2020-10-28,2022-05-24,2022-05-24,573,573,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-19949,QNAP File Station vulnerabilities (XSS/command injection); no specific contemporary threat-intel report documenting in-wild exploitation found; CISA KEV is only documented evidence,2022-05-24,2018,False,False
CVE-2018-19943,QNAP,Network Attached Storage (NAS),2020-10-28,2022-05-24,2022-05-24,573,573,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-19943,QNAP File Station vulnerabilities (XSS/command injection); no specific contemporary threat-intel report documenting in-wild exploitation found; CISA KEV is only documented evidence,2022-05-24,2018,False,False
CVE-2022-20821,Cisco,IOS XR,2022-05-26,2022-05-20,2022-05-26,0,-6,high,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK,Cisco IOS XR Health Check open port allows unauthenticated Redis instance access; Cisco PSIRT advisory May 26 2022; acknowledged active exploitation attempts in the wild from earlier May,2022-05-23,2022,True,True
CVE-2021-30883,Apple,Multiple Products,2021-08-24,2021-09-01,2021-10-11,8,8,high,,https://support.apple.com/en-us/HT212846,Apple iOS IOMobileFrameBuffer memory corruption EoP zero-day; Apple HT212846 acknowledged active in-wild exploitation when releasing iOS 15.0.2 Oct 11 2021; reported by anonymous researcher,2022-05-23,2021,False,False
CVE-2021-1048,Android,Kernel,2021-12-15,2021-10-01,2022-05-19,0,-75,high,,https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/,Android Kernel epoll race condition; Pixel/Android EoP chained with CVE-2021-38003 in Cytrox Campaign #3 (Oct 2021) full Android exploit chain to escape Chrome sandbox and deploy Predator spyware; Google TAG attribution May 19 2022,2022-05-23,2021,True,True
CVE-2021-0920,Android,Kernel,2021-12-15,2021-11-01,2021-12-15,0,-44,medium,,https://source.android.com/docs/security/bulletin/2021-12-01,Android Kernel Binder UAF; Android Dec 2021 security bulletin acknowledged limited targeted exploitation; CISA KEV added subsequently,2022-05-23,2021,True,True
CVE-2020-1027,Microsoft,Windows,2020-04-15,2020-04-14,2020-04-14,0,-1,high,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2020-1027,Windows Kernel EoP; reported by Google Project Zero as exploited in the wild,2022-05-23,2020,True,True
CVE-2020-0638,Microsoft,Update Notification Manager,2020-01-14,2020-01-14,2020-01-14,0,0,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2020-0638,Windows Update Notification Manager EoP; KEV-added 2022-05-23,2022-05-23,2020,True,False
CVE-2019-8720,WebKitGTK,WebKitGTK,2023-03-06,2019-09-26,2019-09-26,0,-1257,low,,https://webkitgtk.org/security/WSA-2019-0005.html,WebKitGTK / WPE WebKit RCE; KEV-added 2022-05-23,2022-05-23,2019,True,True
CVE-2019-7287,Apple,iOS,2019-12-18,2019-02-07,2019-02-07,0,-314,high,,https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html,Apple iOS IOKit ProvInfoIOKitUserClient EoP; part of in-wild iOS exploit chains analyzed by Project Zero,2022-05-23,2019,True,True
CVE-2019-7286,Apple,Multiple Products,2019-12-18,2019-02-07,2019-02-07,0,-314,high,,https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html,Apple iOS Foundation framework UAF; Google Project Zero documented in-wild exploit chains targeting iPhone users,2022-05-23,2019,True,True
CVE-2019-5786,Google,Chrome Blink,2019-06-27,2019-03-01,2019-03-01,0,-118,high,,https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html,Chrome FileReader UAF; chained with Windows CVE-2019-0808 by APT (Google TAG Clement Lecigne),2022-05-23,2019,True,True
CVE-2019-18426,Meta Platforms,WhatsApp,2020-01-21,2019-09-08,2020-01-22,0,-135,high,,https://www.fbi.gov/news/stories/national-statement-on-jamal-khashoggi-and-jeff-bezos-122220,WhatsApp Desktop XSS to local file read; Citizen Lab attributed to NSO Group Pegasus attack on Saudi journalist Jeff Bezos,2022-05-23,2019,True,True
CVE-2019-1385,Microsoft,Windows,2019-11-12,2019-11-12,2019-11-12,0,0,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1385,Windows AppX EoP; KEV-added 2022-05-23,2022-05-23,2019,True,False
CVE-2019-13720,Google,Chrome WebAudio,2019-11-25,2019-10-31,2019-10-31,0,-25,high,,https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/,Chrome Audio UAF; reported by Kaspersky as exploited by Operation WizardOpium (DPRK Lazarus) targeting Korean-language news site,2022-05-23,2019,True,True
CVE-2019-11708,Mozilla,Firefox and Thunderbird,2019-07-23,2019-06-17,2019-06-20,0,-36,high,,https://www.coinbase.com/blog/responding-to-firefox-0-days-in-the-wild,Firefox Prompt:Open sandbox escape; chained with CVE-2019-11707 in CRYPTO-3/HYDSEVEN attacks on Coinbase employees; Mozilla patched June 20 2019 in Firefox 67.0.4,2022-05-23,2019,True,True
CVE-2019-11707,Mozilla,Firefox and Thunderbird,2019-07-23,2019-06-17,2019-06-18,0,-36,high,,https://www.coinbase.com/blog/responding-to-firefox-0-days-in-the-wild,"Firefox Array.pop type confusion zero-day; exploited by CRYPTO-3/HYDSEVEN group against Coinbase employees and other cryptocurrency firms (Coinbase reported June 17, Mozilla patched within 24h)",2022-05-23,2019,True,True
CVE-2019-1130,Microsoft,Windows,2019-07-29,2019-07-09,2019-07-09,0,-20,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1130,Windows AppX Deployment Service EoP; KEV-added 2022-05-23; no specific contemporary attribution,2022-05-23,2019,True,True
CVE-2019-0880,Microsoft,Windows,2019-07-15,2019-07-09,2019-07-09,0,-6,high,,https://threatprotect.qualys.com/2019/07/15/microsoft-windows-privilege-escalation-vulnerabilities-cve-2019-1132-cve-2019-0880/,Microsoft splwow64 EoP; reported by Trend Micro ZDI; flagged as zero-day at July 2019 Patch Tuesday,2022-05-23,2019,True,True
CVE-2019-0703,Microsoft,Windows,2019-04-08,2019-03-12,2019-03-12,0,-27,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0703,Windows SMB info disclosure; KEV-added 2022-05-23; no specific contemporary attribution found,2022-05-23,2019,True,True
CVE-2019-0676,Microsoft,Internet Explorer,2019-03-06,2019-02-12,2019-02-12,0,-22,high,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0676,Microsoft Internet Explorer information disclosure; reported by Google as exploited in the wild before Feb 2019 Patch Tuesday,2022-05-23,2019,True,True
CVE-2018-8589,Microsoft,Win32k,2018-11-14,2018-10-17,2018-11-14,0,-28,high,,https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/,Windows Win32k race condition EoP zero-day (Alice); Kaspersky AEP detected exploitation October 17 2018; used by multiple APT groups targeting Middle East and Africa,2022-05-23,2018,True,True
CVE-2018-5002,Adobe,Flash Player,2018-07-09,2018-02-01,2018-06-07,0,-158,high,,https://blog.gigamon.com/2018/06/07/adobe-flash-zero-day-leveraged-for-targeted-attack-in-middle-east/,"Adobe Flash stack buffer overflow zero-day; ICEBRG, Qihoo 360 and Tencent reported limited targeted attacks in Middle East (likely Qatar); Qihoo 360 analysis says attack campaign was prepared since February 2018, exploiting diplomatic salary lure",2022-05-23,2018,True,True
CVE-2022-30525,Zyxel,Multiple Firewalls,2022-05-12,2022-05-13,2022-05-13,1,1,high,,https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/,Zyxel multiple firewalls OS command injection pre-auth RCE; silent fix Apr 28 2022; Rapid7 advisory + Metasploit module May 12; Shadowserver observed mass exploitation May 13 with Mirai variant adoption,2022-05-16,2022,False,False
CVE-2022-22947,VMware,Spring Cloud Gateway,2022-03-03,2022-03-03,2022-03-03,0,0,high,,https://tanzu.vmware.com/security/cve-2022-22947,VMware Spring Cloud Gateway Code Injection RCE; Spring advisory Mar 1 2022; Carlos Vieira public PoC Mar 3; widespread exploitation in days by cryptominers; CISA KEV-added May 16 2022,2022-05-16,2022,True,False
CVE-2022-1388,F5,BIG-IP,2022-05-05,2022-05-09,2022-05-09,4,4,high,,https://www.rapid7.com/blog/post/2022/05/09/cve-2022-1388-exploitation-of-f5-big-ip-icontrol-rest-vulnerability/,F5 BIG-IP iControl REST unauthenticated RCE; F5 advisory K23605346 May 4 2022; Horizon3.ai released PoC May 8; Eclypsium honeypot detected exploitation May 9; widespread by May 11 with cryptominer and wiper deployment,2022-05-10,2022,False,False
CVE-2021-1789,Apple,Multiple Products,2021-04-02,2021-11-03,2021-11-03,215,215,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-1789,Apple WebKit type confusion; patched in iOS 14.4 Jan 26 2021 but Apple advisory did not acknowledge ITW exploitation for this specific CVE; CISA KEV-added Nov 3 2021 in initial bulk catalog with no specific public exploitation attribution; KEV-fallback,2022-05-04,2021,False,False
CVE-2019-8506,Apple,Multiple Products,2019-12-18,2019-03-25,2019-03-25,0,-268,high,,https://support.apple.com/en-us/HT209601,Apple WebKit JSC type confusion; chained with iOS sandbox escape; Citizen Lab documented use,2022-05-04,2019,True,True
CVE-2022-29464,WSO2,Multiple Products,2022-04-18,2022-04-21,2022-04-21,3,3,high,,https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-deploy-coinminers.html,WSO2 multiple products arbitrary file upload pre-auth RCE; WSO2 advisory Apr 18 2022; hakivvi PoC Apr 20; Trend Micro/Rapid7 observed mass exploitation Apr 21-22 by cryptominers (XMRig) and Cobalt Strike loaders,2022-04-25,2022,False,False
CVE-2022-26904,Microsoft,Windows,2022-04-15,2022-04-25,2022-04-25,10,10,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26904,Windows User Profile Service EoP; April 2022 Patch Tuesday; PoC and Metasploit module immediate; CISA KEV-added Apr 25 with no specific public attribution; KEV-fallback,2022-04-25,2022,False,False
CVE-2022-21919,Microsoft,Windows,2022-01-11,2022-04-25,2022-04-25,104,104,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-21919,"Windows User Profile Service EoP; January 2022 Patch Tuesday; Microsoft rated ""Exploitation Less Likely"" with no ITW at disclosure; CISA KEV-added Apr 25 2022 in bulk batch with no specific public attribution; KEV-fallback",2022-04-25,2022,False,False
CVE-2022-0847,Linux,Kernel,2022-03-07,2022-03-07,2022-03-07,0,0,high,,https://dirtypipe.cm4all.com/,Dirty Pipe Linux Kernel pipe buffer flag improper initialization LPE; Max Kellermann disclosed Mar 7 2022 with PoC; CISA KEV-added Apr 25 with active exploitation by post-foothold attackers; commonly seen in red-team and crypto-mining campaigns,2022-04-25,2022,True,False
CVE-2021-41357,Microsoft,Win32k,2021-10-13,2021-11-03,2021-11-03,21,21,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-41357,"Windows Win32k EoP; Microsoft rated ""Exploitation More Likely"" in Oct 2021 Patch Tuesday but no public in-the-wild report (CVE-2021-40449 was the actually-exploited Win32k that month, MysterySnail); CISA KEV-added Nov 3 2021 in initial bulk catalog; KEV-fallback",2022-04-25,2021,False,False
CVE-2021-40450,Microsoft,Win32k,2021-10-13,2021-10-12,2021-10-12,0,-1,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40450,Windows Win32k EoP; October 2021 Patch Tuesday; not the actually-exploited Win32k zero-day that month (CVE-2021-40449 was MysterySnail); no specific ITW attribution; CISA KEV added Nov 3 2021; KEV-fallback,2022-04-25,2021,True,True
CVE-2019-1003029,Jenkins,Script Security Plugin,2019-03-08,2019-01-22,2019-01-22,0,-45,high,,https://www.trendmicro.com/en_us/research/19/c/monero-mining-malware-pcastle-zombieboy-resurfaces-now-attacks-china-based-systems.html,"Jenkins Groovy sandbox bypass RCE; widely exploited for cryptomining (Kerberods, JenkinsMiner)",2022-04-25,2019,True,True
CVE-2022-22718,Microsoft,Windows,2022-02-09,2022-04-19,2022-04-19,69,69,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22718,"Windows Print Spooler EoP; February 2022 Patch Tuesday rated ""Exploitation More Likely""; CISA KEV-added Apr 19 2022 with no specific public attribution distinct from broader PrintNightmare-era cluster; KEV-fallback",2022-04-19,2022,False,False
CVE-2019-3568,Meta Platforms,WhatsApp,2019-05-14,2019-05-01,2019-05-13,0,-13,high,,https://citizenlab.ca/2019/10/whatsapp-issues-include-pegasus-spyware/,WhatsApp VOIP stack buffer overflow; exploited by NSO Group Pegasus spyware against human rights activists; reported by Citizen Lab,2022-04-19,2019,True,True
CVE-2018-6882,Synacor,Zimbra Collaboration Suite (ZCS),2018-03-27,2022-04-01,2022-04-15,1466,1466,high,,https://socprime.com/blog/cve-2018-6882-xss-vulnerability-in-zimbra-collaboration-suite-leveraged-to-target-ukrainian-government-cert-ua-warns/,"Zimbra Collaboration Suite XSS via Content-Location header; CERT-UA reported UAC-0097 targeted campaign against Ukrainian state institutions for cyber-espionage, auto-forwarding compromised emails to external addresses",2022-04-19,2018,False,False
CVE-2022-22960,VMware,Multiple Products,2022-04-13,2022-04-12,2022-04-12,0,-1,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b,VMware Workspace ONE Access/Identity Manager privilege escalation; same VMSA-2022-0011 cluster as CVE-2022-22954; chained for full system compromise; CISA AA22-138B joint advisory documented mass exploitation,2022-04-15,2022,True,True
CVE-2022-1364,Google,Chromium V8,2022-07-26,2022-04-14,2022-04-14,0,-103,high,,https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html,Chrome V8 type confusion zero-day; Google Stable Channel update Apr 14 2022 acknowledged ITW exploitation; reported by Clement Lecigne of Google TAG,2022-04-15,2022,True,True
CVE-2019-3929,Crestron,Multiple Products,2019-04-30,2019-04-30,2019-04-30,0,0,medium,,https://www.tenable.com/security/research/tra-2019-22,Crestron AirMedia AM-100/200 command injection; KEV-added 2022-04-15,2022-04-15,2019,True,False
CVE-2019-16057,D-Link,DNS-320 Storage Device,2019-09-16,2022-04-15,2022-04-15,942,942,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16057,D-Link DNS-320 login_mgr.cgi command injection; CyStack/Trung Nguyen disclosed Sep 2019; CISA KEV add 2022-04-15; no specific contemporary threat-intel report documenting in-the-wild exploitation found,2022-04-15,2019,False,False
CVE-2018-7841,Schneider Electric,U.motion Builder,2019-05-22,2019-12-01,2020-01-01,193,193,high,,https://feedly.com/cve/CVE-2018-7841,Schneider Electric U.motion Builder SQL injection RCE; Mirai variant incorporated 71 unique exploits including CVE-2018-7841 around late 2019; first ITW exploitation observed in Mirai variant,2022-04-15,2018,False,False
CVE-2022-22954,VMware,Workspace ONE Access and Identity Manager,2022-04-11,2022-04-12,2022-04-12,1,1,high,,https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/,"VMware Workspace ONE Access/Identity Manager server-side template injection pre-auth RCE; VMSA-2022-0011 Apr 6 2022; PoCs public Apr 11; Unit 42 observed mass exploitation Apr 12-13 by cryptominers (RAR1Ransom, GuardMiner) and APT35/Rocket Kitten",2022-04-14,2022,False,False
CVE-2022-24521,Microsoft,Windows,2022-04-15,2022-04-12,2022-04-12,0,-3,high,,https://www.tenable.com/blog/microsofts-april-2022-patch-tuesday-addresses-117-cves-cve-2022-24521,"Windows CLFS driver EoP zero-day; April 2022 Patch Tuesday; reported by CrowdStrike and NSA; Microsoft acknowledged ""Exploitation Detected"" with active in-wild exploitation",2022-04-13,2022,True,True
CVE-2018-7602,Drupal,Core,2018-07-19,2018-04-25,2018-06-21,0,-85,high,,https://blog.trendmicro.com/trendlabs-security-intelligence/drupal-vulnerability-cve-2018-7602-exploited-to-deliver-monero-mining-malware/,Drupal core RCE (Drupalgeddon 3); Drupal security team confirmed actively exploited in the wild; Trend Micro documented Monero cryptomining campaign deploying ELF_DLOADR backdoor,2022-04-13,2018,True,True
CVE-2018-20753,Kaseya,Virtual System/Server Administrator (VSA),2019-02-05,2018-01-01,2019-02-05,0,-400,high,,https://nvd.nist.gov/vuln/detail/CVE-2018-20753,"Kaseya VSA RMM PowerShell payload execution; NVD description and CISA KEV confirm 'In January 2018, attackers actively exploited this vulnerability in the wild'",2022-04-13,2018,True,True
CVE-2022-23176,WatchGuard,Firebox and XTM,2022-02-24,2021-11-30,2022-02-23,0,-86,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-054a,WatchGuard Firebox and XTM appliances privileged user authentication bypass; silent fix May 2021; FBI/CISA/NCSC/NSA joint advisory Feb 23 2022 attributing Sandworm/Voodoo Bear (GRU Unit 74455) Cyclops Blink botnet exploitation since at least Nov 2021,2022-04-11,2022,True,True
CVE-2021-42287,Microsoft,Active Directory,2021-11-10,2021-12-21,2021-12-21,41,41,high,,https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html,"Microsoft AD KDC security feature bypass; chained with CVE-2021-42278 as ""Certifried/noPac"" allowing domain user to escalate to DA; PoC published Dec 21 2021",2022-04-11,2021,False,False
CVE-2021-42278,Microsoft,Active Directory,2021-11-10,2021-12-21,2021-12-21,41,41,high,,https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html,"Microsoft AD computer account spoofing security feature bypass; chained with CVE-2021-42287 as ""Certifried/noPac"" by Charlie Clark/SpecterOps; PoC tool noPac.exe published Dec 21 2021 triggering widespread exploitation",2022-04-11,2021,False,False
CVE-2021-39793,Google,Pixel,2022-03-16,2022-04-04,2022-04-04,19,19,high,,https://source.android.com/docs/security/bulletin/pixel/2022-04-01,"Pixel firmware EoP zero-day; Google March 2022 Pixel security bulletin acknowledged ""may be under limited, targeted exploitation""; CISA KEV-added Apr 6 2022",2022-04-11,2021,False,False
CVE-2021-27852,Checkbox,Checkbox Survey,2021-05-27,2021-12-22,2021-12-22,209,209,medium,,https://www.rapid7.com/blog/post/2021/12/15/cve-2021-27852-checkbox-survey-unsafe-deserialization-rce/,Checkbox Survey ASP.NET ViewState deserialization RCE; CTO Realm of Rapid7 reported in coordination with Checkbox Dec 22 2021; widely exploited shortly after public disclosure,2022-04-11,2021,False,False
CVE-2021-22600,Linux,Kernel,2022-01-26,2022-01-26,2022-01-26,0,0,medium,,https://www.zerodayinitiative.com/advisories/ZDI-22-110/,Linux Kernel net/packet/af_packet.c double-free EoP; Patch via Jan 10 2022 lkml posting; ZDI advisory ZDI-22-110; widely tested in Pwn2Own training kits; CISA KEV-added Feb 28 2024 with no specific public exploitation campaign,2022-04-11,2021,True,False
CVE-2020-2509,QNAP,QNAP Network-Attached Storage (NAS),2021-04-17,2022-04-11,2022-04-11,359,359,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2509,QNAP NAS command injection; QNAP advisory Apr 16 2021; listed in CISA 2021 Top Routinely Exploited Vulnerabilities; QNAP NAS devices subject of Qlocker/DeadBolt/Checkmate ransomware campaigns 2021-2022; CISA KEV add 2022-04-11; Rapid7 noted mystery surrounding specific CVE attribution,2022-04-11,2020,False,False
CVE-2021-3156,Sudo,Sudo,2021-01-26,2021-01-26,2021-01-26,0,0,high,,https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit,"sudo sudoedit heap-based buffer overflow ""Baron Samedit""; Qualys disclosed Jan 26 2021 with bug present 10 years; PoCs immediate; widely used in post-exploitation including by ransomware operators and APTs; affects nearly all Linux distros",2022-04-06,2021,True,False
CVE-2021-31166,Microsoft,HTTP Protocol Stack,2021-05-11,2021-05-11,2021-05-11,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166,Windows HTTP Protocol Stack (http.sys) wormable RCE; May 2021 Patch Tuesday; PoC public May 16 2021 (Axel Souchet) demonstrating BSOD; no confirmed mass exploitation campaign though wormable potential drove urgent patching,2022-04-06,2021,True,False
CVE-2022-22965,VMware,Spring Framework,2022-04-01,2022-03-31,2022-03-31,0,-1,high,,https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulnerability.html,"Spring Framework Spring4Shell data binding RCE in JDK 9+ apps using Tomcat; Trend Micro IPS triggers Mar 30 2022; Spring patch Mar 31; mass exploitation observed by Apr 1 via honeypots (Trend Micro, Cisco Talos, Cloudflare); Mirai botnet adoption immediate",2022-04-04,2022,True,True
