.:: manthan ::.
from life import experience as wisdom
archive|tags|stats

~/pages/threatbook

2026/Apr/30

Pulse

347,296
total CVEs
1,585
CISA KEV
8.8%
detection coverage
676
KEV undetected
7
new KEV (7d)
30
new KEV (30d)
130.8
CVEs/day (2026)
29,017
with known exploit
3.5%
KEV w/ Talos rule
27d
median TTE
23.6%
exploited as 0-day
CVE volume by year
KEV additions by month (last 24mo)
CVSS vs EPSS — risk quadrant (KEV highlighted)
151,069
high CVSS + high EPSS
1,136
high CVSS, low EPSS
169,183
low CVSS, actively exploited
2,192
low risk both
time-to-exploit collapse — median TTE per year vs zero-day rate

Bars = median days from CVE publish to first exploit. Line = % exploited as zero-day (TTE < 0). MOAK-class threats: TTE compresses toward zero.

exponential decay fit: half-life 1.0 yr · R²=0.805

Action Items

high-risk CVEs with zero detection — sorted by composite risk score (KEV+exploit+EPSS+CVSS)

CVETitleCVSSEPSS
CVE-2012-1710Oracle Fusion Middleware Unspecified Vulnerability (a:oracle:fusion_middleware)9.897.39%
CVE-2018-14839LG N1A1 NAS Remote Command Execution Vulnerability (o:lg:n1a1_firmware)9.899.60%
CVE-2018-0125Cisco VPN Routers Remote Code Execution Vulnerability (o:cisco:rv132w_firmware)9.896.63%
CVE-2018-14667Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability (a:redhat:richfaces)9.899.56%
CVE-2018-0147Cisco Secure Access Control System Java Deserialization Vulnerability (a:cisco:secure_access_control_system)9.888.39%
CVE-2018-14558Tenda AC7, AC9, and AC10 Routers Command Injection Vulnerability (o:tenda:ac10_firmware)9.899.03%
CVE-2018-4939Adobe ColdFusion Deserialization of Untrusted Data Vulnerability (a:adobe:coldfusion)9.897.86%
CVE-2018-20753Kaseya VSA Remote Code Execution Vulnerability (a:kaseya:virtual_system_administrator)9.897.22%
CVE-2018-19949QNAP NAS File Station Command Injection Vulnerability (o:qnap:qts)9.897.56%
CVE-2018-19323GIGABYTE Multiple Products Privilege Escalation Vulnerability (a:gigabyte:aorus_graphics_engine)9.894.51%

Recent KEV

CISA Known Exploited Vulnerabilities added in the last 90 days

CVETitleDate AddedDetections
CVE-2024-1708ConnectWise ScreenConnect Path Traversal Vulnerability (a:connectwise:screenconnect)2026/Apr/28
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2050990 ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard
SIEM · Sigma · proc_creation_win_powershell_iex_patterns
SIEM · Sigma · proc_creation_win_susp_weak_or_abused_passwords
SIEM · Sigma · file_event_win_exploit_cve_2024_1708_screenconnect
SIEM · Sigma · win_security_exploit_cve_2024_1708_screenconnect
SIEM · Sigma · file_event_win_apt_unknown_exploitation_indicators
SIEM · Splunk · ConnectWise ScreenConnect Path Traversal
SIEM · Splunk · ConnectWise ScreenConnect Path Traversal Windows SACL
SIEM · Splunk · ConnectWise ScreenConnect Authentication Bypass
SIEM · Splunk · Nginx ConnectWise ScreenConnect Authentication Bypass
YARA · expl_connectwise_screenconnect_vuln_feb24
Exploit · Metasploit · exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1
CVE-2026-32202Microsoft Windows Protection Mechanism Failure Vulnerability (o:microsoft:windows_10_1607)2026/Apr/28
KEV · CISA · Known Exploited
CVE-2024-7399Samsung MagicINFO 9 Server Path Traversal Vulnerability (a:samsung:magicinfo_9_server)2026/Apr/24
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2062136 ET WEB_SPECIFIC_APPS Samsung MagicINFO SWUpdateFileUploader
Scanner · Nuclei · CVE-2024-7399
Exploit · Metasploit · exploits/windows/http/magicinfo_traversal
CVE-2024-57726SimpleHelp Missing Authorization Vulnerability (a:simple-help:simplehelp)2026/Apr/24
KEV · CISA · Known Exploited
CVE-2024-57728SimpleHelp Path Traversal Vulnerability (a:simple-help:simplehelp)2026/Apr/24
KEV · CISA · Known Exploited
CVE-2025-29635D-Link DIR-823X Command Injection Vulnerability (o:dlink:dir-823x_firmware)2026/Apr/24
KEV · CISA · Known Exploited
CVE-2026-39987Marimo Remote Code Execution Vulnerability (a:coreweave:marimo)2026/Apr/23
KEV · CISA · Known Exploited
Scanner · Nuclei · CVE-2026-39987
CVE-2026-33825Microsoft Defender Insufficient Granularity of Access Control Vulnerability (a:microsoft:defender_antimalware_platform)2026/Apr/22
KEV · CISA · Known Exploited
CVE-2023-27351PaperCut NG/MF Improper Authentication Vulnerability (a:papercut:papercut_mf)2026/Apr/20
KEV · CISA · Known Exploited
Scanner · Nuclei · CVE-2023-27351
CVE-2024-27199JetBrains TeamCity Relative Path Traversal Vulnerability (a:jetbrains:teamcity)2026/Apr/20
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2051508 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
IDS · Suricata/ET · SID 2051509 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
IDS · Suricata/ET · SID 2051510 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
IDS · Suricata/ET · SID 2051511 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
IDS · Suricata/ET · SID 2051512 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
SIEM · Splunk · JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-271
Scanner · Nuclei · CVE-2024-27199

Detection Gaps

50
KEV undetected
0
pre-exploit watchlist
50
high-risk undetected

KEV — No Detection

CISA KEV entries with no detection rule — sorted by KEV date (newest first)

CVETitleCVSSEPSSKEV DateATT&CK
CVE-2026-32202Microsoft Windows Protection Mechanism Failure Vulnerability (o:microsoft:windows_10_1607)4.391.61%2026/Apr/28
CVE-2024-57726SimpleHelp Missing Authorization Vulnerability (a:simple-help:simplehelp)9.997.65%2026/Apr/24
CVE-2024-57728SimpleHelp Path Traversal Vulnerability (a:simple-help:simplehelp)7.298.25%2026/Apr/24T1574: Hijack Execution Flow · T1547: Boot or Logon Autostart Execution
CVE-2025-29635D-Link DIR-823X Command Injection Vulnerability (o:dlink:dir-823x_firmware)7.298.67%2026/Apr/24
CVE-2026-33825Microsoft Defender Insufficient Granularity of Access Control Vulnerability (a:microsoft:defender_antimalware_platform)7.887.27%2026/Apr/22
CVE-2026-20133Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (a:cisco:catalyst_sd-wan_manager)7.578.32%2026/Apr/20
CVE-2025-32975Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability (a:quest:kace_systems_management_appliance)10.097.67%2026/Apr/20
CVE-2025-48700Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability (a:synacor:zimbra_collaboration_suite)6.195.31%2026/Apr/20
CVE-2025-2749Kentico Xperience Path Traversal Vulnerability (a:kentico:xperience)7.289.80%2026/Apr/20
CVE-2026-32201Microsoft SharePoint Server Improper Input Validation Vulnerability (a:microsoft:sharepoint_server)6.592.06%2026/Apr/14T1574: Hijack Execution Flow · T1539: Steal Web Session Cookie

Pre-Exploit Watchlist

CVEs with public exploit (Metasploit · ExploitDB · Nuclei) but no detection rule — highest exploitation probability first. These are MOAK-ready: auto-exploitable with no defensive signal.

