The Known Exploited Vulnerabilities (KEV) Catalog is an authoritative source of vulnerabilities exploited in the wild maintained by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Vulnerabilities in the KEV Catalog are contained in the Common Vulnerabilities and Exposures (CVE®) List, which identifies and defines publicly known cybersecurity vulnerabilities. These mappings use the behaviors described in MITRE ATT&CK® to connect known exploited CVEs to publicly reported methods and impacts of adversary exploitation. Mapped ATT&CK techniques enable defenders to take a threat-informed approach to vulnerability management. With knowledge of mapped adversary behaviors, defenders will better understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls.
ATT&CK Versions: 15.1 ATT&CK Domain: Enterprise, Mobile
CVE Mapping Methodology | CISA Known Exploited Vulnerabilities Catalog
This is a very large mapping. To reduce the size, we have only downloaded the first 500 of 806 mappings. Load all data (2.0 MB)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2023-40044 | Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability | secondary_impact | T1202 | Indirect Command Execution |
Comments
Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.
References
|
| CVE-2023-40044 | Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability | primary_impact | T1071.002 | File Transfer Protocols |
Comments
Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.
References
|
| CVE-2022-36804 | Atlassian Bitbucket Server and Data Center Command Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability allows remote attackers with read permissions to a public or private Bitbucket repositories to execute arbitrary code by sending a malicious HTTP request.
References
|
| CVE-2021-26085 | Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This vulnerability allows viewing of restricted resources via a pre-authorization arbitrary file read vulnerability.
References
|
| CVE-2015-3043 | Adobe Flash Player Memory Corruption Vulnerability | primary_impact | T1499.004 | Application or System Exploitation |
Comments
This vulnerability is exploited by a maliciously-crafted .swf file which can be run on a user system.
References
|
| CVE-2015-3043 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by a maliciously-crafted .swf file which can be run on a user system.
References
|
| CVE-2023-26369 | Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited through a user opening a malicious PDF file.
References
|
| CVE-2014-0546 | Adobe Acrobat and Reader Sandbox Bypass Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This vulnerability allows bypassing sandbox protection and run native code.
References
|
| CVE-2010-2883 | Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability | secondary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited by the user opening a malicious pdf file to achieve arbitrary code execution.
References
|
| CVE-2010-2883 | Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability | primary_impact | T1027 | Obfuscated Files or Information |
Comments
This vulnerability is exploited by the user opening a malicious pdf file to achieve arbitrary code execution.
References
|
| CVE-2023-21608 | Adobe Acrobat and Reader Use-After-Free Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by having a user open a maliciously-crafted pdf file, which can result in arbitrary code execution.
References
|
| CVE-2023-26359 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is utilized by exploiting a public-facing server.
References
|
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This is an exploitation of a public-facing server due to password misconfiguration. Exploitation allows attackers to access restricted directories
References
|
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | primary_impact | T1202 | Indirect Command Execution |
Comments
This is an exploitation of a public-facing server due to password misconfiguration. Exploitation allows attackers to access restricted directories
References
|
| CVE-2022-24086 | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | secondary_impact | T1213 | Data from Information Repositories |
Comments
This vulnerability can be exploited via a public-facing e-commerce application in order to achieve remote code execution. To evade detection, the exploit segment responsible for downloading and executing the remote malicious PHP code is obfuscated.
References
|
| CVE-2022-24086 | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | primary_impact | T1027 | Obfuscated Files or Information |
Comments
This vulnerability can be exploited via a public-facing e-commerce application in order to achieve remote code execution. To evade detection, the exploit segment responsible for downloading and executing the remote malicious PHP code is obfuscated.
References
|
| CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2014-7169 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2014-7169 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | primary_impact | T1059.004 | Unix Shell |
Comments
CVE-2014-7169 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2014-6271 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2014-6271 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | primary_impact | T1059.004 | Unix Shell |
Comments
CVE-2014-6271 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2021-21206 | Google Chromium Blink Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink rendering engine of the Chromium Browser that allows for execution of arbitrary code.
References
|
| CVE-2021-21206 | Google Chromium Blink Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink rendering engine of the Chromium Browser that allows for execution of arbitrary code.
References
|
| CVE-2021-30554 | Google Chromium WebGL Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-30554 allows an adversary to use JavaScript to exploit WebGL component of the Chromium browser that allows for execution of arbitrary code.
References
|
| CVE-2021-30554 | Google Chromium WebGL Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-30554 allows an adversary to use JavaScript to exploit WebGL component of the Chromium browser that allows for execution of arbitrary code.
References
|
| CVE-2021-37975 | Google Chromium V8 Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-37975 | Google Chromium V8 Use-After-Free Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-21148 | Google Chromium V8 Heap Buffer Overflow Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-21148 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-21148 | Google Chromium V8 Heap Buffer Overflow Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-21148 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-21166 | Google Chromium Race Condition Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium browser via the audio object using a race condition to write into the heap.
References
|
| CVE-2021-21166 | Google Chromium Race Condition Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium browser via the audio object using a race condition to write into the heap.
References
|
| CVE-2024-38080 | Microsoft Windows Hyper-V Privilege Escalation Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This zero-day vulnerability presents itself after an adversary has already infiltrated the victim's network and enables the adversary to obtain SYSTEM level privileges via Microsoft Windows Hyper-V product. As of now, details of how the attacker's methods to exploit this vulnerability are undisclosed.
References
|
| CVE-2022-47966 | Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability | primary_impact | T1136.001 | Local Account |
Comments
CVE-2022-47966 is a remote code execution vulnerability that affects many ManageEngine products due to misconfiguration of security features. Adversaries can utilized this vulnerability to run arbitrary java. APTs have been observed exploiting this vulnerability to gain access, to public-facing applications, establish persistence, and move laterally.
They've also been observed to create local user accounts with administrative privileges, use valid but disabled user accounts, delete logs, establish command and control communications, ... **the list goes on and on due to fantastic, detailed reporting**
References
|
| CVE-2022-47966 | Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
CVE-2022-47966 is a remote code execution vulnerability that affects many ManageEngine products due to misconfiguration of security features. Adversaries can utilized this vulnerability to run arbitrary java. APTs have been observed exploiting this vulnerability to gain access, to public-facing applications, establish persistence, and move laterally.
They've also been observed to create local user accounts with administrative privileges, use valid but disabled user accounts, delete logs, establish command and control communications, ... **the list goes on and on due to fantastic, detailed reporting**
References
|
| CVE-2021-29256 | Arm Mali GPU Kernel Driver Use-After-Free Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.
References
|
| CVE-2021-29256 | Arm Mali GPU Kernel Driver Use-After-Free Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.
References
|
| CVE-2024-5274 | Google Chromium V8 Type Confusion Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by the hosting of malicious content on a website. Adversaries use this to deliver an information-stealing payload within Chrome.
References
|
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | primary_impact | T1114 | Email Collection |
Comments
CVE-2020-0688 is a remote code execution vulnerability exists in Microsoft Exchange Server. CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. Also, Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)—CVE-2020-0688 and CVE-2020-17144—to escalate privileges and gain remote code execution (RCE) on the exposed applications.
References
|
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2020-0688 is a RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | secondary_impact | T1133 | External Remote Services |
Comments
CVE-2020-1472 is a privilege escalation vulnerability in Windows Netlogon. After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.
References
|
| CVE-2021-21972 | VMware vCenter Server Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-21972 is a RCE vulnerability affecting VMware vCenter servers. An attacker with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
References
|
| CVE-2021-21972 | VMware vCenter Server Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-21972 is a RCE vulnerability affecting VMware vCenter servers. An attacker with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
References
|
| CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-26858, part of Proxy Logon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
References
|
| CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-26858, part of Proxy Logon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
References
|
| CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-26858, part of Proxy Logon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
References
|
| CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-26858, part of Proxy Logon, is a post-authentication arbitrary file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
References
|
| CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-26857, part of Proxy Logon, is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
References
|
| CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1133 | External Remote Services |
Comments
CVE-2021-26857, part of Proxy Logon, is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
References
|
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
References
|
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
References
|
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | primary_impact | T1090 | Proxy |
Comments
CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
References
|
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
References
|
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
CVE-2021-34473 is a part of the ProxyShell vulnerabilities in Microsoft Exchange and CVE-2021-34473 is a code execution vulnerability that requires no user action or privileges to exploit.
References
|
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
CVE-2021-34473 is a part of the ProxyShell vulnerabilities in Microsoft Exchange and CVE-2021-34473 is a code execution vulnerability that requires no user action or privileges to exploit.
References
|
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1136 | Create Account |
Comments
CVE-2021-34473 is a part of the ProxyShell vulnerabilities in Microsoft Exchange and CVE-2021-34473 is a code execution vulnerability that requires no user action or privileges to exploit.
References
|
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | primary_impact | T1053.005 | Scheduled Task |
Comments
CVE-2021-34473 is a part of the ProxyShell vulnerabilities in Microsoft Exchange and CVE-2021-34473 is a code execution vulnerability that requires no user action or privileges to exploit.
References
|
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This is a remote code execution vulnerability that is often chained with CVE-2021-34523, a privilege escalation vulnerability.
References
|
| CVE-2021-34523 | Microsoft Exchange Server Privilege Escalation Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This privilege escalation vulnerability can be exploited by sending a specially crafted HTTP request to the exchange server, is it often chained together with CVE-2021-34473, a remote code execution vulnerability.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1573.001 | Symmetric Cryptography |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1560.001 | Archive via Utility |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1070.004 | File Deletion |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1047 | Windows Management Instrumentation |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1003.003 | NTDS |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1136 | Create Account |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1218 | System Binary Proxy Execution |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1003 | OS Credential Dumping |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1140 | Deobfuscate/Decode Files or Information |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1027 | Obfuscated Files or Information |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-40539 is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.
References
|
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.
References
|
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.
References
|
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.
References
|
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This remote code execution vulnerability is exploited through maliciously-crafted requests to a web application.
References
|
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | secondary_impact | T1505.003 | Web Shell |
Comments
CVE-2020-0688 is a RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.
