Technical deep-dives into Critical and High-severity CISA Known Exploited Vulnerabilities (CVSS 7.0+) — the confirmed active threats that matter most to defenders.
An unauthenticated OS command injection vulnerability in Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS allows remote code execution via crafted HTTP requests. Added to CISA KEV on 16 July 2026.
A second unauthenticated OS command injection vulnerability in Fortinet FortiSandbox allows remote code execution via crafted HTTP requests, exploiting a different code path from CVE-2026-25089. Both added to CISA KEV on 16 July 2026.
An unauthenticated deserialization vulnerability in Microsoft SharePoint allows network-based remote code execution. CISA added it to KEV on 16 July 2026 with a three-day remediation deadline, indicating active exploitation.
The KNX building automation protocol allows unauthenticated attackers to purge device configurations and set a BCU key that permanently locks devices from all future programming. CISA KEV-listed with a July 29 remediation deadline.
An unauthenticated network-accessible vulnerability in Oracle E-Business Suite's Payments File Transmission component allows complete takeover of Oracle EBS 12.2 deployments. CISA KEV-listed with a July 18 remediation deadline.
A server-side request forgery vulnerability in SonicWall SMA1000's WorkPlace interface allows unauthenticated attackers to proxy requests to internal network resources. CISA KEV-listed July 14, 2026, with a July 17 remediation deadline.
A code injection vulnerability in SonicWall SMA1000's Appliance Management Console allows authenticated administrators to achieve remote code execution on the host appliance. CISA KEV-listed July 14, 2026, with a July 17 remediation deadline.
Insufficient granularity of access control in Microsoft Active Directory Federation Services allows a low-privileged local user to escalate to full system privileges. CISA KEV-listed July 14 with a July 28 remediation deadline.
A missing authentication flaw in Microsoft SharePoint Server allows unauthenticated network attackers to elevate privileges. CISA has added it to KEV with a July 17 remediation deadline.
iCagenda for Joomla contains two distinct unauthenticated attack paths: a PHP file upload leading to RCE via the event submission form, and an access control bypass in the component's controller layer. Both are exploited by automated tooling. Patch to 4.0.8 or 3.9.15 immediately.
Balbooa·Balbooa Forms (Joomla extension)·CVSS 9.8·
A missing file type restriction in Balbooa Forms for Joomla allows unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution. Actively exploited as a zero-day before the July 9 patch.
An unauthenticated path traversal in Adobe ColdFusion's Remote Development Services FILEIO handler allows attackers to write arbitrary files to the web root, achieving remote code execution without any credentials. CVSS 10.0, actively exploited within two hours of disclosure.
An unauthenticated arbitrary file upload in JoomShaper SP Page Builder for Joomla allows attackers to upload PHP webshells and achieve remote code execution with no credentials required. Over 194,000 exposed instances identified; active exploitation includes rogue admin user creation for persistence.
An Insecure Direct Object Reference in Langflow's /api/v1/responses endpoint allows any authenticated user to invoke AI flows belonging to other users by supplying their flow identifier. CVSS 9.9, actively exploited, with cross-tenant data exposure implications for multi-user Langflow deployments.
An unauthenticated arbitrary file upload in Page Builder CK for Joomla allows any visitor to write PHP files to the server and execute arbitrary commands. The only gate is a CSRF token obtainable from the site's own public pages, making exploitation trivially accessible.
CVSS 8.8 deserialization vulnerability in SharePoint Server 2016, 2019, and Subscription Edition allows an authenticated attacker with site Contribute access to execute arbitrary code remotely. CISA added it to KEV on July 1, 2026 confirming active exploitation.
A critical authentication bypass (CVSS 10.0) in SimpleHelp's OIDC login flow allows unauthenticated attackers to forge technician sessions and bypass MFA, exposing all managed endpoints. Approximately 14,000 internet-exposed servers are affected.
Critical deserialization vulnerability (CVSS 9.3) in PTC Windchill PDMLink and FlexPLM enables unauthenticated remote code execution. Actively exploited with JSP webshells observed in the wild. CISA KEV with June 28 federal deadline.
Server-side request forgery in Cisco Unified Communications Manager's WebDialer service allows unauthenticated attackers to write files to the OS and deploy persistent webshells. CVSS 8.6. Public PoC available; actively exploited via automated Tor-routed scans.
Path traversal in Ubiquiti UniFi OS allows an attacker with network access to read and manipulate files on the underlying system, including credentials and configuration. CVSS 10.0. Part of a three-CVE chain enabling unauthenticated root RCE. Patched in UniFi OS Server 5.0.8.