CVETitleCVSSEPSSKEVSourcesATT&CK

High-Risk — No Detection

CVSS ≥ 9.0 or EPSS ≥ 0.5 with no detection coverage — sorted by EPSS

CVETitleCVSSEPSSKEVATT&CK
CVE-2023-4863Google Chromium WebP Heap-Based Buffer Overflow Vulnerability (a:bandisoft:honeyview)8.899.91%KEV
CVE-2018-0798Microsoft Office Memory Corruption Vulnerability (a:microsoft:office)8.899.90%KEV
CVE-2016-3427Oracle Java SE and JRockit Unspecified Vulnerability (a:apache:cassandra)9.899.88%KEV
CVE-2016-8735Apache Tomcat Remote Code Execution Vulnerability (a:apache:tomcat)9.899.87%KEV
CVE-2010-2965(o:rockwellautomation:1756-enbt\/a_firmware)99.80%
CVE-2014-6321(o:microsoft:windows_7)99.79%
CVE-2024-38112Microsoft Windows MSHTML Platform Spoofing Vulnerability (o:microsoft:windows_10_1507)7.599.78%KEV
CVE-2019-1579Palo Alto Networks PAN-OS Remote Code Execution Vulnerability (o:paloaltonetworks:pan-os)8.199.78%KEV
CVE-2020-15999Google Chrome FreeType Heap Buffer Overflow Vulnerability (a:freetype:freetype)9.699.78%KEV
CVE-2022-34265(a:djangoproject:django)9.899.77%

Detection Coverage

347,296
total CVEs
3,758
detected
1.1%
detection coverage
343,538
undetected
CVEs covered by detection source
coverage by CVSS severity

By Source

count of CVEs with at least one detection rule per source

Suricata/ET 2,782 (0.8%)
Snort/Talos 1,027 (0.3%)
YARA 227 (0.1%)
Sigma 177 (0.1%)
Splunk 85 (0.0%)
Elastic 51 (0.0%)
Chronicle 17 (0.0%)
Sentinel 0 (0.0%)

By Severity

detection coverage broken down by CVSS severity band

SeverityTotalDetectedUncoveredCoverage
critical30,02974929,2802.5%
high81,08882280,2661.0%
medium94,13326193,8720.3%
low4,44354,4380.1%
unknown137,6031,921135,6821.4%

Detection Source Overlap

how many CVEs have N detection sources (0 = no coverage)

CVEs by number of detection sources

Top Vendors by Coverage Gap

vendors ranked by number of CVEs with no detection rule — largest gaps first

VendorTotalDetectedUncoveredCoverageKEV
google12,75414512,6091.1%93
linux12,79529212,5032.3%26
microsoft13,9661,80412,16212.9%385
oracle10,2054749,7314.6%75
debian10,1044569,6484.5%119
apple8,5415398,0026.3%104
ibm8,1232947,8293.6%10
adobe7,0963546,7425.0%78
cisco6,5582706,2884.1%94
fedoraproject5,4201655,2553.0%84

Exploit Intelligence

4,250
exploited CVEs
1004
zero-days (23.6%)
27d
median TTE
481d
median TTD
23.2%
exploited w/ detection
time-to-exploit distribution
detection coverage of exploited CVEs by source

Exploitation Speed

within 1 day 39.5% (1680 CVEs) within 7 days 44.4% within 30 days 50.4% within 1 year 69.9%

exponential decay fit: half-life 1.0 yr · R²=0.805

Yearly Trend

median time-to-exploit and time-to-detect per year with zero-day rate

YearTTE MedianTTD MedianExploitedZero-daysZD Rate
20215671641811728.0%
20224139134610229.5%
2023210844512728.5%
202406261022436.7%
202503454312122.3%
2026081302519.2%

Worst Exposure Windows

CVEs with largest gap between exploit publication and detection (exposure = TTD - TTE)

CVETitleTTETTDExposureCVSSEPSSDetections
CVE-2010-0249(a:microsoft:internet_explorer)051345134d8.899.59%
IDS · Suricata/ET · SID 2010799 ET WEB_CLIENT Possible Internet Explorer srcElement Memory C
YARA · Constructor_Win32_CVE-2010-0249
Exploit · Metasploit · exploits/windows/browser/ms10_002_aurora
Exploit · Exploit-DB · EDB-11167
Exploit · Exploit-DB · EDB-16599
CVE-2010-3081(o:linux:linux_kernel)-948824891d7.891.65%
YARA · Exploit_Linux_CVE-2010-3081_A_MTB
Exploit · Exploit-DB · EDB-15024
CVE-2010-0840Oracle JRE Unspecified Vulnerability (a:oracle:jre)48150584577d9.899.71%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2014160 ET DELETED Blackhole OBE Java Exploit request to /content/ob
YARA · Exploit_WinNT_CVE-2010-0840_PO
Exploit · Metasploit · exploits/multi/browser/java_trusted_chain
Exploit · Exploit-DB · EDB-16297
CVE-2011-3544Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability (a:oracle:jdk)8744924405d9.899.74%
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 21438 EXPLOIT-KIT Blackhole exploit kit JavaScript carat string sp
IDS · Snort/Talos · SID 27040 EXPLOIT-KIT Styx exploit kit plugin detection connection jor
IDS · Snort/Talos · SID 27041 EXPLOIT-KIT Styx exploit kit plugin detection connection jln
IDS · Snort/Talos · SID 27042 EXPLOIT-KIT Styx exploit kit plugin detection connection jov
IDS · Snort/Talos · SID 27144 EXPLOIT-KIT Private exploit kit outbound traffic
IDS · Suricata/ET · SID 2014048 ET DELETED Blackhole Exploit Kit Java Rhino Script Engine Re
IDS · Suricata/ET · SID 2014429 ET EXPLOIT Java Rhino Exploit Attempt - evilcode.class
IDS · Suricata/ET · SID 2014565 ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving
IDS · Suricata/ET · SID 2018564 ET EXPLOIT_KIT BleedingLife Exploit Kit JAR Exploit Request
YARA · Exploit_WinNT_CVE-2011-3544_AV
YARA · Exploit_WinNT_CVE-2011-3544_BU
YARA · Exploit_WinNT_CVE-2011-3544_CF
Exploit · Metasploit · exploits/multi/browser/java_rhino
Exploit · Exploit-DB · EDB-18171
CVE-2009-1151phpMyAdmin Remote Code Execution Vulnerability (a:phpmyadmin:phpmyadmin)85551454290d9.899.78%
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 2281 SERVER-WEBAPP Setup.php access
IDS · Suricata/ET · SID 2009709 ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinf
IDS · Suricata/ET · SID 2009710 ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system
Scanner · Nuclei · CVE-2009-1151
Exploit · Metasploit · exploits/unix/webapp/phpmyadmin_config
Exploit · Exploit-DB · EDB-8921
Exploit · Exploit-DB · EDB-8992
Exploit · Exploit-DB · EDB-16913
CVE-2012-0507Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability (a:oracle:jre)2542604235d9.899.84%
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 21438 EXPLOIT-KIT Blackhole exploit kit JavaScript carat string sp
IDS · Snort/Talos · SID 27040 EXPLOIT-KIT Styx exploit kit plugin detection connection jor
IDS · Snort/Talos · SID 27041 EXPLOIT-KIT Styx exploit kit plugin detection connection jln
IDS · Snort/Talos · SID 27042 EXPLOIT-KIT Styx exploit kit plugin detection connection jov
IDS · Snort/Talos · SID 28795 EXPLOIT-KIT Goon/Infinity exploit kit payload download attem
IDS · Suricata/ET · SID 2014461 ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit
YARA · Exploit_WinNT_CVE-2012-0507_A
YARA · Exploit_WinNT_CVE-2012-0507_AY
YARA · Exploit_WinNT_CVE-2012-0507_B
Exploit · Metasploit · exploits/multi/browser/java_atomicreferencearray
Exploit · Exploit-DB · EDB-18679
CVE-2012-4681Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability (a:oracle:jdk)041784178d9.899.92%
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 21438 EXPLOIT-KIT Blackhole exploit kit JavaScript carat string sp
IDS · Snort/Talos · SID 26834 EXPLOIT-KIT Sweet Orange exploit kit landing page in.php bas
IDS · Snort/Talos · SID 27040 EXPLOIT-KIT Styx exploit kit plugin detection connection jor
IDS · Snort/Talos · SID 27041 EXPLOIT-KIT Styx exploit kit plugin detection connection jln
IDS · Snort/Talos · SID 27042 EXPLOIT-KIT Styx exploit kit plugin detection connection jov
YARA · Exploit_WinNT_CVE-2012-4681_AIK
YARA · Exploit_WinNT_CVE-2012-4681_AIL
YARA · Exploit_WinNT_CVE-2012-4681_AIM
Exploit · Metasploit · exploits/multi/browser/java_jre17_exec
Exploit · Exploit-DB · EDB-20865
CVE-2013-0422Oracle JRE Remote Code Execution Vulnerability (a:oracle:jdk)040434043d9.899.84%
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 27040 EXPLOIT-KIT Styx exploit kit plugin detection connection jor
IDS · Snort/Talos · SID 27041 EXPLOIT-KIT Styx exploit kit plugin detection connection jln
IDS · Snort/Talos · SID 27042 EXPLOIT-KIT Styx exploit kit plugin detection connection jov
YARA · Exploit_WinNT_CVE-2013-0422
YARA · Exploit_WinNT_CVE-2013-0422_A
Exploit · Metasploit · exploits/multi/browser/java_jre17_jmxbean
Exploit · Exploit-DB · EDB-24045
CVE-2012-1723Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability (a:oracle:jdk)27142513980d9.899.91%
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 21438 EXPLOIT-KIT Blackhole exploit kit JavaScript carat string sp
IDS · Snort/Talos · SID 26834 EXPLOIT-KIT Sweet Orange exploit kit landing page in.php bas
IDS · Snort/Talos · SID 27040 EXPLOIT-KIT Styx exploit kit plugin detection connection jor
IDS · Snort/Talos · SID 27041 EXPLOIT-KIT Styx exploit kit plugin detection connection jln
IDS · Snort/Talos · SID 27042 EXPLOIT-KIT Styx exploit kit plugin detection connection jov
IDS · Suricata/ET · SID 2018564 ET EXPLOIT_KIT BleedingLife Exploit Kit JAR Exploit Request
YARA · Exploit_WinNT_CVE-2012-1723
YARA · Exploit_WinNT_CVE-2012-1723_AHQ
YARA · Exploit_WinNT_CVE-2012-1723_BVA
Exploit · Metasploit · exploits/multi/browser/java_verifier_field_access
Exploit · Exploit-DB · EDB-19717
CVE-2013-0431Oracle JRE Sandbox Bypass Vulnerability (a:oracle:jre)4240223980d5.399.68%
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 26534 EXPLOIT-KIT Stamp exploit kit portable executable download
YARA · Exploit_WinNT_CVE-2013-0431
Exploit · Metasploit · exploits/multi/browser/java_jre17_jmxbean_2
Exploit · Exploit-DB · EDB-24539