CVE-2022-22675,Apple,macOS,2022-05-26,2022-03-31,2022-03-31,0,-56,high,,https://support.apple.com/en-us/HT213219,Apple AppleAVD audio/video decoder kernel RCE zero-day; macOS Monterey 12.3.1 + iOS 15.4.1 Mar 31 2022 with Apple ITW acknowledgement; reported anonymously,2022-04-04,2022,True,True
CVE-2022-22674,Apple,macOS,2022-05-26,2022-03-31,2022-03-31,0,-56,high,,https://support.apple.com/en-us/HT213220,Apple Intel Graphics Driver kernel memory disclosure zero-day; macOS Monterey 12.3.1 Mar 31 2022 with Apple ITW acknowledgement; reported anonymously,2022-04-04,2022,True,True
CVE-2021-45382,D-Link,Multiple Routers,2022-02-17,2022-04-04,2022-04-04,46,46,high,,https://www.fortinet.com/blog/threat-research/beastmode-mirai-based-ddos-botnet,"D-Link multiple router models RCE via ""ddns"" parameter; D-Link advisory SAP10248 Feb 17 2022; FortiGuard observed Beastmode Mirai variant exploitation from Apr 2022",2022-04-04,2021,False,False
CVE-2022-26871,Trend Micro,Apex Central,2022-03-29,2022-03-22,2022-03-29,0,-7,high,,https://success.trendmicro.com/dcx/s/solution/000290678,Trend Micro Apex Central improper input validation file upload RCE zero-day; Trend Micro advisory Mar 29 2022 acknowledged limited in-the-wild exploitation in targeted attacks,2022-03-31,2022,True,True
CVE-2022-1040,Sophos,Firewall,2022-03-25,2022-03-05,2022-03-25,0,-20,high,,https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation/,Sophos Firewall User Portal/Webadmin authentication bypass RCE zero-day; Sophos advisory Mar 25 2022; Volexity Jun 15 2022 attributed exploitation to Chinese APT DriftingCloud since Mar 5 targeting South Asian entities with custom webshells and post-compromise tooling,2022-03-31,2022,True,True
CVE-2021-34484,Microsoft,Windows,2021-08-12,2021-11-03,2021-11-03,83,83,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-34484,Windows User Profile Service LPE found by Naceri; Microsoft Aug 2021 patch bypassed (CVE-2022-21919 follow-up Jan 2022); public PoC available but no in-the-wild exploitation reported (HivePro and Neowin confirmed); CISA KEV-added Nov 3 2021 in initial bulk catalog; KEV-fallback,2022-03-31,2021,False,False
CVE-2021-28799,QNAP,Network Attached Storage (NAS),2021-05-13,2021-04-19,2021-05-13,0,-24,high,,https://www.bleepingcomputer.com/news/security/qnap-warns-nas-users-of-new-qlocker-ransomware-campaign/,"QNAP NAS HBS3 Hybrid Backup Sync improper authorization; QNAP advisory QSA-21-13 May 13 2021; Qlocker ransomware mass exploitation campaign began April 19 2021 (~3 weeks pre-disclosure), encrypting NAS contents into 7zip archives",2022-03-31,2021,True,True
CVE-2021-21551,Dell,dbutil Driver,2021-05-04,2021-05-04,2021-05-04,0,0,high,,https://www.sentinelone.com/labs/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/,"Dell dbutil_2_3.sys driver privilege escalation; reported by SentinelLabs May 4 2021 noting bug present 12 years; widely abused for BYOVD by ransomware groups (BlackByte, Lazarus AppleJeus campaign) and red team toolkits",2022-03-31,2021,True,False
CVE-2018-10562,Dasan,Gigabit Passive Optical Network (GPON) Routers,2018-05-04,2018-05-04,2018-05-10,0,0,high,,https://thehackernews.com/2018/05/botnet-malware-hacking.html,Dasan GPON router RCE; chained with CVE-2018-10561; Netlab 360 reported 5 botnets exploiting within 10 days; Trend Micro confirmed Mirai-like scanning activity May 21 2018,2022-03-31,2018,True,False
CVE-2018-10561,Dasan,Gigabit Passive Optical Network (GPON) Routers,2018-05-04,2018-05-04,2018-05-10,0,0,high,,https://thehackernews.com/2018/05/botnet-malware-hacking.html,"Dasan GPON router auth bypass; Netlab 360 reported 5 botnets (Mettle, Muhstik, Mirai, Hajime, Satori) exploiting within 10 days of disclosure",2022-03-31,2018,True,False
CVE-2022-1096,Google,Chromium V8,2022-07-22,2022-03-25,2022-03-25,0,-119,high,,https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html,Chrome V8 type confusion zero-day; Google Stable Channel update Mar 25 2022 acknowledged ITW exploitation; reported anonymously,2022-03-28,2022,True,True
CVE-2022-0543,Redis,Debian-specific Redis Servers,2022-02-18,2022-03-11,2022-03-11,21,21,high,,https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers,Debian/Ubuntu-specific Redis Lua sandbox escape allowing RCE; Reginaldo Silva disclosed Jan 2022; PoC public Mar 10 2022; Juniper Threat Labs observed Muhstik botnet exploitation Mar 11; widespread cryptominer and DDoS botnet adoption,2022-03-28,2022,False,False
CVE-2021-38646,Microsoft,Office,2021-09-15,2021-11-03,2021-11-03,49,49,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38646,Microsoft Office EoP; September 2021 Patch Tuesday; no specific public exploitation report; CISA KEV added Nov 3 2021 in initial bulk catalog; KEV-fallback,2022-03-28,2021,False,False
CVE-2021-34486,Microsoft,Windows,2021-08-12,2021-11-03,2021-11-03,83,83,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-34486,Windows Event Tracing EoP; patched in August 2021 Patch Tuesday; CISA KEV-added Nov 3 2021 in initial bulk catalog; no public in-the-wild exploitation report; KEV-fallback,2022-03-28,2021,False,False
CVE-2021-26085,Atlassian,Confluence Server,2021-08-03,2021-08-03,2021-08-03,0,0,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26085,Atlassian Confluence Server pre-auth file read; Atlassian advisory Aug 3 2021; CISA KEV added 2021-11-03 in initial bulk catalog with no specific public exploitation attribution; KEV-fallback,2022-03-28,2021,True,False
CVE-2021-20028,SonicWall,Secure Remote Access (SRA),2021-08-04,2021-07-14,2021-08-04,0,-21,high,,https://www.sonicwall.com/blog/2021/07/sonicwall-issues-urgent-security-notice-about-threat-actors-targeting-eol-sma-100-series-and-sra-products,SonicWall Secure Remote Access (SRA) blind SQL injection; SonicWall PSIRT advisory SNWLID-2021-0007; CrowdStrike and Mandiant observed HelloKitty/FiveHands ransomware exploitation from Jul 2021; SonicWall confirmed targeting July 14 2021,2022-03-28,2021,True,True
CVE-2019-7483,SonicWall,SMA100,2019-12-19,2019-02-22,2019-02-22,0,-300,low,,https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0001,SonicWall Global Management System auth bypass; KEV-added 2022-03-28,2022-03-28,2019,True,True
CVE-2018-8440,Microsoft,Windows,2018-09-13,2018-08-29,2018-09-05,0,-15,high,,https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/,Windows Task Scheduler ALPC EoP zero-day; SandboxEscaper publicly disclosed Aug 27 2018 without coordination; ESET observed PowerPool group exploiting within 2 days for info-stealing campaign,2022-03-28,2018,True,True
CVE-2018-8406,Microsoft,DirectX Graphics Kernel (DXGKRNL),2018-08-15,2022-03-28,2022-03-28,1321,1321,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8406,Windows DirectX kernel EoP (sibling of CVE-2018-8405); ZDI disclosed Dec 4 2018; no specific contemporary threat-intel report documenting in-the-wild exploitation found,2022-03-28,2018,False,False
CVE-2018-8405,Microsoft,DirectX Graphics Kernel (DXGKRNL),2018-08-15,2022-03-28,2022-03-28,1321,1321,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8405,Windows DirectX kernel type confusion EoP; ZDI disclosed Dec 4 2018; no specific contemporary threat-intel report documenting in-the-wild exploitation found,2022-03-28,2018,False,False
CVE-2022-26318,WatchGuard,Firebox and XTM Appliances,2022-03-04,2022-02-27,2022-03-04,0,-5,high,,https://www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-tips,WatchGuard Firebox and XTM unauthenticated RCE via integer overflow; NVD Mar 4 2022; GreyNoise observed mass scanning and exploitation from Feb 27 (Mirai variant adoption),2022-03-25,2022,True,True
CVE-2022-26143,Mitel,"MiCollab, MiVoice Business Express",2022-03-09,2022-02-18,2022-03-08,0,-19,high,,https://blog.cloudflare.com/cve-2022-26143-amplification-attack/,Mitel MiCollab/MiVoice Business Express TP-240 audio gateway DDoS amplification (TP240PhoneHome); Cloudflare/Akamai/LumenBlack Lotus Labs observed exploitation from Feb 18 2022 reaching 4.3 Tbps amplification factor of ~4 billion-to-1; Mitel advisory Mar 8,2022-03-25,2022,True,True
CVE-2022-21999,Microsoft,Windows,2022-02-09,2022-02-08,2022-02-08,0,-1,high,,https://github.com/ly4k/SpoolFool,SpoolFool Windows Print Spooler EoP; Oliver Lyak (Ionsec.io) published advisory and PoC Feb 8 2022 same day as patch; widely adopted in post-foothold escalation; CISA KEV-added Mar 25 2022,2022-03-25,2022,True,True
CVE-2021-42237,Sitecore,XP,2021-11-05,2021-11-02,2021-11-05,0,-3,high,,https://blog.assetnote.io/2021/11/02/sitecore-rce/,Sitecore XP Report.ashx .NET BinaryFormatter insecure deserialization pre-auth RCE; Sitecore KB0998451 Oct 8 2021; AssetNote/Sam Curry published technical writeup Nov 2; mass exploitation observed immediately,2022-03-25,2021,True,True
CVE-2021-22941,Citrix,ShareFile,2021-09-23,2022-01-01,2022-03-15,100,100,high,,https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-citrix-sharefile/,Citrix ShareFile Storage Zones Controller relative path traversal RCE via NeatUpload; Citrix advisory CTX328123 Sep 14 2021; CrowdStrike observed PROPHET SPIDER (IAB) exploiting starting Jan 2022 to compromise Microsoft IIS web servers and drop webshells,2022-03-25,2021,False,False
CVE-2020-9377,D-Link,DIR-610 Devices,2020-07-09,2020-02-28,2020-02-28,0,-132,high,,https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/,D-Link DIR-610 RCE; Mirai exploitation,2022-03-25,2020,True,True
CVE-2020-9054,Zyxel,Multiple Network-Attached Storage (NAS) Devices,2020-03-04,2020-02-24,2020-02-24,0,-9,high,,https://www.kb.cert.org/vuls/id/498544,Zyxel NAS/firewall command injection; exploited by Mukashi Mirai variant,2022-03-25,2020,True,True
CVE-2020-7247,OpenBSD,OpenSMTPD,2020-01-29,2022-03-25,2022-03-25,786,786,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-7247,OpenSMTPD smtp_mailaddr command injection (Qualys disclosed Jan 28 2020); Metasploit module published shortly after; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2022-03-25,2020,False,False
CVE-2020-5410,VMware Tanzu,Spring Cloud Configuration (Config) Server,2020-06-02,2022-03-25,2022-03-25,661,661,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410,Spring Cloud Config Server directory traversal; disclosed Jun 2 2020 (VMware/Tanzu); PoC publicly available; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2022-03-25,2020,False,False
CVE-2020-25223,Sophos,SG UTM,2020-09-25,2020-09-23,2020-09-23,0,-2,high,,https://community.sophos.com/sophos-utm/b/blog/posts/utm-up2date-9-705,Sophos UTM WebAdmin RCE; Sophos issued hotfix; exploited,2022-03-25,2020,True,True
CVE-2020-2506,QNAP Systems,Helpdesk,2021-02-03,2022-03-25,2022-03-25,415,415,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2506,QNAP NAS Helpdesk app improper access control; QNAP advisory Jan 7 2021; CISA KEV catalog the documented evidence; no specific contemporary threat-intel report with date attribution found,2022-03-25,2020,False,False
CVE-2020-2021,Palo Alto Networks,PAN-OS,2020-06-29,2020-06-29,2020-06-29,0,0,high,,https://security.paloaltonetworks.com/CVE-2020-2021,Palo Alto Networks PAN-OS GlobalProtect SAML auth bypass; CVSS 10; NSA alerted within hours; widely exploited,2022-03-25,2020,True,False
CVE-2020-1956,Apache,Kylin,2020-05-22,2022-03-25,2022-03-25,672,672,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1956,Apache Kylin REST API OS command injection; disclosed May 20 2020; public PoC by Sonar; CISA KEV catalog the documented evidence; no specific contemporary threat-intel report with date attribution found,2022-03-25,2020,False,False
CVE-2020-1631,Juniper,Junos OS,2020-05-04,2020-05-04,2020-05-04,0,0,medium,,https://supportportal.juniper.net/s/article/2020-04-Out-of-Cycle-Security-Bulletin-Junos-OS-Multiple-products-affected-by-HTTP-HTTPS-service-vulnerability-CVE-2020-1631,Juniper Junos OS path traversal in HTTP/HTTPS service; Juniper SIRT confirmed at least one report of this vulnerability being exploited in the wild at disclosure May 4 2020,2022-03-25,2020,True,False
CVE-2019-6340,Drupal,Core,2019-02-21,2019-02-22,2019-02-22,1,1,high,,https://www.imperva.com/blog/cve-2019-6340-drupal-rest-rce-exploited-in-the-wild/,Drupal core REST module deserialization RCE; exploited within days of disclosure for cryptomining,2022-03-25,2019,False,False
CVE-2019-2616,Oracle,BI Publisher (Formerly XML Publisher),2019-04-23,2022-03-25,2022-03-25,1067,1067,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-2616,Oracle BI Publisher authentication bypass; Oracle CPU April 2019; no specific contemporary threat-intel report documenting in-the-wild exploitation found; only CISA KEV catalog entry confirms exploitation,2022-03-25,2019,False,False
CVE-2019-16920,D-Link,Multiple Routers,2019-09-27,2019-09-26,2019-09-26,0,-1,high,,https://www.fortinet.com/blog/threat-research/d-link-d-iy-rce,D-Link DIR-655 unauthenticated RCE; widely exploited by Mirai botnet variants from 2019,2022-03-25,2019,True,True
CVE-2019-15107,Webmin,Webmin,2019-08-16,2019-08-17,2019-08-17,1,1,high,,https://www.webmin.com/exploit.html,Webmin password reset module command injection; widely scanned and exploited by Mirai variants immediately after disclosure,2022-03-25,2019,False,False
CVE-2019-12991,Citrix,SD-WAN and NetScaler,2019-07-16,2019-08-22,2019-08-22,37,37,low,,https://support.citrix.com/article/CTX251987,Citrix SD-WAN authenticated command injection (sibling of 12989); KEV-added 2022-03-25,2022-03-25,2019,False,False
CVE-2019-12989,Citrix,SD-WAN and NetScaler,2019-07-16,2019-08-22,2019-08-22,37,37,low,,https://support.citrix.com/article/CTX251987,Citrix SD-WAN command injection; KEV-added 2022-03-25,2022-03-25,2019,False,False
CVE-2019-11043,PHP,FastCGI Process Manager (FPM),2019-10-28,2019-10-23,2019-10-28,0,-5,high,,https://www.helpnetsecurity.com/2019/10/28/cve-2019-11043/,PHP-FPM env_path_info buffer underflow RCE in Nginx; PoC released Oct 22-23 2019; Bad Packets confirmed actively exploited attacking NGINX servers by Oct 28 2019,2022-03-25,2019,True,True
CVE-2019-10068,Kentico,Xperience,2019-03-26,2022-03-25,2022-03-25,1095,1095,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10068,Kentico CMS staging service .NET deserialization RCE; disclosed by Aon Apr 2019; CISA KEV add 2022-03-25; watchTowr referenced ITW exploitation but no specific contemporary threat-intel report with attribution found,2022-03-25,2019,False,False
CVE-2019-1003030,Jenkins,Matrix Project Plugin,2019-03-08,2019-02-06,2019-02-06,0,-30,high,,https://www.jenkins.io/security/advisory/2019-01-08/#SECURITY-1266,Jenkins Pipeline Groovy plugin sandbox bypass RCE; widely exploited,2022-03-25,2019,True,True
CVE-2019-0903,Microsoft,Graphics Device Interface (GDI),2019-05-16,2019-05-14,2019-05-14,0,-2,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0903,Windows GDI+ RCE; KEV-added 2022-03-25; no specific contemporary attribution,2022-03-25,2019,True,True
CVE-2018-8414,Microsoft,Windows,2018-08-15,2018-07-31,2018-08-14,0,-15,high,,https://enigma0x3.net/2018/10/23/cve-2018-8414-a-case-study-in-responsible-disclosure/,Windows Shell SettingContent-ms RCE; Matt Nelson (enigma0x3) confirmed in-the-wild exploitation prior to disclosure; weaponized PoC code observed in spam/phishing campaigns; Microsoft Patch Tuesday Aug 14 2018,2022-03-25,2018,True,True
CVE-2018-8373,Microsoft,Internet Explorer Scripting Engine,2018-08-15,2018-07-11,2018-08-15,0,-35,high,,https://www.trendmicro.com/en_us/research/18/h/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode.html,VBScript Engine use-after-free RCE; Trend Micro discovered exploit in wild July 11 2018 (day after July patch Tuesday); Qihoo 360 attributed to DarkHotel APT (APT-C-06) - same actor as CVE-2018-8174,2022-03-25,2018,True,True
CVE-2018-6961,VMware,SD-WAN Edge,2018-06-11,2022-03-25,2022-03-25,1383,1383,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6961,VMware NSX SD-WAN Edge by VeloCloud command injection; CISA KEV added 2022-03-25; no specific contemporary threat-intel report documenting in-wild exploitation found,2022-03-25,2018,False,False
CVE-2018-14839,LG,N1A1 NAS,2019-05-14,2022-03-25,2022-03-25,1046,1046,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14839,LG N1A1 NAS remote command execution; no specific threat-intel report documenting in-the-wild exploitation found; only CISA KEV catalog confirms,2022-03-25,2018,False,False
CVE-2018-1273,VMware Tanzu,Spring Data Commons,2018-04-11,2022-03-25,2022-03-25,1444,1444,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273,Spring Data Commons property binder RCE; CISA KEV marks as 'Known' for ransomware use but no specific contemporary threat-intel report found documenting exploitation,2022-03-25,2018,False,False
CVE-2018-11138,Quest,KACE System Management Appliance,2018-05-31,2022-03-25,2022-03-25,1394,1394,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11138,Quest KACE Systems Management Appliance command injection; no contemporary threat-intel report found; only CISA KEV catalog confirms exploitation,2022-03-25,2018,False,False
CVE-2018-0147,Cisco,Secure Access Control System (ACS),2018-03-08,2022-03-01,2022-03-25,1454,1454,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180307-acs2.html,Cisco ACS Java deserialization RCE; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-25,2018,False,False
CVE-2018-0125,Cisco,VPN Routers,2018-02-08,2022-03-01,2022-03-25,1482,1482,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180207-rv13x.html,Cisco RV132W/RV134W router RCE; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-25,2018,False,False
CVE-2020-5135,SonicWall,SonicOS,2020-10-12,2020-10-14,2020-10-14,2,2,high,,https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010,SonicWall NSA buffer overflow; PoC release led to widespread scanning,2022-03-15,2020,False,False
CVE-2019-1405,Microsoft,Windows,2019-11-12,2019-11-12,2019-11-12,0,0,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1405,Windows UPnP service EoP; KEV-added 2022-03-15,2022-03-15,2019,True,False
CVE-2019-1322,Microsoft,Windows,2019-10-10,2019-10-08,2019-10-08,0,-2,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1322,Windows Update Assistant EoP; KEV-added 2022-03-15,2022-03-15,2019,True,True
CVE-2019-1315,Microsoft,Windows,2019-10-10,2019-10-08,2019-10-08,0,-2,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1315,Windows Error Reporting Manager EoP; KEV-added 2022-03-15,2022-03-15,2019,True,True
CVE-2019-1253,Microsoft,Windows,2019-09-11,2019-09-10,2019-09-10,0,-1,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1253,Windows EoP; KEV-added 2022-03-15,2022-03-15,2019,True,True
CVE-2019-1132,Microsoft,Win32k,2019-07-29,2019-07-09,2019-07-09,0,-20,high,,https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/,Windows Win32k EoP NULL pointer deref; reported by ESET as exploited by Buhtrap APT (Russian-speaking),2022-03-15,2019,True,True
CVE-2019-1129,Microsoft,Windows,2019-07-29,2019-07-09,2019-07-09,0,-20,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1129,Windows AppX Deployment Service EoP (sibling of CVE-2019-1130); KEV-added 2022-03-15,2022-03-15,2019,True,True
CVE-2019-1069,Microsoft,Task Scheduler,2019-06-12,2019-06-11,2019-06-11,0,-1,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1069,Task Scheduler EoP; KEV-added 2022-03-15,2022-03-15,2019,True,True
CVE-2019-1064,Microsoft,Windows,2019-06-12,2019-06-11,2019-06-11,0,-1,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1064,Windows EoP; KEV-added 2022-03-15,2022-03-15,2019,True,True
CVE-2019-0841,Microsoft,Windows,2019-04-09,2019-04-09,2019-04-09,0,0,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0841,Windows AppX Deployment Service EoP; KEV-added 2022-03-15; no specific contemporary attribution,2022-03-15,2019,True,False