Improper input validation in Ubiquiti UniFi OS enables command injection via crafted package names in the update function, allowing arbitrary OS command execution. CVSS 10.0. Part of a three-CVE chain enabling unauthenticated root RCE. Patched in UniFi OS Server 5.0.8.
Critical unauthenticated OS command injection in the Lantronix EDS5000 serial device server. Injected commands in the username parameter execute as root via the HTTP RPC authentication failure logging path.
Three critical vulnerabilities in Ubiquiti UniFi OS Server 5.0.6 and earlier chain together to give unauthenticated attackers root code execution. All three are CISA KEV additions as of June 23, 2026.
A missing authentication control in Splunk Enterprise's PostgreSQL sidecar service allows unauthenticated network-adjacent attackers to write arbitrary files and chain to remote code execution. CVSS 9.8. CISA added to KEV on June 18, 2026 with a three-day federal remediation deadline.
A three-part exploit chain in JCE's profile import endpoint allows unauthenticated attackers to upload and execute PHP webshells. CVSS 10.0, actively exploited, public PoC available.
A UNIX symlink following vulnerability in the LiteSpeed cPanel plugin allows FTP or web shell users to escape CloudLinux/CageFS isolation and access other tenants' data. Actively exploited since May 2026; patched June 1 with CISA remediation deadline of June 18.
A pre-authentication OS command injection in Ivanti Sentry's management interface allows remote unauthenticated attackers to execute arbitrary commands as root. CVSS 10.0. PoC public. Active backdooring confirmed by Shadowserver within 48 hours of advisory publication.
Critical CVSS 9.8 missing authentication flaw in Oracle PeopleSoft PeopleTools 8.61 and 8.62 enables unauthenticated remote code execution; actively exploited as a zero-day by ShinyHunters and Cl0p since late May 2026.
An out-of-bounds read and write in V8's TurboFan JIT optimizer allows remote attackers to achieve arbitrary code execution via a crafted HTML page. Google confirmed in-the-wild exploitation on the June 8 patch release.
A command injection vulnerability in Cisco Catalyst SD-WAN Manager allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root. No patch is available. Actively exploited and added to CISA KEV on June 9, 2026.
A command injection vulnerability in LiteLLM's MCP preview endpoints allows any authenticated user — including low-privilege internal-user keys — to execute arbitrary OS commands on the proxy host. Chains with CVE-2026-48710 for unauthenticated RCE.
A critical authentication bypass in Check Point Security Gateway's IKEv1 VPN implementation allows unauthenticated remote attackers to establish VPN sessions without valid credentials. Qilin ransomware affiliates have been exploiting this since May 2026. CISA remediation deadline: 11 June 2026.
An uncontrolled resource consumption vulnerability in SolarWinds Serv-U allows unauthenticated attackers to crash the Serv-U service by sending a specially crafted POST request with a Content-Encoding: deflate header.
A stack-based buffer overflow in Windows Netlogon allows an unauthenticated attacker to achieve SYSTEM-level code execution on any unpatched domain controller. Active exploitation confirmed by Belgium's CCB. Patch immediately — no workaround removes the attack surface.
Mirasvit·Full Page Cache Warmer for Magento 2·CVSS 9.8·
PHP object injection via the CacheWarmer cookie in Mirasvit's Magento 2 extension allows unauthenticated attackers to execute arbitrary commands on any unpatched Magento or Adobe Commerce store. Actively exploited and added to CISA KEV.
A missing authorisation check in the Linux kernel's cgroups v1 release_agent mechanism allows unprivileged users with a container user namespace to escape container isolation and execute code as root on the host. Added to CISA KEV with a June 5, 2026 remediation deadline.
An integer overflow in the Android Framework component allows a local attacker to execute arbitrary code and escalate privileges without requiring any user interaction. Actively exploited in limited targeted attacks and added to CISA KEV with a June 5, 2026 deadline.
A pre-authentication information disclosure vulnerability in Oracle WebLogic Server exploitable via T3/IIOP protocols, allowing remote attackers to read sensitive server data without credentials. Added to CISA KEV June 2026.
CWE-565 cookie integrity failure in PAN-OS GlobalProtect allows unauthenticated attackers to forge authentication override cookies and establish unauthorised VPN tunnels. Actively exploited since May 2026; CISA KEV-listed with June 1 federal deadline.
