Known Exploited Vulnerabilities

This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.

This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.

This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.

CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.

CVE-2024-4671 is a use-after-free vulnerability where an adversary can perform a sandbox escape via a maliciously-crafted HTML page.

CVE-2024-4671 is a use-after-free vulnerability where an adversary can perform a sandbox escape via a maliciously-crafted HTML page.

This vulnerability is exploited by having a user open a maliciously-crafted pdf file, which can result in arbitrary code execution.

This vulnerability is exploited by having a user open a maliciously-crafted pdf file, which can result in arbitrary code execution.

This vulnerability has been exploited by a remote attacker to perform a sandbox escape via a crafted HTML page that allowed the attacker to exploit a heap corruption. This vulnerability was chained together with other CVEs during a spyware campaign performed by a customer or partner of a Spanish spyware company known as Variston IT.

This vulnerability has been exploited by a remote attacker to perform a sandbox escape via a crafted HTML page that allowed the attacker to exploit a heap corruption. This vulnerability was chained together with other CVEs during a spyware campaign performed by a customer or partner of a Spanish spyware company known as Variston IT.

CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.

CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.

CVE-2021-30554 allows an adversary to use JavaScript to exploit WebGL component of the Chromium browser that allows for execution of arbitrary code.

CVE-2021-30554 allows an adversary to use JavaScript to exploit WebGL component of the Chromium browser that allows for execution of arbitrary code.

This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.

This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.

This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.

This exploit requires a user to open a malicious file. It can then result in execution of arbitrary code which could have any number of impacts.

This vulnerability is exploited through an authentication bypass weakness in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure. Remote attackers leverage this vulnerability to perform remote arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication controls. The threat actor group UNC2630 has utilized this flaw to harvest login credentials, allowing them to move laterally within affected environments.

This vulnerability is exploited through an authentication bypass weakness in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure. Remote attackers leverage this vulnerability to perform remote arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication controls. The threat actor group UNC2630 has utilized this flaw to harvest login credentials, allowing them to move laterally within affected environments.

This vulnerability is exploited through an authentication bypass weakness in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure. Remote attackers leverage this vulnerability to perform remote arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication controls. The threat actor group UNC2630 has utilized this flaw to harvest login credentials, allowing them to move laterally within affected environments.

CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink rendering engine of the Chromium Browser that allows for execution of arbitrary code.

CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink rendering engine of the Chromium Browser that allows for execution of arbitrary code.

The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file. The observed goals of this exploit from Group 123 are remote access and data exfiltration.

The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file. The observed goals of this exploit from Group 123 are remote access and data exfiltration.

The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file. The observed goals of this exploit from Group 123 are remote access and data exfiltration. Installation of the remote access software could allow for a number of different secondary impacts. See the MITRE ATT&CK reference on the DOGCALL software for more information.

This vulnerability is exploited via a maliciously-crafted Word document, which then extracts the adversary's RAT tool.

This vulnerability is exploited via a maliciously-crafted Word document, which then extracts the adversary's RAT tool.

This vulnerability is exploited by having users visit a maliciously website.

This use-after-free vulnerability is exploited by having the user open a maliciously-crafted file. This CVE was observed to be exploited by the threat actor known as BlackOasis.

This use-after-free vulnerability is exploited by having the user open a maliciously-crafted file. This CVE was observed to be exploited by the threat actor known as BlackOasis. The threat actor then installs command and control tools.

This vulnerability has been exploited in the wild by multiple different threat actors. Threat groups send phishing emails with URLs where maliciously-crafted javascript is hosted. This CVE has many mappable exploitation techniques and impacts. These adversaries using this exploit to deliver malicious payloads to the target machines establish DLL backdoors.

To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.

This vulnerability has been exploited in the wild by multiple different threat actors. Threat groups send phishing emails with URLs where maliciously-crafted javascript is hosted. This CVE has many mappable exploitation techniques and impacts. These adversaries using this exploit to deliver malicious payloads to the target machines establish DLL backdoors.

To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.

To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.

To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.

To exploit this vulnerability, adversaries sent spearphishing emails with URLs to webpages with maliciously crafted javascript. The adversaries then download a payload.

This use-after-free vulnerability is exploited in-the-wild by drive-by-download.

This vulnerability is exploited via a maliciously-crafted file.

This vulnerability is exploited by having the user open a maliciously-crafted pdf file. In the wild, this has been observed to result in a malicious actor installing a custom executable on the victim's machine, and establishing communications.

This vulnerability is exploited by having the user open a maliciously-crafted pdf file. In the wild, this has been observed to result in a malicious actor installing a custom executable on the victim's machine, and establishing communications.

Exploitation of this vulnerability would allow for an attacker to use client-side software (in this case, Chrome), to execute code on the system.

Exploitation of this vulnerability would allow for an attacker to use client-side software (in this case, Chrome), to execute code on the system.

This vulnerability, if exploited, would allow an adversary to obtain SYSTEM-level privileges, resulting in total system compromise.

This vulnerability, if exploited, would allow an adversary to obtain SYSTEM-level privileges, resulting in total system compromise.

This vulnerability, if exploited, would allow an adversary to obtain SYSTEM-level privileges, resulting in total system compromise.

This vulnerability, if exploited, would allow an adversary to obtain SYSTEM-level privileges, resulting in total system compromise.

The use-after-free vulnerability present in various Apple device versions (that have since been patched out) allows for a malicious application to escalate its priviliges within the system.

The use-after-free vulnerability present in various Apple device versions (that have since been patched out) allows for a malicious application to escalate its priviliges within the system.

This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware.

This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware.

This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware.

This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware.

This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware.

