Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2023-6548 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1055 | Process Injection | This vulnerability allows for authenticated (low-privilege) remote code execution via code injection. |
CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | secondary_impact | T1087.002 | Domain Account | This vulnerability allows for unauthenticated remote code execution. It can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed using this exploit to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate Active Directory data. |
CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability allows for unauthenticated remote code execution. It can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed using this exploit to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate Active Directory data. |
CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | primary_impact | T1105 | Ingress Tool Transfer | This vulnerability allows for unauthenticated remote code execution. It can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed using this exploit to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate Active Directory data. |
CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1574 | Hijack Execution Flow | This vulnerability allows for unauthenticated remote code execution. It can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed using this exploit to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate Active Directory data. |
CVE-2022-22947 | VMware Spring Cloud Gateway Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability is exploited by a remote attacker via a code injection attack to perform arbitrary remote code execution. CISA has linked this vulnerability to adversary campaigns performed by Andariel to perform cyber espionage via ransomware operations. |
CVE-2022-22947 | VMware Spring Cloud Gateway Code Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | This vulnerability is exploited by a remote attacker via a code injection attack to perform arbitrary remote code execution. CISA has linked this vulnerability to adversary campaigns performed by Andariel to perform cyber espionage via ransomware operations. |
CVE-2022-22947 | VMware Spring Cloud Gateway Code Injection Vulnerability | secondary_impact | T1486 | Data Encrypted for Impact | This vulnerability is exploited by a remote attacker via a code injection attack to perform arbitrary remote code execution. CISA has linked this vulnerability to adversary campaigns performed by Andariel to perform cyber espionage via ransomware operations. |
CVE-2021-44529 | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | This vulnerability is exploited after an adversary sends a maliciously crafted cookie to the client endpoint (/client/index.php) to exploit Ivanti systems that utilized a malicious version of "csrf-magic", which creates a backdoor into an Ivanti system. An unauthorized user can then execute malicious code stored in the cookie via Ivanti's "nobody" user account. |
CVE-2021-44529 | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability | primary_impact | T1195.002 | Compromise Software Supply Chain | This vulnerability is exploited after an adversary sends a maliciously crafted cookie to the client endpoint (/client/index.php) to exploit Ivanti systems that utilized a malicious version of "csrf-magic", which creates a backdoor into an Ivanti system. An unauthorized user can then execute malicious code stored in the cookie via Ivanti's "nobody" user account. |
CVE-2025-21590 | Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability | exploitation_technique | T1068 | Exploitation for Privilege Escalation | This vulnerability allows for an adversary to escalate their privileges within the system, allowing them to execute arbitrary code. |
CVE-2025-21590 | Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | This vulnerability allows for an adversary to escalate their privileges within the system, allowing them to execute arbitrary code. |
CVE-2024-56145 | Craft CMS Code Injection Vulnerability | exploitation_technique | T1055 | Process Injection | This vulnerability, which depends on the PHP configuration setting "register_argc_argv" being enabled, can allow an attacker to craft a malicious HTTP request that the CMS can process as legitimate, leading to remote code execution and, potentially, full system compromise. |
CVE-2024-56145 | Craft CMS Code Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | This vulnerability, which depends on the PHP configuration setting "register_argc_argv" being enabled, can allow an attacker to craft a malicious HTTP request that the CMS can process as legitimate, leading to remote code execution and, potentially, full system compromise. |
CVE-2022-43769 | Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution | Attackers can use Server-Side Template Injection with a Thymeleaf template to inject malicious code. When chained with CVE-2022-43939, this can lead to unauthorized code execution. |
CVE-2022-43769 | Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | Attackers can use Server-Side Template Injection with a Thymeleaf template to inject malicious code. When chained with CVE-2022-43939, this can lead to unauthorized code execution. |
CVE-2025-49704 | Microsoft SharePoint Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | When chained with CVE-2025-49706, this vulnerability allows for an attacker to send a malicious __VIEWSTATE object to the same endpoint that the POST requests were sent to. This exploits a code injection flaw and allows for code execution. |
CVE-2025-49704 | Microsoft SharePoint Code Injection Vulnerability | primary_impact | T1059.003 | Windows Command Shell | When chained with CVE-2025-49706, this vulnerability allows for an attacker to send a malicious __VIEWSTATE object to the same endpoint that the POST requests were sent to. This exploits a code injection flaw and allows for code execution. |
CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application | By itself, this exploit requires an authenticated user in order to carry it out. However, when chained with CVE-2025-4427, the attacker achieves unauthenticated remote code execution. |
CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter | By itself, this exploit requires an authenticated user in order to carry it out. However, when chained with CVE-2025-4427, the attacker achieves unauthenticated remote code execution. |
CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | secondary_impact | T1543 | Create or Modify System Process | By itself, this exploit requires an authenticated user in order to carry it out. However, when chained with CVE-2025-4427, the attacker achieves unauthenticated remote code execution. |