Attackers compromised TanStack's GitHub Actions publishing pipeline on May 11 2026, distributing credential-stealing malware across 84 versions of 42 @tanstack/* npm packages. The attack exploited three chained GitHub Actions vulnerabilities to publish under a trusted identity.
A malicious version of the Nx Console VS Code extension (v18.95.0) was published for 18–36 minutes on May 18 2026, harvesting credentials from developer machines and contributing to a breach of 3,800 GitHub internal repositories.
Attackers compromised AVB Disc Soft's build or distribution infrastructure between April 8 and May 5 2026, trojanizing three binaries in the official DAEMON Tools Lite installer with digitally signed malware that downloads and executes arbitrary payloads at system startup.
A critical privilege escalation (CVSS 10.0) in LiteSpeed's user-end cPanel plugin allows any authenticated cPanel user to execute arbitrary scripts as root. Actively exploited; patch to version 2.4.7 immediately.
Three vulnerabilities in Cisco Catalyst SD-WAN Manager are being chained by attackers to achieve unauthenticated access, credential theft, and persistent webshell deployment. CISA added all three to the KEV catalogue in April 2026. Ten threat clusters are actively exploiting the chain.
A critical unauthenticated SQL injection in Fortinet FortiClient EMS allows remote attackers to execute arbitrary code on the management server. CISA added it to the KEV catalogue with an April 2026 remediation deadline. Ten distinct threat clusters have been observed exploiting this vulnerability.
An unauthenticated SQL injection in Drupal Core's PostgreSQL database abstraction layer allows attackers to read and modify database contents on affected installations. CISA added it to the KEV catalogue with a 27 May 2026 remediation deadline.
A critical origin validation error in Langflow's API server allows unauthenticated remote attackers to execute arbitrary code on the host by bypassing cross-origin request restrictions.
A directory traversal vulnerability in Trend Micro Apex One (On-Premise) allows authenticated attackers to read and write arbitrary files outside the intended directory, potentially leading to privilege escalation and system compromise.
A heap-based buffer overflow in Adobe Acrobat and Reader allows remote code execution when a victim opens a specially crafted PDF file, widely exploited in spear-phishing campaigns and drive-by attacks throughout 2009–2011.
A null byte overwrite vulnerability in Microsoft DirectX's quartz.dll MPEG2 media parser allows remote code execution when a user opens a specially crafted media file, exploited in targeted attacks and drive-by campaigns.
Microsoft·Microsoft Windows (Server Service)·CVSS 10·
A stack buffer overflow in the Windows Server Service RPC interface allows unauthenticated remote code execution and self-propagating worm spread across networks -- the vulnerability exploited by the Conficker worm and still actively exploited against unpatched legacy systems in 2026.
A use-after-free vulnerability in Internet Explorer 6 and 7 was exploited as a zero-day in Operation Aurora, the 2009–2010 campaign that targeted Google, Adobe, and dozens of major corporations in a coordinated nation-state espionage operation.
A use-after-free vulnerability in Internet Explorer 6 and 7's DHTML peering mechanism enables remote code execution via malicious web pages, widely exploited in drive-by download campaigns delivering banking trojans and other crimeware.
A link-following vulnerability in the Microsoft Malware Protection Engine allows a low-privilege local attacker to gain SYSTEM privileges by manipulating Defender into operating on attacker-controlled targets. Actively exploited in the wild.
A denial of service vulnerability in Microsoft Defender allows an attacker to crash or disable the antivirus scanning engine by supplying crafted malformed file content, undermining endpoint protection.
A reflected cross-site scripting vulnerability in Exchange Server's Outlook Web Access (OWA) enables arbitrary JavaScript execution in victim browsers, facilitating session hijacking and credential theft under specific interaction conditions.
Authentication bypass in Cisco Catalyst SD-WAN Manager and Controller allows unauthenticated remote attackers to gain full administrative privileges without credentials.
A SQL injection vulnerability in BerriAI LiteLLM allows authenticated attackers to read and modify the proxy database, exposing stored API keys for OpenAI, Anthropic, and other LLM providers.
Improper input validation in Ivanti Endpoint Manager Mobile (EPMM) allows an authenticated administrator to execute arbitrary OS commands, leading to full server compromise.
An out-of-bounds write vulnerability in PAN-OS's Captive Portal and User-ID service allows unauthenticated remote code execution as root on PA-Series and VM-Series firewalls.
An incorrect resource transfer between security domains in the Linux kernel allows a local unprivileged user to escalate to root privileges, affecting a broad range of distributions.