This zero-day vulnerability has been exploited by attackers to gain SYSTEM-level privileges in Windows, leading to remote code execution, as well as the ability to disable security tools, deploy malicious payloads, and extract credentials from memory.

This zero-day vulnerability has been exploited by attackers to gain SYSTEM-level privileges in Windows, leading to remote code execution, as well as the ability to disable security tools, deploy malicious payloads, and extract credentials from memory.

This zero-day vulnerability has been exploited by attackers to gain SYSTEM-level privileges in Windows, leading to remote code execution, as well as the ability to disable security tools, deploy malicious payloads, and extract credentials from memory.

This zero-day vulnerability has been exploited by attackers to gain SYSTEM-level privileges in Windows, leading to remote code execution, as well as the ability to disable security tools, deploy malicious payloads, and extract credentials from memory.

This zero-day vulnerability has been exploited by attackers to gain SYSTEM-level privileges in Windows, leading to remote code execution, as well as the ability to disable security tools, deploy malicious payloads, and extract credentials from memory.

This vulnerability has been exploited to escalate an attacker's privileges to SYSTEM-level via Microsoft Windows Desktop Window Manager (DWM) Core Library, allowing the attacker to take significant actions such as registry modification.

This vulnerability has been exploited to escalate an attacker's privileges to SYSTEM-level via Microsoft Windows Desktop Window Manager (DWM) Core Library, allowing the attacker to take significant actions such as registry modification.

CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations where they can then send commands. Adversaries have been seen to use this to mine cryptocurrency.

CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations where they can then send commands. Adversaries have been seen to use this to mine cryptocurrency.

CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations where they can then send commands. Adversaries have been seen to use this to mine cryptocurrency.

This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.

This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.

CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.

CVE-2021-27860 is a vulnerability in the web management interface in FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.

This vulnerability is exploited through multiple unrestricted uploads. Adversaries with authenticated administrator privileges leverage this vulnerability to perform unauthorized file writes on the system via a maliciously crafted archive upload within the administrator web interface in Pulse Connect Secure.

This vulnerability is exploited through multiple unrestricted uploads. Adversaries with authenticated administrator privileges leverage this vulnerability to perform unauthorized file writes on the system via a maliciously crafted archive upload within the administrator web interface in Pulse Connect Secure.

This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.

This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.

This vulnerability is exploited by uploading a file to a public-facing ColdFusion server.

In the wild, this CVE was seen to result in defacement.

Advantive VeraCore versions prior to 2024.4.2.1 contain an unrestricted file upload flaw that can lead to remote code execution and full system compromise. This attack requires valid credentials for VeraCore.

Advantive VeraCore versions prior to 2024.4.2.1 contain an unrestricted file upload flaw that can lead to remote code execution and full system compromise. This attack requires valid credentials for VeraCore.

Attackers have exploited this SAP vulnerability to achieve remote code execution on the target system by sending malicious ZIP files to specific server endpoints. This can be done either through use of a single command or by uploading a web shell.

Attackers have exploited this SAP vulnerability to achieve remote code execution on the target system by sending malicious ZIP files to specific server endpoints. This can be done either through use of a single command or by uploading a web shell.

Attackers have exploited this SAP vulnerability to achieve remote code execution on the target system by sending malicious ZIP files to specific server endpoints. This can be done either through use of a single command or by uploading a web shell.

Attackers have exploited this SAP vulnerability to achieve remote code execution on the target system by sending malicious ZIP files to specific server endpoints. This can be done either through use of a single command or by uploading a web shell.

This vulnerability is exploited by the hosting of malicious content on a website. Adversaries use this to deliver an information-stealing payload within Chrome.

This vulnerability is exploited by the hosting of malicious content on a website. Adversaries use this to deliver an information-stealing payload within Chrome.

CVE-2024-4947 is a type confusion vulnerability in Chrome's V8 JavaScript engine. Adversaries have been observed exploiting this vulnerability by hosting a web-based game on a site that triggered the vulnerability and executed arbitrary code. Adversaries promoted the game on social media and through emails.

CVE-2024-4947 is a type confusion vulnerability in Chrome's V8 JavaScript engine. Adversaries have been observed exploiting this vulnerability by hosting a web-based game on a site that triggered the vulnerability and executed arbitrary code. Adversaries promoted the game on social media and through emails.

This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.

This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.

This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.

This vulnerability is exploited using a malicious-crafted word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command & control server. This malware then performs data collection on the target systems.

Victims are tricked into visiting malicious web pages crafted to trigger memory corruption, which can lead to arbitrary code execution.

Victims are tricked into visiting malicious web pages crafted to trigger memory corruption, which can lead to arbitrary code execution.

Victims are tricked into visiting malicious web pages crafted to trigger memory corruption, which can lead to arbitrary code execution.

This vulnerability has enabled attackers to use heap spraying techniques to trigger a memory corruption, allowing them to execute code remotely.

This vulnerability has enabled attackers to use heap spraying techniques to trigger a memory corruption, allowing them to execute code remotely.

This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.

This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.

This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.

CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite that allows attackers to execute arbitrary SQL commands on the database server

CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite that allows attackers to execute arbitrary SQL commands on the database server

CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.

CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.

Affected versions of FortiWeb contain insufficient input sanitization, allowing for an attacker to use SQL injection to write a malicious .pth file to the into FortiWeb's site-packages Python directory. This allows the malicious code to execute using the privileges granted to Python scripts in that high-level directory.

Affected versions of FortiWeb contain insufficient input sanitization, allowing for an attacker to use SQL injection to write a malicious .pth file to the into FortiWeb's site-packages Python directory. This allows the malicious code to execute using the privileges granted to Python scripts in that high-level directory.