CVE-2019-0543,Microsoft,Windows,2019-01-08,2019-01-08,2019-01-08,0,0,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0543,Windows Secure Kernel Mode EoP; KEV-added 2022-03-15; no specific contemporary attribution,2022-03-15,2019,True,False
CVE-2018-8120,Microsoft,Win32k,2018-05-09,2018-04-01,2018-05-08,0,-38,high,,https://www.techtarget.com/searchsecurity/news/252440839/Microsoft-patches-Internet-Explorer-zero-day-Double-Kill,Microsoft Win32K EoP exploited in the wild prior to May 2018 Patch Tuesday; discovered by ESET; affects Windows 7 / Server 2008,2022-03-15,2018,True,True
CVE-2022-26486,Mozilla,Firefox,2022-12-22,2022-03-05,2022-03-05,0,-292,high,,https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/,Firefox WebGPU IPC sandbox escape zero-day; Mozilla emergency Firefox 97.0.2 Mar 5 2022 acknowledged active in-wild exploitation; chained with CVE-2022-26485 by 360 ATA-reported attacker,2022-03-07,2022,True,True
CVE-2022-26485,Mozilla,Firefox,2022-12-22,2022-03-05,2022-03-05,0,-292,high,,https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/,Firefox XSLT use-after-free zero-day; Mozilla emergency Firefox 97.0.2/91.6.1 update Mar 5 2022 acknowledged active in-wild exploitation; reported by Wang Gang and Liu Jialei of 360 ATA team and Nils,2022-03-07,2022,True,True
CVE-2021-21973,VMware,vCenter Server and Cloud Foundation,2021-02-24,2021-11-03,2021-11-03,252,252,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21973,VMware vCenter Server vSphere Client SSRF (not the headline RCE - that was CVE-2021-21972); VMSA-2021-0002 Feb 23 2021; no public mass-exploitation attribution for this specific SSRF (CVE-2021-21972 RCE took the spotlight); CISA KEV added Nov 3 2021 in initial bulk catalog; KEV-fallback,2022-03-07,2021,False,False
CVE-2020-8218,Pulse Secure,Pulse Connect Secure,2020-07-30,2020-09-09,2020-09-09,41,41,high,,https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516,Pulse Secure VPN code injection; widely exploited by APTs after disclosure,2022-03-07,2020,False,False
CVE-2019-11581,Atlassian,Jira Server and Data Center,2019-08-09,2019-07-22,2019-07-25,0,-18,high,,https://www.bleepingcomputer.com/news/security/hackers-exploit-jira-exim-linux-servers-to-keep-the-internet-safe/,Jira template injection RCE; disclosed July 10 2019; Intezer's polarply identified Watchbog Linux Trojan exploiting CVE-2019-11581 + CVE-2019-10149 for Monero cryptomining 12 days after disclosure,2022-03-07,2019,True,True
CVE-2022-20708,Cisco,Small Business RV Series Routers,2022-02-10,2022-03-03,2022-03-03,21,21,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20708,Cisco Small Business RV Series command injection companion; same Feb 2 2022 advisory cluster; CISA KEV-added Mar 3; KEV-fallback,2022-03-03,2022,False,False
CVE-2022-20703,Cisco,Small Business RV Series Routers,2022-02-10,2022-03-03,2022-03-03,21,21,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20703,Cisco Small Business RV Series digital signature verification bypass; same Feb 2 2022 advisory cluster; CISA KEV-added Mar 3; KEV-fallback,2022-03-03,2022,False,False
CVE-2022-20701,Cisco,Small Business RV Series Routers,2022-02-10,2022-03-03,2022-03-03,21,21,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20701,Cisco Small Business RV Series privilege escalation companion; same Feb 2 2022 advisory cluster; CISA KEV-added Mar 3 with no specific public attribution; KEV-fallback,2022-03-03,2022,False,False
CVE-2022-20700,Cisco,Small Business RV Series Routers,2022-02-10,2022-03-03,2022-03-03,21,21,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20700,Cisco Small Business RV Series privilege escalation companion; same Feb 2 2022 advisory cluster; CISA KEV-added Mar 3 with no specific public exploitation attribution distinct from cluster; KEV-fallback,2022-03-03,2022,False,False
CVE-2022-20699,Cisco,Small Business RV Series Routers,2022-02-10,2022-03-03,2022-03-03,21,21,medium,,https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-KA9PK6D,Cisco Small Business RV Series Routers SSL VPN buffer overflow RCE; Cisco PSIRT advisory Feb 2 2022; Pwn2Own Austin 2021 PoC; CISA KEV-added Mar 3 citing active exploitation though no specific campaign attribution,2022-03-03,2022,False,False
CVE-2021-41379,Microsoft,Windows,2021-11-10,2021-11-22,2021-11-22,12,12,high,,https://www.bleepingcomputer.com/news/security/researcher-drops-new-windows-zero-day-after-microsoft-failed-patch/,"Windows Installer EoP zero-day; Abdelhamid Naceri published bypass PoC on GitHub Nov 22 2021; ""InstallerFileTakeOver"" weaponized publicly; ransomware actors adopted within weeks",2022-03-03,2021,False,False
CVE-2020-1938,Apache,Tomcat,2020-02-24,2020-02-25,2020-02-25,1,1,high,,https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487,Apache Tomcat AJP file inclusion 'Ghostcat'; CNVD published advisory Feb 20 2020; multiple PoC exploits released Feb 24-25 2020; Tenable documented active exploitation; Trend Micro analysis March 2020,2022-03-03,2020,False,False
CVE-2020-11899,Treck TCP/IP stack,IPv6,2020-06-17,2020-06-16,2020-06-16,0,-1,high,,https://www.jsof-tech.com/disclosures/ripple20/,Treck TCP/IP stack OOB read 'Ripple20'; JSOF disclosed June 16 2020; impacts billions of IoT devices,2022-03-03,2020,True,True
CVE-2019-16928,Exim,Exim Internet Mailer,2019-09-27,2022-03-03,2022-03-03,888,888,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16928,Exim heap-based buffer overflow via long EHLO; CVE assigned Sep 27 2019; PoC available; Trend Micro detailed exploit Oct 10 2019; CISA KEV add as KEV catalog only documented evidence,2022-03-03,2019,False,False
CVE-2019-1652,Cisco,Small Business RV320 and RV325 Dual Gigabit WAN,2019-01-24,2019-01-23,2019-01-23,0,-1,high,,https://blog.talosintelligence.com/cisco-coverage-for-cisco-rv320-and-rv325/,Cisco RV320/RV325 router command injection; exploited via Botenago and Mirai variants from January 2019,2022-03-03,2019,True,True
CVE-2019-1297,Microsoft,Excel,2019-09-11,2019-09-10,2019-09-10,0,-1,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1297,Microsoft Excel RCE; KEV-added 2022-03-03,2022-03-03,2019,True,True
CVE-2018-8581,Microsoft,Exchange Server,2018-11-14,2018-11-13,2019-01-29,0,-1,medium,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2018-8581,Microsoft Exchange NTLM relay privilege escalation; Microsoft MSRC noted exploit detected at disclosure Nov 13 2018; SANS ISC and CERT-EU confirmed public exploitation by Jan 29 2019,2022-03-03,2018,True,True
CVE-2018-8298,ChakraCore,ChakraCore scripting engine,2018-07-11,2022-03-03,2022-03-03,1331,1331,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8298,IE memory corruption RCE; no specific contemporary threat-intel report documenting in-wild exploitation found; CISA KEV listing is only documented evidence,2022-03-03,2018,False,False
CVE-2018-0180,Cisco,IOS Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-slogin.html,Cisco IOS Login Block DoS - sibling; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0179,Cisco,IOS Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-slogin.html,Cisco IOS Login Block DoS; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0175,Cisco,"IOS, XR, and XE Software",2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-lldp.html,Cisco IOS LLDP buffer overflow (sibling of CVE-2018-0167); Cisco PSIRT advisory states March 2022 awareness of attempted exploitation,2022-03-03,2018,False,False
CVE-2018-0174,Cisco,IOS XE Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-lldp.html,Cisco IOS LLDP buffer overflow (sibling of CVE-2018-0167); Cisco PSIRT advisory states March 2022 awareness of attempted exploitation,2022-03-03,2018,False,False
CVE-2018-0173,Cisco,IOS and IOS XE Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-lldp.html,Cisco IOS LLDP buffer overflow (sibling of CVE-2018-0167); Cisco PSIRT advisory states March 2022 awareness of attempted exploitation,2022-03-03,2018,False,False
CVE-2018-0172,Cisco,IOS and IOS XE Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-bfd.html,Cisco IOS BFD DoS; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0167,Cisco,"IOS, XR, and XE Software",2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-lldp.html,Cisco IOS LLDP buffer overflow; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0161,Cisco,IOS Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-dhcpr3.html,Cisco IOS DHCPv4 relay DoS; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0159,Cisco,IOS Software and Cisco IOS XE Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-ike-dos.html,Cisco IOS IKEv1 DoS; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0158,Cisco,IOS Software and Cisco IOS XE Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-ike.html,Cisco IOS IKEv2 memory leak; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0156,Cisco,IOS Software and Cisco IOS XE Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-smi.html,Cisco IOS Smart Install DoS; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0155,Cisco,Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-dos.html,Cisco IOS DoS bundle - sibling of 0154; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0154,Cisco,IOS Software,2018-03-28,2022-03-01,2022-03-03,1434,1434,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-dos.html,Cisco IOS ISM-VPN crypto engine DoS; Cisco PSIRT advisory states they became aware of attempted exploitation in March 2022,2022-03-03,2018,False,False
CVE-2018-0151,Cisco,IOS and IOS XE Software,2018-03-28,2022-03-03,2022-03-03,1436,1436,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0151,Cisco IOS QoS RCE; Cisco PSIRT advisory explicitly states they are not aware of any public announcements or malicious use; only CISA KEV catalog confirms exploitation,2022-03-03,2018,False,False
CVE-2022-24682,Synacor,Zimbra Collaborate Suite (ZCS),2022-02-09,2021-12-14,2022-02-03,0,-57,high,,https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/,Zimbra Calendar XSS zero-day; Volexity disclosed Feb 3 2022 attributing TEMP_Heretic Chinese APT exploitation since Dec 14 2021 (~7 weeks pre-disclosure) targeting European government and media,2022-02-25,2022,True,True
CVE-2022-23134,Zabbix,Frontend,2022-01-13,2022-02-22,2022-02-22,40,40,medium,,https://support.zabbix.com/browse/ZBX-20351,Zabbix Frontend setup file insufficient access control; Zabbix advisory Jan 13 2022; CISA KEV-added Feb 22 alongside CVE-2022-23131 citing active exploitation,2022-02-22,2022,False,False
CVE-2022-23131,Zabbix,Frontend,2022-01-13,2022-02-22,2022-02-22,40,40,medium,,https://support.zabbix.com/browse/ZBX-20350,Zabbix Frontend SAML SSO authentication bypass; Zabbix advisory Jan 13 2022; Specto Labs published technical writeup; CISA KEV-added Feb 22 2022 citing active exploitation though no specific named threat group attribution,2022-02-22,2022,False,False
CVE-2022-24086,Adobe,Commerce and Magento Open Source,2022-02-16,2022-01-25,2022-02-13,0,-22,high,,https://sansec.io/research/magento-2-cve-2022-24086,Adobe Commerce/Magento Open Source improper input validation; Adobe emergency APSB22-12 Feb 13 2022 acknowledged limited targeted exploitation; Sansec observed mass exploitation by Feb 21 with TrojanOrders skimmer campaigns through 2022,2022-02-15,2022,True,True
CVE-2022-0609,Google,Chromium Animation,2022-04-04,2022-01-04,2022-02-14,0,-90,high,,https://blog.google/threat-analysis-group/countering-threats-north-korea/,Chrome Animation use-after-free zero-day; Google TAG (Adam Weidemann) attributed to North Korean DPRK groups (Lazarus AppleJeus campaign + Operation Dream Job/Operation AppleJeus) exploiting from Jan 4 2022 via fake job postings and compromised crypto sites,2022-02-15,2022,True,True
CVE-2019-0752,Microsoft,Internet Explorer,2019-04-09,2019-04-09,2019-04-09,0,0,low,,https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0752,Internet Explorer scripting engine RCE; KEV-added 2022-02-15; no specific attribution,2022-02-15,2019,True,False
CVE-2018-8174,Microsoft,Windows,2018-05-09,2018-04-18,2018-05-08,0,-21,high,,https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/,Microsoft VBScript Engine RCE (Double Kill); Qihoo 360 Core Security detected APT-C-06 group exploitation April 18 2018; patched May 8 2018,2022-02-15,2018,True,True
CVE-2018-20250,RARLAB,WinRAR,2019-02-05,2019-02-22,2019-02-25,17,17,high,,https://www.bleepingcomputer.com/news/security/jneca-ransomware-spread-by-winrar-ace-exploit/,WinRAR ACE absolute path traversal RCE; 360 Threat Intelligence Center observed first in-wild malspam exploitation Feb 25 2019 (5 days after Check Point disclosure Feb 20); JNEC.a ransomware delivered via WinRAR exploit Mar 18 2019,2022-02-15,2018,False,False
CVE-2018-15982,Adobe,Flash Player,2019-01-18,2018-11-29,2018-12-05,0,-50,high,,https://securityaffairs.com/78712/hacking/cve-2018-15982-flash-zero-day.html,Adobe Flash use-after-free zero-day; Operation Poison Needle - targeted attack on Russian FSBI Polyclinic #2 with Hacking Team Scout RAT variant; Gigamon/Qihoo 360 reported Nov 29 2018 - patched Dec 5,2022-02-15,2018,True,True
CVE-2022-22620,Apple,"iOS, iPadOS, and macOS",2022-03-18,2022-02-10,2022-02-10,0,-36,high,,https://support.apple.com/en-us/HT213093,Apple WebKit use-after-free zero-day; iOS 15.3.1 emergency update Feb 10 2022 with Apple ITW acknowledgement; reported anonymously; Project Zero later detailed in Feb 2022 RCA,2022-02-11,2022,True,True
CVE-2021-36934,Microsoft,Windows,2021-07-22,2021-07-19,2021-07-20,0,-3,high,,https://www.kb.cert.org/vuls/id/506989,Windows SAM/SYSTEM hive ACL HiveNightmare/SeriousSAM; Jonas Lyk reported July 19 2021; Microsoft advisory July 20; widespread PoC use for credential dumping requires VSC snapshot,2022-02-10,2021,True,True
CVE-2020-0796,Microsoft,SMBv3,2020-03-12,2020-06-05,2020-06-05,85,85,high,,https://www.securityweek.com/smbghost-attacks-spotted-following-release-code-execution-poc/,SMBv3 buffer overflow SMBGhost; Microsoft out-of-band patch Mar 12 2020; CISA published alert about active exploitation June 5 2020 after working RCE PoC by Chompie was released; later observed in ransomware,2022-02-10,2020,False,False
CVE-2018-1000861,Jenkins,Jenkins Stapler Web Framework,2018-12-10,2019-03-01,2019-05-07,81,81,high,,https://isc.sans.edu/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916,Jenkins Stapler RCE; PoC released early March 2019; SANS handler Renato Marinho observed honeypot attack delivering Kerberods cryptominer; Watchbog campaign May 12 2019,2022-02-10,2018,False,False
CVE-2022-21882,Microsoft,Win32k,2022-01-11,2022-01-11,2022-01-11,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882,"Windows Win32k EoP zero-day; January 2022 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; patch bypass of CVE-2021-1732 (BITTER APT); widely abused by malware loaders",2022-02-04,2022,True,False
CVE-2022-22587,Apple,iOS and macOS,2022-03-18,2022-01-26,2022-01-26,0,-51,high,,https://support.apple.com/en-us/HT213053,Apple IOMobileFrameBuffer kernel memory corruption zero-day; iOS 15.3 emergency update Jan 26 2022 with Apple ITW acknowledgement; reported anonymously and by Meysam Firouzi/Siddharth Aeri,2022-01-28,2022,True,True
CVE-2021-20038,SonicWall,SMA 100 Appliances,2021-12-08,2021-12-07,2021-12-08,0,-1,high,,https://www.rapid7.com/blog/post/2021/12/08/cve-2021-20038-44-sonicwall-sma-100-multiple-vulnerabilities/,SonicWall SMA 100 series stack-based buffer overflow pre-auth RCE; Rapid7 disclosure Dec 7 2021; SonicWall advisory SNWLID-2021-0019 Dec 8; observed in targeted attacks shortly after disclosure,2022-01-28,2021,True,True
CVE-2020-5722,Grandstream,UCM6200,2020-03-23,2020-06-29,2020-06-29,98,98,medium,,https://www.tenable.com/security/research/tra-2020-25,Grandstream UCM6200 SQL injection; KEV-added 2022-01-28,2022-01-28,2020,False,False
CVE-2020-0787,Microsoft,Windows,2020-03-12,2022-01-28,2022-01-28,687,687,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0787,Windows BITS arbitrary file move LPE via symbolic link abuse; Microsoft Mar 10 2020 patch; PoC by itm4n + Metasploit module available; CISA KEV catalog the documented evidence of exploitation; no specific contemporary threat-intel report with date attribution found,2022-01-28,2020,False,False
CVE-2021-35247,SolarWinds,Serv-U,2022-01-07,2022-01-21,2022-01-21,14,14,medium,,https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_hotfix_2_release_notes.htm,SolarWinds Serv-U LDAP improper input validation; SolarWinds disclosed Jan 7 2022; CISA KEV added Jan 21 2022; observed in attempts to exploit Log4j on Serv-U LDAP,2022-01-21,2021,False,False
CVE-2018-8453,Microsoft,Win32k,2018-10-10,2018-08-17,2018-10-10,0,-54,high,,https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/,Windows Win32k privilege escalation zero-day; Kaspersky detected exploitation August 17 2018; attributed to FruityArmor APT targeting Middle East; later included in Sodinokibi/REvil ransomware,2022-01-21,2018,True,True
CVE-2021-40870,Aviatrix,Aviatrix Controller,2021-09-13,2021-09-17,2021-09-17,4,4,high,,https://docs.aviatrix.com/HowTos/security-bulletin-CVE-2021-40870.html,Aviatrix Controller path traversal RCE; Aviatrix advisory Sep 13 2021; Greynoise observed mass scanning and exploitation Sep 17 onwards,2022-01-18,2021,False,False
CVE-2021-33766,Microsoft,Exchange Server,2021-07-14,2021-08-08,2021-08-27,25,25,medium,,https://www.thezdi.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server,Exchange ProxyToken authentication bypass; Le Xuan Tuyen (VNPT-ISC) via ZDI ZDI-21-846 published Aug 30 2021; PoCs and scanning following ProxyShell wave in Aug 2021,2022-01-18,2021,False,False
CVE-2021-32648,October CMS,October CMS,2021-08-26,2021-08-26,2021-08-26,0,0,medium,,https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc8r-cf3g,October CMS account takeover via password reset token leak in admin login form; October CMS GHSA-mxr5-mc8r-cf3g Aug 26 2021; CISA KEV-added Nov 3 2021 initial bulk catalog,2022-01-18,2021,True,False
CVE-2021-25298,Nagios,Nagios XI,2021-02-15,2021-11-03,2021-11-03,261,261,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25298,Nagios XI command injection companion to CVE-2021-25296; CISA KEV-added Nov 3 2021 initial bulk catalog; KEV-fallback,2022-01-18,2021,False,False
CVE-2021-25297,Nagios,Nagios XI,2021-02-15,2021-11-03,2021-11-03,261,261,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25297,Nagios XI command injection companion to CVE-2021-25296; CISA KEV-added Nov 3 2021 initial bulk catalog; KEV-fallback,2022-01-18,2021,False,False
CVE-2021-25296,Nagios,Nagios XI,2021-02-15,2021-11-03,2021-11-03,261,261,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25296,Nagios XI command injection RCE via host search; SkyLined published PoC March 2021; CISA KEV-added Nov 3 2021 initial bulk catalog with no specific public exploitation campaign attribution; KEV-fallback,2022-01-18,2021,False,False
CVE-2021-22991,F5,BIG-IP Traffic Management Microkernel,2021-03-31,2021-03-10,2021-03-10,0,-21,medium,,https://support.f5.com/csp/article/K56715231,F5 BIG-IP Traffic Management Microkernel (TMM) buffer overflow; F5 advisory K56715231 Mar 10 2021; companion to CVE-2021-22986; PoCs and exploitation attempts observed shortly after disclosure,2022-01-18,2021,True,True
CVE-2021-21975,VMware,vRealize Operations Manager API,2021-03-31,2021-04-01,2021-04-01,1,1,medium,,https://www.vmware.com/security/advisories/VMSA-2021-0004.html,VMware vRealize Operations Manager API SSRF; VMSA-2021-0004 Mar 30 2021; PoCs publicly available within days; chained with CVE-2021-21983 for RCE; CISA KEV-added Nov 3 2021,2022-01-18,2021,False,False
CVE-2021-21315,Npm package,System Information Library for Node.JS,2021-02-16,2021-02-22,2021-02-22,6,6,medium,,https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-2x67-r3h2-8gj2,Node.js systeminformation library v5.3.0 command injection via getServiceCheckByOptions; Sebhildebrandt advisory Feb 16 2021; PoCs immediate; CISA KEV-added Nov 3 2021,2022-01-18,2021,False,False