ATT&CK Coverage

43,832
ATT&CK mapped CVEs
13
tactics tracked
15
techniques with gaps
347,296
total CVEs
CVEs per tactic — total vs detected
tactic detection coverage (%)

Tactic Detection Coverage

detection rule coverage per MITRE ATT&CK tactic across all CVEs mapped to that tactic

TacticTotal CVEsDetectedGapCoverage
TA0002: Execution26,0102,02923,9817.8%
TA0006: Credential Access25,8182,72623,09210.6%
TA0008: Lateral Movement14,6721,60813,06411.0%
TA0004: Privilege Escalation14,0981,62612,47211.5%
TA0003: Persistence11,3281,25410,07411.1%
TA0007: Discovery9,4608,71974192.2%
TA0043: Reconnaissance6,8471,6125,23523.5%
TA0009: Collection5,7805935,18710.3%
TA0040: Impact4,2721344,1383.1%
TA0001: Initial Access3,0851952,8906.3%

Technique Detection Gap

top techniques by number of CVEs with no detection — largest blind spots first

TechniqueTotalDetectedGapCoverage
T1574: Hijack Execution Flow259122026238867.8%
T1550: Use Alternate Authentication Material132711089121828.2%
T1134: Access Token Manipulation122901047112438.5%
T1539: Steal Web Session Cookie1019292892649.1%
T1083: File and Directory Discovery938767287157.2%
T1111: Multi-Factor Authentication Interception704153965027.7%
T1082: System Information Discovery683254062927.9%
T1592: Gather Victim Host Information683254062927.9%
T1135: Network Share Discovery679453662587.9%
T1007: System Service Discovery679053662547.9%

Threat Intel

347,296
total CVEs
130.8/day
2026 pace
47,742
2026 projected
32,967
EPSS ≥ 0.9
30,029
CVSS critical
CVE volume by year
CISA KEV by month (last 18 months)

CVE Growth

year-over-year CVE publication volume with 3-year moving average

YearCountYoY %Cumulative
202615,700-64.4%347,296
202544,127+13.0%331,596
202439,063+25.3%287,469
202331,170+13.5%248,406
202227,468+17.6%217,236
202123,358+11.2%189,768
202021,013+19.6%166,410
201917,571-0.7%145,397
201817,698+3.7%127,826
201717,061+60.8%110,128

Top EPSS Movers

CVEs with the largest EPSS score increase over their tracked history

CVETitleCVSSEPSS StartEPSS NowDeltaDetections
CVE-2025-11371Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability (a:gladinet:centrestack)7.51.54%98.74%+0.972
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2065258 ET WEB_SPECIFIC_APPS Gladinet CentreStack and Triofox Local
Scanner · Nuclei · CVE-2025-11371
Exploit · Metasploit · auxiliary/gather/gladinet_storage_path_traversal_cve_2025_11
CVE-2026-20257.50.65%96.27%+0.956
Scanner · Nuclei · CVE-2026-2025
CVE-2025-32463Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability (a:sudo_project:sudo)7.81.28%96.19%+0.949
KEV · CISA · Known Exploited
SIEM · Sigma · file_event_lnx_exploit_cve_2025_32463
SIEM · Sigma · proc_creation_lnx_chroot_execution
SIEM · Elastic · Potential CVE-2025-32463 Nsswitch File Creation
SIEM · Elastic · Potential CVE-2025-32463 Sudo Chroot Execution Attempt
Exploit · Metasploit · exploits/linux/local/sudo_chroot_cve_2025_32463
Exploit · Exploit-DB · EDB-52352
CVE-2024-55963(a:appsmith:appsmith)6.51.48%96.14%+0.947
IDS · Suricata/ET · SID 2061291 ET WEB_SPECIFIC_APPS AppSmith PostgreSQL Command Injection A
Exploit · Exploit-DB · EDB-52118
CVE-2025-29927(a:vercel:next.js)9.15.25%99.77%+0.945
IDS · Suricata/ET · SID 2061026 ET WEB_SERVER Next.js Middleware Authorization Bypass (CVE-2
Scanner · Nuclei · CVE-2025-29927
Exploit · Exploit-DB · EDB-52124
CVE-2025-1232(a:geminilabs:site_reviews)8.83.64%97.94%+0.943
Scanner · Nuclei · CVE-2025-1232
CVE-2025-26493(a:jetbrains:teamcity)6.10.52%94.65%+0.941
CVE-2024-49754(a:librenms:librenms)5.40.39%93.90%+0.935
CVE-2025-31125Vite Vitejs Improper Access Control Vulnerability (a:vitejs:vite)7.55.78%99.26%+0.935
KEV · CISA · Known Exploited
Scanner · Nuclei · CVE-2025-31125
CVE-2025-30066tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability (a:tj-actions:changed-files)8.66.13%99.57%+0.934
KEV · CISA · Known Exploited