References
|
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | primary_impact | T1110 | Brute Force |
Comments
CVE-2020-0688 is a RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | primary_impact | T1021 | Remote Services |
Comments
CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | exploitation_technique | T1110 | Brute Force |
Comments
CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.
References
|
| CVE-2020-0787 | Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-0787 is a privilege elevation vulnerability in the Windows Background Intelligent Transfer Service (BITS). An actor can exploit this vulnerability if it improperly handles symbolic links to execute arbitrary code with system-level privileges.
References
|
| CVE-2020-0787 | Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability | exploitation_technique | T1068 | Exploitation for Privilege Escalation |
Comments
CVE-2020-0787 is a privilege elevation vulnerability in the Windows Background Intelligent Transfer Service (BITS). An actor can exploit this vulnerability if it improperly handles symbolic links to execute arbitrary code with system-level privileges.
References
|
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | primary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
|
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | primary_impact | T1608.001 | Upload Malware |
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
|
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping |
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
|
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
|
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
|
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.
References
|
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1496 | Resource Hijacking |
Comments
CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.
References
|
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.
References
|
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.
References
|
| CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-0688 exists in Microsoft Office, which is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code if unpatched, in the context of the current user, by failing to properly handle objects in memory. Cyber actors continued to exploit this vulnerability in Microsoft Office. The vulnerability is ideal for phasing campaigns, and it enables RCE on vulnerable systems.
References
|
| CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | exploitation_technique | T1566.001 | Spearphishing Attachment |
Comments
CVE-2020-0688 exists in Microsoft Office, which is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code if unpatched, in the context of the current user, by failing to properly handle objects in memory. Cyber actors continued to exploit this vulnerability in Microsoft Office. The vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.
References
|
| CVE-2020-15505 | Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector that allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.
Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.
References
|
| CVE-2020-15505 | Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector that allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.
Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping |
Comments
CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1562.001 | Disable or Modify Tools |
Comments
CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1070.004 | File Deletion |
Comments
CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” - CISA Advisory
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)
References
|
| CVE-2019-11510 | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability | secondary_impact | T1083 | File and Directory Discovery |
Comments
CVE 2019-11510 Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
References
|
| CVE-2019-11510 | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability | secondary_impact | T1552.001 | Credentials In Files |
Comments
CVE 2019-11510 Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
References
|
| CVE-2019-11510 | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE 2019-11510 Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
References
|
| CVE-2019-11510 | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE 2019-11510 Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
References
|
| CVE-2019-19781 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability | secondary_impact | T1083 | File and Directory Discovery |
Comments
CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix Netscaler Application Delivery Control (ADC).
References
|
| CVE-2019-19781 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix Netscaler Application Delivery Control (ADC).
References
|
| CVE-2019-19781 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix Netscaler Application Delivery Control (ADC).
References
|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1505.003 | Web Shell |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2018-13379 | Fortinet FortiOS SSL VPN Path Traversal Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This is a path traversal vulnerability that allows adversary to download system files through specially-crafted HTTP requests.
References
|
| CVE-2022-1388 | F5 BIG-IP Missing Authentication Vulnerability | exploitation_technique | T1548 | Abuse Elevation Control Mechanism |
Comments
This CVE is an authentication bypass vulnerability. Unauthenticated users with network access can execute arbitrary commands.
References
|
| CVE-2015-0313 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This use-after-free vulnerability is exploited in-the-wild by drive-by-download.
References
|
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability | primary_impact | T1565 | Data Manipulation |
Comments
This vulnerability is exploited via authentication bypass, allowing the adversary to write to files.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | secondary_impact | T1071.001 | Web Protocols |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | secondary_impact | T1055.001 | Dynamic-link Library Injection |
Comments
This vulnerability has been exploited in the wild by multiple different threat actors. Threat groups send phishing emails with URLs where maliciously-crafted javascript is hosted. This CVE has many mappable exploitation techniques and impacts.
These adversaries using this exploit to deliver malicious payloads to the target machines establish DLL backdoors.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability has been exploited in the wild by multiple different threat actors. Threat groups send phishing emails with URLs where maliciously-crafted javascript is hosted. This CVE has many mappable exploitation techniques and impacts.
These adversaries using this exploit to deliver malicious payloads to the target machines establish DLL backdoors.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1566.002 | Spearphishing Link |
Comments
To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.
References
|
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability | exploitation_technique | T1548.002 | Bypass User Account Control |
Comments
This vulnerability is exploited via authentication bypass, allowing the adversary to write to files.
References
|
| CVE-2022-22954 | VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
This vulnerability is exploited via server-side template injection to achieve remote code execution. This access is then used to establish backdoors. Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate privileges to root.
References
|
| CVE-2022-22960 | VMware Multiple Products Privilege Escalation Vulnerability | exploitation_technique | T1222 | File and Directory Permissions Modification |
Comments
This vulnerability allows adversaries with local access to escalate privileges to root. Adversaries have been observed chaining this following exploit of CVE-2022-22954.
References
|
| CVE-2024-5274 | Google Chromium V8 Type Confusion Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited by the hosting of malicious content on a website. Adversaries use this to deliver an information-stealing payload within Chrome.
References
|
| CVE-2022-22954 | VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability | exploitation_technique | T1221 | Template Injection |
Comments
This vulnerability is exploited via server-side template injection to achieve remote code execution. This access is then used to establish backdoors. Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate privileges to root.
References
|
| CVE-2012-0767 | Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1114.002 | Remote Email Collection |
Comments
This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker
can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.
References
|
| CVE-2012-0767 | Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1098 | Account Manipulation |
Comments
This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker
can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.
References
|
| CVE-2012-0767 | Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability | primary_impact | T1185 | Browser Session Hijacking |
Comments
This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker
can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.
References
|
| CVE-2019-1653 | Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1071.001 | Web Protocols |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1046 | Network Service Discovery |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1003.001 | LSASS Memory |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1036.005 | Match Legitimate Name or Location |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1484.001 | Group Policy Modification |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1505.003 | Web Shell |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1059.007 | JavaScript |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2016-4437 | Apache Shiro Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2016-4437 is a code execution vulnerability in Apache Shiro that allows remote attackers to execute code or bypass access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
References
|
| CVE-2016-4437 | Apache Shiro Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2016-4437 is a code execution vulnerability in Apache Shiro that allows remote attackers to execute code or bypass access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
References
|
| CVE-2021-42013 | Apache HTTP Server Path Traversal Vulnerability | exploitation_technique | T1210 | Exploitation of Remote Services |
Comments
CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50. CVE-2021-42013 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
References
|
| CVE-2021-42013 | Apache HTTP Server Path Traversal Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50. CVE-2021-42013 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
References
|
| CVE-2021-41773 | Apache HTTP Server Path Traversal Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
References
|
| CVE-2021-41773 | Apache HTTP Server Path Traversal Vulnerability | exploitation_technique | T1210 | Exploitation of Remote Services |
Comments
CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
References
|
| CVE-2020-0069 | Mediatek Multiple Chipsets Insufficient Input Validation Vulnerability | exploitation_technique | T1068 | Exploitation for Privilege Escalation |
Comments
CVE-2020-0069 is an insufficient input validation vulnerability in multiple MediaTek chipsets that, combined with missing SELinux restrictions in the Command Queue drivers' ioctl handlers, allows an adversary to perform an out-of-bounds write leading to privilege escalation.
References
|
| CVE-2020-5735 | Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest cameras and NVR that allows an authenticated remote attacker to possibly execute unauthorized code over port 37777 and crash the device.
References
|
| CVE-2020-5735 | Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability | secondary_impact | T1499 | Endpoint Denial of Service |
Comments
CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest cameras and NVR that allows an authenticated remote attacker to possibly execute unauthorized code over port 37777 and crash the device.
References
|
| CVE-2019-1653 | Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability | secondary_impact | T1007 | System Service Discovery |
Comments
CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
References
|
| CVE-2019-1653 | Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability | primary_impact | T1082 | System Information Discovery |
Comments
CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
References
|
| CVE-2019-1653 | Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-1653 is a critical information disclosure vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability allows unauthenticated, remote attackers to access sensitive information from affected devices.
References
|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited because of password misconfiguration.
References
|
| CVE-2013-0632 | Adobe ColdFusion Authentication Bypass Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by logging in with an empty password on a misconfigured system.
References
|
| CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | primary_impact | T1486 | Data Encrypted for Impact |
Comments
This vulnerability is exploited through an XML injection or XML external entity injection. In-the-wild reporting indicates adversaries have used this exploit to establish a web shell on a victim machine.
This adversary took actions to cover their tracks, establish persistence, exfiltrate Registry data, escalated privileges, moved laterally, disabled security software, installed and ran ransomware.
References
|
| CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited through an XML injection or XML external entity injection. In-the-wild reporting indicates adversaries have used this exploit to establish a web shell on a victim machine.
This adversary took actions to cover their tracks, establish persistence, exfiltrate Registry data, escalated privileges, moved laterally, disabled security software, installed and ran ransomware.
References
|
| CVE-2012-0767 | Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This cross-site scripting vulnerability has been exploited in the wild by enticing a user to click on a link to a malicious website. The attacker
can then impersonate the user and perform actions such as changing the user's settings on the website or accessing the user's webmail.
References
|
| CVE-2016-1019 | Adobe Flash Player Arbitrary Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
This vulnerability is exploited by taking advantage of a flaw of Adobe Flash embedded within browsers. In the wild, threat actors have been seen using a browser-based exploit kit to initiate a drive-by compromise of the exploit. After exploit, adversaries can install their own malware or specifically ransomware.
References
|
| CVE-2016-1019 | Adobe Flash Player Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by taking advantage of a flaw of Adobe Flash embedded within browsers. In the wild, threat actors have been seen using a browser-based exploit kit to initiate a drive-by compromise of the exploit. After exploit, adversaries can install their own malware or specifically ransomware.