An authentication bypass vulnerability in cPanel & WHM's login flow grants unauthenticated attackers full control panel access, affecting millions of web hosting deployments worldwide.
Missing authorization in SimpleHelp allows low-privilege technicians to create API keys with excessive permissions, enabling full privilege escalation to admin level.
A path traversal (zip slip) vulnerability in SimpleHelp allows admin users to upload crafted archives that write arbitrary files anywhere on the server filesystem.
Path traversal in Samsung MagicINFO 9 Server before version 21.1050.0 allows unauthenticated attackers to write arbitrary files with system-level permissions, enabling remote code execution.
Command injection in D-Link DIR-823X firmware allows authenticated high-privilege attackers to execute arbitrary OS commands via the /goform/set_prohibiting endpoint. No patch will be issued -- the device is end-of-life.
Marimo reactive Python notebook before version 0.23.0 exposes an unauthenticated /terminal/ws WebSocket endpoint that grants any unauthenticated attacker a full PTY shell and arbitrary code execution.
An insufficient granularity of access control vulnerability in Microsoft Defender allows an authorized local attacker to escalate privileges. CISA added this to the KEV catalogue in April 2026 following confirmed exploitation.
An improper authentication flaw in PaperCut NG/MF allows remote unauthenticated attackers to bypass the SecurityRequestFilter and access restricted functionality.
Path traversal in JetBrains TeamCity before 2023.11.4 allows unauthenticated network-based attackers to bypass authentication and perform limited administrative actions on the CI/CD server.
A path traversal vulnerability in Kentico Xperience allows authenticated users to upload arbitrary data to relative path locations via the Staging Sync Server.
Quest·KACE Systems Management Appliance (SMA)·CVSS 9.8·
An improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) allows attackers to impersonate legitimate users without valid credentials, potentially compromising endpoint management across the entire managed fleet.
Improper input validation in Apache ActiveMQ's Jolokia JMX-HTTP bridge allows authenticated attackers to load remote Spring XML application contexts and execute arbitrary code.
Code injection in Ivanti Endpoint Manager Mobile (EPMM) versions up to and including 12.7.0.0 allows unauthenticated remote attackers to execute arbitrary code with no credentials required.
Improper access control in Fortinet FortiClient EMS allows unauthenticated attackers to execute unauthorized code via crafted requests to the management server.
Embedded malicious code in Aqua Security Trivy enables a supply chain attack granting attackers access to CI/CD tokens, SSH keys, and cloud credentials.
A code injection vulnerability in Langflow allows unauthenticated attackers to achieve RCE by building and executing public flows without authentication.
Cisco·Secure Firewall Management Center (FMC) / Security Cloud Control·CVSS 9.8·
Deserialization of untrusted data in Cisco Secure Firewall Management Center allows unauthenticated remote attackers to execute arbitrary Java code as root.
Improper restriction of operations within a memory buffer in Chromium's V8 engine allows remote attackers to execute arbitrary code in the sandbox via crafted HTML.
Improper control of dynamically managed code resources in n8n's workflow expression evaluation allows unauthenticated attackers to achieve remote code execution.
An authentication bypass using alternate path in Ivanti Endpoint Manager allows unauthenticated remote attackers to leak stored credential data from the EPM server.
Improper access controls on Cisco SD-WAN CLI commands allow authenticated local attackers to traverse paths and execute commands as root, escalating from limited to full administrative OS privileges.
Cisco·Catalyst SD-WAN Controller and Manager·CVSS 9.8·
An authentication bypass in Cisco Catalyst SD-WAN Controller and Manager allows unauthenticated remote attackers to bypass authentication and obtain admin privileges.
An OS command injection vulnerability in Soliton Systems FileZen allows attackers to execute arbitrary commands by sending a specially crafted HTTP request after login. CISA KEV-listed February 2026.
Deserialization of untrusted data in Roundcube Webmail allows authenticated users to achieve remote code execution via the _from parameter in upload.php.
Dell·RecoverPoint for Virtual Machines (RP4VMs)·CVSS 9.8·
Hard-coded credentials in Dell RecoverPoint for Virtual Machines allow unauthenticated remote attackers to gain unauthorized OS access and root-level persistence. CISA KEV-listed February 2026.
Synacor·Zimbra Collaboration Suite (ZCS)·CVSS 9.8·
An SSRF vulnerability in Zimbra Collaboration Suite, triggered when the WebEx zimlet is installed and JSP is enabled, allows attackers to perform server-side requests to internal resources. CISA KEV-listed February 2026.