Recent High-EPSS CVEs

EPSS ≥ 0.9 published since 2026

CVETitleCVSSEPSSDetections
CVE-2024-6670Progress WhatsUp Gold SQL Injection Vulnerability (a:progress:whatsup_gold)9.8100.00%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2055982 ET WEB_SPECIFIC_APPS Progress WhatsUp Gold Pre-Auth Password
IDS · Suricata/ET · SID 2055983 ET WEB_SPECIFIC_APPS Progress WhatsUp Gold HasErrors SQL Inj
Scanner · Nuclei · CVE-2024-6670
Exploit · Metasploit · auxiliary/admin/http/whatsup_gold_sqli
CVE-2024-23897Jenkins Command Line Interface (CLI) Path Traversal Vulnerability (a:jenkins:jenkins)9.8100.00%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2050517 ET EXPLOIT Jenkins Unauthenticated RCE Attempt Observed (CVE
SIEM · Splunk · Jenkins Arbitrary File Read CVE-2024-23897
Scanner · Nuclei · CVE-2024-23897
Exploit · Metasploit · auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read
Exploit · Exploit-DB · EDB-51993
CVE-2024-7593Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability (a:ivanti:virtual_traffic_management)9.899.99%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2055706 ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager Authenti
IDS · Suricata/ET · SID 2056184 ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager (vTM) Au
SIEM · Splunk · Ivanti VTM New Account Creation
Scanner · Nuclei · CVE-2024-7593
Exploit · Metasploit · auxiliary/admin/http/ivanti_vtm_admin
CVE-2024-28995SolarWinds Serv-U Path Traversal Vulnerability (a:solarwinds:serv-u)7.599.98%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2053801 ET EXPLOIT Solarwinds Serv-U Directory Traversal Attempt Inb
Scanner · Nuclei · CVE-2024-28995
Exploit · Metasploit · auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995
Exploit · Exploit-DB · EDB-52311
CVE-2024-4040CrushFTP VFS Sandbox Escape Vulnerability (a:crushftp:crushftp)10.099.98%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2052276 ET WEB_SPECIFIC_APPS CrushFTP Arbitrary File Read Attempt (C
IDS · Suricata/ET · SID 2052277 ET WEB_SPECIFIC_APPS CrushFTP working_dir Template Injection
SIEM · Splunk · CrushFTP Server Side Template Injection
Scanner · Nuclei · CVE-2024-4040
Exploit · Metasploit · auxiliary/gather/crushftp_fileread_cve_2024_4040
CVE-2024-3273D-Link Multiple NAS Devices Command Injection Vulnerability (o:dlink:dnr-202l_firmware)9.899.98%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2051955 ET WEB_SPECIFIC_APPS D-Link NAS devices Backdoor Account Acc
Scanner · Nuclei · CVE-2024-3273
CVE-2024-36401OSGeo GeoServer GeoTools Eval Injection Vulnerability (a:geoserver:geoserver)9.899.98%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2055805 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055808 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055809 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055810 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055811 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
Scanner · Nuclei · CVE-2024-36401
Exploit · Metasploit · exploits/multi/http/geoserver_unauth_rce_cve_2024_36401
CVE-2024-21887Ivanti Connect Secure and Policy Secure Command Injection Vulnerability (a:ivanti:connect_secure)9.199.98%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2050095 ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypa
IDS · Suricata/ET · SID 2050096 ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypa
IDS · Suricata/ET · SID 2050131 ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentica
IDS · Suricata/ET · SID 2050280 ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentica
IDS · Suricata/ET · SID 2050700 ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy
SIEM · Splunk · Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
SIEM · Splunk · Ivanti Connect Secure Command Injection Attempts
SIEM · Splunk · Ivanti Connect Secure System Information Access via Auth Byp
Scanner · Nuclei · CVE-2024-21887
Exploit · Metasploit · exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805
Exploit · Metasploit · exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893
CVE-2024-4577PHP-CGI OS Command Injection Vulnerability (a:php:php)9.899.97%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2013001 ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt
IDS · Suricata/ET · SID 2019957 ET WEB_SERVER Generic PHP Remote File Include
IDS · Suricata/ET · SID 2060800 ET WEB_SPECIFIC_APPS PHP-CGI OS Command Injection (soft hyph
Scanner · Nuclei · CVE-2024-4577
Exploit · Metasploit · exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_457
Exploit · Exploit-DB · EDB-52331
CVE-2024-38856Apache OFBiz Incorrect Authorization Vulnerability (a:apache:ofbiz)9.899.97%
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2054947 ET WEB_SPECIFIC_APPS Apache OFBiz Pre-Auth Remote Code Execu
Scanner · Nuclei · CVE-2024-38856
Exploit · Metasploit · exploits/multi/http/apache_ofbiz_forgot_password_directory_t

Exposure

5,983
exposed CVEs
4,468
exploited ITW
8
ThreatFox IOCs
1,896
CIRCL sightings

Exposed CVEs

CVEs with internet visibility via Shodan, CIRCL sightings, ThreatFox IOCs, or in-the-wild exploitation — ranked by composite risk score. Highlighted rows have no detection coverage.