References
|
| CVE-2016-1019 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited by taking advantage of a flaw of Adobe Flash embedded within browsers. In the wild, threat actors have been seen using a browser-based exploit kit to initiate a drive-by compromise of the exploit. After exploit, adversaries can install their own malware or specifically ransomware.
References
|
| CVE-2021-29256 | Arm Mali GPU Kernel Driver Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.
References
|
| CVE-2024-38080 | Microsoft Windows Hyper-V Privilege Escalation Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This zero-day vulnerability presents itself after an adversary has already infiltrated the victim's network and enables the adversary to obtain SYSTEM level privileges via Microsoft Windows Hyper-V product. As of now, details of how the attacker's methods to exploit this vulnerability are undisclosed.
References
|
| CVE-2022-47966 | Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2022-47966 is a remote code execution vulnerability that affects many ManageEngine products due to misconfiguration of security features. Adversaries can utilized this vulnerability to run arbitrary java. APTs have been observed exploiting this vulnerability to gain access, to public-facing applications, establish persistence, and move laterally.
They've also been observed to create local user accounts with administrative privileges, use valid but disabled user accounts, delete logs, establish command and control communications, ... **the list goes on and on due to fantastic, detailed reporting**
References
|
| CVE-2018-11776 | Apache Struts Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2018-11776 is a remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers when alwaysSelectFullNamespace is true and then results are used with no namespace. Volexity also reports active scanning and attempts to exploit CVE-2018-11776 in order to deploy cryptocurrency miners.
References
|
| CVE-2018-11776 | Apache Struts Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2018-11776 is a remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers when alwaysSelectFullNamespace is true and then results are used with no namespace.
References
|
| CVE-2018-11776 | Apache Struts Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2018-11776 is a remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers when alwaysSelectFullNamespace is true and then results are used with no namespace.
References
|
| CVE-2017-5638 | Apache Struts Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
References
|
| CVE-2017-5638 | Apache Struts Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
References
|
| CVE-2017-5638 | Apache Struts Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
References
|
| CVE-2020-17530 | Apache Struts Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-17530 is a remote code execution vulnerability in Apache Struts versions 2.0.0 - 2.5.25 allows an attacker to execute code via forced Object Graph Navigational Language (OGNL).
References
|
| CVE-2020-17530 | Apache Struts Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2020-17530 is a remote code execution vulnerability in Apache Struts versions 2.0.0 - 2.5.25 allows an attacker to execute arbitrary code via forced Object Graph Navigational Language (OGNL) evaluation on raw user input in tag attributes.
References
|
| CVE-2019-17558 | Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2019-17558 is a vulnerability in Apache Solr that allows for Remote Code Execution (RCE) through the VelocityResponseWriter.
References
|
| CVE-2019-17558 | Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2019-17558 is a vulnerability in Apache Solr that allows for Remote Code Execution (RCE) through the VelocityResponseWriter.
References
|
| CVE-2019-0211 | Apache HTTP Server Privilege Escalation Vulnerability | exploitation_technique | T1068 | Exploitation for Privilege Escalation |
Comments
CVE-2019-0211 is a privilege escalation vulnerability in Apache HTTP Server with MPM event, worker, or prefork that allows an attacker to execute code with the privileges of that parent process (usually root).
References
|
| CVE-2017-9805 | Apache Struts Deserialization of Untrusted Data Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.
References
|
| CVE-2017-9805 | Apache Struts Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.
References
|
| CVE-2021-27104 | Accellion FTA OS Command Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.
References
|
| CVE-2021-27104 | Accellion FTA OS Command Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.
References
|
| CVE-2021-27101 | Accellion FTA SQL Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.
References
|
| CVE-2021-27103 | Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance in Accellion that allows an adversary to manipulate server requests via a crafted POST request.
References
|
| CVE-2021-27102 | Accellion FTA OS Command Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.
References
|
| CVE-2021-27102 | Accellion FTA OS Command Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.
References
|
| CVE-2021-27103 | Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance in Accellion that allows an adversary to manipulate server requests via a crafted POST request.
References
|
| CVE-2021-27102 | Accellion FTA OS Command Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.
References
|
| CVE-2021-27101 | Accellion FTA SQL Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.
References
|
| CVE-2021-27104 | Accellion FTA OS Command Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.
References
|
| CVE-2018-4990 | Adobe Acrobat and Reader Double Free Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
This vulnerability is exploited via embedded javascript within a user-executed malicious pdf. There are two mapped exploitation_technqiues for this CVE.
References
|
| CVE-2018-4990 | Adobe Acrobat and Reader Double Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited via embedded javascript within a user-executed malicious pdf. There are two mapped exploitation_technqiues for this CVE.
References
|
| CVE-2007-5659 | Adobe Acrobat and Reader Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited via a malicious PDF file in order to execute arbitrary code.
References
|
| CVE-2018-4878 | Adobe Flash Player Use-After-Free Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file.
The observed goals of this exploit from Group 123 are remote access and data exfiltration.
References
|
| CVE-2018-4878 | Adobe Flash Player Use-After-Free Vulnerability | primary_impact | T1219 | Remote Access Software |
Comments
The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file.
The observed goals of this exploit from Group 123 are remote access and data exfiltration.
Installation of the remote access software could allow for a number of different secondary impacts. See the MITRE ATT&CK reference on the DOGCALL software for more information.
References
|
| CVE-2018-4878 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file.
The observed goals of this exploit from Group 123 are remote access and data exfiltration.
References
|
| CVE-2018-15961 | Adobe ColdFusion Unrestricted File Upload Vulnerability | primary_impact | T1491.002 | External Defacement |
Comments
In the wild, this CVE was seen to result in defacement.
References
|
| CVE-2018-15961 | Adobe ColdFusion Unrestricted File Upload Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by uploading a file to a public-facing ColdFusion server.
References
|
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1190 | Exploit Public-Facing Application |
Comments
As referenced in the attached report, T1190 is a known impact of this exploit.
References
|
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1133 | External Remote Services |
Comments
As referenced in the attached report, T1133 is a known impact of this exploit.
References
|
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This deserialization vulnerability allows adversaries to insert their own objects into client software for potential execution.
References
|
| CVE-2021-28550 | Adobe Acrobat and Reader Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This exploit requires a user to open a malicious file. It can then result in execution of arbitrary code which could have any number of impacts.
References
|
| CVE-2021-21017 | Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This exploit requires a user to open a malicious file. It can then result in execution of arbitrary code which could have any number of impacts.
References
|
| CVE-2021-33739 | Microsoft Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability | exploitation_technique | T1598.002 | Spearphishing Attachment |
Comments
Local escalation of privilege attack. Attacker would most likely gain access through an executable or script on the local computer sent to the user via an email attachment.
References
|
| CVE-2021-33739 | Microsoft Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
Local escalation of privilege attack. Attacker would most likely gain access through an executable or script on the local computer sent to the user via an email attachment.
References
|
| CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | primary_impact | T1498 | Network Denial of Service |
Comments
CVE-2021-22205 is a Remote Code Execution Vulnerability on GitLab Community and Enterprise Editions where threat actors have been reported to actively exploit the security flaw to co-opt unpatched GitLab servers into a botnet and launch distributed denial of service (DDoS) attacks
References
|
| CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability was reported to be actively exploited for o assemble botnets and launch gigantic distributed denial of service (DDoS) attacks.
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1046 | Network Service Discovery |
Comments
CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows
References
|
| CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1003 | OS Credential Dumping |
Comments
CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping |
Comments
CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1078 | Valid Accounts |
Comments
CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows
References
|
| CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1078 | Valid Accounts |
Comments
CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
Vulnerability in Citrix Receiver for Windows may allows attacker to gain read/write access to the client's local drives, potentially enabling code execution on the client device, such as deploying ransomware
References
|
| CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1046 | Network Service Discovery |
Comments
CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
References
|
| CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
References
|
| CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
References
|
| CVE-2018-0296 | Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability | exploitation_technique | T1202 | Indirect Command Execution |
Comments
CVE-2018-0296 is a critical vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and access sensitive system information.
References
|
| CVE-2018-0296 | Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2018-0296 is a critical vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and access sensitive system information.
References
|
| CVE-2021-1498 | Cisco HyperFlex HX Data Platform Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
References
|
| CVE-2021-1498 | Cisco HyperFlex HX Data Platform Command Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
References
|
| CVE-2021-1497 | Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
References
|
| CVE-2021-1497 | Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
References
|
| CVE-2016-4117 | Adobe Flash Player Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
The vulnerability is exploited by a user opening a maliciously-crafted file. Reporting on in-the-wild exploitation indicates threat actor utilize this vulnerability to install command and control software on the target system. Adversaries seen exploiting this vulnerability were also observed to do a version check on the target software before attempting the exploitation.
References
|
| CVE-2016-4117 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
The vulnerability is exploited by a user opening a maliciously-crafted file. Reporting on in-the-wild exploitation indicates threat actor utilize this vulnerability to install command and control software on the target system. Adversaries seen exploiting this vulnerability were also observed to do a version check on the target software before attempting the exploitation.
References
|
| CVE-2016-0984 | Adobe Flash Player and AIR Use-After-Free Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This use-after-free vulnerability is exploited by having the user open a maliciously-crafted file.
This CVE was observed to be exploited by the threat actor known as BlackOasis. The threat actor then installs command and control tools.
References
|
| CVE-2016-0984 | Adobe Flash Player and AIR Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This use-after-free vulnerability is exploited by having the user open a maliciously-crafted file.
This CVE was observed to be exploited by the threat actor known as BlackOasis.
References
|
| CVE-2016-1010 | Adobe Flash Player and AIR Integer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This vulnerability is exploited via an integer overflow.
References
|
| CVE-2024-34102 | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.
References
|
| CVE-2024-34102 | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.
References
|
| CVE-2024-34102 | Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.
References
|
| CVE-2022-24086 | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability can be exploited via a public-facing e-commerce application in order to achieve remote code execution. To evade detection, the exploit segment responsible for downloading and executing the remote malicious PHP code is obfuscated.
References
|
| CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited via a public-facing application. The adversary can use this vulnerability to gain access to victim host information.