A critical RCE vulnerability in the Windows Video ActiveX Control allows attackers to execute code with the rights of the logged-on user via a specially crafted webpage. An extremely old CVE newly KEV-listed in February 2026.
An unrestricted file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware allows admin-privileged attackers to upload malicious files and execute arbitrary system commands. CISA KEV-listed February 2026.
A use-after-free in Chromium's CSS component allows remote attackers to exploit heap corruption via a crafted HTML page, affecting all Chromium-based browsers including Chrome, Edge, and Opera.
BeyondTrust·Remote Support / Privileged Remote Access·CVSS 9.8·
An unauthenticated OS command injection in BeyondTrust RS and PRA allows remote attackers to execute arbitrary OS commands as the site user without any credentials.
SQL injection in Microsoft Configuration Manager (SCCM/MEM) allows unauthenticated attackers to execute arbitrary commands on the server and database via specially crafted requests. CISA KEV-listed February 2026.
Notepad++'s WinGUp updater component can be intercepted to deliver attacker-controlled installers, enabling arbitrary code execution with user privileges. CISA KEV-listed February 2026.
A security control bypass in SolarWinds Web Help Desk allows unauthenticated attackers to access restricted functionality. CISA KEV-listed February 2026, companion to the deserialization RCE CVE-2025-40551.
An improper restriction of operations within memory buffer bounds in Apple iOS/macOS/tvOS/watchOS/visionOS allows attackers with memory write capability to execute arbitrary code. CISA KEV-listed February 2026.
A protection mechanism failure in Microsoft Windows Shell allows unauthorized remote attackers to bypass a security feature. CISA KEV-listed as part of February 2026 Patch Tuesday active exploitation.
A protection mechanism failure in Microsoft Windows MSHTML allows an unauthorized attacker to bypass a security feature over the network. CISA KEV-listed February 2026 as part of Patch Tuesday exploitation.
Reliance on untrusted inputs in Microsoft Office Word's security decision logic allows authorized local attackers to elevate privileges. CISA KEV-listed as part of February 2026 Patch Tuesday exploitation.
A type confusion vulnerability in Windows Desktop Window Manager (DWM) allows authorized local attackers to elevate privileges. CISA KEV-listed as part of February 2026 Patch Tuesday active exploitation.
An improper privilege management vulnerability in Windows Remote Desktop Services allows authorized local attackers to elevate privileges. CISA KEV-listed February 2026 Patch Tuesday.
React Native Community·React Native CLI / Metro Development Server·CVSS 9.8·
OS command injection via POST requests to React Native's Metro Development Server allows unauthenticated network attackers to execute arbitrary commands, including shell commands on Windows. CISA KEV-listed February 2026.
Missing authentication in SmarterMail's ConnectToHub API allows attackers to redirect the mail server to a malicious HTTP server, achieving OS command execution. Associated with ransomware; CISA KEV-listed February 2026.
An improper authentication flaw in FreePBX allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin interface. Legacy CVE with renewed KEV attention in February 2026.
Deserialization of untrusted data in SolarWinds Web Help Desk allows unauthenticated remote attackers to execute arbitrary commands on the host machine. CISA KEV-listed February 2026.
Post-authentication command injection in FreePBX Endpoint Manager's check_ssh_connect() function allows authenticated attackers to obtain remote access as the asterisk user. CISA KEV-listed February 2026.
Improper handling of length parameter inconsistency in MongoDB's Zlib-compressed wire protocol allows unauthenticated clients to read uninitialized heap memory from the server. CISA KEV-listed December 2025.
A missing authorization flaw enabling command injection via time_tzsetup.cgi in the Digiever DS-2105 Pro NVR allows unauthenticated attackers to execute arbitrary OS commands.
An out-of-bounds write in the WatchGuard Firebox iked process allows unauthenticated remote attackers to execute arbitrary code via crafted IKEv2 VPN traffic. CISA KEV-listed December 2025.
Cisco·Secure Email Gateway / AsyncOS / Web Manager·CVSS 8.8·
Improper input validation in Cisco Secure Email Gateway and Web Manager allows authenticated attackers to execute arbitrary OS commands with root privileges. CISA KEV-listed December 2025.
ASUS Live Update clients were distributed with unauthorized modifications enabling targeted device compromise. A supply chain attack affecting potentially millions of ASUS devices; CISA KEV-listed December 2025.