CVE Title CVSS EPSS ER Signals Malware Detections
CVE-2025-55182 Meta React Server Components Remote Code Execution Vulnerability (a:facebook:react) 10.0 99.33% 4/4 shodan↗C:1486T:32I:500 Mirai, Unknown malware
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2066027 ET WEB_SPECIFIC_APPS React Server Components React2Shell Uns
IDS · Suricata/ET · SID 2066028 ET WEB_SPECIFIC_APPS Vite RSC React2Shell Unsafe Flight Prot
IDS · Suricata/ET · SID 2066029 ET WEB_SPECIFIC_APPS Waku RSC React2Shell Unsafe Flight Prot
SIEM · Sigma · info
SIEM · Sigma · proc_creation_lnx_exploit_cve_2025_55182_susp_nodejs_server_child_process
SIEM · Sigma · proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process
SIEM · Elastic · Suspicious React Server Child Process
SIEM · Elastic · React2Shell (CVE-2025-55182) Exploitation Attempt
SIEM · Elastic · React2Shell Network Security Alert
Scanner · Nuclei · CVE-2025-55182
YARA · react_pocs_indicators_dec25
Exploit · Metasploit · exploits/multi/http/react2shell_unauth_rce_cve_2025_55182
Exploit · Exploit-DB · EDB-52506
CVE-2021-44228 Log4Shell (a:apache:log4j) 10.0 99.96% 4/4 shodan↗C:1455T:2I:502 Mirai
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 300055 SERVER-OTHER Apache Log4j logging remote code execution atte
IDS · Snort/Talos · SID 300056 SERVER-OTHER Apache Log4j logging remote code execution atte
IDS · Snort/Talos · SID 300057 SERVER-OTHER Apache Log4j logging remote code execution atte
IDS · Snort/Talos · SID 300058 SERVER-OTHER Apache Log4j logging remote code execution atte
IDS · Snort/Talos · SID 300061 SERVER-OTHER Apache Log4j logging remote code execution atte
IDS · Suricata/ET · SID 2034647 ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44
IDS · Suricata/ET · SID 2034648 ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-442
IDS · Suricata/ET · SID 2034649 ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-442
IDS · Suricata/ET · SID 2034650 ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-4422
IDS · Suricata/ET · SID 2034651 ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-442
SIEM · Sigma · web_cve_2021_44228_log4j
SIEM · Sigma · web_cve_2021_44228_log4j_fields
SIEM · Sigma · proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j
SIEM · Splunk · Hunting for Log4Shell
SIEM · Splunk · PowerShell - Connect To Internet With Hidden Window
SIEM · Splunk · CMD Carry Out String Command Parameter
SIEM · Splunk · Outbound Network Connection from Java Using Default Ports
SIEM · Splunk · File Download or Read to Pipe Execution
Scanner · Nuclei · CVE-2021-44228
YARA · expl_log4j_cve_2021_44228
YARA · Exploit_WinNT_CVE-2021-44228_C_MTB
Exploit · Metasploit · auxiliary/scanner/http/log4shell_scanner
Exploit · Metasploit · exploits/multi/http/log4shell_header_injection
Exploit · Metasploit · exploits/multi/http/vmware_vcenter_log4shell
Exploit · Exploit-DB · EDB-50590
Exploit · Exploit-DB · EDB-50592
Exploit · Exploit-DB · EDB-51183
CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability (a:php:php) 9.8 99.97% 4/4 shodan↗C:557I:337
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2013001 ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt
IDS · Suricata/ET · SID 2019957 ET WEB_SERVER Generic PHP Remote File Include
IDS · Suricata/ET · SID 2060800 ET WEB_SPECIFIC_APPS PHP-CGI OS Command Injection (soft hyph
Scanner · Nuclei · CVE-2024-4577
Exploit · Metasploit · exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_457
Exploit · Exploit-DB · EDB-52331
CVE-2021-41773 Apache HTTP Server Path Traversal Vulnerability (a:apache:http_server) 9.8 99.97% 4/4 shodan↗C:1I:337
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2034124 ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attemp
IDS · Suricata/ET · SID 2034125 ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attemp
IDS · Suricata/ET · SID 2034126 ET POLICY Apache HTTP Server 2.4.49 Observed - Vulnerable to
IDS · Suricata/ET · SID 2034128 ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attemp
SIEM · Sigma · web_cve_2021_41773_apache_path_traversal
Scanner · Nuclei · CVE-2021-41773
Exploit · Metasploit · auxiliary/scanner/http/apache_normalize_path
Exploit · Metasploit · exploits/multi/http/apache_normalize_path_rce
Exploit · Exploit-DB · EDB-50383
Exploit · Exploit-DB · EDB-50512
CVE-2022-26134 Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability (a:atlassian:confluence_data_center) 9.8 99.98% 4/4 shodan↗C:673I:311
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 59927 MALWARE-BACKDOOR Jsp.Webshell.TinyUploader upload attempt
IDS · Snort/Talos · SID 59928 MALWARE-BACKDOOR Jsp.Webshell.Chopper webshell download atte
IDS · Snort/Talos · SID 59929 MALWARE-BACKDOOR Jsp.Webshell.Behinder download attempt
IDS · Snort/Talos · SID 59930 MALWARE-BACKDOOR Jsp.Webshell.Noop download attempt
IDS · Snort/Talos · SID 59931 MALWARE-BACKDOOR Jsp.Webshell.Chopper upload attempt
SIEM · Sigma · web_java_payload_in_access_logs
SIEM · Sigma · java_ognl_injection_exploitation_attempt
SIEM · Sigma · proc_creation_lnx_exploit_cve_2022_26134_atlassian_confluence
SIEM · Splunk · Confluence Unauthenticated Remote Code Execution CVE-2022-26
Scanner · Nuclei · CVE-2022-26134
Exploit · Metasploit · exploits/multi/http/atlassian_confluence_namespace_ognl_inje
Exploit · Exploit-DB · EDB-50952
CVE-2023-46805 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability (a:ivanti:connect_secure) 8.2 99.97% 3/4 shodan↗C:333I:308
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2050095 ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypa
IDS · Suricata/ET · SID 2050096 ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypa
IDS · Suricata/ET · SID 2050131 ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentica
IDS · Suricata/ET · SID 2050280 ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentica
SIEM · Splunk · Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
SIEM · Splunk · Ivanti Connect Secure Command Injection Attempts
SIEM · Splunk · Ivanti Connect Secure System Information Access via Auth Byp
Scanner · Nuclei · CVE-2023-46805
Exploit · Metasploit · exploits/linux/http/ivanti_connect_secure_rce_cve_2023_46805
CVE-2019-11510 Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability (a:ivanti:connect_secure) 10.0 100.00% 4/4 shodan↗C:363I:291
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2027904 ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2
SIEM · Sigma · web_cve_2019_11510_pulsesecure_exploit
SIEM · Chronicle · pulse_secure_attack_cve_2019_11510
Scanner · Nuclei · CVE-2019-11510
Exploit · Metasploit · auxiliary/gather/pulse_secure_file_disclosure
Exploit · Exploit-DB · EDB-47297
CVE-2022-1388 F5 BIG-IP Missing Authentication Vulnerability (a:f5:big-ip_access_policy_manager) 9.8 99.99% 4/4 shodan↗C:290I:289
KEV · CISA · Known Exploited
IDS · Snort/Talos · SID 300131 SERVER-WEBAPP F5 BIG-IP iControl remote code execution attem
IDS · Snort/Talos · SID 57336 POLICY-OTHER F5 iControl REST interface tm.util.bash invocat
IDS · Suricata/ET · SID 2036546 ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CV
IDS · Suricata/ET · SID 2036547 ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Ser
IDS · Suricata/ET · SID 2036556 ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Att
IDS · Suricata/ET · SID 2049256 ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Att
SIEM · Splunk · F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
Scanner · Nuclei · CVE-2022-1388
Exploit · Metasploit · exploits/linux/http/f5_icontrol_rce
Exploit · Exploit-DB · EDB-50932
CVE-2024-24919 Check Point Quantum Security Gateways Information Disclosure Vulnerability (a:checkpoint:cloudguard_network_security) 8.6 99.96% 3/4 shodan↗C:529I:286
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2053031 ET WEB_SPECIFIC_APPS Checkpoint Quantum Security Gateway Arb
Scanner · Nuclei · CVE-2024-24919
Exploit · Metasploit · auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919
CVE-2017-9841 PHPUnit Command Injection Vulnerability (a:oracle:communications_diameter_signaling_router) 9.8 99.92% 3/4 shodan↗C:706I:282
KEV · CISA · Known Exploited
Scanner · Nuclei · CVE-2017-9841
Exploit · Exploit-DB · EDB-50702
CVE-2021-26084 Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability (a:atlassian:confluence_data_center) 9.8 99.99% 4/4 shodan↗C:479I:278
KEV · CISA · Known Exploited
SIEM · Sigma · web_java_payload_in_access_logs
SIEM · Sigma · proc_creation_win_exploit_cve_2021_26084_atlassian_confluence
SIEM · Sigma · web_cve_2021_26084_confluence_rce_exploit
Scanner · Nuclei · CVE-2021-26084
YARA · yara_mixed_ext_vars
YARA · expl_cve_2021_26084_confluence_log
Exploit · Metasploit · exploits/multi/http/atlassian_confluence_webwork_ognl_inject
Exploit · Exploit-DB · EDB-50243
CVE-2023-1389 TP-Link Archer AX-21 Command Injection Vulnerability (o:tp-link:archer_ax21_firmware) 8.8 99.84% 3/4 shodan↗C:7I:271
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2044585 ET EXPLOIT TP-Link Archer AX21 Unauthenticated Command Injec
SIEM · Sigma · proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21
Scanner · Nuclei · CVE-2023-1389
Exploit · Exploit-DB · EDB-51677
CVE-2024-23897 Jenkins Command Line Interface (CLI) Path Traversal Vulnerability (a:jenkins:jenkins) 9.8 100.00% 4/4 shodan↗C:1I:263
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2050517 ET EXPLOIT Jenkins Unauthenticated RCE Attempt Observed (CVE
SIEM · Splunk · Jenkins Arbitrary File Read CVE-2024-23897