Affected versions of FortiWeb contain insufficient input sanitization, allowing for an attacker to use SQL injection to write a malicious .pth file to the into FortiWeb's site-packages Python directory. This allows the malicious code to execute using the privileges granted to Python scripts in that high-level directory. Given the use of SQL, this can lead to potential loss of data within the database.

Affected versions of FortiWeb contain insufficient input sanitization, allowing for an attacker to use SQL injection to write a malicious .pth file to the into FortiWeb's site-packages Python directory. This allows the malicious code to execute using the privileges granted to Python scripts in that high-level directory. Given the use of SQL, this can lead to potential loss of data within the database.

Affected versions of FortiWeb contain insufficient input sanitization, allowing for an attacker to use SQL injection to write a malicious .pth file to the into FortiWeb's site-packages Python directory. This allows the malicious code to execute using the privileges granted to Python scripts in that high-level directory. Given the use of SQL, this can lead to potential loss of data within the database.

This vulnerability exists in the timeoutwarning.asp file in VeraCore versions up to 2025.1.0 and allows an attacker to execute commands due to a lack of proper input sanitization, leading to effects such as privilege escalation and data destruction.

This vulnerability exists in the timeoutwarning.asp file in VeraCore versions up to 2025.1.0 and allows an attacker to execute commands due to a lack of proper input sanitization, leading to effects such as privilege escalation and data destruction.

This vulnerability exists in the timeoutwarning.asp file in VeraCore versions up to 2025.1.0 and allows an attacker to execute commands due to a lack of proper input sanitization, leading to effects such as privilege escalation and data destruction.

Due to an improper sanitization flaw in the web-based CyberRoam WebAdmin administrative panel, an attacker with network access can use SQL injection to execute commands remotely.

Due to an improper sanitization flaw in the web-based CyberRoam WebAdmin administrative panel, an attacker with network access can use SQL injection to execute commands remotely.

This vulnerability is exploited through a victim visiting a malicious Web page or to clicking on an unsafe link. After visiting the website or clicking on the link, an adversary would gain the ability to execute arbitrary code on the victim system.

This vulnerability is exploited through a victim visiting a malicious Web page or to clicking on an unsafe link. After visiting the website or clicking on the link, an adversary would gain the ability to execute arbitrary code on the victim system.

Using a crafted .library-ms file, attackers can exploit this spoofing vulnerability to gain access to NTLM hashes on the system. This was officially patched by Microsoft on March 11, 2025, but has been exploited in the wild as of March 19, 2025.

Using a crafted .library-ms file, attackers can exploit this spoofing vulnerability to gain access to NTLM hashes on the system. This was officially patched by Microsoft on March 11, 2025, but has been exploited in the wild as of March 19, 2025.

This vulnerability is exploited through a Server-Side Request Forgery (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint, which can be accessed without authentication. This manipulation allows attackers to interact with internal services, potentially enabling further exploitation by chaining with other vulnerabilities.

This vulnerability is exploited through a Server-Side Request Forgery (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint, which can be accessed without authentication. This manipulation allows attackers to interact with internal services, potentially enabling further exploitation by chaining with other vulnerabilities.

This vulnerability is exploited through a Server-Side Request Forgery (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint, which can be accessed without authentication. This manipulation allows attackers to interact with internal services, potentially enabling further exploitation by chaining with other vulnerabilities.

This vulnerability is exploited through a Server-Side Request Forgery (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint, which can be accessed without authentication. This manipulation allows attackers to interact with internal services, potentially enabling further exploitation by chaining with other vulnerabilities.

CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance in Accellion that allows an adversary to manipulate server requests via a crafted POST request.

CVE-2021-27103 is a server-side request forgery vulnerability in Accellion File Transfer Appliance in Accellion that allows an adversary to manipulate server requests via a crafted POST request.

This Server-Side Request Forgery (SSRF) vulnerability is exploited by an attacker with network access to the VMware server. This vulnerability enables the attacker to exploit an unauthenticated endpoint to send crafted requests to internal or external systems. By doing so, the attacker can potentially steal administrative credentials. Once these credentials are compromised, the attacker could gain maximum privileges within the application, enabling them to alter configurations and intercept sensitive data. This exploitation could lead to unauthorized access and manipulation of the application.

This vulnerability is exploited through an SSRF (Server Side Request Forgery) flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter Server plugin. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted POST request to the vCenter Server plugin, thereby bypassing URL validation. This manipulation enables the disclosure of sensitive information. By exploiting this flaw, attackers can scan the company's internal network and retrieve specifics about open ports and services.

This vulnerability is exploited through an SSRF (Server Side Request Forgery) flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter Server plugin. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted POST request to the vCenter Server plugin, thereby bypassing URL validation. This manipulation enables the disclosure of sensitive information. By exploiting this flaw, attackers can scan the company's internal network and retrieve specifics about open ports and services.

A CSRF vulnerability in PaperCut NG/MF can be exploited by an attacker targeting an admin with a current login session and tricking the admin into clicking a link. This exploit can lead to security setting modification and arbitrary code execution.

A CSRF vulnerability in PaperCut NG/MF can be exploited by an attacker targeting an admin with a current login session and tricking the admin into clicking a link. This exploit can lead to security setting modification and arbitrary code execution.

A CSRF vulnerability in PaperCut NG/MF can be exploited by an attacker targeting an admin with a current login session and tricking the admin into clicking a link. This exploit can lead to security setting modification and arbitrary code execution.

Due to an issue with deployWebpackage.do, Commvault Command Center is vulnerable to SSRF attacks due to flawed host filtering, which an attacker can exploit to achieve remote code execution using malicious archives with .jsp files in them.

Due to an issue with deployWebpackage.do, Commvault Command Center is vulnerable to SSRF attacks due to flawed host filtering, which an attacker can exploit to achieve remote code execution using malicious archives with JavaScript files in them.