References
|
| CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | primary_impact | T1592 | Gather Victim Host Information |
Comments
This vulnerability is exploited via a public-facing application. The adversary can use this vulnerability to gain access to victim host information.
References
|
| CVE-2023-38205 | Adobe ColdFusion Improper Access Control Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2023-38205 is a vulnerability that is the result of an incomplete patch of CVE-2023-29298. An adversary remains able to exploit the public-facing application as a result of this vulnerability.
References
|
| CVE-2023-29298 | Adobe ColdFusion Improper Access Control Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is used by exploited a public-facing application by exploiting a flaw in URL path validation.
References
|
| CVE-2020-3580 | Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability | secondary_impact | T1217 | Browser Information Discovery |
Comments
CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to to execute arbitrary script code within the interface
or access sensitive browser-based information.
References
|
| CVE-2020-3580 | Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to to execute arbitrary script code within the interface
or access sensitive browser-based information.
References
|
| CVE-2020-3580 | Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to to execute arbitrary script code within the interface
or access sensitive browser-based information.
References
|
| CVE-2020-3452 | Cisco ASA and FTD Read-Only Path Traversal Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2020-3452 is a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.
References
|
| CVE-2020-3452 | Cisco ASA and FTD Read-Only Path Traversal Vulnerability | exploitation_technique | T1202 | Indirect Command Execution |
Comments
CVE-2020-3452 is a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system.
References
|
| CVE-2021-42258 | BQE BillQuick Web Suite SQL Injection Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite that allows attackers to execute arbitrary SQL commands on the database server
References
|
| CVE-2021-42258 | BQE BillQuick Web Suite SQL Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite that allows attackers to execute arbitrary SQL commands on the database server
References
|
| CVE-2019-3396 | Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability | secondary_impact | T1202 | Indirect Command Execution |
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
References
|
| CVE-2019-3396 | Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability | primary_impact | T1090 | Proxy |
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
References
|
| CVE-2019-3396 | Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
References
|
| CVE-2019-11580 | Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2019-11580 is a critical vulnerability affecting Atlassian Crowd and Crowd Data Center that allows attackers remote code execution to send specially crafted requests to install malicious plugins on vulnerable Crowd instances.
References
|
| CVE-2021-26084 | Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. This Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers to execute arbitrary code on vulnerable Confluence instances
References
|
| CVE-2021-26084 | Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. This Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers to execute arbitrary code on vulnerable Confluence instances
References
|
| CVE-2019-3398 | Atlassian Confluence Server and Data Center Path Traversal Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2019-3398 is a path traversal vulnerability in Atlassian Confluence Server and Data Center that allows an authenticated attacker to write files to arbitrary locations, potentially leading to remote code execution
References
|
| CVE-2019-3398 | Atlassian Confluence Server and Data Center Path Traversal Vulnerability | exploitation_technique | T1202 | Indirect Command Execution |
Comments
CVE-2019-3398 is a path traversal vulnerability in Atlassian Confluence Server and Data Center that allows an authenticated attacker to write files to arbitrary locations, potentially leading to remote code execution
References
|
| CVE-2010-2861 | Adobe ColdFusion Directory Traversal Vulnerability | secondary_impact | T1119 | Automated Collection |
Comments
This is the exploitation of a public facing server. In-the-wild reporting documents that exploitation of this vulnerability was used to install a webshell on the victim machine, and then captured and exfiltrated client credit card information.
References
|
| CVE-2010-2861 | Adobe ColdFusion Directory Traversal Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This is the exploitation of a public facing server. In-the-wild reporting documents that exploitation of this vulnerability was used to install a webshell on the victim machine, and then captured and exfiltrated client credit card information.
References
|
| CVE-2010-2861 | Adobe ColdFusion Directory Traversal Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This is the exploitation of a public facing server. In-the-wild reporting documents that exploitation of this vulnerability was used to install a webshell on the victim machine, and then captured and exfiltrated client credit card information.
References
|
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This is an exploitation of a public-facing server due to password misconfiguration. Exploitation allows attackers to access restricted directories.
References
|
| CVE-2023-38203 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.
References
|
| CVE-2023-38203 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.
References
|
| CVE-2023-29300 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.
References
|
| CVE-2023-29300 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.
References
|
| CVE-2023-26359 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is utilized by exploiting a public-facing server.
References
|
| CVE-2009-1862 | Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited through a user opening a maliciously-crafted pdf file or swf file.
References
|
| CVE-2023-21608 | Adobe Acrobat and Reader Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by having a user open a maliciously-crafted pdf file, which can result in arbitrary code execution.
References
|
| CVE-2009-4324 | Adobe Acrobat and Reader Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by having the user open a maliciously-crafted pdf file. In the wild, this has been observed to result in a malicious actor installing a custom executable on the victim's machine, and establishing communications.
References
|
| CVE-2009-4324 | Adobe Acrobat and Reader Use-After-Free Vulnerability | primary_impact | T1071.001 | Web Protocols |
Comments
This vulnerability is exploited by having the user open a maliciously-crafted pdf file. In the wild, this has been observed to result in a malicious actor installing a custom executable on the victim's machine, and establishing communications.
References
|
| CVE-2008-0655 | Adobe Acrobat and Reader Unspecified Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by having a user open a maliciously-crafted pdf file.
References
|
| CVE-2009-3953 | Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by having a user open a maliciously-crafted pdf file.
References
|
| CVE-2011-2462 | Adobe Acrobat and Reader Universal 3D Memory Corruption Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by having the user open a malicious pdf file to achieve arbitrary code execution.
References
|
| CVE-2010-2883 | Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by the user opening a malicious pdf file to achieve arbitrary code execution.
References
|
| CVE-2014-0546 | Adobe Acrobat and Reader Sandbox Bypass Vulnerability | primary_impact | T1497 | Virtualization/Sandbox Evasion |
Comments
This vulnerability allows bypassing sandbox protection and run native code.
References
|
| CVE-2023-26369 | Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited through a user opening a malicious PDF file.
References
|
| CVE-2022-26134 | Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by placing a payload in the URI of an HTTP request to a public-facing server.
References
|
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploit through a maliciously crafted Word document, which downloads html that then runs commands on the target machine and has been seen to download additional payloads on target machines.
References
|
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploit through a maliciously crafted Word document, which downloads html that then runs commands on the target machine and has been seen to download additional payloads on target machines.
References
|
| CVE-2008-2992 | Adobe Reader and Acrobat Input Validation Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited via a maliciously-crafted pdf file.
References
|
| CVE-2010-0188 | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited via drive-by download. Malicious software is this downloaded on the target machine.
References
|
| CVE-2010-0188 | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited via drive-by download. Malicious software is this downloaded on the target machine.
References
|
| CVE-2013-0640 | Adobe Reader and Acrobat Memory Corruption Vulnerability | exploitation_technique | T1566.001 | Spearphishing Attachment |
Comments
This vulnerability is exploited via a maliciously-crafted pdf delivered as an email attachment.
References
|
| CVE-2013-0641 | Adobe Reader Buffer Overflow Vulnerability | secondary_impact | T1048 | Exfiltration Over Alternative Protocol |
Comments
This buffer overflow vulnerability is exploited via malicious-crafted pdf files delivered via targeted emails. Adversaries use this exploit to deliver a remote administration tool with the goal of data exfiltration.
References
|
| CVE-2013-0641 | Adobe Reader Buffer Overflow Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This buffer overflow vulnerability is exploited via malicious-crafted pdf files delivered via targeted emails. Adversaries use this exploit to deliver a remote administration tool with the goal of data exfiltration.
References
|
| CVE-2013-0641 | Adobe Reader Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This buffer overflow vulnerability is exploited via malicious-crafted pdf files delivered via targeted emails. Adversaries use this exploit to deliver a remote administration tool with the goal of data exfiltration.
References
|
| CVE-2013-3346 | Adobe Reader and Acrobat Memory Corruption Vulnerability | exploitation_technique | T1059.007 | JavaScript |
Comments
This vulnerability is exploited via maliciously-crafted javascript.
References
|
| CVE-2014-0496 | Adobe Reader and Acrobat Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited via a maliciously-crafted file.
References
|
| CVE-2016-7855 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited by having users visit a maliciously website.
References
|
| CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.
References
|
| CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.
References
|
| CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | exploitation_technique | T1566.001 | Spearphishing Attachment |
Comments
This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.
References
|
| CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.
References
|
| CVE-2018-15982 | Adobe Flash Player Use-After-Free Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited via a maliciously-crafted Word document, which then extracts the adversary's RAT tool.
References
|
| CVE-2018-15982 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited via a maliciously-crafted Word document, which then extracts the adversary's RAT tool.
References
|
| CVE-2010-1297 | Adobe Flash Player Memory Corruption Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by crafted swf content via drive-by compromise when a user visits a malicious website.
This vulnerability is also exploited via user execution of a maliciously crafted pdf file.
In the wild, threat actors have used this to download malicious software onto the target system.
References
|
| CVE-2010-1297 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by crafted swf content via drive-by compromise when a user visits a malicious website.
This vulnerability is also exploited via user execution of a maliciously crafted pdf file.
In the wild, threat actors have used this to download malicious software onto the target system.
References
|
| CVE-2010-1297 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited by crafted swf content via drive-by compromise when a user visits a malicious website.
This vulnerability is also exploited via user execution of a maliciously crafted pdf file.
In the wild, threat actors have used this to download malicious software onto the target system.
References
|
| CVE-2012-5054 | Adobe Flash Player Integer Overflow Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability can be exploited by a malicioiusly-crafted webpage via drive-by compromise.
References
|
| CVE-2014-8439 | Adobe Flash Player Dereferenced Pointer Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited with maliciously-crafted code hosted on a webpage via drive-by compromise.
References
|
| CVE-2015-8651 | Adobe Flash Player Integer Overflow Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.
References
|
| CVE-2015-8651 | Adobe Flash Player Integer Overflow Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.
References
|
| CVE-2015-8651 | Adobe Flash Player Integer Overflow Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.