Hardcoded AES cryptographic keys in Gladinet CentreStack and Triofox degrade endpoint security, potentially allowing unauthenticated local file inclusion via crafted requests. CISA KEV-listed December 2025.
A use-after-free in Apple's WebKit engine allows processing maliciously crafted web content to lead to memory corruption, affecting iOS, iPadOS, macOS, and Safari. CISA KEV-listed December 2025.
Authenticated HTTP requests to Sierra Wireless AirLink ALEOS can upload and execute arbitrary files. Likely EoL product; CISA KEV-listed December 2025 indicating ongoing exploitation.
An out-of-bounds memory access in Chromium's ANGLE graphics library allows remote code execution via a crafted HTML page, affecting Chrome, Edge, Opera, and all Chromium-based browsers.
An XML External Entity injection in GeoServer's /geoserver/wms GetMap operation allows attackers to read local files and perform SSRF. CISA KEV-listed December 2025.
A path traversal vulnerability in WinRAR allows attackers to extract files to arbitrary locations, enabling code execution in the context of the current user. CISA KEV-listed December 2025.
Microsoft·Windows Cloud Files Mini Filter Driver·CVSS 7.8·
A use-after-free in Windows Cloud Files Mini Filter Driver allows a locally authorized attacker to elevate privileges. CISA KEV-listed December 2025 amid active exploitation.
A buffer overflow vulnerability in D-Link routers allows remote attackers to compromise confidentiality, integrity, and availability. Affects likely EoL devices; CISA KEV-listed December 2025.
An OS command injection vulnerability in Array Networks ArrayOS AG allows attackers to execute arbitrary OS commands, potentially compromising SSL VPN infrastructure. KEV-listed December 2025.
Meta React Server Components·React Server Components·CVSS 9.8·
A critical flaw in React Server Components payload decoding allows unauthenticated remote code execution on any server deploying RSC endpoints. Associated with ransomware campaigns and KEV-listed 2025-12-05.
Authenticated attackers can upload arbitrary JSP files via ScadaBR's view_edit.shtm endpoint, enabling remote code execution on industrial control systems. CISA KEV-listed in December 2025.
An unspecified flaw in Android Framework enables privilege escalation. CISA added this to the KEV catalog on 2025-12-02, indicating active exploitation in targeted attacks.
A high-severity use-after-free vulnerability in the Windows Common Log File System (CLFS) driver allows local attackers to escalate privileges to SYSTEM, actively exploited as a zero-day by ransomware operators before Microsoft's April 2025 Patch Tuesday.
A critical deserialization vulnerability in the Apache Parquet Java library that allows arbitrary code execution when parsing attacker-controlled Parquet files, affecting data engineering and analytics pipelines.
A Microsoft Management Console security feature bypass that allows attackers to execute malicious MSC files without security warnings, exploited by the EncryptHub threat actor.
A second Windows Ancillary Function Driver privilege escalation vulnerability, patched in February 2025, exploited as a zero-day to elevate privileges to SYSTEM on Windows systems.
A critical pre-authentication deserialization vulnerability in SonicWall Secure Mobile Access 1000 appliances that allows unauthenticated remote attackers to execute arbitrary OS commands.
Ivanti·Connect Secure / Policy Secure / Neurons for ZTA·CVSS 9·
A critical stack-based buffer overflow in Ivanti Connect Secure allows unauthenticated remote attackers to execute arbitrary code, exploited as a zero-day in targeted campaigns before Ivanti's January 2025 advisory, following the pattern of prior Ivanti VPN zero-day exploitation.
A critical unrestricted file upload vulnerability in Cleo's managed file transfer products (Harmony, VLTrader, LexiCom) allows unauthenticated attackers to upload and execute arbitrary code, exploited by the Clop ransomware group in a wave of targeted data theft attacks.
A high-severity unrestricted file upload and download vulnerability in Cleo's Harmony, VLTrader, and LexiCom MFT products allows remote attackers to execute arbitrary commands, serving as the precursor exploit chain to the more critical CVE-2024-55956 zero-day exploitation campaign.
A Windows vulnerability that allows attackers to steal NTLM authentication hashes through minimal user interaction with a malicious file, enabling credential relay and pass-the-hash attacks.
A Windows Task Scheduler privilege escalation vulnerability that allows a low-privileged attacker to execute code at a higher integrity level, exploited as a zero-day by Russian threat actors.