CVE-2023-21715 is a security feature bypass vulnerability exploitable when a user opens a specially-crafted file bypassing macro policies.

This vulnerability is exploited via authentication bypass, allowing the adversary to write to files.

This vulnerability is exploited via authentication bypass, allowing the adversary to write to files.

This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

Attackers can double-archive malicious payloads with 7-Zip to bypass Windows's Mark-of-the-Web security feature, further allowing the bypassing of Microsoft Defender SmartScreen. This allows attackers to disseminate these payloads via methods like email attachments, which would normally be subject to additional scrutiny by the service's protective measures. This flaw was patched in 7-Zip version 24.09.

Attackers can double-archive malicious payloads with 7-Zip to bypass Windows's Mark-of-the-Web security feature, further allowing the bypassing of Microsoft Defender SmartScreen. This allows attackers to disseminate these payloads via methods like email attachments, which would normally be subject to additional scrutiny by the service's protective measures. This flaw was patched in 7-Zip version 24.09.

Attackers can double-archive malicious payloads with 7-Zip to bypass Windows's Mark-of-the-Web security feature, further allowing the bypassing of Microsoft Defender SmartScreen. This allows attackers to disseminate these payloads via methods like email attachments, which would normally be subject to additional scrutiny by the service's protective measures. This flaw was patched in 7-Zip version 24.09.

Attackers can send a specially crafted email that uses the file:// protocol to reference a server that they own, ending the file:// link with an exclamation mark to bypass Outlook's security features, leading to remote code execution.

Attackers can send a specially crafted email that uses the file:// protocol to reference a server that they own, ending the file:// link with an exclamation mark to bypass Outlook's security features, leading to remote code execution.

This vulnerability allows bypassing sandbox protection and run native code.

This vulnerability allows bypassing sandbox protection and run native code.

This vulnerability allows attackers to escape Chrome’s sandbox through a Mojo IPC message crafted to trigger higher privilege. Exploitation has been reported as part of a cyber-espionage campaign.

This vulnerability allows attackers to escape Chrome’s sandbox through a Mojo IPC message crafted to trigger higher privilege. Exploitation has been reported as part of a cyber-espionage campaign.

This vulnerability allows attackers to escape Chrome’s sandbox through a Mojo IPC message crafted to trigger higher privilege. Exploitation has been reported as part of a cyber-espionage campaign.

CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium browser via the audio object using a race condition to write into the heap.

CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium browser via the audio object using a race condition to write into the heap.

This vulnerability is exploited by a remote attacker who forges a session cookie leveraging user_id or _user_id set to 1 in order to log in as an administrator. A successful exploitation could allow the adversary to gain authenticated access and gain access to unauthorized resources.

This vulnerability is exploited by a remote attacker who forges a session cookie leveraging user_id or _user_id set to 1 in order to log in as an administrator. A successful exploitation could allow the adversary to gain authenticated access and gain access to unauthorized resources.

Attackers can use malicious Human Interface Devices (keyboard, mouse, etc.) to trigger a kernel-level memory leak due to improper initialization and use of uninitialized resources. This leads to the returning of the uninitialized kernel data, which can be collected and exfiltrated.

Attackers can use malicious Human Interface Devices (keyboard, mouse, etc.) to trigger a kernel-level memory leak due to improper initialization and use of uninitialized resources. This leads to the returning of the uninitialized kernel data, which can be collected and exfiltrated.

Attackers can use malicious Human Interface Devices (keyboard, mouse, etc.) to trigger a kernel-level memory leak due to improper initialization and use of uninitialized resources. This leads to the returning of the uninitialized kernel data, which can be collected and exfiltrated.

This zero-day vulnerability presents itself after an adversary has already infiltrated the victim's network and enables the adversary to obtain SYSTEM level privileges via Microsoft Windows Hyper-V product. As of now, details of how the attacker's methods to exploit this vulnerability are undisclosed.

This zero-day vulnerability presents itself after an adversary has already infiltrated the victim's network and enables the adversary to obtain SYSTEM level privileges via Microsoft Windows Hyper-V product. As of now, details of how the attacker's methods to exploit this vulnerability are undisclosed.

This vulnerability is a zero-day exploit that is believed to still be utilized by various adversarial groups leading to limited publicly available exploitation information. The vulnerability is a "heap-based protector flood susceptibility impacting the Windows DWM Core Library" enabling an adversary to gain SYSTEM privileges.

This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.

This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.

This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs.

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain limited SYSTEM level privileges. This vulnerability has been exploited in the wild; however, no technical information has been published related to the exploitation. Microsoft has identified that successful exploitation of this vulnerability requires an attacker to win a race condition.

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain limited SYSTEM level privileges. This vulnerability has been exploited in the wild; however, no technical information has been published related to the exploitation. Microsoft has identified that successful exploitation of this vulnerability requires an attacker to win a race condition.

This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.

This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.

This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.

This vulnerability is exploited by an authenticated adversary. It is identified as requiring local access via Microsoft; however, other reports have identified remote, authenticated adversaries can exploit this vulnerability. A successful exploitation would grant an attacker SYSTEM level privileges. This vulnerability has been exploited in the wild; however, technical details of how this was leveraged in an attack has not been publicly shared.

This vulnerability is exploited by an authenticated adversary. It is identified as requiring local access via Microsoft; however, other reports have identified remote, authenticated adversaries can exploit this vulnerability. A successful exploitation would grant an attacker SYSTEM level privileges. This vulnerability has been exploited in the wild; however, technical details of how this was leveraged in an attack has not been publicly shared.