References
|
| CVE-2015-0310 | Adobe Flash Player ASLR Bypass Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits.
References
|
| CVE-2015-3113 | Adobe Flash Player Heap-Based Buffer Overflow Vulnerability | secondary_impact | T1622 | Debugger Evasion |
Comments
This heap-based buffer overflow vulnerability is exploited by having a user open a maliciously-crafted file.
In the wild, this exploitation has been used in order to establish command and control (over HTTP) with a target system. The command and control functionality has also been seen to employ debugging/sandboxing evasion.
References
|
| CVE-2015-3113 | Adobe Flash Player Heap-Based Buffer Overflow Vulnerability | secondary_impact | T1497 | Virtualization/Sandbox Evasion |
Comments
This heap-based buffer overflow vulnerability is exploited by having a user open a maliciously-crafted file.
In the wild, this exploitation has been used in order to establish command and control (over HTTP) with a target system. The command and control functionality has also been seen to employ debugging/sandboxing evasion.
References
|
| CVE-2015-3113 | Adobe Flash Player Heap-Based Buffer Overflow Vulnerability | primary_impact | T1071.001 | Web Protocols |
Comments
This heap-based buffer overflow vulnerability is exploited by having a user open a maliciously-crafted file.
In the wild, this exploitation has been used in order to establish command and control (over HTTP) with a target system. The command and control functionality has also been seen to employ debugging/sandboxing evasion.
References
|
| CVE-2015-3113 | Adobe Flash Player Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This heap-based buffer overflow vulnerability is exploited by having a user open a maliciously-crafted file.
In the wild, this exploitation has been used in order to establish command and control (over HTTP) with a target system. The command and control functionality has also been seen to employ debugging/sandboxing evasion.
References
|
| CVE-2012-2034 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited by a maliciously-crafted .swf via drive-by compromise.
References
|
| CVE-2011-0611 | Adobe Flash Player Remote Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by having a user execute a maliciously-crafted word document or pdf file that has embedded swf. The malicious code then downloads another payload to the target machine.
References
|
| CVE-2011-0611 | Adobe Flash Player Remote Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by having a user execute a maliciously-crafted word document or pdf file that has embedded swf. The malicious code then downloads another payload to the target machine.
References
|
| CVE-2012-1535 | Adobe Flash Player Arbitrary Code Execution Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability is exploited by having a user execute a maliciously-crafted word document that has embedded swf. The embedded swf can download additional malicious software from the web.
References
|
| CVE-2012-1535 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by having a user execute a maliciously-crafted word document that has embedded swf. The embedded swf can download additional malicious software from the web.
References
|
| CVE-2015-3043 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited by a maliciously-crafted .swf file which can be run on a user system via drive-by compromise.
References
|
| CVE-2015-7645 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
This vulnerability is exploited by the user opening a maliciously-crafted .swf file.
References
|
| CVE-2020-12812 | Fortinet FortiOS SSL VPN Improper Authentication Vulnerability | primary_impact | T1556 | Modify Authentication Process |
Comments
CVE-2020-12812 is an improper authentication vulnerability in Fortinet's FortiOS, specifically affecting the SSL VPN feature. This vulnerability allows attackers to bypass two-factor authentication under certain conditions, potentially leading to unauthorized access to sensitive systems.
References
|
| CVE-2020-12812 | Fortinet FortiOS SSL VPN Improper Authentication Vulnerability | exploitation_technique | T1556 | Modify Authentication Process |
Comments
CVE-2020-12812 is an improper authentication vulnerability in Fortinet's FortiOS, specifically affecting the SSL VPN feature. This vulnerability allows attackers to bypass two-factor authentication under certain conditions, potentially leading to unauthorized access to sensitive systems.
References
|
| CVE-2019-5591 | Fortinet FortiOS Default Configuration Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.
References
|
| CVE-2019-5591 | Fortinet FortiOS Default Configuration Vulnerability | primary_impact | T1557 | Adversary-in-the-Middle |
Comments
CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.
References
|
| CVE-2019-5591 | Fortinet FortiOS Default Configuration Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.
References
|
| CVE-2021-35464 | ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-35464, a pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises.
References
|
| CVE-2021-35464 | ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-35464, a pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises.
References
|
| CVE-2021-22986 | F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability | secondary_impact | T1485 | Data Destruction |
Comments
CVE-2021-22986 is a remote command execution vulnerability occurring on the iControl REST interface. Impact reported by the F5 security advisory "This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. "
References
|
| CVE-2021-22986 | F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-22986 is a remote command execution vulnerability occurring on the iControl REST interface. Impact reported by the F5 security advisory "This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. "
References
|
| CVE-2021-22986 | F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-22986 is a remote command execution vulnerability occurring on the iControl REST interface. Impact reported by the F5 security advisory "This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. "
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1552 | Unsecured Credentials |
Comments
CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” - CISA Advisory
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” - CISA Advisory
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” - CISA Advisory
References
|
| CVE-2020-8657 | EyesOfNetwork Use of Hard-Coded Credentials Vulnerability | exploitation_technique | T1106 | Native API |
Comments
CVE-2020-8657 identifies a security issue in EyesOfNetwork 5.3 that exposes a vulnerability in the API key implementation.
References
|
| CVE-2018-6789 | Exim Buffer Overflow Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2018-6789 is a vulnerability in Exim, an open-source mail transfer agent. This vulnerability, identified as an off-by-one buffer overflow, allows attackers to execute arbitrary code remotely by sending specially crafted messages to the SMTP listener.
References
|
| CVE-2018-6789 | Exim Buffer Overflow Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2018-6789 is a vulnerability in Exim, an open-source mail transfer agent. This vulnerability, identified as an off-by-one buffer overflow, allows attackers to execute arbitrary code remotely by sending specially crafted messages to the SMTP listener.
References
|
| CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | secondary_impact | T1498 | Network Denial of Service |
Comments
CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability was reported to be actively exploited for o assemble botnets and launch gigantic distributed denial of service (DDoS) attacks.
References
|
| CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability was reported to be actively exploited for o assemble botnets and launch gigantic distributed denial of service (DDoS) attacks.
References
|
| CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability was reported to be actively exploited for o assemble botnets and launch gigantic distributed denial of service (DDoS) attacks.
References
|
| CVE-2018-7600 | Drupal Core Remote Code Execution Vulnerability | secondary_impact | T1485 | Data Destruction |
Comments
CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal’s versions 7 and 8. According to reports, successfully exploiting the vulnerability entails elevating the permission to modify or delete the content of a Drupal-run site and crypto-jacking campaigns.
References
|
| CVE-2018-7600 | Drupal Core Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal’s versions 7 and 8. According to reports, successfully exploiting the vulnerability entails elevating the permission to modify or delete the content of a Drupal-run site and crypto-jacking campaigns.
References
|
| CVE-2018-7600 | Drupal Core Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal’s versions 7 and 8. According to reports, successfully exploiting the vulnerability entails elevating the permission to modify or delete the content of a Drupal-run site and crypto-jacking campaigns.
References
|
| CVE-2018-7600 | Drupal Core Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal’s versions 7 and 8. According to reports, successfully exploiting the vulnerability entails elevating the permission to modify or delete the content of a Drupal-run site and crypto-jacking campaigns.
References
|
| CVE-2020-8515 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.
References
|
| CVE-2020-8515 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.
References
|
| CVE-2020-8515 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.
References
|
| CVE-2017-9822 | DotNetNuke (DNN) Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking |
Comments
CVE-2017-9822 is a vulnerability allows an attacker to exploit cookie deserialization, leading to remote code execution (RCE). It has been noted for its potential impact on various web applications
References
|
| CVE-2017-9822 | DotNetNuke (DNN) Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2017-9822 is a vulnerability allows an attacker to exploit cookie deserialization, leading to remote code execution (RCE). It has been noted for its potential impact on various web applications
References
|
| CVE-2017-9822 | DotNetNuke (DNN) Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2017-9822 is a vulnerability allows an attacker to exploit cookie deserialization, leading to remote code execution (RCE). It has been noted for its potential impact on various web applications
References
|
| CVE-2020-25506 | D-Link DNS-320 Device Command Injection Vulnerability | secondary_impact | T1584.005 | Botnet |
Comments
CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.
References
|
| CVE-2020-25506 | D-Link DNS-320 Device Command Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.
References
|
| CVE-2020-25506 | D-Link DNS-320 Device Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.
References
|
| CVE-2020-29557 | D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability | secondary_impact | T1584.005 | Botnet |
Comments
CVE-2020-29557 is a buffer overflow vulnerability in the web interface allows attackers to achieve pre-authentication remote code execution. Unidentified threat actors are reported to have been actively exploiting it to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.
References
|
| CVE-2020-29557 | D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2020-29557 is a buffer overflow vulnerability in the web interface allows attackers to achieve pre-authentication remote code execution. Unidentified threat actors are reported to have been actively exploiting it to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.
References
|
| CVE-2020-29557 | D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2020-29557 is a buffer overflow vulnerability in the web interface allows attackers to achieve pre-authentication remote code execution. Unidentified threat actors are reported to have been actively exploiting it to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
Vulnerability in Citrix Receiver for Windows may allows attacker to gain read/write access to the client's local drives, potentially enabling code execution on the client device, such as deploying ransomware
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
Vulnerability in Citrix Receiver for Windows may allows attacker to gain read/write access to the client's local drives, potentially enabling code execution on the client device, such as deploying ransomware
References
|
| CVE-2020-8193 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability | exploitation_technique | T1556 | Modify Authentication Process |
Comments
CVE-2020-8193 is an Authorization Bypass vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance in various versions allows attacker to bypass authentication mechanisms via crafted requests.
References
|
| CVE-2020-8193 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2020-8193 is an Authorization Bypass vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance in various versions allows attacker to bypass authentication mechanisms via crafted requests.