CVE-2020-14864,Oracle,Intelligence Enterprise Edition,2020-10-21,2022-01-18,2022-01-18,454,454,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-14864,Oracle Solaris Common Desktop Environment unspecified vulnerability; Oracle CPU Oct 2020; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found (distinct from CVE-2020-14871 which was UNC1945/EVILSUN),2022-01-18,2020,False,False
CVE-2020-13927,Apache,Airflow's Experimental API,2020-11-10,2022-01-18,2022-01-18,434,434,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13927,Apache Airflow Experimental API unauthenticated access (default config); chained with CVE-2020-11978 for unauthenticated RCE; PoC published Jun 2021; CISA KEV add Jan 18 2022; no specific contemporary threat-intel report with exploitation date attribution found,2022-01-18,2020,False,False
CVE-2020-13671,Drupal,Drupal core,2020-11-20,2022-01-18,2022-01-18,424,424,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671,Drupal core unrestricted file upload due to improper filename sanitization; Drupal SA-CORE-2020-012 Nov 18 2020; CISA KEV add 2022-01-18; no specific contemporary threat-intel report with date attribution found,2022-01-18,2020,False,False
CVE-2020-11978,Apache,Airflow,2020-07-16,2022-01-18,2022-01-18,551,551,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11978,Apache Airflow command injection in example_trigger_target_dag; disclosed Jul 13 2020; PoC published Jun 2021 by Pepe Berba (chains with CVE-2020-13927 for unauthenticated RCE); CISA KEV add Jan 18 2022; no specific contemporary threat-intel report with exploitation date attribution found,2022-01-18,2020,False,False
CVE-2021-36260,Hikvision,Security cameras web server,2021-09-22,2021-10-12,2021-10-12,20,20,high,,https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-hikvision-vulnerability,Hikvision web server command injection in Hikvision IP camera firmware; reported by Watchful_IP; Hikvision advisory Sep 19 2021; CISA KEV added Jan 10 2022; mass exploitation by Moobot/Mirai variants from October 2021,2022-01-10,2021,False,False
CVE-2021-27860,FatPipe,"WARP, IPVPN, and MPVPN software",2021-12-08,2021-05-01,2021-11-17,0,-221,high,,https://www.ic3.gov/Media/News/2021/211117.pdf,FatPipe WARP/IPVPN/MPVPN unrestricted file upload; FBI FLASH alert MU-000154-MW Nov 17 2021 reported APT exploitation since at least May 2021 (~6 months pre-disclosure) to deploy webshells for persistence,2022-01-10,2021,True,True
CVE-2021-22017,VMware,vCenter Server,2021-09-23,2021-09-23,2021-09-23,0,0,medium,,https://www.vmware.com/security/advisories/VMSA-2021-0020.html,VMware vCenter Server rhttpproxy reverse-proxy bypass; VMSA-2021-0020 Sep 21 2021; included in the broader VMware vCenter bug cluster mass-exploited Sep 2021; CISA KEV-added Nov 3 2021,2022-01-10,2021,True,False
CVE-2020-6572,Google,Chrome Media,2021-01-14,2020-03-23,2020-03-23,0,-297,low,,https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop.html,Chrome Media UAF; KEV-added 2022-01-10,2022-01-10,2020,True,True
CVE-2019-9670,Synacor,Zimbra Collaboration Suite (ZCS),2019-05-29,2023-06-01,2023-09-18,1464,1464,high,,https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html,Zimbra mailboxd autodiscover XXE; exploited by China-linked Earth Lusca alongside CVE-2019-9621 for web shells and Cobalt Strike; Trend Micro Sep 18 2023; earlier (Mar 2019) included PoC publishing and some cryptominer exploitation reports,2022-01-10,2019,False,False
CVE-2019-7609,Elastic,Kibana,2019-03-25,2019-03-25,2019-03-25,0,0,high,,https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077,Kibana Timelion RCE; exploited for cryptocurrency mining shortly after disclosure; CISA added in 2022 batch,2022-01-10,2019,True,False
CVE-2019-2725,Oracle,WebLogic Server,2019-04-26,2019-04-26,2019-04-26,0,0,high,,https://www.oracle.com/security-alerts/alert-cve-2019-2725.html,Oracle WebLogic Server RCE (XMLDecoder); widely exploited for cryptomining (Sodinokibi/REvil ransomware) within days of disclosure,2022-01-10,2019,True,False
CVE-2019-1579,Palo Alto Networks,PAN-OS,2019-07-19,2019-07-17,2019-07-17,0,-2,high,,https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study/,Palo Alto Networks PAN-OS SSL VPN RCE; Devcore disclosed at Black Hat; widely exploited as initial access vector,2022-01-10,2019,True,True
CVE-2019-1458,Microsoft,Win32k,2019-12-10,2019-12-10,2019-12-10,0,0,high,,https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/,Windows Win32k EoP; reported by Kaspersky as exploited by Operation WizardOpium,2022-01-10,2019,True,False
CVE-2019-10149,Exim,Mail Transfer Agent (MTA),2019-06-05,2019-06-09,2019-06-09,4,4,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-073a,Exim MTA RCE 'Return of the WIZard'; CISA AA20-073A documented active exploitation by Russian Sandworm APT; widely scanned,2022-01-10,2019,False,False
CVE-2018-13383,Fortinet,FortiOS and FortiProxy,2019-05-29,2022-01-10,2022-01-10,957,957,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13383,Fortinet FortiOS SSL VPN heap buffer overflow (DEVCORE/Orange Tsai research); KEV-added 2022-01-10; no specific contemporary attribution found,2022-01-10,2018,False,False
CVE-2018-13382,Fortinet,FortiOS and FortiProxy,2019-06-04,2022-01-10,2022-01-10,951,951,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13382,Fortinet FortiOS SSL VPN improper authorization (DEVCORE/Orange Tsai research); KEV-added 2022-01-10; no specific contemporary attribution found documenting exploitation,2022-01-10,2018,False,False
CVE-2021-43890,Microsoft,Windows,2021-12-15,2021-11-15,2021-12-15,0,-30,high,,https://www.bleepingcomputer.com/news/security/emotet-now-spreading-via-malicious-windows-app-installer-packages/,Windows AppX Installer spoofing; Emotet operators began exploitation Nov 15 2021 distributing Emotet/TrickBot via malicious .appinstaller files; Microsoft December 2021 Patch Tuesday,2021-12-15,2021,True,True
CVE-2021-4102,Google,Chromium V8,2022-02-11,2021-12-13,2021-12-13,0,-60,high,,https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html,Chromium V8 use-after-free zero-day; Google Stable Channel update Dec 13 2021 acknowledged ITW exploitation; reported anonymously,2021-12-15,2021,True,True
CVE-2021-44515,Zoho,Desktop Central,2021-12-12,2021-12-03,2021-12-03,0,-9,high,,https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html,"Zoho ManageEngine Desktop Central auth bypass zero-day; Zoho disclosed Dec 3 2021 with acknowledgement that ""indicators of exploit"" had been observed; targeted APT exploitation followed FBI/CISA advisory",2021-12-10,2021,True,True
CVE-2021-44228,Apache,Log4j2,2021-12-10,2021-12-01,2021-12-09,0,-9,high,,https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/,Apache Log4j2 JNDI Log4Shell pre-auth RCE zero-day; Cloudflare logs show exploitation attempts began Dec 1 2021 (~9 days pre-disclosure); Chen Zhaojun Alibaba reported to Apache Nov 24; public disclosure Dec 9; mass exploitation within hours by Mirai/Muhstik/Kinsing cryptominers and state-backed APT groups including HAFNIUM/PHOSPHORUS,2021-12-10,2021,True,True
CVE-2021-44168,Fortinet,FortiOS,2022-01-04,2021-12-09,2022-01-04,0,-26,medium,,https://www.fortiguard.com/psirt/FG-IR-21-200,Fortinet FortiOS execute restore src-vis command arbitrary file download (CWE-494); Fortinet PSIRT FG-IR-21-201 Dec 7 2021; Bishop Fox later disclosed Dec 2022 they had been investigating compromised FortiGate firewall where this CVE was used as local root,2021-12-10,2021,True,True
CVE-2021-35394,Realtek,Jungle Software Development Kit (SDK),2021-08-16,2021-08-18,2021-08-18,2,2,high,,https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/,Realtek Jungle SDK UDPServer command injection; IoT Inspector disclosed Aug 16 2021; Mirai variant exploitation began Aug 18 within 48 hours per SAM Seamless Network telemetry; affected ~65 vendors with millions of devices,2021-12-10,2021,False,False
CVE-2020-8816,Pi-hole,AdminLTE,2020-05-29,2021-12-10,2021-12-10,560,560,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8816,Pi-hole Web AdminLTE authenticated RCE via DHCP static lease MAC address command injection; disclosed Feb 10 2020 by François Renaud-Philippon; public PoC March 28 2020; Metasploit module available; CISA KEV add 2021-12-10; no specific contemporary threat-intel report with date attribution found,2021-12-10,2020,False,False
CVE-2020-17463,Fuel CMS,Fuel CMS,2020-08-13,2021-12-10,2021-12-10,484,484,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17463,FUEL CMS 1.4.7 SQL injection via col parameter; published Aug 13 2020 with public PoC on exploit-db; FortiGuard signature for exploitation attempts; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2021-12-10,2020,False,False
CVE-2019-7238,Sonatype,Nexus Repository Manager,2019-03-21,2019-02-22,2019-02-22,0,-27,high,,https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-2-and-3-Missing-Access-Controls-and-Remote-Code-Execution-2019-02-05,Sonatype Nexus Repository Manager RCE; widely exploited for cryptomining shortly after disclosure,2021-12-10,2019,True,True
CVE-2019-13272,Linux,Kernel,2019-07-17,2021-12-10,2021-12-10,877,877,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-13272,"Linux kernel PTRACE_TRACEME local privilege escalation (Jann Horn, Project Zero, July 2019); multiple public Metasploit modules and PoCs available; CISA KEV catalog the only contemporary documented evidence of in-the-wild exploitation",2021-12-10,2019,False,False
CVE-2019-10758,MongoDB,mongo-express,2019-12-24,2020-12-01,2021-12-10,343,343,high,,https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence,mongo-express toBSON RCE; Juniper Threat Labs and other research identified Sysrv cryptominer botnet exploiting this alongside CVE-2019-0193; CISA KEV add Dec 10 2021,2021-12-10,2019,False,False
CVE-2019-0193,Apache,Solr,2019-08-01,2020-12-01,2021-12-10,488,488,high,,https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence,Apache Solr DataImportHandler RCE; Juniper Threat Labs documented Sysrv cryptominer botnet exploiting CVE-2019-0193; CISA KEV add Dec 10 2021,2021-12-10,2019,False,False
CVE-2021-44077,Zoho,ManageEngine ServiceDesk Plus (SDP) / SupportCenter,2021-11-29,2021-11-22,2021-11-29,0,-7,high,,https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/,Zoho ManageEngine ServiceDesk Plus pre-auth RCE zero-day; Palo Alto Unit42 TiltedTemple campaign (suspected APT27/Emissary Panda) exploitation from Nov 22 2021 (a week pre-disclosure); Zoho patched Nov 29,2021-12-01,2021,True,True
CVE-2021-40438,Apache,Apache,2021-09-16,2021-10-09,2021-10-09,23,23,high,,https://blog.talosintelligence.com/apache-vulnerabilities-cve-2021-40438/,Apache HTTP Server 2.4.48 mod_proxy SSRF; Apache advisory Sep 16 2021; multiple PoCs and Cisco Talos observed mass exploitation in October; CISA KEV-added Dec 2021,2021-12-01,2021,False,False
CVE-2021-37415,Zoho,ManageEngine ServiceDesk Plus (SDP),2021-09-01,2021-12-01,2021-12-01,91,91,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-37415,Zoho ManageEngine ServiceDesk Plus REST API auth bypass; Zoho patched Sep 1 2021; CISA KEV added Dec 1 2021 with no specific public exploitation attribution; KEV-fallback,2021-12-01,2021,False,False
CVE-2020-11261,Qualcomm,"Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables",2021-06-09,2021-01-01,2021-03-18,0,-159,high,,https://www.securityweek.com/recently-patched-android-vulnerability-exploited-attacks/,"Qualcomm Snapdragon GPU/Graphics improper input validation; reported by Google Android Security to Qualcomm Jul 20 2020; patched Jan 2021; Google updated Android bulletin Mar 18 2021 to confirm 'limited, targeted exploitation' (note by Ben Hawkes of Project Zero)",2021-12-01,2020,True,True
CVE-2018-14847,MikroTik,RouterOS,2018-08-02,2018-09-04,2018-09-04,33,33,high,,https://www.tenable.com/blog/mikrotik-routeros-vulnerabilities-there-s-more-to-cve-2018-14847,"MikroTik RouterOS WinBox directory traversal; Talos found VPNFilter malware using this exploit; 360Netlab reported 7,500+ MikroTik routers compromised September 2018",2021-12-01,2018,False,False
CVE-2021-42321,Microsoft,Exchange,2021-11-10,2021-11-09,2021-11-09,0,-1,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321,"Exchange Server RCE post-auth deserialization zero-day; November 2021 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected"" in limited targeted attacks; Pwn2Own 2021 demonstration also",2021-11-17,2021,True,True
CVE-2021-42292,Microsoft,Office,2021-11-10,2021-11-09,2021-11-09,0,-1,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292,"Microsoft Excel security feature bypass zero-day; November 2021 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected"" in limited targeted attacks",2021-11-17,2021,True,True
CVE-2021-40449,Microsoft,Windows,2021-10-13,2021-08-01,2021-10-12,0,-73,high,,https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/,"Windows Win32k UAF EoP zero-day; Kaspersky reported MysterySnail RAT exploitation from Aug 2021 targeting IT companies, military/defense contractors, diplomatic entities; October 2021 Patch Tuesday; patch bypass of CVE-2016-3309",2021-11-17,2021,True,True
CVE-2021-22204,Perl,Exiftool,2021-04-23,2021-06-01,2021-06-01,39,39,high,,https://hackerone.com/reports/1154542,Perl ExifTool DjVu ann_chunk shell injection via image upload; HackerOne report 1154542 by William Bowling Apr 23 2021; chained with GitLab CVE-2021-22205 (June 2021 mass exploitation); standalone exploitation also observed,2021-11-17,2021,False,False
CVE-2021-42258,BQE,BillQuick Web Suite,2021-10-22,2021-05-01,2021-10-21,0,-174,high,,https://www.huntress.com/blog/hackers-compromise-bqe-billquick-to-deploy-ransomware,BQE BillQuick Web Suite SQL injection pre-auth RCE; Huntress disclosed Oct 21 2021 after observing Microsoft IIS server compromises since May 2021 leading to ransomware deployment,2021-11-03,2021,True,True
CVE-2021-42013,Apache,HTTP Server,2021-10-07,2021-10-07,2021-10-07,0,0,high,,https://blog.talosintelligence.com/apache-2-4-49-and-2-4-50-vulnerabilities/,Apache HTTP Server 2.4.50 path traversal incomplete fix for CVE-2021-41773; published Oct 7 2021; PoCs and mass exploitation same day; widely scanned with Mirai variant adoption,2021-11-03,2021,True,False
CVE-2021-41773,Apache,HTTP Server,2021-10-05,2021-10-05,2021-10-05,0,0,high,,https://blog.talosintelligence.com/apache-2-4-49-and-2-4-50-vulnerabilities/,Apache HTTP Server 2.4.49 path traversal pre-auth zero-day; Ash Daulton via Apache security mailing list Oct 5 2021; PoCs and mass scanning within hours; Cisco Talos observed exploitation same-day,2021-11-03,2021,True,False
CVE-2021-40539,Zoho,ManageEngine,2021-09-07,2021-08-04,2021-09-06,0,-34,high,,https://unit42.paloaltonetworks.com/threat-assessment-godzilla-webshells/,Zoho ManageEngine ADSelfService Plus auth bypass RCE zero-day; CISA/FBI/CGCYBER joint advisory AA21-259A; Palo Alto Unit42 observed targeted exploitation from Aug 4 2021 by APT group (TiltedTemple); Zoho patched Sept 6 2021,2021-11-03,2021,True,True
CVE-2021-40444,Microsoft,MSHTML,2021-09-15,2021-08-21,2021-09-07,0,-25,high,,https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/,"Microsoft MSHTML ActiveX RCE zero-day; Microsoft Sept 7 2021 advisory noting targeted attacks observed since Aug 21 2021 against Office users via malicious docs; reported by EXPMON, Mandiant, Microsoft; later abused by ransomware including Conti",2021-11-03,2021,True,True
CVE-2021-38649,Microsoft,Open Management Infrastructure (OMI),2021-09-15,2021-09-16,2021-09-16,1,1,medium,,https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution,Microsoft OMI privilege escalation OMIGOD; Wiz disclosure Sep 14 2021; companion LPE in OMIGOD cluster,2021-11-03,2021,False,False
CVE-2021-38648,Microsoft,Open Management Infrastructure (OMI),2021-09-15,2021-09-16,2021-09-16,1,1,medium,,https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution,Microsoft OMI privilege escalation OMIGOD; Wiz disclosure Sep 14 2021; companion LPE to CVE-2021-38647 RCE,2021-11-03,2021,False,False
CVE-2021-38647,Microsoft,Open Management Infrastructure (OMI),2021-09-15,2021-09-16,2021-09-16,1,1,high,,https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution,Microsoft OMI RCE OMIGOD zero-day; Wiz disclosed Sep 14 2021; Mirai botnet variant began exploitation within 24-48 hours; affects Azure Linux VMs with OMI agent,2021-11-03,2021,False,False
CVE-2021-38645,Microsoft,Open Management Infrastructure (OMI),2021-09-15,2021-09-16,2021-09-16,1,1,medium,,https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution,Microsoft OMI EoP OMIGOD; Wiz disclosure Sep 14 2021; companion LPE in OMIGOD cluster,2021-11-03,2021,False,False
CVE-2021-38003,Google,Chromium V8,2021-11-23,2021-10-01,2022-05-19,0,-53,high,,https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/,Chromium V8 zero-day; chained with CVE-2021-1048 (Android Pixel kernel) in Cytrox Campaign #3 (Oct 2021) full Android exploit chain to deploy Predator spyware on up-to-date Samsung phone running latest Chrome; Google TAG attribution May 19 2022,2021-11-03,2021,True,True
CVE-2021-38000,Google,Chromium Intents,2021-11-23,2021-08-01,2022-05-19,0,-114,high,,https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/,Chromium Intents validation zero-day; Cytrox Campaign #1 (Aug 2021) targeted Samsung Galaxy S21 forcing Chrome to load attacker URL in Samsung Internet without user interaction to deploy Predator spyware; Google TAG attribution May 19 2022,2021-11-03,2021,True,True
CVE-2021-37976,Google,Chromium,2021-10-08,2021-09-01,2022-05-19,0,-37,high,,https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/,Chromium Core info leak zero-day; chained with CVE-2021-37973 in Cytrox Campaign #2 (Sept 2021) for Chrome sandbox escape on Samsung Galaxy S10 to deploy Predator spyware; Google TAG attribution May 19 2022,2021-11-03,2021,True,True
CVE-2021-37975,Google,Chromium V8,2021-10-08,2021-09-30,2021-09-30,0,-8,high,,https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html,Chromium V8 use-after-free zero-day; Google Stable Channel update Sep 30 2021 acknowledged ITW exploitation; reported by anonymous of Google TAG,2021-11-03,2021,True,True
CVE-2021-37973,Google,Chromium Portals,2021-10-08,2021-09-01,2022-05-19,0,-37,high,,https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/,Chromium Portals UAF zero-day; Google TAG attributed exploit chain to commercial surveillance vendor Cytrox; Campaign #2 (Sept 2021) targeted up-to-date Samsung Galaxy S10 with CVE-2021-37973+CVE-2021-37976 chain to escape Chrome sandbox and deploy Predator spyware,2021-11-03,2021,True,True
CVE-2021-36955,Microsoft,Windows,2021-09-15,2021-11-03,2021-11-03,49,49,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36955,Windows CLFS EoP; September 2021 Patch Tuesday; no specific public exploitation attribution; CISA KEV added Nov 3 2021 in initial bulk catalog; KEV-fallback,2021-11-03,2021,False,False
CVE-2021-36948,Microsoft,Windows,2021-08-12,2021-08-10,2021-08-10,0,-2,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948,"Windows Update Medic Service EoP zero-day; August 2021 Patch Tuesday with ""Exploitation Detected"" rating; no specific threat group publicly attributed",2021-11-03,2021,True,True
CVE-2021-36942,Microsoft,Windows,2021-08-12,2021-07-23,2021-08-10,0,-20,high,,https://www.tenable.com/blog/petitpotam-windows-domain-take-over-via-mitm-attack-cve-2021-36942,"Windows LSA EFSRPC PetitPotam NTLM relay forced auth; Lionel Gilles published PoC July 23 2021; Microsoft August 2021 Patch Tuesday; chained with AD CS for full domain takeover; subsequently abused by ransomware (LockFile, Conti)",2021-11-03,2021,True,True