This vulnerability is exploited through improper access control in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to gain initial access by issuing a privilege level 15 command, which allowed them to create a local user account with a password.

This vulnerability is exploited through improper access control in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to gain initial access by issuing a privilege level 15 command, which allowed them to create a local user account with a password.

This vulnerability is exploited by an attacker who has obtained local access with low privileges on the target system. The vulnerability lies in the Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due to a memory overflow issue. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access. Once the vulnerability is exploited, attackers can manipulate system processes and access sensitive information stored in the service, such as cryptographic keys. This allows them to achieve their objectives, such as executing code with elevated privileges and compromising the security of the affected system.

This vulnerability is exploited by an attacker who has obtained local access with low privileges on the target system. The vulnerability lies in the Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due to a memory overflow issue. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access. Once the vulnerability is exploited, attackers can manipulate system processes and access sensitive information stored in the service, such as cryptographic keys. This allows them to achieve their objectives, such as executing code with elevated privileges and compromising the security of the affected system.

This vulnerability is exploited by an attacker who has obtained local access with low privileges on the target system. The vulnerability lies in the Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due to a memory overflow issue. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access. Once the vulnerability is exploited, attackers can manipulate system processes and access sensitive information stored in the service, such as cryptographic keys. This allows them to achieve their objectives, such as executing code with elevated privileges and compromising the security of the affected system.

This vulnerability is exploited by an attacker who has obtained access to manipulate the Print Spooler service on the target system. The vulnerability lies in the Print Spooler, specifically involving XML manipulation and path traversal to a writable path containing a modified version of the `prntvpt.dll` file. This vulnerability has been exploited by threat actors to load unauthorized code on Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the path traversal vulnerability to load a malicious DLL by manipulating the Print Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation controls to load untrusted resources, thereby executing arbitrary code with elevated privileges.

This vulnerability is exploited by an attacker who has obtained access to manipulate the Print Spooler service on the target system. The vulnerability lies in the Print Spooler, specifically involving XML manipulation and path traversal to a writable path containing a modified version of the `prntvpt.dll` file. This vulnerability has been exploited by threat actors to load unauthorized code on Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the path traversal vulnerability to load a malicious DLL by manipulating the Print Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation controls to load untrusted resources, thereby executing arbitrary code with elevated privileges.

This vulnerability is exploited by an attacker who has obtained access to manipulate the Print Spooler service on the target system. The vulnerability lies in the Print Spooler, specifically involving XML manipulation and path traversal to a writable path containing a modified version of the `prntvpt.dll` file. This vulnerability has been exploited by threat actors to load unauthorized code on Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the path traversal vulnerability to load a malicious DLL by manipulating the Print Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation controls to load untrusted resources, thereby executing arbitrary code with elevated privileges.

CVE-2022-41033 is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows COM+ Event System Service, due to improper handling of privilege escalation scenarios. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves pairing the elevation of privilege vulnerability with other code-execution exploits, often through social engineering tactics such as enticing a user to open a malicious attachment or visit a harmful website. Once the vulnerability is exploited, attackers can manipulate system privileges to perform arbitrary actions with SYSTEM-level permissions. This allows them to achieve their objectives, such as installing programs, viewing or changing data, and creating new accounts with full user rights.

CVE-2022-41033 is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows COM+ Event System Service, due to improper handling of privilege escalation scenarios. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves pairing the elevation of privilege vulnerability with other code-execution exploits, often through social engineering tactics such as enticing a user to open a malicious attachment or visit a harmful website. Once the vulnerability is exploited, attackers can manipulate system privileges to perform arbitrary actions with SYSTEM-level permissions. This allows them to achieve their objectives, such as installing programs, viewing or changing data, and creating new accounts with full user rights.

This vulnerability is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows Common Log File System (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone` field in the Base Record Header for the base log file (BLF). This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering an out-of-bound write that corrupts a pointer to the CClfsContainer object. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary actions with SYSTEM-level privileges. This allows them to achieve their objectives, such as disabling security applications and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows Common Log File System (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone` field in the Base Record Header for the base log file (BLF). This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering an out-of-bound write that corrupts a pointer to the CClfsContainer object. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary actions with SYSTEM-level privileges. This allows them to achieve their objectives, such as disabling security applications and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows Common Log File System (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone` field in the Base Record Header for the base log file (BLF). This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering an out-of-bound write that corrupts a pointer to the CClfsContainer object. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary actions with SYSTEM-level privileges. This allows them to achieve their objectives, such as disabling security applications and gaining full control over the compromised system.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. To exploit this vulnerability, the adversary needs to already have access to the system and must also "win a race condition". If successfully exploited, the adversary would gain elevated privileges on the victim system. This vulnerability has been identified as exploited in the wild; however, technical exploitation details have not been publicly shared.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. To exploit this vulnerability, the adversary needs to already have access to the system and must also "win a race condition". If successfully exploited, the adversary would gain elevated privileges on the victim system. This vulnerability has been identified as exploited in the wild; however, technical exploitation details have not been publicly shared.

This vulnerability is exploited by an attacker who has already obtained access to a target system to execute code. The vulnerability lies in the Common Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()` function, due to a logic bug in handling container context objects. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary code with system-level privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in ransomware campaigns. It involves corrupting the `pContainer` field of a container context object with a user-mode address by using malformed BLF files. Once the vulnerability is exploited, attackers can manipulate memory to execute code with elevated privileges. This allows them to achieve their objectives, such as stealing the System token and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has already obtained access to a target system to execute code. The vulnerability lies in the Common Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()` function, due to a logic bug in handling container context objects. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary code with system-level privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in ransomware campaigns. It involves corrupting the `pContainer` field of a container context object with a user-mode address by using malformed BLF files. Once the vulnerability is exploited, attackers can manipulate memory to execute code with elevated privileges. This allows them to achieve their objectives, such as stealing the System token and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has already obtained access to a target system to execute code. The vulnerability lies in the Common Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()` function, due to a logic bug in handling container context objects. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary code with system-level privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in ransomware campaigns. It involves corrupting the `pContainer` field of a container context object with a user-mode address by using malformed BLF files. Once the vulnerability is exploited, attackers can manipulate memory to execute code with elevated privileges. This allows them to achieve their objectives, such as stealing the System token and gaining full control over the compromised system.

