Known Exploited Vulnerabilities Command Injection Capability Group

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary php commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaisance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.

This vulnerability is exploited through a command injection weakness in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers leverage this vulnerability to achieve remote code execution by sending specially crafted requests to vulnerable instances, potentially without requiring authentication when combined with other vulnerabilities. This manipulation allows attackers to execute arbitrary commands on the appliance, potentially enabling further exploitation and system compromise. Threat actors have been reported as likely targeting credentials and the deployment of web shells to provide future access.

This vulnerability is exploited through a command injection weakness in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers leverage this vulnerability to achieve remote code execution by sending specially crafted requests to vulnerable instances, potentially without requiring authentication when combined with other vulnerabilities. This manipulation allows attackers to execute arbitrary commands on the appliance, potentially enabling further exploitation and system compromise. Threat actors have been reported as likely targeting credentials and the deployment of web shells to provide future access.

This vulnerability is exploited through a command injection weakness in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers leverage this vulnerability to achieve remote code execution by sending specially crafted requests to vulnerable instances, potentially without requiring authentication when combined with other vulnerabilities. This manipulation allows attackers to execute arbitrary commands on the appliance, potentially enabling further exploitation and system compromise. Threat actors have been reported as likely targeting credentials and the deployment of web shells to provide future access.

This vulnerability is exploited through a command injection weakness in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers leverage this vulnerability to achieve remote code execution by sending specially crafted requests to vulnerable instances, potentially without requiring authentication when combined with other vulnerabilities. This manipulation allows attackers to execute arbitrary commands on the appliance, potentially enabling further exploitation and system compromise. Threat actors have been reported as likely targeting credentials and the deployment of web shells to provide future access.

This vulnerability is exploited by an attacker who has access to administrator credentials. The adversary leverages these credentials to execute arbitrary commands using root privileges.

This vulnerability is exploited by an attacker who has access to administrator credentials. The adversary leverages these credentials to execute arbitrary commands using root privileges.

CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.

CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.

CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.

CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.

CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.

CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.

This vulnerability is exploited by a remote, unauthenticated actor to gain remote code execution via a command injection attack. This vulnerability has been exploited in the wild; however, technical details have not been publicly shared.

This vulnerability is exploited by a remote, unauthenticated actor to gain remote code execution via a command injection attack. This vulnerability has been exploited in the wild; however, technical details have not been publicly shared.

This vulnerability is exploited through improper privilege escalation in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to elevate privileges from a normal user to root by leveraging a newly created local user account. This allowed them to write malicious implants that enable them to execute arbitrary commands to the file system This CVE was exploited after the adversary exploited CVE-2023-20198.

This vulnerability is exploited through improper privilege escalation in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to elevate privileges from a normal user to root by leveraging a newly created local user account. This allowed them to write an implant to the file system, further compromising the device. This CVE was exploited after the adversary exploited CVE-2023-20198.

This vulnerability is exploited through improper privilege escalation in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to elevate privileges from a normal user to root by leveraging a newly created local user account. This allowed them to write malicious implants that enable them to execute arbitrary commands to the file system This CVE was exploited after the adversary exploited CVE-2023-20198.

CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.

CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.

CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.

CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.

CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.

This vulnerability allows remote attackers with read permissions to a public or private Bitbucket repositories to execute arbitrary code by sending a malicious HTTP request.

This vulnerability allows remote attackers with read permissions to a public or private Bitbucket repositories to execute arbitrary code by sending a malicious HTTP request.

CVE-2022-29303 is a command injection vulnerability within a PHP component in the product's web server. Reports indicate that the vulnerability have been exploited by operators of Mirai botnet malware.

CVE-2022-29303 is a command injection vulnerability within a PHP component in the product's web server. Reports indicate that the vulnerability have been exploited by operators of Mirai botnet malware.

CVE-2022-29303 is a command injection vulnerability within a PHP component in the product's web server. Reports indicate that the vulnerability have been exploited by operators of Mirai botnet malware.

CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.

CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.

CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance in that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.

CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.

CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.

CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.

This vulnerability is exploited through a command injection weakness. Remote authenticated attackers leverage this vulnerability to perform arbitrary code execution on the target system via the Windows Resource Profiles Feature.

This vulnerability is exploited through a command injection weakness. Remote authenticated attackers leverage this vulnerability to perform arbitrary code execution on the target system via the Windows Resource Profiles Feature.

CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device

CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device

CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device

CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device

CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.

CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.

CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.

This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows for an attacker to use maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.

This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows for an attacker to use maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.

This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows for an attacker to use maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.

This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows for an attacker to use maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.

End-of-life GeoVision IoT devices contain improper input filtering, allowing for commands to be injected into the szSrvIpAddr parameter of the /DateSetting.cgi endpoint. Exploiting this vulnerability can allow remote code execution on the system.

End-of-life GeoVision IoT devices contain improper input filtering, allowing for commands to be injected into the szSrvIpAddr parameter of the /DateSetting.cgi endpoint. Exploiting this vulnerability can allow remote code execution on the system.

Due to improper handling of user input, an attacker can insert shell metacharacters into specific parameters, permitting the execution of arbitrary commands.

Due to improper handling of user input, an attacker can insert shell metacharacters into specific parameters, permitting the execution of arbitrary commands.

Improper input sanitization in the Mitel 6869i SIP Phone, firmware version 6.3.0.1020 can be exploited to obtain root access on the device and execute arbitrary code.

Improper input sanitization in the Mitel 6869i SIP Phone, firmware version 6.3.0.1020 can be exploited to obtain root access on the device and execute arbitrary code.

An unauthenticated, remote attacker can exploit this vulnerability to escalate privileges and execute arbitrary code with root access.

An unauthenticated, remote attacker can exploit this vulnerability to escalate privileges and execute arbitrary code with root access.

Specific end-of-life GeoVision IoT devices contain an insufficient input validation vulnerability that allows for unauthenticated attackers to inject arbitrary commands and execute them on the system.

Specific end-of-life GeoVision IoT devices contain an insufficient input validation vulnerability that allows for unauthenticated attackers to inject arbitrary commands and execute them on the system.

Specific end-of-life GeoVision IoT devices contain an insufficient input validation vulnerability that allows for unauthenticated attackers to inject arbitrary commands and execute them on the system. This leads to denial of service.

This post-authentication command injection vulnerability is chained with CVE-2024-38475 to allow command execution as the nobody user, affecting versions below 10.2.1.10-62sv.

This post-authentication command injection vulnerability is chained with CVE-2024-38475 to allow command execution as the nobody user, affecting versions below 10.2.1.10-62sv.

This post-authentication command injection vulnerability is chained with CVE-2024-38475 to allow command execution as the nobody user, affecting versions below 10.2.1.10-62sv.

This post-authentication command injection vulnerability is chained with CVE-2024-38475 to allow command execution as the nobody user, affecting versions below 10.2.1.10-62sv.

Attackers have gained access to affected ASUS routers by using brute-force login attempts and authentication bypasses, allowing them to inject and execute commands to enable SSH. Additionally, they can place a backdoor in the NVRAM.

Attackers have gained access to affected ASUS routers by using brute-force login attempts and authentication bypasses, allowing them to inject and execute commands to enable SSH. Additionally, they can place a backdoor in the NVRAM.

Attackers have gained access to affected ASUS routers by using brute-force login attempts and authentication bypasses, allowing them to inject and execute commands to enable SSH. Additionally, they can place a backdoor in the NVRAM.

Attackers have gained access to affected ASUS routers by using brute-force login attempts and authentication bypasses, allowing them to inject and execute commands to enable SSH. Additionally, they can place a backdoor in the NVRAM.

Attackers have gained access to affected ASUS routers by using brute-force login attempts and authentication bypasses, allowing them to inject and execute commands to enable SSH. Additionally, they can place a backdoor in the NVRAM.

End-of-life TP-Link routers contain an improper input sanitization flaw that attackers can exploit by sending specially crafted HTTP GET requests to the web interface, leading to privilege escalation and arbitrary code execution.

End-of-life TP-Link routers contain an improper input sanitization flaw that attackers can exploit by sending specially crafted HTTP GET requests to the web interface, leading to privilege escalation and arbitrary code execution.

While this vulnerability was originally considered a denial-of-service issue in 2021, this improper neutralization issue has been exploited in 2025 as a remote code execution vulnerability. After authenticating (either with default credentials or via brute force, password stuffing, or dictionary attacks), an attacker can execute arbitrary commands as a "nobody" user.

While this vulnerability was originally considered a denial-of-service issue in 2021, this improper neutralization issue has been exploited in 2025 as a remote code execution vulnerability. After authenticating (either with default credentials or via brute force, password stuffing, or dictionary attacks), an attacker can execute arbitrary commands as a "nobody" user.