CVE-2021-36742,Trend Micro,Apex One,2021-07-29,2021-09-01,2021-09-01,34,34,high,,https://success.trendmicro.com/dcx/s/solution/000287819,Trend Micro Apex One privilege escalation companion to CVE-2021-36741; Trend Micro Aug 4 2021 advisory acknowledged active exploitation attempts,2021-11-03,2021,False,False
CVE-2021-36741,Trend Micro,Apex One,2021-07-29,2021-09-01,2021-09-01,34,34,high,,https://success.trendmicro.com/dcx/s/solution/000287819,"Trend Micro Apex One unrestricted file upload; Trend Micro advisory Aug 4 2021 acknowledged ""at least one active attempt of potential exploitation against a small subset of Apex One SaaS customers""",2021-11-03,2021,False,False
CVE-2021-35464,ForgeRock,Access Management (AM),2021-07-22,2021-10-26,2021-10-26,96,96,high,,https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464,ForgeRock Access Manager (formerly Sun OpenSSO) Jato framework Java deserialization pre-auth RCE; ForgeRock advisory Jun 29 2021; Michael Stepankin published technical write-up Jul 22; mass exploitation Oct 2021 by cryptominers and ransomware,2021-11-03,2021,False,False
CVE-2021-35395,Realtek,AP-Router SDK,2021-08-16,2021-08-18,2021-08-18,2,2,high,,https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/,Realtek AP-Router HTTP server command injection; IoT Inspector advisory Aug 16 2021; companion to CVE-2021-35394; immediate Mirai botnet exploitation,2021-11-03,2021,False,False
CVE-2021-35211,SolarWinds,Serv-U,2021-07-14,2021-07-13,2021-07-14,0,-1,high,,https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/,SolarWinds Serv-U Remote Memory Escape RCE zero-day; Microsoft MSTIC attributed to DEV-0322 (China-based) targeted exploitation; SolarWinds patched Jul 14 2021; targeted defense industrial base,2021-11-03,2021,True,True
CVE-2021-34527,Microsoft,Windows,2021-07-02,2021-06-29,2021-07-01,0,-3,high,,https://www.tenable.com/blog/cve-2021-34527-microsoft-releases-out-of-band-patch-for-printnightmare,Print Spooler PrintNightmare RCE zero-day; emergency CVE assigned July 1 2021 after CVE-2021-1675 PoC leak; out-of-band patch July 6 2021; widely exploited by ransomware including Vice Society and Magniber,2021-11-03,2021,True,True
CVE-2021-34523,Microsoft,Exchange Server,2021-07-14,2021-08-05,2021-08-05,22,22,high,,https://www.tenable.com/blog/cve-2021-34473-cve-2021-34523-cve-2021-31207-proxyshell,Exchange ProxyShell EoP; chained with CVE-2021-34473/CVE-2021-31207 in ProxyShell pre-auth RCE; mass exploitation post Black Hat USA Aug 5 2021,2021-11-03,2021,False,False
CVE-2021-34473,Microsoft,Exchange Server,2021-07-14,2021-08-05,2021-08-05,22,22,high,,https://www.tenable.com/blog/cve-2021-34473-cve-2021-34523-cve-2021-31207-proxyshell,Exchange ProxyShell pre-auth SSRF; quietly patched April 2021 then publicly disclosed July 13 2021 Patch Tuesday; Orange Tsai Black Hat USA presentation Aug 5 2021 triggered mass exploitation by Conti and LockFile ransomware,2021-11-03,2021,False,False
CVE-2021-34448,Microsoft,Windows,2021-07-16,2021-07-13,2021-07-13,0,-3,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448,"Windows Scripting Engine memory corruption zero-day; July 2021 Patch Tuesday with Microsoft ""Exploitation Detected"" rating; no specific threat group publicly attributed",2021-11-03,2021,True,True
CVE-2021-33771,Microsoft,Windows,2021-07-14,2021-07-13,2021-07-13,0,-1,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771,"Windows Kernel EoP zero-day; July 2021 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; companion to CVE-2021-31979",2021-11-03,2021,True,True
CVE-2021-33742,Microsoft,Windows,2021-06-08,2021-06-08,2021-06-08,0,0,high,,https://www.tenable.com/blog/microsoft-s-june-2021-patch-tuesday-addresses-49-cves-cve-2021-33742,"Windows MSHTML RCE zero-day; June 2021 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected"" with ITW exploitation; reported by Clement Lecigne of Google TAG",2021-11-03,2021,True,False
CVE-2021-33739,Microsoft,Windows,2021-06-08,2021-06-08,2021-06-08,0,0,high,,https://www.tenable.com/blog/microsoft-s-june-2021-patch-tuesday-addresses-49-cves-cve-2021-33742,"Microsoft DWM Core Library EoP zero-day; June 2021 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; reported by DBAPPSecurity",2021-11-03,2021,True,False
CVE-2021-31979,Microsoft,Windows,2021-07-14,2021-07-13,2021-07-13,0,-1,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979,"Windows Kernel EoP zero-day; July 2021 Patch Tuesday; Microsoft acknowledged ""Exploitation Detected""; companion to CVE-2021-33771; no specific threat group attribution publicly",2021-11-03,2021,True,True
CVE-2021-31956,Microsoft,Windows,2021-06-08,2021-04-01,2021-06-08,0,-68,high,,https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/,Windows NTFS EoP zero-day; Kaspersky PuzzleMaker chain April 2021 chained with CVE-2021-31955 for Chrome sandbox escape on Windows 10; June 2021 Patch Tuesday,2021-11-03,2021,True,True
CVE-2021-31955,Microsoft,Windows,2021-06-08,2021-04-01,2021-06-08,0,-68,high,,https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/,Windows Kernel info disclosure zero-day; Kaspersky observed targeted PuzzleMaker chain April 2021 using Chrome zero-day + Windows kernel chain (CVE-2021-31955 + CVE-2021-31956); June 2021 Patch Tuesday,2021-11-03,2021,True,True
CVE-2021-31755,Tenda,AC11 Router,2021-05-07,2021-11-03,2021-11-03,180,180,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31755,Tenda AC11 stack-based buffer overflow; Tenda did not release public advisory; CISA KEV-added Nov 3 2021 initial bulk catalog with no specific public exploitation campaign attribution; KEV-fallback,2021-11-03,2021,False,False
CVE-2021-31207,Microsoft,Exchange Server,2021-05-11,2021-08-05,2021-08-05,86,86,high,,https://www.tenable.com/blog/cve-2021-34473-cve-2021-34523-cve-2021-31207-proxyshell,Exchange ProxyShell post-auth arbitrary file write; chained with CVE-2021-34473/CVE-2021-34523; mass exploitation post Orange Tsai Black Hat USA Aug 5 2021 (LockFile/Conti ransomware),2021-11-03,2021,False,False
CVE-2021-31201,Microsoft,Enhanced Cryptographic Provider,2021-06-08,2021-06-08,2021-06-08,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201,Windows Enhanced Cryptographic Provider info disclosure zero-day; June 2021 Patch Tuesday companion to CVE-2021-31199; both used to escape Adobe Reader sandbox post CVE-2021-28550,2021-11-03,2021,True,False
CVE-2021-31199,Microsoft,Enhanced Cryptographic Provider,2021-06-08,2021-06-08,2021-06-08,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199,Windows Enhanced Cryptographic Provider info disclosure zero-day; June 2021 Patch Tuesday with Microsoft ITW acknowledgement; companion to CVE-2021-31201 in Adobe Reader exploit chain (CVE-2021-28550),2021-11-03,2021,True,False
CVE-2021-30869,Apple,"iOS, iPadOS, and macOS",2021-08-24,2021-09-01,2021-09-23,8,8,high,,https://support.apple.com/en-us/HT212804,Apple XNU kernel type confusion zero-day; Google TAG reported exploitation in chain with WebKit RCE targeting macOS users via watering hole attacks; Apple Security Update 2021-006 Catalina Sept 23 2021,2021-11-03,2021,False,False
CVE-2021-30860,Apple,Multiple Products,2021-08-24,2021-02-01,2021-09-13,0,-204,high,,https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/,Apple CoreGraphics FORCEDENTRY JBIG2 integer overflow zero-click zero-day; Citizen Lab forensics found exploits on Bahraini activists from Feb 2021; NSO Group Pegasus deployment via iMessage; Apple emergency patch iOS 14.8 Sept 13 2021,2021-11-03,2021,True,True
CVE-2021-30858,Apple,"iOS, iPadOS, and macOS",2021-08-24,2021-09-01,2021-09-13,8,8,medium,,https://support.apple.com/en-us/HT212807,Apple WebKit UAF zero-day patched alongside FORCEDENTRY in iOS 14.8 emergency release; Apple acknowledged active in-wild exploitation; co-disclosed with CVE-2021-30860,2021-11-03,2021,False,False
CVE-2021-30807,Apple,Multiple Products,2021-10-19,2021-07-26,2021-07-26,0,-85,medium,,https://support.apple.com/en-us/HT212623,Apple IOMobileFrameBuffer memory corruption zero-day; iOS 14.7.1/iPadOS 14.7.1 July 26 2021 with Apple ITW acknowledgement; reported anonymously; precursor to CVE-2021-30883,2021-11-03,2021,True,True
CVE-2021-30762,Apple,iOS,2021-09-08,2021-06-14,2021-06-14,0,-86,high,,https://support.apple.com/en-us/HT212548,Apple WebKit UAF zero-day; iOS 12.5.4 emergency update June 14 2021 with Apple ITW acknowledgement; reported anonymously,2021-11-03,2021,True,True
CVE-2021-30761,Apple,iOS,2021-09-08,2021-06-14,2021-06-14,0,-86,high,,https://support.apple.com/en-us/HT212548,Apple WebKit memory corruption zero-day; iOS 12.5.4 emergency update June 14 2021 with Apple ITW acknowledgement; reported anonymously,2021-11-03,2021,True,True
CVE-2021-30713,Apple,macOS,2021-09-08,2021-05-01,2021-05-24,0,-130,high,,https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/,macOS TCC framework bypass zero-day exploited by XCSSET malware variant to take screenshots without user permission prompt; reported by Jamf; Apple patched macOS 11.4 May 24 2021,2021-11-03,2021,True,True
CVE-2021-30666,Apple,iOS,2021-09-08,2021-05-03,2021-05-03,0,-128,high,,https://support.apple.com/en-us/HT212341,Apple WebKit buffer overflow zero-day affecting older devices; iOS 12.5.3 emergency update May 3 2021 with Apple acknowledgement of ITW exploitation,2021-11-03,2021,True,True
CVE-2021-30665,Apple,Multiple Products,2021-09-08,2021-05-03,2021-05-03,0,-128,high,,https://support.apple.com/en-us/HT212336,Apple WebKit memory corruption zero-day; reported by Qihoo 360 ATA; iOS 14.5.1 emergency update May 3 2021 with Apple ITW acknowledgement,2021-11-03,2021,True,True
CVE-2021-30663,Apple,Multiple Products,2021-09-08,2021-05-03,2021-05-03,0,-128,high,,https://support.apple.com/en-us/HT212336,Apple WebKit integer overflow zero-day; iOS 14.5.1/macOS 11.3.1/Safari 14.1 emergency update May 3 2021 with Apple acknowledgement of active in-wild exploitation; reported anonymously,2021-11-03,2021,True,True
CVE-2021-30661,Apple,Multiple Products,2021-09-08,2021-05-03,2021-05-03,0,-128,high,,https://support.apple.com/en-us/HT212336,Apple WebKit use-after-free zero-day; iOS 14.5.1 May 3 2021 advisory with Apple ITW acknowledgement; reported by yangkang of 360 ATA,2021-11-03,2021,True,True
CVE-2021-30657,Apple,macOS,2021-09-08,2021-03-01,2021-04-26,0,-191,high,,https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/,macOS Gatekeeper/quarantine bypass zero-day; reported by Cedric Owens; Jamf observed Shlayer adware variant abusing the flaw in the wild months before disclosure (early 2021); Apple patched macOS 11.3 Apr 26 2021,2021-11-03,2021,True,True
CVE-2021-30633,Google,Chromium Indexed DB API,2021-10-08,2021-09-13,2021-09-13,0,-25,high,,https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_13.html,Chromium IndexedDB UAF zero-day; Google Stable Channel update Sep 13 2021 acknowledged ITW exploitation; reported anonymously,2021-11-03,2021,True,True
CVE-2021-30632,Google,Chromium V8,2021-10-08,2021-09-13,2021-09-13,0,-25,high,,https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_13.html,Chromium V8 OOB write zero-day; Google Stable Channel update Sep 13 2021 acknowledged ITW exploitation; reported anonymously,2021-11-03,2021,True,True
CVE-2021-30563,Google,Chromium V8,2021-08-03,2021-07-15,2021-07-15,0,-19,high,,https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html,Chromium V8 type confusion zero-day; Google Stable Channel update Jul 15 2021 acknowledged ITW exploitation; reported anonymously,2021-11-03,2021,True,True
CVE-2021-30554,Google,Chromium WebGL,2021-07-02,2021-06-17,2021-06-17,0,-15,high,,https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html,Chromium WebGL use-after-free zero-day; Google Stable Channel update Jun 17 2021 acknowledged ITW exploitation; reported anonymously,2021-11-03,2021,True,True
CVE-2021-30551,Google,Chromium V8,2021-06-15,2021-06-09,2021-06-09,0,-6,high,,https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_9.html,Chromium V8 type confusion zero-day; Google Stable Channel update Jun 9 2021 acknowledged ITW exploitation; reported by Sergei Glazunov of Project Zero,2021-11-03,2021,True,True
CVE-2021-30116,Kaseya,Virtual System/Server Administrator (VSA),2021-07-09,2021-07-02,2021-07-02,0,-7,high,,https://www.tenable.com/blog/cve-2021-30116-multiple-zero-day-vulnerabilities-in-kaseya-vsa-exploited-to-distribute-ransomware,Kaseya VSA credentials leak zero-day; REvil exploited Jul 2 2021 pre-patch in mass supply-chain attack against ~1500 organizations through ~60 MSPs; DIVD CSIRT had reported to Kaseya in coordinated disclosure; patch released Jul 11,2021-11-03,2021,True,True
CVE-2021-28664,Arm,Mali Graphics Processing Unit (GPU),2021-05-10,2021-05-04,2021-05-10,0,-6,high,,https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities,Arm Mali GPU kernel driver integer overflow zero-day; Arm advisory May 10 2021 acknowledged limited targeted exploitation; companion to CVE-2021-28663,2021-11-03,2021,True,True
CVE-2021-28663,Arm,Mali Graphics Processing Unit (GPU),2021-05-10,2021-05-04,2021-05-10,0,-6,high,,https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities,"Arm Mali GPU kernel driver UAF zero-day; Arm advisory May 10 2021 acknowledged ""evidence that this vulnerability may be under limited, targeted exploitation""; reported by Man Yue Mo of GitHub Security Lab",2021-11-03,2021,True,True
CVE-2021-28550,Adobe,Acrobat and Reader,2021-09-02,2021-05-11,2021-05-11,0,-114,high,,https://helpx.adobe.com/security/products/acrobat/apsb21-29.html,Adobe Acrobat/Reader use-after-free zero-day; APSB21-29 May 11 2021 acknowledged limited targeted attacks; chained with Windows CVE-2021-31199/CVE-2021-31201 for sandbox escape; reported anonymously,2021-11-03,2021,True,True
CVE-2021-28310,Microsoft,Win32k,2021-04-13,2021-04-13,2021-04-13,0,0,high,,https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/,Windows Desktop Window Manager EoP zero-day; reported by Kaspersky (Boris Larin oct0xor); exploited by BITTER APT against South Asian targets; April 2021 Patch Tuesday,2021-11-03,2021,True,False
CVE-2021-27562,Arm,Trusted Firmware,2021-05-25,2021-02-23,2021-03-15,0,-91,high,,https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/,Arm Trusted Firmware-M boundary check DoS/leak; NVD assesses Yealink Device Management exploitation uses affected Arm firmware; Palo Alto Unit 42 observed Mirai variant exploiting Yealink DM (CVE-2021-27561/27562) on Feb 23 2021 within hours of disclosure; CISA KEV-added Nov 3 2021,2021-11-03,2021,True,True
CVE-2021-27561,Yealink,Device Management,2021-10-15,2021-02-23,2021-03-15,0,-234,high,,https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/,Yealink Device Management pre-auth SSRF/RCE; Palo Alto Unit 42 observed Mirai variant exploiting within hours of Feb 23 2021 disclosure; ZHtrap botnet also picked it up; CISA KEV-added Nov 3 2021,2021-11-03,2021,True,True
CVE-2021-27104,Accellion,FTA,2021-02-16,2020-12-16,2021-02-22,0,-62,high,,https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-extortion-unc2546,Accellion FTA SQL injection zero-day; UNC2546 exploitation chain from Dec 2020; Mandiant attribution to Clop/FIN11 extortion campaign,2021-11-03,2021,True,True
CVE-2021-27103,Accellion,FTA,2021-02-16,2020-12-16,2021-02-22,0,-62,high,,https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-extortion-unc2546,Accellion FTA SSRF zero-day; UNC2546 exploitation chain from Dec 2020; Mandiant attribution to Clop/FIN11 extortion campaign,2021-11-03,2021,True,True
CVE-2021-27102,Accellion,FTA,2021-02-16,2020-12-16,2021-02-22,0,-62,high,,https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-extortion-unc2546,Accellion FTA OS command execution zero-day; UNC2546 Clop ransomware-linked exploitation chain from Dec 2020; Mandiant attribution,2021-11-03,2021,True,True
CVE-2021-27101,Accellion,FTA,2021-02-16,2020-12-16,2021-02-22,0,-62,high,,https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-extortion-unc2546,"Accellion FTA SQL injection zero-day; Mandiant attributed UNC2546 (Clop/FIN11 affiliate) exploitation from Dec 16 2020 against Accellion FTA customers; data theft and extortion targeting Shell, Singtel, Kroger, U Colorado",2021-11-03,2021,True,True
CVE-2021-27085,Microsoft,Internet Explorer,2021-03-11,2021-03-09,2021-03-09,0,-2,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27085,"Internet Explorer library RCE; March 2021 Patch Tuesday; Microsoft rated ""Exploitation More Likely"" but no specific public ITW attribution; CISA KEV added Nov 3 2021 in initial bulk catalog; KEV-fallback",2021-11-03,2021,True,True
CVE-2021-27065,Microsoft,Exchange Server,2021-03-02,2021-01-03,2021-03-02,0,-58,high,,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/,Exchange ProxyLogon post-auth arbitrary file write zero-day; HAFNIUM exploitation chain from Jan 3 2021; Microsoft emergency patch Mar 2 2021,2021-11-03,2021,True,True
CVE-2021-27059,Microsoft,Office,2021-03-11,2021-11-03,2021-11-03,237,237,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27059,"Microsoft Office RCE patched March 2021 Patch Tuesday; CISA KEV-added Nov 3 2021 in initial bulk catalog of known-exploited CVEs; no public third-party in-the-wild report, KEV-fallback",2021-11-03,2021,False,False
CVE-2021-26858,Microsoft,Exchange Server,2021-03-02,2021-01-03,2021-03-02,0,-58,high,,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/,Exchange ProxyLogon post-auth arbitrary file write zero-day; chained with CVE-2021-26855 by HAFNIUM from Jan 3 2021 to write webshells; Microsoft emergency patch Mar 2 2021,2021-11-03,2021,True,True
CVE-2021-26857,Microsoft,Exchange Server,2021-03-02,2021-01-03,2021-03-02,0,-58,high,,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/,Exchange ProxyLogon Unified Messaging insecure deserialization zero-day; chained with CVE-2021-26855 in HAFNIUM exploitation from Jan 3 2021 to drop webshells; Microsoft emergency patch Mar 2 2021,2021-11-03,2021,True,True
CVE-2021-26855,Microsoft,Exchange Server,2021-03-02,2021-01-03,2021-03-02,0,-58,high,,https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/,Exchange ProxyLogon SSRF zero-day; Volexity observed HAFNIUM (PRC state-sponsored) exploitation from Jan 3 2021 (60 days pre-disclosure); Microsoft emergency out-of-band patch Mar 2 2021; mass exploitation Feb 26 onwards,2021-11-03,2021,True,True
CVE-2021-26411,Microsoft,Internet Explorer,2021-03-11,2021-01-01,2021-03-09,0,-69,high,,https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/,Internet Explorer memory corruption zero-day; ENKI/Google TAG reported Lazarus group exploitation since January 2021 targeting security researchers via malicious MHT files; March 2021 Patch Tuesday,2021-11-03,2021,True,True
CVE-2021-26084,Atlassian,Confluence Server and Data Center,2021-08-30,2021-09-03,2021-09-03,4,4,high,,https://www.tenable.com/blog/cve-2021-26084-atlassian-confluence-ognl-injection-vulnerability-exploited-in-the-wild,"Atlassian Confluence OGNL injection pre-auth RCE; Atlassian advisory Aug 25 2021; PoC public Aug 31; mass exploitation Sept 3 onwards by cryptominers (z0Miner, Kinsing, Watchdog) and ransomware operators",2021-11-03,2021,False,False
CVE-2021-23874,McAfee,McAfee Total Protection (MTP),2021-02-10,2021-11-03,2021-11-03,266,266,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-23874,"McAfee Total Protection local privilege escalation (COM-object bypass); McAfee patched Feb 2021, researcher walkthrough May 2021; CISA KEV-added Nov 3 2021 in initial bulk catalog; no malware report, KEV-fallback",2021-11-03,2021,False,False
CVE-2021-22986,F5,BIG-IP and BIG-IQ Centralized Management,2021-03-31,2021-03-18,2021-03-18,0,-13,high,,https://research.nccgroup.com/2021/03/19/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/,F5 BIG-IP iControl REST unauthenticated RCE; F5 advisory K03009991 Mar 10 2021; NCC Group observed mass exploitation attempts from Mar 18; Palo Alto Unit42 reported widespread scanning and Mirai variant adoption Mar 20-22,2021-11-03,2021,True,True