Scanner · Nuclei · CVE-2024-23897
Exploit · Metasploit · auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read
Exploit · Exploit-DB · EDB-51993
CVE-2023-27350 PaperCut MF/NG Improper Access Control Vulnerability (a:papercut:papercut_mf) 9.8 99.94% 4/4 shodan↗C:2I:263
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2045130 ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypa
Scanner · Nuclei · CVE-2023-27350
Exploit · Metasploit · exploits/multi/http/papercut_ng_auth_bypass
Exploit · Exploit-DB · EDB-51391
Exploit · Exploit-DB · EDB-51452
CVE-2023-0669 Fortra GoAnywhere MFT Remote Code Execution Vulnerability (a:fortra:goanywhere_managed_file_transfer) 7.2 99.97% 4/4 shodan↗C:2I:264
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2044143 ET WEB_SPECIFIC_APPS Fortra MFT Deserialization Remote Code
IDS · Suricata/ET · SID 2044144 ET WEB_SPECIFIC_APPS Fortra MFT Deserialization Remote Code
IDS · Suricata/ET · SID 2044145 ET EXPLOIT Fortra MFT Deserialization Remote Code Execution
Scanner · Nuclei · CVE-2023-0669
Exploit · Metasploit · exploits/multi/http/fortra_goanywhere_rce_cve_2023_0669
Exploit · Exploit-DB · EDB-51339
CVE-2023-42793 JetBrains TeamCity Authentication Bypass Vulnerability (a:jetbrains:teamcity) 9.8 99.78% 4/4 shodan↗C:573I:258
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2048460 ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-
IDS · Suricata/ET · SID 2048461 ET EXPLOIT JetBrains TeamCity Auth Bypass Successful Attempt
SIEM · Sigma · dns_query_win_apt_diamond_steel_indicators
SIEM · Sigma · file_event_win_apt_diamond_sleet_indicators
SIEM · Sigma · image_load_apt_diamond_sleet_side_load
SIEM · Sigma · proc_creation_win_apt_diamond_sleet_indicators
SIEM · Sigma · registry_event_apt_diamond_sleet_scheduled_task
SIEM · Splunk · JetBrains TeamCity RCE Attempt
Scanner · Nuclei · CVE-2023-42793
YARA · expl_teamcity_2023_42793
Exploit · Metasploit · exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793
Exploit · Exploit-DB · EDB-51884
CVE-2023-23752 Joomla! Improper Access Control Vulnerability (a:joomla:joomla\!) 5.3 100.00% 4/4 shodan↗C:537I:257
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2052951 ET WEB_SPECIFIC_APPS Joomla Improper Access Control to Webse
SIEM · Sigma · web_cve_2023_23752_joomla_exploit_attempt
Scanner · Nuclei · CVE-2023-23752
Exploit · Metasploit · auxiliary/scanner/http/joomla_api_improper_access_checks
Exploit · Exploit-DB · EDB-51334
CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability (a:atlassian:confluence_data_center) 9.8 99.96% 3/4 shodan↗C:706I:256
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2050340 ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-20
IDS · Suricata/ET · SID 2050543 ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-20
SIEM · Splunk · Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
Scanner · Nuclei · CVE-2023-22527
Exploit · Metasploit · exploits/multi/http/atlassian_confluence_rce_cve_2023_22527
CVE-2022-40684 Fortinet Multiple Products Authentication Bypass Vulnerability (a:fortinet:fortiproxy) 9.8 99.98% 4/4 shodan↗C:379I:254
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2039173 ET WEB_SERVER [Cluster25] FortiOS Auth Bypass Attempt (CVE-2
IDS · Suricata/ET · SID 2039419 ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - SSH K
IDS · Suricata/ET · SID 2039420 ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - Admin
IDS · Suricata/ET · SID 2039485 ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - Confi
SIEM · Splunk · Fortinet Appliance Auth bypass
Scanner · Nuclei · CVE-2022-40684
Exploit · Metasploit · exploits/linux/http/fortinet_authentication_bypass_cve_2022_
Exploit · Exploit-DB · EDB-51092
Exploit · Exploit-DB · EDB-52239
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability (a:zohocorp:manageengine_adselfservice_plus) 9.8 99.98% 3/4 shodan↗I:254
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2034362 ET EXPLOIT ManageEngine AdSelfService Plus - Authentication
IDS · Suricata/ET · SID 2034363 ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File
IDS · Suricata/ET · SID 2034364 ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell U
IDS · Suricata/ET · SID 2034365 ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code E
SIEM · Sigma · proc_creation_win_java_keytool_susp_child_process
SIEM · Sigma · web_cve_2021_40539_adselfservice
SIEM · Sigma · web_cve_2021_40539_manageengine_adselfservice_exploit
Scanner · Nuclei · CVE-2021-40539
YARA · expl_adselfservice_cve_2021_40539
Exploit · Metasploit · exploits/windows/http/manageengine_adselfservice_plus_cve_20
CVE-2025-5777 Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability (a:citrix:netscaler_application_delivery_controller) 7.5 98.55% 3/4 shodan↗C:846I:250
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2063315 ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory L
SIEM · Splunk · Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
Scanner · Nuclei · CVE-2025-5777
Exploit · Exploit-DB · EDB-52401
CVE-2017-11882 Microsoft Office Memory Corruption Vulnerability (a:microsoft:office) 7.8 99.96% 3/4 shodan↗C:1I:252
KEV · CISA · Known Exploited
SIEM · Sigma · proc_creation_win_exploit_cve_2017_11882
SIEM · Sigma · proc_creation_win_regasm_no_flag_or_dll_execution
YARA · exploit_cve_2017_11882
YARA · gen_rtf_malver_objects
YARA · Exploit_O97M_CVE-2017-11882_AD_MTB
Exploit · Metasploit · exploits/windows/fileformat/office_ms17_11882
Exploit · Exploit-DB · EDB-43163
CVE-2023-20198 Cisco IOS XE Web UI Privilege Escalation Vulnerability (o:cisco:ios_xe) 10.0 99.89% 3/4 shodan↗C:799I:250
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2048583 ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-2
IDS · Suricata/ET · SID 2048584 ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-2
IDS · Suricata/ET · SID 2048737 ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-201
IDS · Suricata/ET · SID 2048738 ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-201
IDS · Suricata/ET · SID 2048739 ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Resp
SIEM · Sigma · cisco_syslog_cve_2023_20198_ios_xe_web_ui
SIEM · Splunk · Cisco IOS XE Implant Access
Scanner · Nuclei · CVE-2023-20198
Exploit · Metasploit · auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
Exploit · Metasploit · auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273
Exploit · Metasploit · exploits/linux/misc/cisco_ios_xe_rce
CVE-2025-24893 XWiki Platform Eval Injection Vulnerability (a:xwiki:xwiki) 9.8 99.88% 4/4 shodan↗I:250
KEV · CISA · Known Exploited
Scanner · Nuclei · CVE-2025-24893
Exploit · Metasploit · exploits/multi/http/xwiki_unauth_rce_cve_2025_24893
Exploit · Exploit-DB · EDB-52136
Exploit · Exploit-DB · EDB-52429
CVE-2024-27198 JetBrains TeamCity Authentication Bypass Vulnerability (a:jetbrains:teamcity) 9.8 99.79% 4/4 shodan↗C:319I:246
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2051505 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
IDS · Suricata/ET · SID 2051506 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
IDS · Suricata/ET · SID 2051507 ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypas
SIEM · Splunk · JetBrains TeamCity Authentication Bypass CVE-2024-27198
SIEM · Splunk · JetBrains TeamCity Authentication Bypass Suricata CVE-2024-2
Scanner · Nuclei · CVE-2024-27198
Exploit · Metasploit · exploits/multi/http/jetbrains_teamcity_rce_cve_2024_27198
Exploit · Exploit-DB · EDB-52411
CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability (a:microsoft:sharepoint_server) 8.8 98.26% 2/4 shodan↗I:248
KEV · CISA · Known Exploited
SIEM · Sigma · file_event_win_exploit_cve_2025_53770
SIEM · Sigma · file_event_win_susp_filewrite_in_sharepoint_layouts_dir
Exploit · Metasploit · exploits/windows/http/sharepoint_toolpane_rce
CVE-2023-22518 Atlassian Confluence Data Center and Server Improper Authorization Vulnerability (a:atlassian:confluence_data_center) 9.8 99.97% 3/4 shodan↗C:4I:245
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2049080 ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vul
IDS · Suricata/ET · SID 2049081 ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vul
IDS · Suricata/ET · SID 2049082 ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vul
IDS · Suricata/ET · SID 2049083 ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vul
IDS · Suricata/ET · SID 2049084 ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vul
SIEM · Sigma · proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc
SIEM · Sigma · proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc
SIEM · Sigma · proxy_exploit_cve_2023_22518_confluence_auth_bypass
SIEM · Sigma · web_exploit_cve_2023_22518_confluence_auth_bypass
SIEM · Splunk · Confluence Data Center and Server Privilege Escalation
Scanner · Nuclei · CVE-2023-22518
Exploit · Metasploit · exploits/multi/http/atlassian_confluence_unauth_backup
CVE-2021-43798 Grafana Path Traversal Vulnerability (a:grafana:grafana) 7.5 99.99% 4/4 shodan↗I:242
KEV · CISA · Known Exploited
SIEM · Sigma · web_cve_2021_43798_grafana
Scanner · Nuclei · CVE-2021-43798
Exploit · Metasploit · auxiliary/scanner/http/grafana_plugin_traversal
Exploit · Exploit-DB · EDB-50581
CVE-2025-3248 Langflow Missing Authentication Vulnerability (a:langflow:langflow) 9.8 99.69% 4/4 shodan↗C:290I:243
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2061448 ET WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code