References
|
| CVE-2020-8195 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | exploitation_technique | T1056 | Input Capture |
Comments
CVE-2020-8195 is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2020-8195 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | primary_impact | T1082 | System Information Discovery |
Comments
CVE-2020-8195 is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2020-8195 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
CVE-2020-8195 is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2020-8196 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | exploitation_technique | T1056 | Input Capture |
Comments
CVE-2020-8196
is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2020-8196 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | primary_impact | T1082 | System Information Discovery |
Comments
CVE-2020-8196
is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2020-8196 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2020-8196
is an information disclosure in Citrix ADC, Gateway, and SD-WAN WANOP Appliance which allows attacker to access sensitive information via crafted requests.
References
|
| CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.
References
|
| CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | exploitation_technique | T1112 | Modify Registry |
Comments
This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.
References
|
| CVE-2024-38112 | Microsoft Windows MSHTML Platform Spoofing Vulnerability | exploitation_technique | T1189 | Drive-by Compromise |
Comments
This vulnerability is exploited through a victim visiting a malicious Web page or to clicking on an unsafe link. After visiting the website or clicking on the link, an adversary would gain the ability to execute arbitrary code on the victim system.
References
|
| CVE-2024-38112 | Microsoft Windows MSHTML Platform Spoofing Vulnerability | exploitation_technique | T1204.001 | Malicious Link |
Comments
This vulnerability is exploited through a victim visiting a malicious Web page or to clicking on an unsafe link. After visiting the website or clicking on the link, an adversary would gain the ability to execute arbitrary code on the victim system.
References
|
| CVE-2021-3129 | Laravel Ignition File Upload Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.
References
|
| CVE-2021-3129 | Laravel Ignition File Upload Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.
References
|
| CVE-2021-44529 | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability | primary_impact | T1195.002 | Compromise Software Supply Chain |
Comments
This vulnerability is exploited after an adversary sends a maliciously crafted cookie to the client endpoint (/client/index.php) to exploit Ivanti systems that utilized a malicious version of the "csrf-magic", which creates a backdoor into an Ivanti system. An unauthorized user can then execute malicious code stored in the cookie via Ivanti's "nobody" user account.
References
|
| CVE-2021-44529 | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited after an adversary sends a maliciously crafted cookie to the client endpoint (/client/index.php) to exploit Ivanti systems that utilized a malicious version of the "csrf-magic", which creates a backdoor into an Ivanti system. An unauthorized user can then execute malicious code stored in the cookie via Ivanti's "nobody" user account.
References
|
| CVE-2021-40655 | D-Link DIR-605 Router Information Disclosure Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited when an adversary forges a post request to the / get cfg.php page. The POST request could enable the adversary to obtain username and password information on the router.
References
|
| CVE-2021-36380 | Sunhillo SureLine OS Command Injection Vulnerablity | primary_impact | T1059.004 | Unix Shell |
Comments
To trigger this vulnerability, an attacker sends a specially crafted POST request to the webserver at the URL /cgi/networkDiag.cgi . Within this request, the attacker inserts a Linux command as part of the ipAddr or dnsAddr POST parameters. When the webserver processes the POST request, the command the attacker has inserted into the parameter will be executed.
References
|
| CVE-2021-36380 | Sunhillo SureLine OS Command Injection Vulnerablity | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
To trigger this vulnerability, an attacker sends a specially crafted POST request to the webserver at the URL /cgi/networkDiag.cgi . Within this request, the attacker inserts a Linux command as part of the ipAddr or dnsAddr POST parameters. When the webserver processes the POST request, the command the attacker has inserted into the parameter will be executed.
References
|
| CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.
References
|
| CVE-2024-30051 | Microsoft DWM Core Library Privilege Escalation Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This vulnerability is a zero-day exploit that is believed to still be utilized by various adversarial groups leading to limited publicly available exploitation information. The vulnerability is a "heap-based protector flood susceptibility impacting the Windows DWM Core Library" enabling an adversary to gain SYSTEM privileges.
References
|
| CVE-2023-29492 | Novi Survey Insecure Deserialization Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2023-29492 is an insecure deserialization vulnerability. Exploitation of this vulnerability gives remote attackers arbitrary code execution in the context of the service account.
References
|
| CVE-2021-26085 | Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability allows viewing of restricted resources via a pre-authorization arbitrary file read vulnerability.
References
|
| CVE-2022-26138 | Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability | exploitation_technique | T1552.001 | Credentials In Files |
Comments
CVE-2022-26138 is a hard-coded credentials vulnerability in the "Questions for Confluence" app.
References
|
| CVE-2022-36804 | Atlassian Bitbucket Server and Data Center Command Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability allows remote attackers with read permissions to a public or private Bitbucket repositories to execute arbitrary code by sending a malicious HTTP request.
References
|
| CVE-2023-22527 | Atlassian Confluence Data Center and Server Template Injection Vulnerability | primary_impact | T1496 | Resource Hijacking |
Comments
CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated adversary to achieve remote code execution. Adversaries have been observed exploiting this vulnerability for cryptomining purposes.
References
|
| CVE-2023-22527 | Atlassian Confluence Data Center and Server Template Injection Vulnerability | exploitation_technique | T1221 | Template Injection |
Comments
CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated adversary to achieve remote code execution. Adversaries have been observed exploiting this vulnerability for cryptomining purposes.
References
|
| CVE-2023-22518 | Atlassian Confluence Data Center and Server Improper Authorization Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-22518 is an improper authorization vulnerability. Adversaries have been seen using HTTP POST requests to upload maliciously-crafted zip files to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries were observed doing local system information discovery, downloading malicious payloads,
References
|
| CVE-2023-22518 | Atlassian Confluence Data Center and Server Improper Authorization Vulnerability | primary_impact | T1033 | System Owner/User Discovery |
Comments
CVE-2023-22518 is an improper authorization vulnerability. Adversaries have been seen using HTTP POST requests to upload maliciously-crafted zip files to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries were observed doing local system information discovery, downloading malicious payloads,
References
|
| CVE-2023-22518 | Atlassian Confluence Data Center and Server Improper Authorization Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2023-22518 is an improper authorization vulnerability. Adversaries have been seen using HTTP POST requests to upload maliciously-crafted zip files to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries were observed doing local system information discovery and downloading malicious payloads.
References
|
| CVE-2021-27059 | Microsoft Office Remote Code Execution Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
The vulnerability allows a remote user to execute arbitrary code on the target system due to improper input validation in Microsoft Office.
References
|
| CVE-2023-21715 | Microsoft Office Publisher Security Feature Bypass Vulnerability | exploitation_technique | T1204.002 | Malicious File |
Comments
CVE-2023-21715 is a security feature bypass vulnerability exploitable when a user opens a specially-crafted file bypassing macro policies.
References
|
| CVE-2023-23397 | Microsoft Office Outlook Privilege Escalation Vulnerability | secondary_impact | T1078 | Valid Accounts |
Comments
This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.
References
|
| CVE-2023-23397 | Microsoft Office Outlook Privilege Escalation Vulnerability | primary_impact | T1550.002 | Pass the Hash |
Comments
This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.
References
|
| CVE-2023-23397 | Microsoft Office Outlook Privilege Escalation Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.
References
|
| CVE-2023-27350 | PaperCut MF/NG Improper Access Control Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-27350 allows an unauthenticated actor to execute malicious code remotely without credentials. Threat actors have been observed exploiting this software through its print scripting interface and installed command and control software on target machines.
References
|
| CVE-2023-27350 | PaperCut MF/NG Improper Access Control Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2023-27350 allows an unauthenticated actor to execute malicious code remotely without credentials. Threat actors have been observed exploiting this software through its print scripting interface and installed command and control software on target machines.
References
|
| CVE-2023-27350 | PaperCut MF/NG Improper Access Control Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2023-27350 allows an unauthenticated actor to execute malicious code remotely without credentials. Threat actors have been observed exploiting this software through its print scripting interface and installed command and control software on target machines.
References
|
| CVE-2021-37415 | Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability allows a few REST-API URLs without authentication.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1573.001 | Symmetric Cryptography |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1560.001 | Archive via Utility |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1070.004 | File Deletion |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1047 | Windows Management Instrumentation |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1003.003 | NTDS |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1136 | Create Account |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1218 | System Binary Proxy Execution |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1003 | OS Credential Dumping |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1140 | Deobfuscate/Decode Files or Information |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1027 | Obfuscated Files or Information |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | primary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2021-44515 | Zoho Desktop Central Authentication Bypass Vulnerability | secondary_impact | T1003 | OS Credential Dumping |
Comments
CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating
domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
References
|
| CVE-2021-44515 | Zoho Desktop Central Authentication Bypass Vulnerability | secondary_impact | T1069 | Permission Groups Discovery |
Comments
CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating
domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
References
|
| CVE-2021-44515 | Zoho Desktop Central Authentication Bypass Vulnerability | secondary_impact | T1087 | Account Discovery |
Comments
CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating
domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
References
|
| CVE-2021-44515 | Zoho Desktop Central Authentication Bypass Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating
domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
References
|
| CVE-2021-44515 | Zoho Desktop Central Authentication Bypass Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating
domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
References
|
| CVE-2022-28810 | Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2022-28810 is a vulnerability that exists when custom password sync scripts are enabled when an adversary passes commands in the password field that can lead to remote code execution.
References
|
| CVE-2022-35405 | Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability | exploitation_technique | T1059 | Command and Scripting Interpreter |
Comments
CVE-2022-35405 is an unauthenticated remote code execution vulnerability as a result of deserialization.
References
|
| CVE-2024-4358 | Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2024-4358 is an authentication bypass vulnerability. This has been seen to be chained with CVE-2024-1800 in order to achieve remote code execution.
References
|
| CVE-2023-40044 | Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1059 | Command and Scripting Interpreter |
Comments
Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1531 | Account Access Removal |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1136 | Create Account |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1005 | Data from Local System |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1082 | System Information Discovery |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
References
|
| CVE-2021-44168 | Fortinet FortiOS Arbitrary File Download | primary_impact | T1601 | Modify System Image |
Comments
CVE-2021-44168 is an unverified update download vulnerability that can be exploited by adversaries with local access creating specifically crafted download packages.