This vulnerability allows adversaries with local access to escalate privileges to root. Adversaries have been observed chaining this following exploit of CVE-2022-22954.

This vulnerability is leveraged by an adversary who has already gained local access to the victim system. The adversary exploits this vulnerability to elevate their privileges on the system via the Print Spooler, which could give the adversary the ability to distribute and install malicious programs on victims’ computers that can steal stored data This vulnerability has been actively exploited by cybercriminals to gain unauthorized access to corporate networks and resources. Details about who is exploiting this vulnerability and their exact movements have not been publicly shared.

This vulnerability is leveraged by an adversary who has already gained local access to the victim system. The adversary exploits this vulnerability to elevate their privileges on the system via the Print Spooler, which could give the adversary the ability to distribute and install malicious programs on victims’ computers that can steal stored data This vulnerability has been actively exploited by cybercriminals to gain unauthorized access to corporate networks and resources. Details about who is exploiting this vulnerability and their exact movements have not been publicly shared.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. The adversary gains access to the vulnerability either by social engineering, a separate exploit, or malware. Exploiting this vulnerability grants the adversary elevated privileges on the victim system. This vulnerability has been identified as being exploited in the wild; however, technical details of how the vulnerability has been leveraged by a hacker or APT have not been publicly released.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. The adversary gains access to the vulnerability either by social engineering, a separate exploit, or malware. Exploiting this vulnerability grants the adversary elevated privileges on the victim system. This vulnerability has been identified as being exploited in the wild; however, technical details of how the vulnerability has been leveraged by a hacker or APT have not been publicly released.

The vulnerability in Microsoft Windows allows local attackers to escalate privileges by exploiting a flaw in the Windows Installer service. By creating a junction, attackers can delete targeted files or directories, potentially executing arbitrary code with SYSTEM privileges. However, attackers must already have access and the ability to execute low-privileged code on the target system to exploit this vulnerability. This vulnerability has been identified as exploited in the wild; however, specific details on how the vulnerability was exploited have not been publicly released.

The vulnerability in Microsoft Windows allows local attackers to escalate privileges by exploiting a flaw in the Windows Installer service. By creating a junction, attackers can delete targeted files or directories, potentially executing arbitrary code with SYSTEM privileges. However, attackers must already have access and the ability to execute low-privileged code on the target system to exploit this vulnerability. This vulnerability has been identified as exploited in the wild; however, specific details on how the vulnerability was exploited have not been publicly released.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by a local or remote adversary who already has access to the system. The vulnerability enables the attacker to elevate their privileges due to over permissive ACLs on system file and elevate their privileges to SYSTEM level. By exploiting this vulnerability an attacker could gain the ability to run arbitrary code, install programs, view/modify/delete data, or create new user accounts with full rights.

This vulnerability is exploited by a local or remote adversary who already has access to the system. The vulnerability enables the attacker to elevate their privileges due to over permissive ACLs on system file and elevate their privileges to SYSTEM level. By exploiting this vulnerability an attacker could gain the ability to run arbitrary code, install programs, view/modify/delete data, or create new user accounts with full rights.

This privilege escalation vulnerability can be exploited by sending a specially crafted HTTP request to the exchange server, is it often chained together with CVE-2021-34473, a remote code execution vulnerability.

Local escalation of privilege attack. Attacker would most likely gain access through an executable or script on the local computer sent to the user via an email attachment.

Local escalation of privilege attack. Attacker would most likely gain access through an executable or script on the local computer sent to the user via an email attachment.

CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.

CVE-2020-1472 is a privilege escalation vulnerability in Windows Netlogon. After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.

CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. CVE-2020-1472 has been reported to be exploited by Ransomware groups for initial access.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.

CVE-2019-0211 is a privilege escalation vulnerability in Apache HTTP Server with MPM event, worker, or prefork that allows an attacker to execute code with the privileges of that parent process (usually root).

Exploiting this link-following vulnerability can lead to privilege escalation, with the primary result being deletion of system data. As a consequence of this, deletion of certain files could also make the recovery process more difficult.

Exploiting this link-following vulnerability can lead to privilege escalation, with the primary result being deletion of system data. As a consequence of this, deletion of certain files could also make the recovery process more difficult.

Exploiting this link-following vulnerability can lead to privilege escalation, with the primary result being deletion of system data. As a consequence of this, deletion of certain files could also make the recovery process more difficult.

Brocade Fabric OS versions 9.1.0 through 9.1.1d6 contain an improper IP validation flaw that allows a user with valid administrative access to escalate their privileges further, allowing for root-level code execution.

Brocade Fabric OS versions 9.1.0 through 9.1.1d6 contain an improper IP validation flaw that allows a user with valid administrative access to escalate their privileges further, allowing for root-level code execution.

No public proof-of-concept for this exploit exists, but an attacker with existing administrative privileges can exploit this vulnerability can execute arbitrary commands at a higher privilege level.

No public proof-of-concept for this exploit exists, but an attacker with existing administrative privileges can exploit this vulnerability can execute arbitrary commands at a higher privilege level.

Linux kernel's OverlayFS contains a privilege escalation vulnerability that allows a local user with no privileges to obtain root-level privileges.