CVE-2021-22900,Ivanti,Pulse Connect Secure,2021-05-27,2020-08-01,2021-05-27,0,-299,medium,,https://cloud.google.com/blog/topics/threat-intelligence/check-your-pulse-suspected-apt-actors-leverage-authentication-bypass-techniques-pulse-secure-zero-day/,Pulse Connect Secure arbitrary file write; companion CVE in UNC2630/UNC2717 chains traced to Aug 2020; Pulse Secure patched May 3 2021 PSE-2021-04,2021-11-03,2021,True,True
CVE-2021-22899,Ivanti,Pulse Connect Secure,2021-05-27,2020-08-01,2021-05-27,0,-299,medium,,https://cloud.google.com/blog/topics/threat-intelligence/check-your-pulse-suspected-apt-actors-leverage-authentication-bypass-techniques-pulse-secure-zero-day/,Pulse Connect Secure command injection; companion CVE in UNC2630/UNC2717 chains traced to Aug 2020; Pulse Secure patched May 3 2021 PSE-2021-04,2021-11-03,2021,True,True
CVE-2021-22894,Ivanti,Pulse Connect Secure,2021-05-27,2020-08-01,2021-05-27,0,-299,medium,,https://cloud.google.com/blog/topics/threat-intelligence/check-your-pulse-suspected-apt-actors-leverage-authentication-bypass-techniques-pulse-secure-zero-day/,Pulse Connect Secure buffer overflow; companion CVE in UNC2630/UNC2717 chains traced to Aug 2020; Pulse Secure patched May 3 2021 PSE-2021-04,2021-11-03,2021,True,True
CVE-2021-22893,Ivanti,Pulse Connect Secure,2021-04-23,2020-08-01,2021-04-20,0,-265,high,,https://cloud.google.com/blog/topics/threat-intelligence/check-your-pulse-suspected-apt-actors-leverage-authentication-bypass-techniques-pulse-secure-zero-day/,Pulse Connect Secure auth bypass zero-day; Mandiant attributed to UNC2630 (APT5/Chinese) and UNC2717 exploitation traced back to August 2020 (~9 months pre-disclosure); targeted US defense industrial base and EU government,2021-11-03,2021,True,True
CVE-2021-22506,Micro Focus,Micro Focus Access Manager,2021-03-26,2021-11-03,2021-11-03,222,222,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22506,"Micro Focus Access Manager SAML SSRF/info-leak; CISA KEV-added Nov 3 2021 in initial catalog bulk-listing of known-exploited CVEs; no third-party in-the-wild report found, KEV-fallback",2021-11-03,2021,False,False
CVE-2021-22502,Micro Focus,Operation Bridge Reporter (OBR),2021-02-08,2021-03-03,2021-03-15,23,23,high,,https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/,Micro Focus Operations Bridge Reporter unauthenticated RCE via LogonResource (ZDI-21-153/154); Palo Alto Unit 42 observed Mirai variant adding CVE-2021-22502 exploit Mar 3 2021; ZHtrap botnet also incorporated; CISA KEV-added Nov 3 2021,2021-11-03,2021,False,False
CVE-2021-22205,GitLab,Community and Enterprise Editions,2021-04-23,2021-06-01,2021-11-04,39,39,high,,https://www.rapid7.com/blog/post/2021/11/04/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/,"GitLab CE/EE ExifTool DjVu pre-auth RCE via image upload; GitLab advisory Apr 14 2021; HN5DJ William Bowling write-up; Rapid7 observed exploitation from June 2021 by cryptominer botnets, persistent campaign through 2021-2022",2021-11-03,2021,False,False
CVE-2021-22005,VMware,vCenter Server,2021-09-23,2021-09-24,2021-09-24,1,1,high,,https://www.tenable.com/blog/cve-2021-22005-vmware-patches-critical-rce-in-vcenter-server,VMware vCenter Server arbitrary file upload pre-auth RCE; VMSA-2021-0020 Sep 21 2021; PoCs public Sept 23; mass exploitation within 72 hours by ransomware operators and cryptominers,2021-11-03,2021,False,False
CVE-2021-21985,VMware,vCenter Server,2021-05-26,2021-06-01,2021-06-01,6,6,high,,https://www.tenable.com/blog/cve-2021-21985-critical-vmware-vcenter-server-remote-code-execution,VMware vCenter Server vSphere Client RCE via vSAN Health plugin; VMSA-2021-0010 May 25 2021; Radware detected mass scanning by Jun 1 2021; CVSS 9.8 enabled cryptominer and ransomware exploitation,2021-11-03,2021,False,False
CVE-2021-21972,VMware,vCenter Server,2021-02-24,2021-02-24,2021-02-24,0,0,high,,https://www.tenable.com/blog/cve-2021-21972-vmware-vcenter-server-remote-code-execution-vulnerability,VMware vCenter Server vSphere Client unauthenticated RCE; VMSA-2021-0002 Feb 23 2021; mass scanning by Feb 24 per multiple researchers; Necro Python botnet adopted May 2021; widely exploited by ransomware,2021-11-03,2021,True,False
CVE-2021-21224,Google,Chromium V8,2021-04-26,2021-04-20,2021-04-20,0,-6,high,,https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html,Chrome V8 type confusion zero-day; Google Stable Channel update Apr 20 2021 acknowledged active ITW exploitation; reported by Jose Martinez,2021-11-03,2021,True,True
CVE-2021-21220,Google,Chromium V8,2021-04-26,2021-04-13,2021-04-13,0,-13,high,,https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html,Chrome V8 type confusion zero-day; Bruno Keith and Niklas Baumstark demonstrated at Pwn2Own April 6 2021; PoC public within days; Google Stable Channel update Apr 13 2021,2021-11-03,2021,True,True
CVE-2021-21206,Google,Chromium Blink,2021-04-26,2021-04-13,2021-04-13,0,-13,high,,https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html,"Chrome Blink use-after-free zero-day; demonstrated at Pwn2Own April 2021 (Bruno Keith, Niklas Baumstark of Dataflow Security); Google patched Apr 13 2021 with ITW acknowledgement",2021-11-03,2021,True,True
CVE-2021-21193,Google,Chromium Blink,2021-03-16,2021-03-12,2021-03-12,0,-4,high,,https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html,Chrome Blink use-after-free zero-day; Google Stable Channel update Mar 12 2021 acknowledged active ITW exploitation; reported anonymously,2021-11-03,2021,True,True
CVE-2021-21166,Google,Chromium,2021-03-09,2021-03-02,2021-03-02,0,-7,high,,https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html,Chrome audio component object lifecycle zero-day; Google Stable Channel update Mar 2 2021 acknowledged active ITW exploitation; reported by Alison Huffman of Microsoft Browser Vulnerability Research,2021-11-03,2021,True,True
CVE-2021-21148,Google,Chromium V8,2021-02-09,2021-02-04,2021-02-04,0,-5,high,,https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html,Chrome V8 heap buffer overflow zero-day; Google Stable Channel update Feb 4 2021 acknowledged active in-wild exploitation; reported by Mattias Buelens; later attributed to Lazarus social engineering campaign against security researchers,2021-11-03,2021,True,True
CVE-2021-21017,Adobe,Acrobat and Reader,2021-02-11,2021-02-09,2021-02-09,0,-2,high,,https://helpx.adobe.com/security/products/acrobat/apsb21-09.html,Adobe Acrobat/Reader heap-based buffer overflow zero-day; APSB21-09 Feb 9 2021 acknowledged limited targeted attacks against Adobe Reader users on Windows; reported by Anonymous,2021-11-03,2021,True,True
CVE-2021-20090,Arcadyan,Buffalo Firmware,2021-04-29,2021-08-03,2021-08-03,96,96,high,,https://blogs.juniper.net/en-us/threat-research/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild,Arcadyan Buffalo router firmware path traversal auth bypass; Tenable TRA-2021-13 Aug 3 2021; Juniper Networks observed Mirai variant scanning and exploitation within 2 days of disclosure,2021-11-03,2021,False,False
CVE-2021-20023,SonicWall,SonicWall Email Security,2021-04-20,2021-03-01,2021-04-20,0,-50,high,,https://cloud.google.com/blog/topics/threat-intelligence/abusing-replication-stealing-ad-fs-secrets-over-the-network,SonicWall Email Security post-auth arbitrary file read zero-day; chained with CVE-2021-20021/20022 in UNC2447 (HelloKitty/FiveHands) attacks from March 2021,2021-11-03,2021,True,True
CVE-2021-20022,SonicWall,SonicWall Email Security,2021-04-09,2021-03-01,2021-04-20,0,-39,high,,https://cloud.google.com/blog/topics/threat-intelligence/abusing-replication-stealing-ad-fs-secrets-over-the-network,SonicWall Email Security post-auth file upload zero-day; chained with CVE-2021-20021/20023 in UNC2447 attacks from March 2021,2021-11-03,2021,True,True
CVE-2021-20021,SonicWall,SonicWall Email Security,2021-04-09,2021-03-01,2021-04-20,0,-39,high,,https://cloud.google.com/blog/topics/threat-intelligence/abusing-replication-stealing-ad-fs-secrets-over-the-network,SonicWall Email Security pre-auth admin auth bypass zero-day; Mandiant attributed UNC2447 (HelloKitty/FiveHands) exploitation chain from March 2021 with CVE-2021-20022/20023,2021-11-03,2021,True,True
CVE-2021-20016,SonicWall,SSLVPN SMA100,2021-02-03,2021-01-22,2021-02-03,0,-12,high,,https://www.crowdstrike.com/blog/exploitation-of-sonicwall-sma-100-series-cve-2021-20016/,SonicWall SMA100 SQL injection zero-day; SonicWall disclosed Jan 23 2021 coordinated attack on its own internal systems Jan 22; UNC2447 (HelloKitty) ransomware exploitation observed; widespread attacks Feb 2021,2021-11-03,2021,True,True
CVE-2021-1906,Qualcomm,Multiple Chipsets,2021-05-07,2021-05-03,2021-05-03,0,-4,high,,https://source.android.com/docs/security/bulletin/2021-05-01,Qualcomm Adreno GPU detection of error condition without action; Android May 2021 bulletin acknowledged limited targeted exploitation; companion to CVE-2021-1905,2021-11-03,2021,True,True
CVE-2021-1905,Qualcomm,Multiple Chipsets,2021-05-07,2021-05-03,2021-05-03,0,-4,high,,https://source.android.com/docs/security/bulletin/2021-05-01,"Qualcomm Adreno GPU use-after-free EoP zero-day; Android May 2021 security bulletin acknowledged ""may be under limited, targeted exploitation""; reported by Man Yue Mo of GitHub Security Lab",2021-11-03,2021,True,True
CVE-2021-1879,Apple,"iOS, iPadOS, and watchOS",2021-04-02,2021-03-26,2021-07-14,0,-7,high,,https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/,Apple WebKit Quicklook UXSS zero-day; Google TAG (Clement Lecigne and Maddie Stone) reported in-wild exploitation by likely Russian government-backed actor targeting Western European government officials via LinkedIn messages; Apple patched March 26 2021,2021-11-03,2021,True,True
CVE-2021-1871,Apple,"iOS, iPadOS, and macOS",2021-04-02,2021-01-26,2021-01-26,0,-66,high,,https://support.apple.com/en-us/HT212147,Apple WebKit logic issue zero-day; companion to CVE-2021-1870 in iOS 14.4 Jan 26 2021 release; both anonymously reported with ITW exploitation acknowledged,2021-11-03,2021,True,True
CVE-2021-1870,Apple,"iOS, iPadOS, and macOS",2021-04-02,2021-01-26,2021-01-26,0,-66,high,,https://support.apple.com/en-us/HT212147,Apple WebKit logic issue zero-day; iOS 14.4 advisory Jan 26 2021 acknowledged anonymous reporter and Apple aware of active exploitation report,2021-11-03,2021,True,True
CVE-2021-1782,Apple,Multiple Products,2021-04-02,2021-01-26,2021-01-26,0,-66,high,,https://support.apple.com/en-us/HT212146,Apple kernel race condition zero-day; iOS 14.4 advisory Jan 26 2021 acknowledged Apple was aware of report that this may have been actively exploited,2021-11-03,2021,True,True
CVE-2021-1732,Microsoft,Win32k,2021-02-25,2021-02-09,2021-02-09,0,-16,high,,https://www.tenable.com/blog/microsofts-february-2021-patch-tuesday-addresses-56-cves-cve-2021-24074,Windows Win32k EoP zero-day; February 2021 Patch Tuesday; reported by DBAPPSecurity Threat Intelligence Center; exploited by BITTER APT in targeted attacks; later patch-bypassed by CVE-2022-21882,2021-11-03,2021,True,True
CVE-2021-1675,Microsoft,Windows,2021-06-08,2021-06-29,2021-06-29,21,21,high,,https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability,Print Spooler EoP/RCE initial PrintNightmare patch; June 2021 Patch Tuesday with EoP rating; Sangfor researchers accidentally published PoC June 29 thinking it was already patched; reclassified RCE by Microsoft and mass exploitation followed,2021-11-03,2021,False,False
CVE-2021-1647,Microsoft,Defender,2021-01-12,2021-01-12,2021-01-12,0,0,high,,https://www.tenable.com/blog/microsofts-january-2021-patch-tuesday-addresses-83-cves-cve-2021-1647,"Microsoft Defender (MpEngine) RCE zero-day; January 2021 Patch Tuesday with Microsoft acknowledging ""Exploitation Detected"" before disclosure; emergency MMPC update pushed prior",2021-11-03,2021,True,False
CVE-2021-1498,Cisco,HyperFlex HX,2021-05-06,2021-05-12,2021-05-12,6,6,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkp,Cisco HyperFlex HX command injection companion to CVE-2021-1497; same advisory May 5 2021; PoCs and scanning within days,2021-11-03,2021,False,False
CVE-2021-1497,Cisco,HyperFlex HX,2021-05-06,2021-05-12,2021-05-12,6,6,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkp,Cisco HyperFlex HX Installer command injection RCE; Cisco PSIRT advisory May 5 2021; PoCs publicly available within days; Tenable observed mass scanning May 11-12,2021-11-03,2021,False,False
CVE-2020-9859,Apple,Multiple Products,2020-06-05,2020-05-26,2020-06-05,0,-10,high,,https://support.apple.com/en-us/HT211214,Apple iOS kernel zero-day; unc0ver jailbreak,2021-11-03,2020,True,True
CVE-2020-9819,Apple,"iOS, iPadOS, and watchOS",2020-06-09,2020-04-20,2020-06-09,0,-50,high,,https://www.tenable.com/blog/cve-2020-9818-cve-2020-9819-multiple-zero-day-vulnerabilities-in-ios-mail-app-exploited-in-wild,Companion to CVE-2020-9818; ZecOps disclosed Apple iOS Mail zero-day with DFIR-confirmed in-wild exploitation,2021-11-03,2020,True,True
CVE-2020-9818,Apple,"iOS, iPadOS, and watchOS",2020-06-09,2020-04-20,2020-06-09,0,-50,high,,https://www.tenable.com/blog/cve-2020-9818-cve-2020-9819-multiple-zero-day-vulnerabilities-in-ios-mail-app-exploited-in-wild,ZecOps disclosed iOS Mail app zero-days April 20 with DFIR evidence of in-wild exploitation pre-disclosure,2021-11-03,2020,True,True
CVE-2020-8657,EyesOfNetwork,EyesOfNetwork,2020-02-06,2021-11-03,2021-11-03,636,636,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8657,Acronis True Image insecure folder permissions LPE; disclosed Feb 6 2020; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-8655,EyesOfNetwork,EyesOfNetwork,2020-02-06,2021-11-03,2021-11-03,636,636,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8655,Acronis True Image insecure RPC LPE; disclosed Feb 6 2020; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-8644,PlaySMS,PlaySMS,2020-02-05,2021-11-03,2021-11-03,637,637,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8644,PlaySMS pre-auth server-side template injection RCE in TPL engine; NCC Group disclosure Feb 11 2020; Metasploit module available; CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-8599,Trend Micro,Apex One and OfficeScan,2020-03-18,2020-03-17,2020-03-18,0,-1,medium,,https://success.trendmicro.com/dcx/s/solution/000245571,Trend Micro Apex One auth bypass zero-day,2021-11-03,2020,True,True
CVE-2020-8515,DrayTek,Multiple Vigor Routers,2020-02-01,2020-03-31,2020-04-01,59,59,high,,https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/,DrayTek Vigor command injection; Palo Alto Unit 42 documented Hoaxcalls DDoS botnet exploitation by 2020-03-31 (PoC made public early March); later reused by Mirai V3G4 (Unit 42 July-Dec 2022) and FBI botnet takedown Sep 2024,2021-11-03,2020,False,False
CVE-2020-8468,Trend Micro,"Apex One, OfficeScan and Worry-Free Business Security Agents",2020-03-18,2020-03-16,2020-03-18,0,-2,high,,https://success.trendmicro.com/en-US/solution/KA-0010281,Trend Micro security bulletin acknowledged 'at least one active attempt' of in-wild exploitation,2021-11-03,2020,True,True
CVE-2020-8467,Trend Micro,Apex One and OfficeScan,2020-03-18,2020-03-16,2020-03-18,0,-2,high,,https://success.trendmicro.com/en-US/solution/KA-0010281,Trend Micro security bulletin acknowledged 'at least one active attempt' of in-wild exploitation,2021-11-03,2020,True,True
CVE-2020-8260,Ivanti,Pulse Connect Secure,2020-10-28,2020-10-26,2020-10-28,0,-2,medium,,https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601,Pulse Connect Secure command injection,2021-11-03,2020,True,True
CVE-2020-8243,Ivanti,Pulse Connect Secure,2020-09-29,2020-10-26,2020-10-26,27,27,medium,,https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/,Pulse Connect Secure template injection,2021-11-03,2020,False,False
CVE-2020-8196,Citrix,"Application Delivery Controller (ADC), Gateway",2020-07-10,2020-07-09,2020-07-09,0,-1,medium,,https://support.citrix.com/article/CTX276688,Citrix ADC/Gateway info disclosure; companion,2021-11-03,2020,True,True
CVE-2020-8195,Citrix,"Application Delivery Controller (ADC), Gateway",2020-07-10,2020-07-09,2020-07-09,0,-1,medium,,https://support.citrix.com/article/CTX276688,Citrix ADC/Gateway info disclosure; companion,2021-11-03,2020,True,True
CVE-2020-8193,Citrix,"Application Delivery Controller (ADC), Gateway",2020-07-10,2020-07-09,2020-07-09,0,-1,medium,,https://support.citrix.com/article/CTX276688,Citrix ADC/Gateway directory traversal info disclosure; PoCs and exploitation within days,2021-11-03,2020,True,True
CVE-2020-7961,Liferay,Liferay Portal,2020-03-20,2020-04-17,2020-04-17,28,28,high,,https://www.cert.europa.eu/publications/security-advisories/2020-022/pdf,Liferay Portal JSON deserialization RCE; PoC released by Code White Mar 20 2020 + Synacktiv Mar 30; CERT-EU advisory Apr 17 confirmed mass exploitation in ongoing campaigns; later used in FreakOut campaign and cryptominer deployments,2021-11-03,2020,False,False
CVE-2020-6820,Mozilla,Firefox and Thunderbird,2020-04-24,2020-04-03,2020-04-03,0,-21,high,,https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-6820.html,Firefox ReadableStream use-after-free zero-day sandbox escape; Mozilla advisory 2020-11 Apr 3 2020 confirmed targeted attacks; chained with CVE-2020-6819 (renderer exploit) per Google Project Zero analysis - URL affiliated with known threat actor,2021-11-03,2020,True,True
CVE-2020-6819,Mozilla,Firefox and Thunderbird,2020-04-24,2020-04-03,2020-04-03,0,-21,high,,https://www.tenable.com/blog/cve-2020-6819-cve-2020-6820-critical-mozilla-firefox-zero-day-vulnerabilities-exploited-in-wild,"Firefox nsDocShell destructor use-after-free zero-day; Mozilla advisory 2020-11 Apr 3 2020 confirmed targeted attacks in the wild; chained with CVE-2020-6820 (6819 = renderer exploit, 6820 = sandbox escape) per Google Project Zero",2021-11-03,2020,True,True
CVE-2020-6418,Google,Chromium V8,2020-02-27,2020-02-24,2020-02-27,0,-3,high,,https://www.tenable.com/blog/cve-2020-6418-google-chrome-type-confusion-vulnerability-exploited-in-the-wild,Chrome 80.0.3987.122 disclosed type confusion in V8; Google TAG acknowledged in-wild exploitation at disclosure,2021-11-03,2020,True,True
CVE-2020-6287,SAP,NetWeaver,2020-07-14,2020-07-16,2020-07-16,2,2,high,,https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java,SAP NetWeaver RECON unauthenticated user creation; SAP HotNews/Onapsis disclosure July 13 2020; CISA alert July 14; PoC code surfaced GitHub July 16 with reports of public exploits being used to compromise vulnerable SAP systems per Rapid7 AttackerKB; Onapsis confirmed ongoing exploitation since then,2021-11-03,2020,False,False
CVE-2020-6207,SAP,Solution Manager,2020-03-10,2021-01-22,2021-01-22,318,318,high,,https://www.tenable.com/blog/cve-2020-6207-proof-of-concept-missing-authentication-check-sap-solution-manager,SAP Solution Manager EEM missing authentication RCE; SAP patch March 2020; PoC published GitHub Jan 14 2021; researchers reported active scanning attempts Jan 22 2021; CISA KEV catalog confirms exploitation,2021-11-03,2020,False,False
CVE-2020-5902,F5,BIG-IP,2020-07-01,2020-07-03,2020-07-03,2,2,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a,F5 BIG-IP TMUI RCE; disclosed June 30; NCC/SANS observed exploitation July 3,2021-11-03,2020,False,False