References
|
| CVE-2021-44168 | Fortinet FortiOS Arbitrary File Download | exploitation_technique | T1078.003 | Local Accounts |
Comments
CVE-2021-44168 is an unverified update download vulnerability that can be exploited by adversaries with local access creating specifically crafted download packages.
References
|
| CVE-2022-40684 | Fortinet Multiple Products Authentication Bypass Vulnerability | primary_impact | T1098.004 | SSH Authorized Keys |
Comments
This authentication bypass vulnerability allows an adversary to create an admin ssh key via any HTTP method.
References
|
| CVE-2022-40684 | Fortinet Multiple Products Authentication Bypass Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This authentication bypass vulnerability allows an adversary to create an admin ssh key via any HTTP method.
References
|
| CVE-2022-41328 | Fortinet FortiOS Path Traversal Vulnerability | secondary_impact | T1049 | System Network Connections Discovery |
Comments
CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacked to read and write to files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with the capabilities of: data exfiltration, download/write files, remote shell, and discovery of network connections.
References
|
| CVE-2022-41328 | Fortinet FortiOS Path Traversal Vulnerability | secondary_impact | T1565.001 | Stored Data Manipulation |
Comments
CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacked to read and write to files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with the capabilities of: data exfiltration, download/write files, remote shell, and discovery of network connections.
References
|
| CVE-2022-41328 | Fortinet FortiOS Path Traversal Vulnerability | primary_impact | T1037 | Boot or Logon Initialization Scripts |
Comments
CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacked to read and write to files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with the capabilities of: data exfiltration, download/write files, remote shell, and discovery of network connections.
References
|
| CVE-2022-41328 | Fortinet FortiOS Path Traversal Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacked to read and write to files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with the capabilities of: data exfiltration, download/write files, remote shell, and discovery of network connections.
References
|
| CVE-2022-42475 | Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | secondary_impact | T1071.001 | Web Protocols |
Comments
CVE-2022-42475 is a remotely-expoitable heap overflow vulnerability. Adversaries have been observed exploiting this vulnerability to deliver malicious software to the target device.
This malicious software has observed anti-debugging and command and control capabilities (over HTTP).
References
|
| CVE-2022-42475 | Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | secondary_impact | T1622 | Debugger Evasion |
Comments
CVE-2022-42475 is a remotely-expoitable heap overflow vulnerability. Adversaries have been observed exploiting this vulnerability to deliver malicious software to the target device.
This malicious software has observed anti-debugging and command and control capabilities (over HTTP).
References
|
| CVE-2022-42475 | Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | primary_impact | T1574 | Hijack Execution Flow |
Comments
CVE-2022-42475 is a remotely-expoitable heap overflow vulnerability. Adversaries have been observed exploiting this vulnerability to deliver malicious software to the target device.
This malicious software has observed anti-debugging and command and control capabilities (over HTTP).
References
|
| CVE-2022-42475 | Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2022-42475 is a remotely-expoitable heap overflow vulnerability. Adversaries have been observed exploiting this vulnerability to deliver malicious software to the target device.
This malicious software has observed anti-debugging and command and control capabilities (over HTTP).
References
|
| CVE-2023-48788 | Fortinet FortiClient EMS SQL Injection Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.
References
|
| CVE-2023-48788 | Fortinet FortiClient EMS SQL Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.
References
|
| CVE-2023-48788 | Fortinet FortiClient EMS SQL Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.
References
|
| CVE-2024-21762 | Fortinet FortiOS Out-of-Bound Write Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This vulnerability allows adversaries to execute arbitrary code via specially crafted http requests that trigger an out of bounds write.
References
|
| CVE-2024-21762 | Fortinet FortiOS Out-of-Bound Write Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability allows adversaries to execute arbitrary code via specially crafted http requests that trigger an out of bounds write.
References
|
| CVE-2023-27997 | Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability | primary_impact | T1136 | Create Account |
Comments
This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests.
Adversaries have been observed adding accounts to config files
References
|
| CVE-2023-27997 | Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests.
Adversaries have been observed adding accounts to config files
References
|
| CVE-2023-27997 | Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests.
Adversaries have been observed adding accounts to config files
References
|
| CVE-2023-6548 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1055 | Process Injection |
Comments
This vulnerability allows for authenticated (low-privilege) remote code execution via code injection.
References
|
| CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.
References
|
| CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | primary_impact | T1105 | Ingress Tool Transfer |
Comments
This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.
References
|
| CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.
References
|
| CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.
References
|
| CVE-2023-6549 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | primary_impact | T1499 | Endpoint Denial of Service |
Comments
This buffer overflow vulnerability can be exploited to cause a denial of service.
References
|
| CVE-2023-6549 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This buffer overflow vulnerability can be exploited to cause a denial of service.
References
|
| CVE-2023-4966 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | secondary_impact | T1134.001 | Token Impersonation/Theft |
Comments
This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.
References
|
| CVE-2023-4966 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | primary_impact | T1005 | Data from Local System |
Comments
This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.
References
|
| CVE-2023-4966 | Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.
References
|
| CVE-2017-6742 | Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability | secondary_impact | T1542.005 | TFTP Boot |
Comments
CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem.
Reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information which is then exfiltrated over trivial file transfer protocol (TFTP) and enables unauthenticated access via a backdoor.
References
|
| CVE-2017-6742 | Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem.
Reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information which is then exfiltrated over trivial file transfer protocol (TFTP) and enables unauthenticated access via a backdoor.
References
|
| CVE-2017-6742 | Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow |
Comments
CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem.
Reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information which is then exfiltrated over trivial file transfer protocol (TFTP) and enables unauthenticated access via a backdoor.
References
|
| CVE-2021-4034 | Red Hat Polkit Out-of-Bounds Read and Write Vulnerability | exploitation_technique | T1068 | Exploitation for Privilege Escalation |
Comments
The Polkit/Pwnkit vulnerability (CVE-2021-4034) is a critical vulnerability impacting every major Linux distribution. Its attack vector allows privilege escalation and can even give the attacker root access.
References
|
| CVE-2021-22986 | F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability | primary_impact | T1090 | Proxy |
Comments
The iControl REST interface has an unauthenticated remote command execution vulnerability. This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.
References
|
| CVE-2021-27860 | FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit | primary_impact | T1505.003 | Web Shell |
Comments
CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.
References
|
| CVE-2023-2868 | Barracuda Networks ESG Appliance Improper Input Validation Vulnerability | secondary_impact | T1041 | Exfiltration Over C2 Channel |
Comments
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
References
|
| CVE-2023-2868 | Barracuda Networks ESG Appliance Improper Input Validation Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer |
Comments
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
References
|
| CVE-2023-2868 | Barracuda Networks ESG Appliance Improper Input Validation Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
References
|
| CVE-2017-6742 | Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability | secondary_impact | T1048 | Exfiltration Over Alternative Protocol |
Comments
CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem.
Reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information which is then exfiltrated over trivial file transfer protocol (TFTP) and enables unauthenticated access via a backdoor.
References
|
| CVE-2021-22986 | F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
The iControl REST interface has an unauthenticated remote command execution vulnerability. This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.
References
|
| CVE-2021-27860 | FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.
References
|
| CVE-2023-2868 | Barracuda Networks ESG Appliance Improper Input Validation Vulnerability | exploitation_technique | T1566.001 | Spearphishing Attachment |
Comments
CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.
References
|
| CVE-2021-45046 | Apache Log4j2 Deserialization of Untrusted Data Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
CVE 2021-45046 is a Log4J-related vulnerability that has been seen to be used in cryptomining and ransomware operations.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | primary_impact | T1087.002 | Domain Account |
Comments
CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact |
Comments
CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. CVE-2020-1472 has been reported to be exploited by Ransomware groups for initial access.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.
References
|
| CVE-2019-0708 | Microsoft Remote Desktop Services Remote Code Execution Vulnerability | secondary_impact | T1498 | Network Denial of Service |
Comments
CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability present in the Windows Remote Desktop Services. Blue Keep can enable remote unauthenticated attackers to run arbitrary code, or conduct denial of service attacks, as well as potentially take control of vulnerable systems.
References
|
| CVE-2019-0708 | Microsoft Remote Desktop Services Remote Code Execution Vulnerability | primary_impact | T1059.004 | Unix Shell |
Comments
CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability present in the Windows Remote Desktop Services. Blue Keep can enable remote unauthenticated attackers to run arbitrary code, or conduct denial of service attacks, as well as potentially take control of vulnerable systems.
References
|
| CVE-2021-42237 | Sitecore XP Remote Command Execution Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE 2021-42237related to a remote code execution vulnerability through insecure deserialization.
References
|
| CVE-2021-45046 | Apache Log4j2 Deserialization of Untrusted Data Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE 2021-45046 is a Log4J-related vulnerability that could enable enables an attacker to cause Remote Code Execution or other effects in certain non-default configurations. This specific vulnerability has been reported to have been leveraged in cryptomining and ransomware operations.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.
References
|
| CVE-2019-0708 | Microsoft Remote Desktop Services Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability present in the Windows Remote Desktop Services. Blue Keep can enable remote unauthenticated attackers to run arbitrary code, or conduct denial of service attacks, as well as potentially take control of vulnerable systems.
References
|
| CVE-2024-20399 | Cisco NX-OS Command Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited by an attacker who has access to administrator credentials. The adversary leverages these credentials to execute arbitrary commands using root privileges.
References
|
| CVE-2024-20399 | Cisco NX-OS Command Injection Vulnerability | exploitation_technique | T1078 | Valid Accounts |
Comments
This vulnerability is exploited by an attacker who has access to administrator credentials. The adversary leverages these credentials to execute arbitrary commands using root privileges.
References
|
| CVE-2023-20109 | Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability | primary_impact | T1499 | Endpoint Denial of Service |
Comments
This vulnerability is exploited by an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash. This vulnerability has been identified as being exploited in the wild by Chinese adversary groups.
