Known Exploited Vulnerabilities Deserialization of Untrusted Data Capability Group

All Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2023-40044 | Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability | secondary_impact | T1202 | Indirect Command Execution | Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands. |
| CVE-2023-40044 | Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability | primary_impact | T1071.002 | File Transfer Protocols | Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands. |
| CVE-2023-26359 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | This vulnerability is exploited through a public-facing server. |
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1041 | Exfiltration Over C2 Channel | CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI, which does not properly sanitize serialized data supplied by the user, leaving the application vulnerable to RCE attacks that may lead to full system compromise. |
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1496 | Resource Hijacking | CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI, which does not properly sanitize serialized data supplied by the user, leaving the application vulnerable to RCE attacks that may lead to full system compromise. |
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1505.003 | Web Shell | CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI, which does not properly sanitize serialized data supplied by the user, leaving the application vulnerable to RCE attacks that may lead to full system compromise. |
| CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI, which does not properly sanitize serialized data supplied by the user, leaving the application vulnerable to RCE attacks that may lead to full system compromise. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1071.001 | Web Protocols | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1105 | Ingress Tool Transfer | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1046 | Network Service Discovery | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1003.001 | LSASS Memory | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1036.005 | Match Legitimate Name or Location | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1484.001 | Group Policy Modification | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1505.003 | Web Shell | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1059.007 | JavaScript | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability gives an adversary access through exploitation of a public-facing server. |
| CVE-2017-9805 | Apache Struts Deserialization of Untrusted Data Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application. |
| CVE-2017-9805 | Apache Struts Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application. |
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1190 | Exploit Public-Facing Application | |
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1133 | External Remote Services | |
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution | This deserialization vulnerability allows adversaries to insert their own objects into client software for potential execution. |
| CVE-2023-38203 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1105 | Ingress Tool Transfer | This vulnerability is exploited through a public-facing application. APT groups have used this exploit to deploy web shells. |
| CVE-2023-38203 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability is exploited through a public-facing application. APT groups have used this exploit to deploy web shells. |
| CVE-2023-29300 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1105 | Ingress Tool Transfer | This vulnerability is exploited through a public-facing application. APT groups have used this exploit to deploy web shells. |
| CVE-2023-29300 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability is exploited through a public-facing application. APT groups have used this exploit to deploy web shells. |
| CVE-2023-26359 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability is exploited through a public-facing server. |
| CVE-2023-29492 | Novi Survey Insecure Deserialization Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | CVE-2023-29492 is an insecure deserialization vulnerability. Exploitation of this vulnerability gives remote attackers arbitrary code execution in the context of the service account. |
| CVE-2023-40044 | Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1059 | Command and Scripting Interpreter | Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands. |
| CVE-2021-45046 | Apache Log4j2 Deserialization of Untrusted Data Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | |
| CVE-2021-45046 | Apache Log4j2 Deserialization of Untrusted Data Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | CVE-2021-45046 is a Log4j-related vulnerability that could enable an attacker to achieve remote code execution or other effects in certain non-default configurations. This specific vulnerability has been reported to have been leveraged in cryptomining and ransomware operations. |
| CVE-2023-46604 | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability | secondary_impact | T1053.005 | Scheduled Task | This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems. |
| CVE-2023-46604 | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability | primary_impact | T1059.004 | Unix Shell | This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems. |
| CVE-2023-46604 | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems. |