A high-severity deserialization vulnerability in Microsoft SharePoint Server allows an authenticated attacker with Site Owner permissions to execute arbitrary code on the server, exploited in the wild for persistent access and network reconnaissance in targeted intrusion campaigns.
A critical format string vulnerability in Fortinet FortiOS, FortiProxy, FortiPAM, and FortiWeb's fgfmd daemon allows unauthenticated remote attackers to execute arbitrary commands via specially crafted requests to the FGFM protocol.
A critical SQL injection vulnerability in Ivanti Endpoint Manager's Core server allows unauthenticated attackers on the same network to execute arbitrary code via the DAS component, confirmed as actively exploited by CISA in September 2024.
A use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock that allows local attackers to escalate privileges to SYSTEM, exploited by Lazarus Group as a zero-day.
A Windows MSHTML platform spoofing vulnerability that allows attackers to open Internet Explorer via malicious .url files, bypassing modern browser security controls to execute arbitrary code.
A signal handler race condition in OpenSSH's sshd allows unauthenticated remote code execution as root on glibc-based Linux systems, a regression of a 2006 vulnerability reintroduced in OpenSSH 8.5p1.
A Windows Error Reporting service privilege escalation vulnerability that allows local attackers to elevate to SYSTEM privileges by exploiting improper file handling in the WER service.
A critical argument injection vulnerability in PHP-CGI on Windows allows unauthenticated remote attackers to execute arbitrary PHP code by exploiting how PHP handles Unicode character conversion in CGI mode, affecting XAMPP and other common Windows PHP deployments.
A critical use-after-free vulnerability in Microsoft Message Queuing Service that allows unauthenticated remote attackers to execute arbitrary code on Windows systems with MSMQ enabled.
A heap buffer overflow in the Windows Desktop Window Manager Core Library that allows local attackers to escalate privileges to SYSTEM, exploited as a zero-day alongside QakBot malware campaigns.
A critical account takeover vulnerability in GitLab CE/EE allows unauthenticated attackers to send password reset emails to arbitrary email addresses, enabling complete account hijacking without user interaction, including of administrator accounts.
A denial-of-service and information disclosure vulnerability in Cisco ASA and FTD that was exploited as part of the ArcaneDoor espionage campaign targeting government perimeter devices.
A critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProtect gateway allows unauthenticated remote attackers to execute arbitrary commands as root, actively exploited as a zero-day before patch availability.
A critical SQL injection vulnerability in Fortinet FortiClientEMS allows unauthenticated remote attackers to execute arbitrary commands via crafted requests to the management server, with active exploitation confirmed by multiple threat intelligence sources.
A critical authentication bypass in JetBrains TeamCity's web server allows unauthenticated attackers to gain administrative control and achieve remote code execution, leading to widespread supply chain compromise campaigns.
A Windows kernel privilege escalation vulnerability in the AppLocker driver that allows attackers to elevate privileges to SYSTEM, exploited by Lazarus Group to disable security tools via their FudModule rootkit.
A critical authentication bypass in ConnectWise ScreenConnect's setup wizard endpoint allows unauthenticated attackers to create new administrator accounts, immediately followed by RCE via the companion path traversal vulnerability CVE-2024-1708.
A critical out-of-bounds write vulnerability in Fortinet FortiOS SSL VPN allows unauthenticated remote attackers to achieve arbitrary code execution via specially crafted HTTP requests, with active exploitation observed in CISA KEV.
A server-side request forgery vulnerability in Ivanti Connect Secure and Policy Secure's SAML component allows unauthenticated attackers to access restricted resources, exploited as part of a multi-CVE attack chain targeting government and enterprise VPN infrastructure.
An authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure allows remote attackers to circumvent authentication controls via crafted URL path traversal, typically chained with CVE-2024-21887 for unauthenticated RCE.
A command injection vulnerability in Ivanti Connect Secure and Policy Secure allows authenticated administrators to execute arbitrary commands, chained with CVE-2023-46805 for zero-click unauthenticated RCE in the wild.
A critical information disclosure vulnerability in ownCloud's graphapi app exposes PHP environment variables including admin passwords, mail server credentials, and license keys to unauthenticated attackers via a publicly accessible URL.
A critical pre-authentication command injection vulnerability in the Sophos Web Appliance warning page that allows unauthenticated remote attackers to execute arbitrary code.
A Windows SmartScreen security bypass that allows attackers to craft malicious .url shortcut files that execute without triggering SmartScreen warnings, used in phishing and malware delivery campaigns.