CVE-2020-5849,Unraid,Unraid,2020-03-16,2021-11-03,2021-11-03,597,597,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5849,Unraid 6.8.0 authentication bypass (chained with CVE-2020-5847 for unauthenticated RCE as root); Sysdream Feb 6 2020 disclosure with PoC by Nicolas Chatelain; Metasploit module released Apr 2020; CISA KEV add Nov 3 2021; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-5847,Unraid,Unraid,2020-03-16,2021-11-03,2021-11-03,597,597,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5847,Unraid 6.8.0 PHP code execution via extract() function abuse (chained with CVE-2020-5849 auth bypass for unauthenticated RCE); Sysdream Feb 6 2020 disclosure; Metasploit module released Apr 2020; CISA KEV add Nov 3 2021; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-5735,Amcrest,Cameras and Network Video Recorder (NVR),2020-04-08,2021-11-03,2021-11-03,574,574,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5735,Amcrest cameras/NVR stack-based buffer overflow on port 37777; Tenable research TRA-2020-20 Apr 8 2020; public PoC; CISA KEV add 2021-11-03; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-4430,IBM,Data Risk Manager,2020-05-07,2020-04-21,2020-05-07,0,-16,high,,https://www.ibm.com/support/pages/security-bulletin-ibm-data-risk-manager-affected-multiple-vulnerabilities,IBM Data Risk Manager file download,2021-11-03,2020,True,True
CVE-2020-4428,IBM,Data Risk Manager,2020-05-07,2020-04-21,2020-05-07,0,-16,high,,https://www.ibm.com/support/pages/security-bulletin-ibm-data-risk-manager-affected-multiple-vulnerabilities,IBM Data Risk Manager command injection,2021-11-03,2020,True,True
CVE-2020-4427,IBM,Data Risk Manager,2020-05-07,2020-04-21,2020-05-07,0,-16,high,,https://www.ibm.com/support/pages/security-bulletin-ibm-data-risk-manager-affected-multiple-vulnerabilities,IBM Data Risk Manager auth bypass; PoC at disclosure with active exploitation,2021-11-03,2020,True,True
CVE-2020-4006,VMware,Multiple Products,2020-11-23,2020-11-23,2020-12-07,0,0,high,,https://www.tenable.com/blog/cve-2020-4006-vmware-command-injection-flaw-exploited-by-russian-state-sponsored-threat-actors,VMware Workspace ONE Access/Identity Manager command injection; VMware advisory Nov 23 2020; NSA disclosed Dec 7 2020 that Russian state-sponsored actors (later attributed to SVR) were actively exploiting; patch released Dec 3 2020,2021-11-03,2020,True,False
CVE-2020-3992,VMware,ESXi,2020-10-20,2020-11-06,2020-11-06,17,17,high,,https://www.rapid7.com/blog/post/2020/11/11/vmware-esxi-openslp-remote-code-execution-vulnerability-cve-2020-3992-and-cve-2019-5544-what-you-need-to-know/,"VMware ESXi OpenSLP use-after-free RCE; VMware patch Oct 20 2020 was incomplete, full patch Nov 4 2020; Microsoft's Kevin Beaumont alerted Nov 6 2020 to active exploitation by ransomware groups (RansomExx, later also Babuk Locker) shutting down VMs and encrypting VMDKs directly on hypervisor",2021-11-03,2020,False,False
CVE-2020-3952,VMware,vCenter Server,2020-04-10,2021-11-03,2021-11-03,572,572,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3952,VMware vCenter Server vmdir LDAP access control bypass; disclosed April 2020; Guardicore (now Akamai) published PoC same month; widely exploitable but no specific contemporary threat-intel report with date attribution; CISA KEV add 2021-11-03,2021-11-03,2020,False,False
CVE-2020-3950,VMware,Multiple Products,2020-03-17,2021-11-03,2021-11-03,596,596,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3950,VMware Fusion / VMRC / Horizon Client for Mac setuid LPE; VMSA-2020-0005 Mar 17 2020; reported by Jeffball of GRIMM and Rich Mirch; public PoC released; multiple incomplete patches; CISA KEV catalog the documented evidence; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-3580,Cisco,Adaptive Security Appliance (ASA) and Firepower TD,2020-10-21,2020-06-25,2020-10-21,0,-118,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe,Cisco ASA/FTD XSS; CISA confirmed exploitation observed,2021-11-03,2020,True,True
CVE-2020-3569,Cisco,IOS XR,2020-09-23,2020-08-29,2020-09-23,0,-25,high,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-rL5EZA8h,Cisco IOS XR DVMRP companion zero-day,2021-11-03,2020,True,True
CVE-2020-3566,Cisco,IOS XR,2020-08-29,2020-08-29,2020-08-29,0,0,high,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-rL5EZA8h,Cisco IOS XR DVMRP memory exhaustion zero-day,2021-11-03,2020,True,False
CVE-2020-3452,Cisco,Adaptive Security Appliance (ASA) and Firepower TD,2020-07-22,2020-07-23,2020-07-23,1,1,high,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86,Cisco ASA/FTD directory traversal; PoCs and exploitation reported within 24 hours,2021-11-03,2020,False,False
CVE-2020-3161,Cisco,Cisco IP Phones,2020-04-15,2020-04-15,2020-04-15,0,0,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-XAuoTRQc,Cisco IP Phones RCE,2021-11-03,2020,True,False
CVE-2020-3118,Cisco,IOS XR,2020-02-05,2020-02-05,2020-02-05,0,0,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce,Cisco IOS XR Cisco Discovery Protocol RCE,2021-11-03,2020,True,False
CVE-2020-29583,Zyxel,Multiple Products,2020-12-22,2021-01-06,2021-01-06,15,15,high,,https://www.securityweek.com/hackers-start-exploiting-recently-disclosed-zyxel-vulnerability/,Zyxel firewalls/WLAN controllers hardcoded backdoor 'zyfwp' account; Zyxel patch Dec 23 2020; SANS ISC and GreyNoise observed opportunistic SSH exploitation starting Jan 6 2021,2021-11-03,2020,False,False
CVE-2020-29557,D-Link,DIR-825 R1 Devices,2021-01-29,2021-11-03,2021-11-03,278,278,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29557,D-Link DIR-825 R1 buffer overflow in web interface; disclosed Nov 20 2020 by shaqed (shaqed.github.io); CISA KEV catalog the documented evidence of in-the-wild exploitation; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-27950,Apple,Multiple Products,2020-12-08,2020-11-05,2020-12-08,0,-33,high,,https://support.apple.com/en-us/HT211931,Apple XNU kernel memory disclosure zero-day,2021-11-03,2020,True,True
CVE-2020-27932,Apple,Multiple Products,2020-12-08,2020-11-05,2020-12-08,0,-33,high,,https://support.apple.com/en-us/HT211931,Apple XNU kernel type confusion zero-day,2021-11-03,2020,True,True
CVE-2020-27930,Apple,Multiple Products,2020-12-08,2020-11-05,2020-12-08,0,-33,high,,https://support.apple.com/en-us/HT211931,Apple FontParser memory corruption zero-day; Google Project Zero,2021-11-03,2020,True,True
CVE-2020-26919,NETGEAR,JGS516PE Devices,2020-10-09,2021-03-13,2021-03-15,155,155,high,,https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/,"NetGear ProSAFE Plus auth bypass; Palo Alto Unit 42 documented Mirai variant incorporating exploit by March 13 2021, ongoing attacks at time of writing",2021-11-03,2020,False,False
CVE-2020-2555,Oracle,Multiple Products,2020-01-15,2020-04-29,2020-05-01,105,105,high,,https://www.tenable.com/blog/cve-2020-2883-oracle-weblogic-deserialization-vulnerability-exploited-in-the-wild,Oracle WebLogic Coherence deserialization (chained with/bypassed via CVE-2020-2883); Oracle CPU January 2020; same active exploitation per CISA May 1 2020 alert,2021-11-03,2020,False,False
CVE-2020-25506,D-Link,DNS-320 Device,2021-02-02,2021-02-15,2021-02-23,13,13,high,,https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/,D-Link DNS-320 firewall RCE; Palo Alto Unit 42 documented Mirai variant exploiting in attacks Feb 2021 (along with VisualDoor SonicWall and CVE-2020-26919),2021-11-03,2020,False,False
CVE-2020-25213,WordPress,File Manager Plugin,2020-09-09,2020-09-09,2020-09-09,0,0,medium,,https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/,WordPress File Manager plugin RCE; mass exploitation observed,2021-11-03,2020,True,False
CVE-2020-24557,Trend Micro,"Apex One, OfficeScan, and Worry-Free Business",2020-09-01,2020-09-17,2020-09-17,16,16,medium,,https://success.trendmicro.com/solution/000274106,Trend Micro Apex One/OfficeScan EoP zero-day,2021-11-03,2020,False,False
CVE-2020-17530,Apache,Struts,2020-12-11,2020-12-22,2020-12-22,11,11,high,,https://0x00sec.org/t/the-s2-061-struts-remote-code-execution-vulnerability-cve-2020-17530-in-the-wild/24324,Apache Struts 2 S2-061 OGNL double evaluation RCE; published Dec 8 2020; in-the-wild exploitation attempts (Unicode_Potats0 payload) documented on server logs Dec 22 2020; later observed widespread scanning,2021-11-03,2020,False,False
CVE-2020-17496,vBulletin,vBulletin,2020-08-12,2020-08-12,2020-08-12,0,0,medium,,https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-security-patch-released-for-vbulletin-5-6-0-5-6-1-and-5-6-2,vBulletin pre-auth RCE zero-day; widespread exploitation immediately,2021-11-03,2020,True,False
CVE-2020-17144,Microsoft,Exchange Server,2020-12-09,2020-12-08,2020-12-09,0,-1,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144,Microsoft Exchange Server RCE,2021-11-03,2020,True,True
CVE-2020-17087,Microsoft,Windows,2020-11-11,2020-10-30,2020-11-11,0,-12,high,,https://googleprojectzero.blogspot.com/p/0day.html,Windows Kernel Cryptography Driver CLFS EoP zero-day; Google Project Zero exploitation observed,2021-11-03,2020,True,True
CVE-2020-16846,SaltStack,Salt,2020-11-06,2021-10-14,2021-10-14,342,342,high,,https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence,SaltStack Salt API shell injection via SSH client (chains with CVE-2020-25592 for unauthenticated RCE); disclosed Nov 3 2020; Juniper Threat Labs reported Sysrv-hello botnet exploiting it Oct 14 2021,2021-11-03,2020,False,False
CVE-2020-16017,Google,Chrome,2021-01-08,2020-11-12,2021-01-08,0,-57,high,,https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html,Chrome use-after-free zero-day,2021-11-03,2020,True,True
CVE-2020-16013,Google,Chromium V8,2021-01-08,2020-11-12,2021-01-08,0,-57,high,,https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html,Chrome V8 type confusion zero-day; Google TAG,2021-11-03,2020,True,True
CVE-2020-16010,Google,Chrome for Android UI,2020-11-03,2020-11-03,2020-11-03,0,0,high,,https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html,Chrome Android UI heap overflow zero-day; Google TAG,2021-11-03,2020,True,False
CVE-2020-16009,Google,Chromium V8,2020-11-03,2020-11-02,2020-11-03,0,-1,high,,https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_2.html,Chrome V8 type confusion zero-day; Google TAG,2021-11-03,2020,True,True
CVE-2020-15999,Google,Chrome FreeType,2020-11-03,2020-10-20,2020-11-03,0,-14,high,,https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html,Chrome FreeType heap overflow zero-day; Google TAG,2021-11-03,2020,True,True
CVE-2020-15505,Ivanti,MobileIron Multiple Products,2020-07-07,2020-09-07,2020-09-07,62,62,medium,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-275a,Ivanti MobileIron MDM RCE; disclosed July; mass exploitation in September attributed to APT,2021-11-03,2020,False,False
CVE-2020-14883,Oracle,WebLogic Server,2020-10-21,2020-10-28,2020-11-02,7,7,high,,https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability,Oracle WebLogic Console RCE (chained with CVE-2020-14882 auth bypass); Oracle CPU Oct 20 2020; same exploitation timeline as 14882 - the auth bypass + RCE chain was the actual attack vector used by DarkIRC and 5 other campaigns,2021-11-03,2020,False,False
CVE-2020-14882,Oracle,WebLogic Server,2020-10-21,2020-10-28,2020-11-02,7,7,high,,https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability,"Oracle WebLogic Console auth bypass; Oracle CPU Oct 20 2020; SANS honeypots caught attacks shortly after PoC release Oct 28; CISA/Oracle joint alert Nov 2; Juniper Threat Labs Dec 1 documented DarkIRC botnet + 5 attack variants including Cobalt Strike, Mirai",2021-11-03,2020,False,False
CVE-2020-14871,Oracle,Solaris and Zettabyte File System (ZFS),2020-10-21,2018-12-01,2020-11-02,0,-690,high,,https://cloud.google.com/blog/topics/threat-intelligence/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover,"Oracle Solaris PAM stack buffer overflow; UNC1945 deployed EVILSUN exploit tool against Solaris 9; FireEye/Mandiant reports late 2018 initial Solaris compromise by group, mid-2020 active zero-day exploitation; Oracle CPU October 2020; black-market 'Oracle Solaris SSHD Remote Root Exploit' for sale April 2020",2021-11-03,2020,True,True
CVE-2020-14750,Oracle,WebLogic Server,2020-11-01,2020-11-01,2020-11-02,0,0,high,,https://thehackernews.com/2020/12/multiple-botnets-exploiting-critical.html,Oracle WebLogic Console - bypass of 14882 patch; Oracle out-of-band security alert Nov 1 2020; exploitation observed contemporaneously alongside CVE-2020-14882/14883,2021-11-03,2020,True,False
CVE-2020-1472,Microsoft,Netlogon,2020-08-17,2020-09-13,2020-09-13,27,27,high,,https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows,Netlogon Zerologon EoP; patched August; Secura disclosed PoC Sept 11; mass exploitation from Sept 13,2021-11-03,2020,False,False
CVE-2020-1464,Microsoft,Windows,2020-08-17,2020-08-11,2020-08-17,0,-6,medium,,https://www.tenable.com/blog/microsofts-august-2020-patch-tuesday-addresses-120-cves,Windows spoofing zero-day; August Patch Tuesday,2021-11-03,2020,True,True
CVE-2020-1380,Microsoft,Internet Explorer,2020-08-17,2020-08-11,2020-08-17,0,-6,high,,https://securelist.com/cve-2020-1380-a-zero-day-vulnerability-in-internet-explorer/97970/,Internet Explorer scripting engine zero-day; DarkHotel exploitation,2021-11-03,2020,True,True
CVE-2020-1350,Microsoft,Windows,2020-07-14,2020-07-14,2020-07-14,0,0,high,,https://www.tenable.com/blog/cve-2020-1350-critical-wormable-vulnerability-in-windows-dns-server-sigred,Windows DNS Server SIGRed RCE wormable zero-day; July Patch Tuesday,2021-11-03,2020,True,False
CVE-2020-12812,Fortinet,FortiOS,2020-07-24,2021-04-02,2021-04-02,252,252,high,,https://www.fortiguard.com/psirt/FG-IR-19-283,Fortinet FortiOS SSL VPN improper authentication; CISA/FBI joint advisory APT exploitation,2021-11-03,2020,False,False
CVE-2020-12271,Sophos,SFOS,2020-04-27,2020-04-22,2020-04-27,0,-5,high,,https://news.sophos.com/en-us/2020/04/26/asnarok/,Asnarök zero-day SQL injection; Sophos became aware April 22 from customer report; CVE issued April 27; in-wild attacks pre-disclosure,2021-11-03,2020,True,True
CVE-2020-11738,WordPress,Snap Creek Duplicator Plugin,2020-04-13,2020-02-19,2020-04-13,0,-54,medium,,https://www.wordfence.com/blog/2020/02/critical-vulnerability-in-duplicator-plugin/,WordPress Snap Creek Duplicator plugin path traversal,2021-11-03,2020,True,True
CVE-2020-11652,SaltStack,Salt,2020-04-30,2020-05-02,2020-05-02,2,2,high,,https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild,Companion to CVE-2020-11651; F-Secure SaltStack directory traversal; chained in May 2-3 mass exploitation,2021-11-03,2020,False,False
CVE-2020-11651,SaltStack,Salt,2020-04-30,2020-05-02,2020-05-02,2,2,high,,https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild,"F-Secure disclosed April 30 (patches April 29); mass exploitation May 2-3 (Ghost, LineageOS, Xen Orchestra, DigiCert breached)",2021-11-03,2020,False,False
CVE-2020-1147,Microsoft,".NET Framework, SharePoint, Visual Studio",2020-07-14,2020-07-14,2020-07-14,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1147,.NET Framework/SharePoint/Visual Studio XML deserialization RCE,2021-11-03,2020,True,False
CVE-2020-10987,Tenda,AC1900 Router AC15 Model,2020-07-13,2020-08-28,2020-10-05,46,46,high,,https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/,Tenda AC15 AC1900 router goform/setUsbUnload command injection; published July 13 2020 by Independent Security Evaluators; 360Netlab observed Ttint Mirai variant exploiting it as 0-day on Aug 28 2020 reported to Tenda; Threatpost coverage Oct 5 2020,2021-11-03,2020,False,False
CVE-2020-1054,Microsoft,Win32k,2020-05-21,2020-05-12,2020-05-21,0,-9,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1054,Windows Win32k EoP zero-day; May Patch Tuesday,2021-11-03,2020,True,True
CVE-2020-1040,Microsoft,Hyper-V RemoteFX,2020-07-14,2020-07-14,2020-07-14,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1040,Hyper-V RemoteFX vGPU RCE,2021-11-03,2020,True,False
CVE-2020-10221,rConfig,rConfig,2020-03-08,2021-11-03,2021-11-03,605,605,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10221,rConfig ajaxAddTemplate.php OS command injection in fileName parameter; disclosed Mar 2020; chainable with CVE-2020-10220 SQL injection for unauthenticated RCE; multiple public PoCs; CISA KEV catalog the documented evidence; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-1020,Microsoft,Windows,2020-04-15,2020-03-23,2020-04-15,0,-23,high,,https://www.tenable.com/blog/microsoft-april-2020-patch-tuesday-addresses-113-cves-including-adobe-type-manager-library,Same as CVE-2020-0938; Adobe Type 1 PostScript font parsing chain; exploited in wild prior to April patch,2021-11-03,2020,True,True
CVE-2020-10199,Sonatype,Nexus Repository,2020-04-01,2020-04-02,2020-04-02,1,1,medium,,https://support.sonatype.com/hc/en-us/articles/360044356533,Sonatype Nexus Repository EL injection RCE,2021-11-03,2020,False,False
CVE-2020-10189,Zoho,ManageEngine,2020-03-06,2020-03-08,2020-03-25,2,2,high,,https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/,Zoho ManageEngine Desktop Central deserialization RCE; PoC published Mar 5 2020 by Steven Seeley; APT41 began exploiting March 8 2020 against 12+ FireEye customers (compromised 5+) per FireEye/Mandiant report Mar 25 2020,2021-11-03,2020,False,False
CVE-2020-10181,Sumavision,Enhanced Multimedia Router (EMR),2020-03-11,2021-11-03,2021-11-03,602,602,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10181,Symantec Messaging Gateway unspecified RCE; CISA description marks as 'unspecified vulnerability which can allow for remote code execution'; CISA KEV add 2021-11-03; no specific contemporary threat-intel report with date attribution found,2021-11-03,2020,False,False
CVE-2020-10148,SolarWinds,Orion,2020-12-29,2019-09-04,2020-12-29,0,-482,high,,https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a,SolarWinds Orion auth bypass; UNC2452/Nobelium SUNBURST supply chain; exploited from Sept 2019,2021-11-03,2020,True,True
CVE-2020-0986,Microsoft,Windows,2020-06-09,2020-06-09,2020-06-09,0,0,high,,https://www.kaspersky.com/about/press-releases/operation-powerfall-kaspersky-prevents-attack-on-south-korean-company,Windows GDI EoP zero-day; June Patch Tuesday; Operation PowerFall,2021-11-03,2020,True,False
CVE-2020-0968,Microsoft,Internet Explorer,2020-04-15,2020-04-14,2020-04-15,0,-1,high,,https://www.tenable.com/blog/microsofts-april-2020-patch-tuesday-addresses-113-cves,Internet Explorer scripting engine memory corruption zero-day; April Patch Tuesday,2021-11-03,2020,True,True
CVE-2020-0938,Microsoft,Windows,2020-04-15,2020-03-23,2020-04-15,0,-23,high,,https://www.tenable.com/blog/microsoft-april-2020-patch-tuesday-addresses-113-cves-including-adobe-type-manager-library,Adobe Type Manager Font Driver; ADV200006 March 23 advisory acknowledged in-wild exploitation; patch April 14 (counted as 0 days since exploited at/before disclosure),2021-11-03,2020,True,True
CVE-2020-0878,Microsoft,Edge and Internet Explorer,2020-09-11,2020-09-08,2020-09-11,0,-3,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0878,Microsoft Edge and IE memory corruption RCE,2021-11-03,2020,True,True
CVE-2020-0688,Microsoft,Exchange Server,2020-02-11,2020-03-06,2020-03-06,24,24,high,,https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/,February 11 Patch Tuesday disclosure; mass scanning Feb 25 (Beaumont); Volexity confirmed in-wild exploitation March 6 with backdoor placement,2021-11-03,2020,False,False
CVE-2020-0683,Microsoft,Windows,2020-02-11,2020-02-11,2020-02-11,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0683,Windows Installer EoP,2021-11-03,2020,True,False
CVE-2020-0674,Microsoft,Internet Explorer,2020-02-11,2020-01-17,2020-02-11,0,-25,high,,https://www.tenable.com/blog/cve-2020-0674-internet-explorer-remote-code-execution-vulnerability-exploited-in-the-wild,Microsoft ADV200001 advisory acknowledged in-wild exploitation by DarkHotel/APT-C-06 at January 17 announcement,2021-11-03,2020,True,True
CVE-2020-0646,Microsoft,.NET Framework,2020-01-14,2020-01-14,2020-01-14,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0646,Microsoft .NET Framework RCE; January Patch Tuesday,2021-11-03,2020,True,False