Scanner · Nuclei · CVE-2025-3248
Exploit · Metasploit · exploits/multi/http/langflow_unauth_rce_cve_2025_3248
Exploit · Exploit-DB · EDB-52262
Exploit · Exploit-DB · EDB-52364
CVE-2024-36401 OSGeo GeoServer GeoTools Eval Injection Vulnerability (a:geoserver:geoserver) 9.8 99.98% 3/4 shodan↗C:506I:243
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2055805 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055808 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055809 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055810 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
IDS · Suricata/ET · SID 2055811 ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE
Scanner · Nuclei · CVE-2024-36401
Exploit · Metasploit · exploits/multi/http/geoserver_unauth_rce_cve_2024_36401
CVE-2021-36260 Hikvision Improper Input Validation (o:hikvision:ds-2cd2021g1-i\(w\)_firmware) 9.8 99.99% 4/4 shodan↗C:5I:240
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2034630 ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)
Scanner · Nuclei · CVE-2021-36260
Exploit · Metasploit · exploits/linux/http/hikvision_cve_2021_36260_blind
Exploit · Exploit-DB · EDB-50441
CVE-2022-46169 Cacti Command Injection Vulnerability (a:cacti:cacti) 9.8 100.00% 4/4 shodan↗I:240
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2043010 ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M1 (CV
IDS · Suricata/ET · SID 2043011 ET EXPLOIT Possible Cacti Unauthenticated RCE Inbound M2 (CV
SIEM · Sigma · web_cve_2022_46169_cacti_exploitation_attempt
Scanner · Nuclei · CVE-2022-46169
YARA · expl_cve_2022_46169_cacti
Exploit · Metasploit · exploits/linux/http/cacti_unauthenticated_cmd_injection
Exploit · Exploit-DB · EDB-51166
CVE-2025-31161 CrushFTP Authentication Bypass Vulnerability (a:crushftp:crushftp) 9.8 99.41% 3/4 shodan↗I:238
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2061227 ET WEB_SPECIFIC_APPS CrushFTP Authentication Bypass (CVE-202
IDS · Suricata/ET · SID 2061619 ET EXPLOIT [CORELIGHT] CrushFTP Auth Bypass Attempt (CVE-202
SIEM · Sigma · proc_creation_win_crushftp_susp_child_processes
SIEM · Splunk · Windows Shell Process from CrushFTP
SIEM · Splunk · CrushFTP Authentication Bypass Exploitation
SIEM · Splunk · CrushFTP Max Simultaneous Users From IP
Scanner · Nuclei · CVE-2025-31161
Exploit · Exploit-DB · EDB-52295
CVE-2023-46747 F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability (a:f5:big-ip_access_policy_manager) 9.8 99.99% 3/4 shodan↗I:235
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2048925 ET WEB_SPECIFIC_APPS Possible F5 BIG-IP AJP Request Smugglin
IDS · Suricata/ET · SID 2049057 ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
IDS · Suricata/ET · SID 2049058 ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
IDS · Suricata/ET · SID 2049059 ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
SIEM · Sigma · proxy_cve_2023_46747_f5_remote_code_execution
SIEM · Sigma · web_cve_2023_46747_f5_remote_code_execution
SIEM · Splunk · F5 TMUI Authentication Bypass
Scanner · Nuclei · CVE-2023-46747
Exploit · Metasploit · exploits/linux/http/f5_bigip_tmui_rce_cve_2023_46747
CVE-2022-22947 VMware Spring Cloud Gateway Code Injection Vulnerability (a:oracle:commerce_guided_search) 10.0 99.99% 4/4 shodan↗I:232
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2035380 ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2
IDS · Suricata/ET · SID 2035381 ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2
Scanner · Nuclei · CVE-2022-22947
Exploit · Metasploit · exploits/linux/http/spring_cloud_gateway_rce
Exploit · Exploit-DB · EDB-50799
CVE-2020-8515 Multiple DrayTek Vigor Routers Web Management Page Vulnerability (o:draytek:vigor2960_firmware) 9.8 99.96% 3/4 shodan↗C:1I:229
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2029804 ET EXPLOIT Multiple DrayTek Products Pre-authentication Remo
IDS · Suricata/ET · SID 2029805 ET EXPLOIT Multiple DrayTek Products Pre-authentication Remo
IDS · Suricata/ET · SID 2029806 ET EXPLOIT Multiple DrayTek Products Pre-authentication Remo
IDS · Suricata/ET · SID 2029807 ET EXPLOIT Multiple DrayTek Products Pre-authentication Remo
SIEM · Chronicle · draytek_pre_auth_remote_root_rce
Scanner · Nuclei · CVE-2020-8515
Exploit · Exploit-DB · EDB-48268
CVE-2022-22963 VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability (a:oracle:banking_branch) 9.8 100.00% 4/4 shodan↗I:228
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2035670 ET EXPLOIT Possible Spring Cloud Connector RCE Inbound (CVE-
SIEM · Splunk · Web Spring Cloud Function FunctionRouter
Scanner · Nuclei · CVE-2022-22963
Exploit · Metasploit · exploits/multi/http/spring_cloud_function_spel_injection
Exploit · Exploit-DB · EDB-51577
CVE-2022-29464 WSO2 Multiple Products Unrestrictive Upload of File Vulnerability (a:wso2:api_manager) 9.8 99.99% 3/4 shodan↗C:387I:227
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2036378 ET EXPLOIT WSO2 Server RCE (CVE-2022-29464)
Scanner · Nuclei · CVE-2022-29464
Exploit · Metasploit · exploits/multi/http/wso2_file_upload_rce
CVE-2021-22986 F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability (a:f5:big-ip_access_policy_manager) 9.8 100.00% 4/4 shodan↗C:8I:226
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2032092 ET EXPLOIT F5 BIG-IP iControl REST Unauthenticated RCE Inbou
IDS · Suricata/ET · SID 2032220 ET EXPLOIT [NCC/FOX-IT] Possible F5 BIG-IP/BIG-IQ iControl R
Scanner · Nuclei · CVE-2021-22986
YARA · exploit_f5_bigip_cve_2021_22986_log
Exploit · Metasploit · exploits/linux/http/f5_icontrol_rest_ssrf_rce
Exploit · Exploit-DB · EDB-49738
CVE-2023-32315 Ignite Realtime Openfire Path Traversal Vulnerability (a:igniterealtime:openfire) 7.5 99.99% 3/4 shodan↗I:228
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2047862 ET WEB_SPECIFIC_APPS Openfire Authentication Bypass With RCE
Scanner · Nuclei · CVE-2023-32315
Exploit · Metasploit · exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability (a:vmware:cloud_foundation) 9.8 99.99% 3/4 shodan↗I:228
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2035874 ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-20
IDS · Suricata/ET · SID 2035875 ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-20
IDS · Suricata/ET · SID 2035876 ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-20
IDS · Suricata/ET · SID 2036416 ET EXPLOIT Possible VMware Workspace ONE Access RCE via Serv
SIEM · Sigma · proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce
SIEM · Splunk · VMware Server Side Template Injection Hunt
SIEM · Splunk · VMware Workspace ONE Freemarker Server-side Template Injecti
Scanner · Nuclei · CVE-2022-22954
YARA · exploit_cve_2022_22954_vmware_workspace_one
Exploit · Metasploit · exploits/linux/http/vmware_workspace_one_access_cve_2022_229
CVE-2023-36845 Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability (o:juniper:junos) 9.8 99.96% 3/4 shodan↗I:228
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2047869 ET EXPLOIT Junos OS - Unauthenticated PHPRC Environmental Va
IDS · Suricata/ET · SID 2047870 ET EXPLOIT Junos OS - Unauthenticated PHPRC Environmental Va
SIEM · Splunk · Juniper Networks Remote Code Execution Exploit Detection
Scanner · Nuclei · CVE-2023-36845
Exploit · Metasploit · exploits/freebsd/http/junos_phprc_auto_prepend_file
CVE-2016-20016 (o:mvpower:tv-7104he_firmware) 9.8 99.62% 2/4 shodan↗I:230
IDS · Suricata/ET · SID 2030092 ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver
Exploit · Metasploit · exploits/linux/http/mvpower_dvr_shell_exec
CVE-2022-30525 Zyxel Multiple Firewalls OS Command Injection Vulnerability (o:zyxel:atp100_firmware) 9.8 99.99% 4/4 shodan↗I:226
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2036596 ET EXPLOIT [Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exp
Scanner · Nuclei · CVE-2022-30525
Exploit · Metasploit · exploits/linux/http/zyxel_ztp_rce
Exploit · Exploit-DB · EDB-50946
CVE-2024-10914 (o:dlink:dns-320_firmware) 9.8 99.88% 2/4 shodan↗C:361I:226
IDS · Suricata/ET · SID 2057330 ET WEB_SPECIFIC_APPS D-Link NAS OS Command Injection in cgi_
Scanner · Nuclei · CVE-2024-10914
CVE-2023-4220 (a:chamilo:chamilo_lms) 6.1 99.81% 4/4 shodan↗C:4I:225
Scanner · Nuclei · CVE-2023-4220
Exploit · Metasploit · exploits/linux/http/chamilo_bigupload_webshell
Exploit · Exploit-DB · EDB-52083
CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (a:ivanti:endpoint_manager_mobile) 8.8 95.66% 2/4 shodan↗I:225
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2062419 ET WEB_SPECIFIC_APPS Ivanti EPMM Authentication Bypass and R
SIEM · Sigma · web_invanti_epmm_cve_2025_4427_and_cve_2025_4428
Exploit · Metasploit · exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428
CVE-2023-26801 (o:lb-link:bl-ac1900_firmware) 9.8 98.32% 1/4 shodan↗C:476I:225
IDS · Suricata/ET · SID 2048548 ET EXPLOIT LB-Link Command Injection Attempt (CVE-2023-26801
CVE-2024-12847 (o:netgear:dgn1000_firmware) 9.8 98.64% 2/4 shodan↗C:15I:224
IDS · Suricata/ET · SID 2034576 ET EXPLOIT Netgear DGN Remote Code Execution (CVE-2024-12847
Exploit · Metasploit · exploits/linux/http/netgear_dgn1000_setup_unauth_exec
CVE-2022-47986 IBM Aspera Faspex Code Execution Vulnerability (a:ibm:aspera_faspex) 9.8 99.96% 3/4 shodan↗C:1I:222
KEV · CISA · Known Exploited
IDS · Suricata/ET · SID 2057137 ET WEB_SPECIFIC_APPS IBM Aspera Faspex Pre-Auth RCE Attempt
Scanner · Nuclei · CVE-2022-47986
Exploit · Exploit-DB · EDB-51316