Linux kernel's OverlayFS contains a privilege escalation vulnerability that allows a local user with no privileges to obtain root-level privileges.

Linux kernel's OverlayFS contains a privilege escalation vulnerability that allows a local user with no privileges to obtain root-level privileges.

Linux kernel's OverlayFS contains a privilege escalation vulnerability that allows a local user with no privileges to obtain root-level privileges.

This vulnerability is exploited with maliciously-crafted code hosted on a webpage via drive-by compromise.

This vulnerability is exploited via embedded javascript within a user-executed malicious pdf. There are two mapped exploitation_technqiues for this CVE.

This vulnerability is exploited via embedded javascript within a user-executed malicious pdf. There are two mapped exploitation_technqiues for this CVE.

CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.

CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.

CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.

CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.

CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.

CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.

CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.

CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.

CVE-2024-23692 is a OS command injection vulnerability within the HTTP File Server (HFS) process for Rejetto. It has been reported to be exploited by threat actors to deploy cryptomining malware, install backdoors, Remote Access Trojans (RATs), and other malware like “GoThief” to exfiltrate sensitive data.

This vulnerability is exploited through a 'Rapid Reset' flaw in HTTP/2 endpoints. Attackers initiate this vulnerability by sending a crafted sequence of HTTP requests using HEADERS followed by RST_STREAM frames. This allows them to generate substantial traffic on targeted servers, significantly increasing CPU usage and leading to resource exhaustion without authentication.

This vulnerability is exploited through a 'Rapid Reset' flaw in HTTP/2 endpoints. Attackers initiate this vulnerability by sending a crafted sequence of HTTP requests using HEADERS followed by RST_STREAM frames. This allows them to generate substantial traffic on targeted servers, significantly increasing CPU usage and leading to resource exhaustion without authentication.

This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series switches and SRX Series firewalls. Attackers leverage this vulnerability to gain initial access by crafting a request that sets the PHPRC variable, thereby altering the PHP execution environment. This manipulation enables the injection and execution of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP features, attackers can include a base64 encoded PHP payload using the data:// wrapper. This method allows them to execute code within a confined FreeBSD jail environment, with the potential to escalate privileges by stealing authentication tokens from a user logged into the J-Web application, ultimately enabling unauthorized SSH access with elevated privileges.

This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series switches and SRX Series firewalls. Attackers leverage this vulnerability to gain initial access by crafting a request that sets the PHPRC variable, thereby altering the PHP execution environment. This manipulation enables the injection and execution of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP features, attackers can include a base64 encoded PHP payload using the data:// wrapper. This method allows them to execute code within a confined FreeBSD jail environment, with the potential to escalate privileges by stealing authentication tokens from a user logged into the J-Web application, ultimately enabling unauthorized SSH access with elevated privileges.

This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web component of Juniper Networks Junos OS on EX Series devices. Attackers first use this vulnerability to gain control over certain environment variables by sending a crafted request, which allows them to manipulate these variables without authentication.

This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web component of Juniper Networks Junos OS on EX Series devices. Attackers first use this vulnerability to gain control over certain environment variables by sending a crafted request, which allows them to manipulate these variables without authentication.

This vulnerability is exploited by an unauthenticated, remote user who can access the Redis instance via port 6379 due to a health check RPM issue in IOS XR software. A successful exploitation of this vulnerability could allow an attacker the ability to write to the Redis in-memory database, write arbitrary files to the file system, or retrieve information about the Redis database. This vulnerability has been identified as being exploited in the wild, but specific details have not been released.

CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.

CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.

CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.

This vulnerability is exploited through a user opening a maliciously-crafted pdf file or swf file.

This vulnerability is exploited by having a user open a maliciously-crafted pdf file.

This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. After bypassing authentication with CVE-2025-0108, the attacker can exploit this to gain read access to system files with "nobody" privileges.

This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. After bypassing authentication with CVE-2025-0108, the attacker can exploit this to gain read access to system files with "nobody" privileges.

The Yii2 PHP framework, prior to version 2.0.52, contains an improper validation flaw that allows an attacker to input arbitrary PHP classes to a JSON file, which will then be instantiated and executed. This can lead to remote code execution and server-side request forgery, among other potential impacts.

The Yii2 PHP framework, prior to version 2.0.52, contains an improper validation flaw that allows an attacker to input arbitrary PHP classes to a JSON file, which will then be instantiated and executed. This can lead to remote code execution and server-side request forgery, among other potential impacts.

Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.

Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.

Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.

Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.

Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.

Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.

Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.

Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.

This information disclosure vulnerability allows an attacker to gain access to ObjRef URI, which can be leveraged to facilitate remote code execution and privilege escalation.

This information disclosure vulnerability allows an attacker to gain access to ObjRef URI, which can be leveraged to facilitate remote code execution and privilege escalation.

This vulnerability stems from improper HTTP header validation, if exploited, allows for remote code execution on affected devices.

This vulnerability stems from improper HTTP header validation, if exploited, allows for remote code execution on affected devices.

This vulnerability stems from improper HTTP header validation, if exploited, allows for remote code execution on affected devices.

An attacker with local access can exploit a DLL sideloading vulnerability by tricking mDNSResponder.exe into loading a malicious DLL, facilitating arbitrary code execution.

An attacker with local access can exploit a DLL sideloading vulnerability by tricking mDNSResponder.exe into loading a malicious DLL, facilitating arbitrary code execution.

TeleMessage TM SNGL utilizes a JavaServer Pages framework which improperly handles content in heaps and making them functionally the same as a core dump file. Attackers with local access can use this to obtain sensitive information, including credentials.

TeleMessage TM SNGL utilizes a JavaServer Pages framework which improperly handles content in heaps and making them functionally the same as a core dump file. Attackers with local access can use this to obtain sensitive information, including credentials.