CVE-2020-0601,Microsoft,Windows,2020-01-14,2020-01-14,2020-01-14,0,0,high,,https://www.tenable.com/blog/cve-2020-0601-nsa-reported-spoofing-vulnerability-in-windows-cryptoapi,Windows CryptoAPI CurveBall ECC validation flaw; NSA-reported zero-day at disclosure,2021-11-03,2020,True,False
CVE-2020-0069,MediaTek,Multiple Chipsets,2020-03-10,2019-04-01,2020-03-02,0,-344,high,,https://www.androidpolice.com/2020/03/02/mediatek-security-vulnerability-allowed-root-access-on-devices-from-nokia-amazon-blu-sony-zte-and-others/,MediaTek Command Queue driver LPE 'MediaTek-SU'; XDA exploit (mtk-su) released April 2019; TrendMicro reported Jan 2020 removed Play Store apps exploiting MediaTek-su or CVE-2019-2215 in the wild; Google Android Security Bulletin March 2020; later weaponized by AbstractEmu trojan (Lookout Oct 2021),2021-11-03,2020,True,True
CVE-2020-0041,Android,Android Kernel,2020-03-10,2021-10-28,2021-10-28,597,597,high,,https://www.lookout.com/threat-intelligence/article/abstractemu-mobile-rooting-malware,Android privilege escalation in Binder; previously not seen exploited; Lookout published Oct 28 2021 details of AbstractEmu rooting malware that exploited CVE-2020-0041 + CVE-2020-0069 + CVE-2019-2215 to root Android devices via trojanized Play Store apps,2021-11-03,2020,False,False
CVE-2019-9978,WordPress,Social Warfare Plugin,2019-03-24,2019-03-25,2019-03-25,1,1,medium,,https://www.wordfence.com/blog/2019/03/recently-patched-easy-wp-smtp-plugin-vulnerability-being-attacked/,WordPress Social Warfare plugin XSS/RCE; immediate mass exploitation,2021-11-03,2019,False,False
CVE-2019-9082,ThinkPHP,ThinkPHP,2019-02-24,2019-02-25,2020-04-24,1,1,high,,https://threatprotect.qualys.com/2020/04/24/thinkphp-remote-code-execution-vulnerabilitycve-2018-20062cve-2019-9082/,"ThinkPHP RCE; Qualys ThreatProtect documented active exploitation by GoLang malware, Mirai botnet, and cryptominers; widely exploited since 2019 disclosure",2021-11-03,2019,False,False
CVE-2019-8394,Zoho,ManageEngine,2019-02-17,2019-02-17,2019-02-17,0,0,medium,,https://www.manageengine.com/products/service-desk/security-updates/cve-2019-8394.html,Zoho ManageEngine ServiceDesk Plus arbitrary file upload,2021-11-03,2019,True,False
CVE-2019-7481,SonicWall,SMA100,2019-12-17,2019-02-22,2019-12-17,0,-298,medium,,https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0007,SonicWall SMA100 SQL injection,2021-11-03,2019,True,True
CVE-2019-6223,Apple,iOS and macOS,2019-03-05,2019-01-29,2019-03-05,0,-35,high,,https://support.apple.com/en-us/HT209520,Apple FaceTime group call eavesdropping zero-day; widely-reported privacy flaw,2021-11-03,2019,True,True
CVE-2019-5591,Fortinet,FortiOS,2020-08-14,2020-08-14,2020-08-14,0,0,medium,,https://www.fortiguard.com/psirt/FG-IR-19-037,Fortinet FortiOS default config LDAP MITM,2021-11-03,2019,True,False
CVE-2019-5544,VMware,VMware ESXi and Horizon DaaS,2019-12-06,2020-10-01,2021-02-02,300,300,high,,https://securityaffairs.com/114124/malware/ransomware-attack-vmware-esxi.html,VMware ESXi OpenSLP heap overflow; RansomExx ransomware gang exploited starting October 2020 to encrypt virtual hard disks; later used in ESXiArgs ransomware campaign Feb 2023,2021-11-03,2019,False,False
CVE-2019-4716,IBM,Planning Analytics,2019-12-18,2019-12-17,2019-12-18,0,-1,low,,https://www.ibm.com/support/pages/security-bulletin,IBM Planning Analytics admin auth bypass,2021-11-03,2019,True,True
CVE-2019-3398,Atlassian,Confluence Data Center,2019-04-18,2019-04-22,2019-04-22,4,4,medium,,https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html,Atlassian Confluence path traversal via download attachments; PoCs and exploitation,2021-11-03,2019,False,False
CVE-2019-3396,Atlassian,Confluence Server and Data Server,2019-03-25,2019-03-25,2019-03-25,0,0,high,,https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html,Atlassian Confluence Widget Connector path traversal; PoCs and exploitation within days,2021-11-03,2019,True,False
CVE-2019-2215,Android,Android Kernel,2019-10-11,2019-08-01,2019-10-03,0,-71,high,,https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html,Android Binder UAF kernel zero-day ('Bad Binder'); Google TAG attributed to NSO Group as part of Pegasus spyware chain targeting Android in late summer 2019; Project Zero Maddie Stone disclosed Oct 3 2019,2021-11-03,2019,True,True
CVE-2019-20085,TVT,NVMS-1000,2019-12-30,2021-11-03,2021-11-03,674,674,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-20085,TVT NVMS-1000 directory traversal; no specific contemporary threat-intel report documenting in-the-wild exploitation found,2021-11-03,2019,False,False
CVE-2019-19781,Citrix,"Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP Appliance",2019-12-27,2020-01-09,2020-01-09,13,13,high,,https://support.citrix.com/article/CTX267027,Citrix ADC/Gateway path traversal RCE; disclosed Dec 17 2019; mass exploitation Jan 9 2020,2021-11-03,2019,False,False
CVE-2019-19356,Netis,WF2419 Devices,2020-02-07,2021-03-01,2021-03-17,388,388,high,,https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/,Netis WF2419 router RCE; Palo Alto Unit 42 documented Mirai botnet variant actively exploiting in March 2021 along with other IoT vulnerabilities,2021-11-03,2019,False,False
CVE-2019-18988,TeamViewer,Desktop,2020-02-07,2021-11-03,2021-11-03,635,635,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-18988,TeamViewer Desktop hardcoded AES key disclosure; no specific contemporary threat-intel report documenting in-the-wild exploitation found,2021-11-03,2019,False,False
CVE-2019-18935,Progress,Telerik UI for ASP.NET AJAX,2019-12-11,2019-12-11,2019-12-11,0,0,high,,https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization,Progress Telerik UI for ASP.NET AJAX insecure deserialization; PoCs immediately,2021-11-03,2019,True,False
CVE-2019-18187,Trend Micro,OfficeScan,2019-10-28,2019-10-29,2019-10-29,1,1,high,,https://success.trendmicro.com/dcx/s/solution/000151730,Trend Micro OfficeScan path traversal zero-day; targeted attacks reported,2021-11-03,2019,False,False
CVE-2019-17558,Apache,Solr,2019-12-30,2019-10-29,2019-10-30,0,-62,high,,https://www.tenable.com/blog/cve-2019-17558-apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability,"Apache Solr VelocityResponseWriter RCE; PoC published as GitHub Gist Oct 29 2019; Tenable documented as zero-day, exploit scripts publicly available; Apache Solr 8.3.1 attempted fix Dec 3 2019 (incomplete), full fix in 8.4",2021-11-03,2019,True,True
CVE-2019-17026,Mozilla,Firefox and Thunderbird,2020-03-02,2020-01-08,2020-01-08,0,-54,high,,https://www.tenable.com/blog/cve-2019-17026-zero-day-vulnerability-in-mozilla-firefox-exploited-in-targeted-attacks,Firefox IonMonkey JIT type confusion zero-day; reported by Qihoo 360; DarkHotel/APT-C-06 chained with CVE-2020-0674 in 'Double Star' campaign targeting Chinese government and Japanese entities; Mozilla patched Jan 8 2020,2021-11-03,2019,True,True
CVE-2019-16759,vBulletin,vBulletin,2019-09-24,2019-09-23,2019-09-24,0,-1,high,,https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-x-x-pre-auth-rce-vulnerability,vBulletin pre-auth RCE zero-day; immediate mass exploitation,2021-11-03,2019,True,True
CVE-2019-1653,Cisco,Small Business RV320 and RV325 Routers,2019-01-24,2019-01-23,2019-01-24,0,-1,medium,,https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info,Cisco Small Business RV320/RV325 info disclosure; companion to 1652,2021-11-03,2019,True,True
CVE-2019-16256,SIMalliance,Toolbox Browser,2019-09-12,2019-09-12,2019-09-12,0,0,high,,https://simjacker.com/,SIMalliance S@T Browser Simjacker SMS spying; AdaptiveMobile reported exploitation,2021-11-03,2019,True,False
CVE-2019-15949,Nagios,Nagios XI,2019-09-05,2021-11-03,2021-11-03,790,790,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-15949,Nagios XI authenticated RCE; Jak Gibb PoC public since Sep 2019; CISA KEV add 2021-11-03; no specific contemporary threat-intel report with attribution found,2021-11-03,2019,False,False
CVE-2019-15752,Docker,Desktop Community Edition,2019-08-28,2019-08-30,2019-08-30,2,2,low,,https://docs.docker.com/desktop/release-notes/,Docker Desktop Community Edition local privilege escalation,2021-11-03,2019,False,False
CVE-2019-1429,Microsoft,Internet Explorer,2019-11-12,2019-11-12,2019-11-12,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1429,Internet Explorer scripting engine memory corruption zero-day; November Patch Tuesday,2021-11-03,2019,True,False
CVE-2019-1367,Microsoft,Internet Explorer,2019-09-23,2019-09-23,2019-09-23,0,0,high,,https://www.tenable.com/blog/microsoft-issues-out-of-band-patch-for-internet-explorer-cve-2019-1367-actively-exploited,Internet Explorer scripting engine memory corruption zero-day; out-of-band fix; Google TAG,2021-11-03,2019,True,False
CVE-2019-13608,Citrix,StoreFront Server,2019-08-29,2019-08-22,2019-08-29,0,-7,low,,https://support.citrix.com/article/CTX256632,Citrix StoreFront Server XXE,2021-11-03,2019,True,True
CVE-2019-1215,Microsoft,Windows,2019-09-11,2019-09-10,2019-09-11,0,-1,high,,https://www.tenable.com/blog/microsofts-september-2019-patch-tuesday-fixes-79-cves-2-actively-exploited,Windows ws2ifsl.sys EoP zero-day; September Patch Tuesday,2021-11-03,2019,True,True
CVE-2019-1214,Microsoft,Windows,2019-09-11,2019-09-10,2019-09-11,0,-1,high,,https://www.tenable.com/blog/microsofts-september-2019-patch-tuesday-fixes-79-cves-2-actively-exploited,Windows CLFS driver EoP zero-day; September Patch Tuesday,2021-11-03,2019,True,True
CVE-2019-11634,Citrix,Workspace Application and Receiver for Windows,2019-05-22,2019-07-12,2019-07-12,51,51,low,,https://support.citrix.com/article/CTX251986,Citrix Workspace Application/Receiver local file write RCE,2021-11-03,2019,False,False
CVE-2019-11580,Atlassian,Crowd and Crowd Data Center,2019-06-03,2021-11-03,2021-11-03,884,884,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11580,Atlassian Crowd pdkinstall RCE; disclosed May 2019; Metasploit module and public exploits; CISA KEV lists as known to be used in ransomware campaigns but no specific contemporary threat-intel report with attribution found,2021-11-03,2019,False,False
CVE-2019-11539,Ivanti,Pulse Connect Secure and Pulse Policy Secure,2019-04-26,2019-08-25,2019-08-25,121,121,medium,,https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/,Pulse Connect Secure command injection; companion to 11510,2021-11-03,2019,False,False
CVE-2019-11510,Ivanti,Pulse Connect Secure,2019-05-08,2019-08-21,2019-08-21,105,105,high,,https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware,"Pulse Connect Secure arbitrary file disclosure; PoC public Aug 21; mass exploitation, REvil/Sodinokibi",2021-11-03,2019,False,False
CVE-2019-0863,Microsoft,Windows,2019-05-16,2019-05-14,2019-05-16,0,-2,high,,https://www.tenable.com/blog/microsoft-may-2019-patch-tuesday-fixes-79-cves-including-zero-day,Windows Error Reporting EoP zero-day; May Patch Tuesday; CrowdStrike reported active exploitation,2021-11-03,2019,True,True
CVE-2019-0859,Microsoft,Win32k,2019-04-09,2019-04-09,2019-04-09,0,0,high,,https://www.tenable.com/blog/microsoft-april-2019-patch-tuesday-fixes-74-cves-including-zero-day-cve-2019-0859,Windows Win32k EoP zero-day; April Patch Tuesday; Kaspersky reported active exploitation,2021-11-03,2019,True,False
CVE-2019-0808,Microsoft,Win32k,2019-04-09,2019-03-12,2019-03-12,0,-28,high,,https://www.helpnetsecurity.com/2019/03/13/march-2019-patch-tuesday/,Windows Win32k EoP; chained with Chrome zero-day CVE-2019-5786; reported by Google TAG (Clement Lecigne); used by APT in March 2019,2021-11-03,2019,True,True
CVE-2019-0803,Microsoft,Win32k,2019-04-09,2019-04-09,2019-04-09,0,0,high,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0803,Windows Win32k EoP; April Patch Tuesday,2021-11-03,2019,True,False
CVE-2019-0797,Microsoft,Win32k,2019-04-09,2019-03-12,2019-04-09,0,-28,high,,https://www.tenable.com/blog/microsoft-march-2019-patch-tuesday-fixes-64-cves-two-zero-day-vulnerabilities-actively,Windows Win32k EoP zero-day; FruityArmor and SandCat APT exploitation,2021-11-03,2019,True,True
CVE-2019-0708,Microsoft,Remote Desktop Services,2019-05-16,2019-05-14,2019-05-16,0,-2,medium,,https://www.tenable.com/blog/cve-2019-0708-bluekeep-critical-remote-code-execution-vulnerability-in-microsoft-rdp,Microsoft Windows BlueKeep RDS RCE; May Patch Tuesday; wormable; CISA-confirmed exploitation evidence,2021-11-03,2019,True,True
CVE-2019-0604,Microsoft,SharePoint,2019-03-06,2019-04-26,2019-04-26,51,51,high,,https://www.tenable.com/blog/cve-2019-0604-microsoft-sharepoint-remote-code-execution-vulnerability-being-actively-exploited,Microsoft SharePoint deserialization RCE; mass exploitation reported by Saudi NCSC in late April,2021-11-03,2019,False,False
CVE-2019-0541,Microsoft,MSHTML,2019-01-08,2019-01-08,2019-01-08,0,0,medium,,https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0541,Microsoft MSHTML improper input validation RCE,2021-11-03,2019,True,False
CVE-2019-0211,Apache,HTTP Server,2019-04-08,2021-11-03,2021-11-03,940,940,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0211,Apache HTTP Server 'CARPE DIEM' local privilege escalation; disclosed Apr 1 2019; public PoC by Charles Fol Apr 9; eweek noted limited public detection of active attacks at the time; CISA KEV catalog the documented evidence,2021-11-03,2019,False,False
CVE-2018-8653,Microsoft,Internet Explorer,2018-12-20,2018-12-01,2018-12-19,0,-19,high,,https://krebsonsecurity.com/2018/12/microsoft-issues-emergency-fix-for-ie-zero-day/,IE Scripting Engine RCE zero-day; reported by Google TAG to Microsoft after observation in targeted attacks in the wild; Microsoft issued emergency out-of-band patch December 19 2018,2021-11-03,2018,True,True
CVE-2018-7600,Drupal,Drupal Core,2018-03-29,2018-04-13,2018-04-13,15,15,high,,https://unit42.paloaltonetworks.com/unit42-exploit-wild-drupalgeddon2-analysis-cve-2018-7600/,"Drupal core RCE (Drupalgeddon 2); PoC released April 12 2018, immediately weaponized in the wild for cryptomining and webshell deployment; Palo Alto Unit 42 documented exploit in wild",2021-11-03,2018,False,False
CVE-2018-6789,Exim,Exim,2018-02-08,2021-11-03,2021-11-03,1364,1364,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6789,Exim SMTP base64 buffer overflow RCE; DEVCORE PoC published March 2018; CISA KEV notes ransomware use but no specific contemporary threat-intel report documenting in-wild exploitation found,2021-11-03,2018,False,False
CVE-2018-4939,Adobe,ColdFusion,2018-05-19,2018-04-01,2021-10-20,0,-48,high,,https://www.bleepingcomputer.com/news/security/critical-code-execution-vulnerability-fixed-in-adobe-coldfusion/,Adobe ColdFusion deserialization RCE; NSA listed CVE-2018-4939 among top 25 vulnerabilities exploited by China-backed/financially-motivated state hackers; Bleeping Computer March 2021 report,2021-11-03,2018,True,True
CVE-2018-4878,Adobe,Flash Player,2018-02-06,2017-11-01,2018-01-31,0,-97,high,,https://cloud.google.com/blog/topics/threat-intelligence/attacks-leveraging-adobe-zero-day-cve-2018-4878-threat-attribution-attack-scenario-and-recommendations,Adobe Flash use-after-free RCE; KISA disclosed Jan 31 2018; FireEye attributed exploitation to TEMP.Reaper/APT37 (North Korea) targeting South Korean entities with DOGCALL malware; attacks observed since mid-November 2017,2021-11-03,2018,True,True
CVE-2018-2380,SAP,Customer Relationship Management (CRM),2018-03-01,2021-11-03,2021-11-03,1343,1343,low,Yes,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2380,SAP CRM insufficient validation - SAP web shells drop; Onapsis/SAP joint April 2021 paper listed as actively exploited but no specific contemporary report; CISA KEV is documented evidence,2021-11-03,2018,False,False
CVE-2018-20062,ThinkPHP,noneCms,2018-12-11,2018-12-15,2018-12-20,4,4,high,,https://www.tenable.com/blog/thinkphp-remote-code-execution-vulnerability-used-to-deploy-variety-of-malware-cve-2018-20062,"ThinkPHP framework RCE; patched Dec 9 2018; PoC ExploitDB Dec 11; Trend Micro reported Miori IoT botnet exploitation Dec 20 2018; later IZ1H9, APEP, Hakai, Yowai, Lucifer malware also exploited",2021-11-03,2018,False,False
CVE-2018-18325,DotNetNuke (DNN),DotNetNuke (DNN),2019-07-03,2021-11-03,2021-11-03,854,854,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-18325,DotNetNuke cookie deserialization (bypass of CVE-2018-15811 patch); Metasploit module released; no specific contemporary in-wild attribution found; CISA KEV is only documented evidence,2021-11-03,2018,False,False
CVE-2018-15961,Adobe,ColdFusion,2018-09-25,2018-09-25,2018-11-08,0,0,high,,https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/,Adobe ColdFusion unrestricted file upload RCE; Volexity observed Chinese APT group uploading China Chopper webshell ~2 weeks after Sep 11 2018 patch; Adobe elevated to Priority 1 Sep 28 2018,2021-11-03,2018,True,False
CVE-2018-15811,DotNetNuke (DNN),DotNetNuke (DNN),2019-07-03,2021-11-03,2021-11-03,854,854,low,,https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15811,DotNetNuke weak encryption (cookie deserialization chain); Metasploit module released; no specific contemporary threat-intel report documenting in-wild exploitation found; CISA KEV is only documented evidence,2021-11-03,2018,False,False
CVE-2018-14558,Tenda,"AC7, AC9, and AC10 Routers",2018-10-30,2019-11-01,2020-10-05,367,367,high,,https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/,Tenda router command injection; 360Netlab reported Ttint Mirai-variant botnet exploiting since at least November 2019; disclosed July 2020; published Oct 2020,2021-11-03,2018,False,False
CVE-2018-13379,Fortinet,FortiOS,2019-06-04,2019-08-22,2019-08-22,79,79,high,,https://www.tenable.com/blog/cve-2018-13379-cve-2019-11510-fortigate-and-pulse-connect-secure-vulnerabilities-exploited-in,Fortinet FortiOS SSL VPN path traversal; Kevin Beaumont and Bad_Packets observed mass exploitation August 22 2019; later FBI/CISA AA21-092A confirmed APT actors actively exploiting,2021-11-03,2018,False,False
CVE-2018-11776,Apache,Struts,2018-08-22,2018-08-27,2018-08-27,5,5,high,,https://www.volexity.com/blog/2018/08/27/active-exploitation-of-new-apache-struts-vulnerability-cve-2018-11776-deploys-cryptocurrency-miner/,Apache Struts 2 OGNL expression injection RCE; Volexity observed active exploitation August 27 2018 deploying CNRig cryptocurrency miner; 5 days after Apache patch,2021-11-03,2018,False,False
CVE-2018-0802,Microsoft,Office,2018-01-10,2018-01-03,2018-01-09,0,-7,high,,https://unit42.paloaltonetworks.com/unit42-traps-prevents-microsoft-office-equation-editor-zero-day-cve-2017-11882/,"Microsoft Office Equation Editor RCE; Palo Alto Networks Unit 42 first observed exploitation sample on January 3 2018, prior to Microsoft's Jan 9 2018 patch",2021-11-03,2018,True,True
CVE-2018-0798,Microsoft,Office,2018-01-10,2018-10-23,2019-05-10,286,286,high,,https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018,"Microsoft Office Equation Editor RCE; Anomali documented earliest ITW exploitation October 23 2018; used by multiple Chinese APT groups (Conimes, KeyBoy, etc); Anomali blog May 2019",2021-11-03,2018,False,False
CVE-2018-0296,Cisco,Adaptive Security Appliance (ASA),2018-06-07,2018-06-22,2018-06-22,15,15,high,Yes,https://blogs.cisco.com/security/cve-2018-0296,Cisco ASA Web Services DoS; Cisco PSIRT blog June 22 2018 explicitly announced public exploitation observed,2021-11-03,2018,False,False
CVE-2018-0171,Cisco,IOS and IOS XE,2018-03-28,2021-11-01,2021-11-03,1314,1314,medium,,https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20180328-smi2.html,Cisco IOS Smart Install RCE; Cisco PSIRT advisory states they became aware of attempted exploitation in November 2021,2021-11-03,2018,False,False