Known Exploited Vulnerabilities Deserialization of Untrusted Data Capability Group

This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems.

This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems.

This vulnerability is exploited by a remote attacker who manipulates serialized class types in the OpenWire protocol to run arbitrary shell commands. This allows the adversary to execute remote code, leading to the download and installation of malware, such as the Kinsing malware and cryptocurrency miners, on Linux systems. Additionally, attackers have attempted to deploy ransomware, attributed to the HelloKitty ransomware family, on target systems.

Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.

Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.

Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.

This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.

This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.

CVE-2023-29492 is an insecure deserialization vulnerability. Exploitation of this vulnerability gives remote attackers arbitrary code execution in the context of the service account.

This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.

This vulnerability can be utilized by exploited a public-facing application. APT groups have used this exploit to deploy webshells.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability gives an adversary access through exploitation of a public-facing server.

This vulnerability is utilized by exploiting a public-facing server.

This vulnerability is utilized by exploiting a public-facing server.

CVE 2021-45046 is a Log4J-related vulnerability that could enable enables an attacker to cause Remote Code Execution or other effects in certain non-default configurations. This specific vulnerability has been reported to have been leveraged in cryptomining and ransomware operations.

CVE 2021-45046 is a Log4J-related vulnerability that has been seen to be used in cryptomining and ransomware operations.

CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.

CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.

CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.

CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.

As referenced in the attached report, T1190 is a known impact of this exploit.

This deserialization vulnerability allows adversaries to insert their own objects into client software for potential execution.

As referenced in the attached report, T1133 is a known impact of this exploit.

CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.

CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.

This pre-authentication vulnerability, present in SonicWall SMA1000 appliances running version 12.4.3-02804 or earlier, allows attackers to perform remote code execution on exploited machines, allowing for arbitrary OS command execution.

This pre-authentication vulnerability, present in SonicWall SMA1000 appliances running version 12.4.3-02804 or earlier, allows attackers to perform remote code execution on exploited machines, allowing for arbitrary OS command execution.

A deserialization vulnerability in Trimble Cityworks versions before 15.8.9 (and Cityworks with Office Companion versions prior to 23.10) can be exploited by attackers using maliciously crafted serialized objects to the server, ending with escalated privileges permitting the execution remote code against a target's Microsoft IIS web server.

A deserialization vulnerability in Trimble Cityworks versions before 15.8.9 (and Cityworks with Office Companion versions prior to 23.10) can be exploited by attackers to execute remote code against a target web server.

An attacker can create a serialized object specifically designed to exploit the deserialization vulnerability, embedding this payload into a request, which is then sent to a WebLogic server, leading to arbitrary code execution.

An attacker can create a serialized object specifically designed to exploit the deserialization vulnerability, embedding this payload into a request, which is then sent to a WebLogic server, leading to arbitrary code execution.

Attackers with API access have been reported as exploiting this vulnerability through a JSON payload sent to a Wazuh worker server. Requests relayed to the master server can result in arbitrary code execution.

Attackers with API access have been reported as exploiting this vulnerability through a JSON payload sent to a Wazuh worker server. Requests relayed to the master server can result in arbitrary code execution.

Attackers with API access have been reported as exploiting this vulnerability through a JSON payload sent to a Wazuh worker server. Requests relayed to the master server can result in arbitrary code execution.

This deserialization vulnerability in Microsoft SharePoint allows an unauthenticated remote attacker to execute remote code on the network.

This deserialization vulnerability in Microsoft SharePoint allows an unauthenticated remote attacker to execute remote code on the network.

This deserialization vulnerability in NetWeaver Visual Composer, when chained with CVE-2025-31324, allows an attacker to execute unauthenticated remote code with administrator privileges, leading to consequences such as web shell deployment.

This deserialization vulnerability in NetWeaver Visual Composer, when chained with CVE-2025-31324, allows an attacker to execute unauthenticated remote code with administrator privileges, leading to consequences such as web shell deployment.

This deserialization vulnerability in NetWeaver Visual Composer, when chained with CVE-2025-31324, allows an attacker to execute unauthenticated remote code with administrator privileges, leading to consequences such as web shell deployment.

This deserialization vulnerability in NetWeaver Visual Composer, when chained with CVE-2025-31324, allows an attacker to execute unauthenticated remote code with administrator privileges, leading to consequences such as web shell deployment.