TeleMessage TM SNGL utilizes a JavaServer Pages framework which improperly handles content in heaps and making them functionally the same as a core dump file. Attackers with local access can use this to obtain sensitive information, including credentials.

TeleMessage TM SNGL's Spring Boot Actuator exposes the /heapdump endpoint publicly, allowing an unauthenticated attacker to access it.

TeleMessage TM SNGL's Spring Boot Actuator exposes the /heapdump endpoint publicly, allowing an unauthenticated attacker to access it.

TeleMessage TM SNGL's Spring Boot Actuator exposes the /heapdump endpoint publicly, allowing an unauthenticated attacker to access it.

While public technical details of this exploit are limited, including the techniques used, it is known that authenticated, low-privileged attackers were able to achieve remote code execution and web shell deployment.

While public technical details of this exploit are limited, including the techniques used, it is known that authenticated, low-privileged attackers were able to achieve remote code execution and web shell deployment.

This vulnerability allows an attacker to write arbitrary files to a known location on the target server, including potentially malicious files such as PHP scripts by leveraging the fact that Craft CMS creates session files for unauthenticated users at the login page. However, this vulnerability does not, by itself, cause any scripts to be executed or any information to be accessed, so it would need to be chained with another vulnerability in order to achieve code execution.

This vulnerability allows an attacker to write arbitrary files to a known location on the target server, including potentially malicious files such as PHP scripts by leveraging the fact that Craft CMS creates session files for unauthenticated users at the login page. However, this vulnerability does not, by itself, cause any scripts to be executed or any information to be accessed, so it can only write files and would need to be chained with another vulnerability in order to achieve code execution.

This vulnerability allows an attacker to write arbitrary files to a known location on the target server, including potentially malicious files such as PHP scripts by leveraging the fact that Craft CMS creates session files for unauthenticated users at the login page. However, this vulnerability does not, by itself, cause any scripts to be executed or any information to be accessed, so it can only write files and would need to be chained with another vulnerability in order to achieve code execution.

By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.

By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.

By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.

By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.

By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.

CVE-2020-0688 exists in Microsoft Office, which is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code if unpatched, in the context of the current user, by failing to properly handle objects in memory. Cyber actors continued to exploit this vulnerability in Microsoft Office. The vulnerability is ideal for phasing campaigns, and it enables RCE on vulnerable systems.

CVE-2020-0688 exists in Microsoft Office, which is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code if unpatched, in the context of the current user, by failing to properly handle objects in memory. Cyber actors continued to exploit this vulnerability in Microsoft Office. The vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.

This vulnerability is exploited by a maliciously-crafted .swf file which can be run on a user system.

This vulnerability is exploited by a maliciously-crafted .swf file which can be run on a user system.

This vulnerability is exploited by a maliciously-crafted .swf file which can be run on a user system via drive-by compromise.

This vulnerability is exploited via maliciously-crafted javascript.

This vulnerability is exploited via a maliciously-crafted pdf delivered as an email attachment.

This vulnerability is exploited by a maliciously-crafted .swf via drive-by compromise.

This vulnerability is exploited via a maliciously-crafted MP4 file. As a result of the exploit, malicious software is installed on the target machine.

This vulnerability is exploited via a maliciously-crafted MP4 file. As a result of the exploit, malicious software is installed on the target machine.

This vulnerability is exploited by crafted swf content via drive-by compromise when a user visits a malicious website. This vulnerability is also exploited via user execution of a maliciously crafted pdf file. In the wild, threat actors have used this to download malicious software onto the target system.

This vulnerability is exploited by crafted swf content via drive-by compromise when a user visits a malicious website. This vulnerability is also exploited via user execution of a maliciously crafted pdf file. In the wild, threat actors have used this to download malicious software onto the target system.

This vulnerability is exploited by crafted swf content via drive-by compromise when a user visits a malicious website. This vulnerability is also exploited via user execution of a maliciously crafted pdf file. In the wild, threat actors have used this to download malicious software onto the target system.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.

This vulnerability is exploited by having the user open a malicious pdf file to achieve arbitrary code execution.

This integer overflow vulnerability is exploited by a remote attacker who has already compromised the renderer process of Google Chrome. Exploiting this vulnerability might lead to incorrect rendering, memory corruption, and arbitrary code execution that could grant the adversary unauthorized access to the system. Exploitation in the wild techniques have not been publicly released to reduce further abuse.

This vulnerability is exploited via an integer overflow.

This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.

This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.

This vulnerability is exploited with maliciously-crafted code hosted on a website via drive-by compromise. It has been seen used in the wild by exploit kits whose goal is frequently to load ransomware onto the target machine.

This vulnerability can be exploited by a malicioiusly-crafted webpage via drive-by compromise.

An attacker can trick users into executing malicious code by mounting images or drives. This code exploits vulnerabilities in the Windows Fast FAT File System Driver.

An attacker can trick users into executing malicious code by mounting images or drives. This code exploits vulnerabilities in the Windows Fast FAT File System Driver.

This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.

This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.

This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.

This vulnerability is exploited by an unauthenticated, remote attacker by specifying a default connection profile/tunnel group, enabling a brute-force attack to identify valid credentials and establish a clienteles SSL VPN session using those valid credentials.

This vulnerability is exploited by an unauthenticated, remote attacker by specifying a default connection profile/tunnel group, enabling a brute-force attack to identify valid credentials and establish a clienteles SSL VPN session using those valid credentials.

CVE-2020-0787 is a privilege elevation vulnerability in the Windows Background Intelligent Transfer Service (BITS). An actor can exploit this vulnerability if it improperly handles symbolic links to execute arbitrary code with system-level privileges.