References
|
| CVE-2023-20109 | Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited by an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash. This vulnerability has been identified as being exploited in the wild by Chinese adversary groups.
References
|
| CVE-2023-20109 | Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability | exploitation_technique | T1078 | Valid Accounts |
Comments
This vulnerability is exploited by an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash. This vulnerability has been identified as being exploited in the wild by Chinese adversary groups.
References
|
| CVE-2023-20269 | Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability | primary_impact | T1078 | Valid Accounts |
Comments
This vulnerability is exploited by an unauthenticated, remote attacker by specifying a default connection profile/tunnel group, enabling a brute-force attack to identify valid credentials and establish a clienteles SSL VPN session using those valid credentials.
References
|
| CVE-2023-20269 | Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
This vulnerability is exploited by an unauthenticated, remote attacker by specifying a default connection profile/tunnel group, enabling a brute-force attack to identify valid credentials and establish a clienteles SSL VPN session using those valid credentials.
References
|
| CVE-2024-20359 | Cisco ASA and FTD Privilege Escalation Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
References
|
| CVE-2024-20359 | Cisco ASA and FTD Privilege Escalation Vulnerability | exploitation_technique | T1078 | Valid Accounts |
Comments
This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
References
|
| CVE-2024-20353 | Cisco ASA and FTD Denial of Service Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by sending a crafted HTTP request to a vulnerable device's web server. This exploitation is possible due to incomplete error checking when parsing HTTP headers. If successfully exploited, it can cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
References
|
| CVE-2024-20353 | Cisco ASA and FTD Denial of Service Vulnerability | primary_impact | T1653 | Power Settings |
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by sending a crafted HTTP request to a vulnerable device's web server. This exploitation is possible due to incomplete error checking when parsing HTTP headers. If successfully exploited, it can cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
References
|
| CVE-2024-20353 | Cisco ASA and FTD Denial of Service Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by sending a crafted HTTP request to a vulnerable device's web server. This exploitation is possible due to incomplete error checking when parsing HTTP headers. If successfully exploited, it can cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. In early 2024, the Cisco Product Security Incident Response Team (PSIRT) identified an attack campaign named ArcaneDoor, which targeted these vulnerabilities to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
References
|
| CVE-2022-20699 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | primary_impact | T1059.004 | Unix Shell |
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by "sending a specially crafted HTTP request to a vulnerable device that is acting as an SSL VPN Gateway.” This can be performed due to insufficient boundary checks when processing specific HTTP requests. If exploited, this could grant root privileges to the attacker.
References
|
| CVE-2022-20699 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by "sending a specially crafted HTTP request to a vulnerable device that is acting as an SSL VPN Gateway.” This can be performed due to insufficient boundary checks when processing specific HTTP requests. If exploited, this could grant root privileges to the attacker.
References
|
| CVE-2022-20700 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | primary_impact | T1059.004 | Unix Shell |
Comments
This vulnerability is exploited by a remote attacker who sends specific commands to a Cisco router that does not have sufficient authorization enforcement mechanisms in place. This could allow the remote attacker to gain root privileges and execute arbitrary commands on the system.
References
|
| CVE-2022-20700 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by a remote attacker who sends specific commands to a Cisco router that does not have sufficient authorization enforcement mechanisms in place. This could allow the remote attacker to gain root privileges and execute arbitrary commands on the system.
References
|
| CVE-2022-20701 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This insufficient authorization vulnerability is exploited by a local attacker who has access to low-privileged code where they then execute commands within confd_cli at a higher privilege levels. Performing these commands could grant the local attacker root privileges.
References
|
| CVE-2022-20701 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1078 | Valid Accounts |
Comments
This insufficient authorization vulnerability is exploited by a local attacker who has access to low-privileged code where they then execute commands within confd_cli at a higher privilege levels. Performing these commands could grant the local attacker root privileges.
References
|
| CVE-2022-20708 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This vulnerability is exploited by bypassing user authentication mechanisms via a lack of proper validation of a user-supplied string before executing a system call. This could grant adversaries root access to execute arbitrary code.
References
|
| CVE-2022-20708 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by bypassing user authentication mechanisms via a lack of proper validation of a user-supplied string before executing a system call. This could grant adversaries root access to execute arbitrary code.
References
|
| CVE-2021-22005 | VMware vCenter Server File Upload Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.
References
|
| CVE-2021-22005 | VMware vCenter Server File Upload Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.
References
|
| CVE-2021-22017 | VMware vCenter Server Improper Access Control | primary_impact | T1090.001 | Internal Proxy |
Comments
The vulnerability in Rhttproxy within VMware's vCenter Server arises from an improper implementation of URI normalization. Attackers with network access to port 443 on the vCenter Server exploit this flaw by sending specially crafted requests, allowing them to bypass the proxy mechanism. This exploitation grants unauthorized access to internal endpoints, potentially exposing sensitive information.
References
|
| CVE-2021-22017 | VMware vCenter Server Improper Access Control | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
The vulnerability in Rhttproxy within VMware's vCenter Server arises from an improper implementation of URI normalization. Attackers with network access to port 443 on the vCenter Server exploit this flaw by sending specially crafted requests, allowing them to bypass the proxy mechanism. This exploitation grants unauthorized access to internal endpoints, potentially exposing sensitive information.
References
|
| CVE-2022-20821 | Cisco IOS XR Open Port Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited by an unauthenticated, remote user who can access the Redis instance via port 6379 due to a health check RPM issue in IOS XR software. A successful exploitation of this vulnerability could allow an attacker the ability to write to the Redis in-memory database, write arbitrary files to the file system, or retrieve information about the Redis database. This vulnerability has been identified as being exploited in the wild, but specific details have not been released.
References
|
| CVE-2022-20703 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This Digital Signature Verification Bypass vulnerability is exploited by an unauthenticated, local attacker. The attacker exploits an improper verification of software images that could allow the attacker to install and boot malicious images or execute unsigned binaries.
References
|
| CVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | primary_impact | T1046 | Network Service Discovery |
Comments
This vulnerability is exploited through an SSRF (Server Side Request Forgery) flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter Server plugin. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted POST request to the vCenter Server plugin, thereby bypassing URL validation. This manipulation enables the disclosure of sensitive information. By exploiting this flaw, attackers can scan the company's internal network and retrieve specifics about open ports and services.
References
|
| CVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
This vulnerability is exploited through an SSRF (Server Side Request Forgery) flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter Server plugin. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted POST request to the vCenter Server plugin, thereby bypassing URL validation. This manipulation enables the disclosure of sensitive information. By exploiting this flaw, attackers can scan the company's internal network and retrieve specifics about open ports and services.
References
|
| CVE-2023-34048 | VMware vCenter Server Out-of-Bounds Write Vulnerability | secondary_impact | T1588.001 | Malware |
Comments
This vulnerability is exploited by an adversary who has already gained network access to the vCenter Server. The adversary sends a crafted payload to the server that has a vulnerable DCERPC protocol and causes an out-of-bounds write on the jmp rax instruction. Adversary group UNC3886 has been attributed to leveraging this vulnerability in the wild to establish a backdoor in victim vCenter servers.
References
|
| CVE-2023-34048 | VMware vCenter Server Out-of-Bounds Write Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by an adversary who has already gained network access to the vCenter Server. The adversary sends a crafted payload to the server that has a vulnerable DCERPC protocol and causes an out-of-bounds write on the jmp rax instruction. Adversary group UNC3886 has been attributed to leveraging this vulnerability in the wild to establish a backdoor in victim vCenter servers.
References
|
| CVE-2022-22948 | VMware vCenter Server Incorrect Default File Permissions Vulnerability | secondary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This vulnerability is exploited by an adversary who has gained access to a valid account on the vCenter Server. The adversary can gain access to unencrypted Postgres credentials on the server, which grants the adversary access to the vCenter's internal database where the vpxuser account passphrase is stored. Adversaries can leverage this information to decrypt the vpxuser password, which will grant them root privileges.
References
|
| CVE-2022-22948 | VMware vCenter Server Incorrect Default File Permissions Vulnerability | primary_impact | T1212 | Exploitation for Credential Access |
Comments
This vulnerability is exploited by an adversary who has gained access to a valid account on the vCenter Server. The adversary can gain access to unencrypted Postgres credentials on the server, which grants the adversary access to the vCenter's internal database where the vpxuser account passphrase is stored. Adversaries can leverage this information to decrypt the vpxuser password, which will grant them root privileges.
References
|
| CVE-2022-22948 | VMware vCenter Server Incorrect Default File Permissions Vulnerability | exploitation_technique | T1078 | Valid Accounts |
Comments
This vulnerability is exploited by an adversary who has gained access to a valid account on the vCenter Server. The adversary can gain access to unencrypted Postgres credentials on the server, which grants the adversary access to the vCenter's internal database where the vpxuser account passphrase is stored. Adversaries can leverage this information to decrypt the vpxuser password, which will grant them root privileges.
References
|
| CVE-2024-37085 | VMware ESXi Authentication Bypass Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.
References
|
| CVE-2024-37085 | VMware ESXi Authentication Bypass Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.
References
|
| CVE-2024-37085 | VMware ESXi Authentication Bypass Vulnerability | exploitation_technique | T1078 | Valid Accounts |
Comments
This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.
References
|
| CVE-2021-22900 | Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability | primary_impact | T1068 | Exploitation for Privilege Escalation |
Comments
This vulnerability is exploited through multiple unrestricted uploads. Adversaries with authenticated administrator privileges leverage this vulnerability to perform unauthorized file writes on the system via a maliciously crafted archive upload within the administrator web interface in Pulse Connect Secure.
References
|
| CVE-2021-22900 | Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability | exploitation_technique | T1059 | Command and Scripting Interpreter |
Comments
This vulnerability is exploited through multiple unrestricted uploads. Adversaries with authenticated administrator privileges leverage this vulnerability to perform unauthorized file writes on the system via a maliciously crafted archive upload within the administrator web interface in Pulse Connect Secure.
References
|
