Home
ATT&CK Techniques
T1190 Exploit Public-Facing Application

T1190 Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve Exploitation for Stealth or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API), exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
Action.Hacking.Variety.Soap array abuse	Soap array abuse. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.Path traversal	Path traversal. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.Reverse engineering	Reverse engineering. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.RFI	Remote file inclusion. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.Special element injection	Special element injection. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.SSI injection	SSI injection. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.URL redirector abuse	URL redirector abuse. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.XQuery injection	XQuery injection. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
Action.Hacking.Variety.XSS	Cross-site scripting. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application
action.hacking.variety.Exploit misconfig	Exploit a misconfiguration (vs vuln or weakness)	related-to	T1190	Exploit Public-Facing Application
action.hacking.variety.SQLi	SQL injection. Child of 'Exploit vuln'.	related-to	T1190	Exploit Public-Facing Application