A PHP environment variable manipulation vulnerability in Juniper's J-Web interface that, chained with a file upload bug, achieves unauthenticated remote code execution on SRX and EX series devices.
A privilege escalation and command injection vulnerability in Cisco IOS XE's web management interface that forms the second stage of the CVE-2023-20198 exploit chain, enabling root code execution.
A critical information disclosure vulnerability in Citrix NetScaler ADC and Gateway allows unauthenticated attackers to retrieve session tokens from device memory, enabling session hijacking without requiring any credentials.
A critical zero-day privilege escalation in Cisco IOS XE's web UI feature allows unauthenticated remote attackers to create administrator-level accounts, exploited massively to implant a persistent backdoor on tens of thousands of Cisco network devices.
Atlassian·Confluence Data Center and Server·CVSS 10·
A critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server allows unauthenticated attackers to create administrator accounts by accessing a restricted endpoint, exploited as a zero-day in targeted attacks.
A critical .NET deserialization vulnerability in WS_FTP Server's Ad Hoc Transfer module that allows unauthenticated attackers to execute arbitrary commands on the underlying operating system.
A critical pre-authentication bypass in JetBrains TeamCity allows unauthenticated attackers to create admin tokens and gain full server control, exploited by APT29 and North Korean actors in supply chain intrusion campaigns targeting software development pipelines.
A critical authentication bypass in Ivanti Endpoint Manager Mobile that allows unauthenticated remote access to the API, exposing user data and enabling device configuration changes.
A critical heap-based buffer overflow in Fortinet FortiOS and FortiProxy SSL-VPN allows pre-authentication remote attackers to execute arbitrary code, actively exploited by multiple threat actors including ransomware groups and nation-state APTs.
A critical SQL injection vulnerability in Progress Software MOVEit Transfer allows unauthenticated attackers to escalate privileges and achieve remote code execution, exploited at massive scale by the Cl0p ransomware group in a wave of data theft affecting thousands of organisations.
An unauthenticated OS command injection in Zyxel firewall IKE packet handler that allows remote attackers to execute commands as root by sending malformed IKEv2 packets.
A critical authentication bypass in PaperCut MF and NG print management software that allows unauthenticated attackers to execute arbitrary code on the application server.
An improper access control vulnerability in Adobe ColdFusion that allows unauthenticated remote code execution through deserialization of malicious objects.
A critical YAML deserialization vulnerability in IBM Aspera Faspex's API allows unauthenticated remote attackers to execute arbitrary code, exploited by ransomware groups within days of public disclosure via a pre-authentication attack path.
A high-severity pre-authentication remote code execution vulnerability in Fortra's GoAnywhere Managed File Transfer was exploited as a zero-day by the Cl0p ransomware group, compromising over 130 organisations before a patch was available.
An authentication bypass vulnerability in Citrix Application Delivery Controller and Gateway that allows unauthenticated remote attackers to gain unauthorised access to gateway user capabilities.
A server-side request forgery vulnerability in Microsoft Exchange that forms the first stage of the ProxyNotShell exploit chain, enabling authenticated attackers to reach internal Exchange backend services.
A code injection vulnerability in the Sophos Firewall User Portal and Webadmin interfaces that allows unauthenticated remote code execution, exploited by a suspected Chinese APT as a zero-day.
Atlassian·Confluence Server / Data Center·CVSS 9.8·
A critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center allows unauthenticated attackers to execute arbitrary commands via crafted HTTP requests, exploited as a zero-day in targeted attacks before patch availability.
An unauthenticated OS command injection vulnerability in Zyxel firewall devices that allows attackers to execute arbitrary commands as the nobody user via the administrative HTTP interface.
A critical authentication bypass in F5 BIG-IP's iControl REST API allows unauthenticated remote attackers with network access to the management interface to execute arbitrary system commands as root, massively exploited within days of disclosure.
A critical JNDI injection vulnerability in Apache Log4j 2 allows unauthenticated remote code execution by logging a specially crafted string, affecting an enormous portion of the Java application ecosystem and triggering one of the most urgent security responses in history.
A server-side request forgery vulnerability in Microsoft Exchange Server that, chained with other bugs, allows unauthenticated attackers to execute arbitrary code and take full control of the server.
A path confusion vulnerability in Microsoft Exchange's Autodiscover endpoint that allows unauthenticated remote code execution when chained with two other ProxyShell bugs.
A REST API authentication bypass in Zoho ManageEngine ADSelfService Plus that allows unauthenticated attackers to execute arbitrary code on the server.