Actors

4
malware families
8
attributed CVEs
0
KEV-confirmed techniques
1
detection-confirmed

technique source confidence: kev curated KEV→ATT&CK mapping  ·  det detection rule confirmed  ·  cwe inferred via CWE→CAPEC chain (noisy)

Malware Families

malware families observed exploiting CVEs via ThreatFox IOC tags

Malware FamilyCVEsSample CVEs
Mirai 3 CVE-2021-44228 · CVE-2024-3721 · CVE-2025-55182
Unidentified 001 3 CVE-2011-3230 · CVE-2026-21509 · CVE-2026-21513
Unknown malware 2 CVE-2025-55182 · CVE-2026-1731
BEARDSHELL 2 CVE-2026-21509 · CVE-2026-21514
top ATT&CK techniques — colored by source confidence

Technique Breakdown

top ATT&CK techniques with mapping confidence — kev and det are high-signal; cwe entries are inferred via CWE→CAPEC chain and should be treated as approximate

TechniqueCVEsConfidence
T1574: Services File Permissions Weakness 25,912 det_confirmed
T1550: Web Session Cookie 13,271 cwe_chain
T1134: Token Impersonation/Theft 12,290 cwe_chain
T1539: Steal Web Session Cookie 10,192 cwe_chain
T1083: File and Directory Discovery 9,387 cwe_chain
T1111: Multi-Factor Authentication Interception 7,041 cwe_chain
T1082: System Information Discovery 6,832 cwe_chain
T1592: Gather Victim Host Information 6,832 cwe_chain
T1135: Network Share Discovery 6,794 cwe_chain
T1007: System Service Discovery 6,790 cwe_chain
T1016: System Network Configuration Discovery 6,790 cwe_chain
T1018: Remote System Discovery 6,790 cwe_chain
T1033: System Owner/User Discovery 6,790 cwe_chain
T1046: Network Service Discovery 6,790 cwe_chain
T1049: System Network Connections Discovery 6,790 cwe_chain

Data Completeness

49.0%
CWE coverage
60.4%
CVSS coverage
85.1%
CPE coverage
75.1%
ref coverage
446
total CNAs
377
active CNAs

CNA Leaderboard

CVE Numbering Authorities ranked by data completeness across CWE, CVSS, CPE, and reference fields

CNATotalCWE%CVSS%CPE%Refs%Score
Fidelis Cybersecurity, Inc.13100.0100.0100.0100.0100.0
Cyber Security Works Pvt. Ltd.11100.0100.0100.0100.0100.0
Securifera, Inc.25100.0100.0100.0100.0100.0
VDOO Connected Trust Ltd.11100.0100.0100.0100.0100.0
Silver Peak Systems, Inc.8100.0100.0100.0100.0100.0
Exodus Intelligence37100.0100.0100.097.399.3
Becton, Dickinson and Company (BD)2295.5100.095.595.596.6
Alias Robotics S.L.2986.2100.0100.0100.096.5
IDEMIA785.7100.0100.0100.096.4
Mirantis580.0100.0100.0100.095.0

Publishing Activity

CNA publishing rate compared to their historical baseline — highlights unusual activity

CNA30dBaseline/moDeviationStatusLast Pub
Artica PFMS80.23900.0%surge2026/Apr/13
PaperCut20.11900.0%surge2026/Mar/31
SailPoint Technologies20.11900.0%surge2026/Apr/29
Canonical Ltd.553.81347.4%surge2026/Apr/27
Open-Xchange292.41108.3%surge2026/Apr/22
Sierra Wireless Inc.30999.9%surge2026/Apr/07
runZero120999.9%surge2026/Apr/07
Foxit161.5966.7%surge2026/Apr/27
floragunn GmbH30.3900.0%surge2026/Mar/31
bcorg50.5900.0%surge2026/Apr/15

Research Labs

Vulnerability research teams attributed via CVE reference URLs — CVE count, KEV rate, and average severity per lab.

18
labs tracked
19,868
attributed CVEs
856
KEV among attributed
CrowdStrike
highest KEV rate (94.1%)
CVEs per lab — KEV vs non-KEV
avg CVSS vs KEV rate — bubble size = CVE count

Lab Scorecard

KEV rate = % of lab's CVEs added to CISA's Known Exploited Vulnerabilities catalog — a proxy for weaponization impact

Lab / Team CVEs KEV KEV% Avg CVSS Avg EPSS% Top CVEs by EPSS
Microsoft MSRC 8,307 293 3.5% 7.1 71.55 CVE-2019-0708 · CVE-2019-0604 · CVE-2020-0796 · CVE-2023-44487 · CVE-2020-0688
Zero Day Initiative 4,796 31 0.6% 7.4 63.41 CVE-2020-16846 · CVE-2020-2883 · CVE-2023-27350 · CVE-2016-3088 · CVE-2014-8361
Cisco Talos 2,636 44 1.7% 8.0 58.76 CVE-2017-1000353 · CVE-2019-2725 · CVE-2020-3452 · CVE-2018-11776 · CVE-2024-36401
HackerOne 1,093 5 0.5% 6.2 53.86 CVE-2021-22205 · CVE-2022-2992 · CVE-2021-22204 · CVE-2021-22214 · CVE-2021-22911
Tenable 843 52 6.2% 7.2 71.14 CVE-2018-13379 · CVE-2019-11510 · CVE-2021-22005 · CVE-2021-40438 · CVE-2021-21985
Cisco PSIRT 799 34 4.3% 6.8 44.26 CVE-2023-20198 · CVE-2018-0101 · CVE-2023-20273 · CVE-2024-20419 · CVE-2023-20073
Rapid7 422 98 23.2% 7.3 73.87 CVE-2019-3396 · CVE-2016-10033 · CVE-2023-32315 · CVE-2023-46604 · CVE-2023-40044
Palo Alto Unit 42 267 128 47.9% 8.7 94.0 CVE-2018-1000861 · CVE-2021-22986 · CVE-2022-46169 · CVE-2022-22963 · CVE-2022-44877
Check Point Research 189 38 20.1% 7.7 73.14 CVE-2018-7600 · CVE-2014-0160 · CVE-2021-36260 · CVE-2024-3273 · CVE-2020-7961
Google Project Zero 181 31 17.1% 6.8 65.69 CVE-2017-5753 · CVE-2020-15999 · CVE-2018-14912 · CVE-2017-0037 · CVE-2017-5715
Qualys TRU 64 4 6.2% 7.0 70.36 CVE-2016-10372 · CVE-2021-4034 · CVE-2023-4911 · CVE-2023-38408 · CVE-2025-26466
SentinelOne 61 15 24.6% 8.6 59.24 CVE-2022-1388 · CVE-2023-47246 · CVE-2022-47986 · CVE-2022-37042 · CVE-2024-8963
Google Security 54 3 5.6% 7.2 49.83 CVE-2022-1471 · CVE-2017-14492 · CVE-2016-7255 · CVE-2021-22555 · CVE-2024-38289
Claroty 53 1 1.9% 8.2 43.8 CVE-2023-38950 · CVE-2023-33177 · CVE-2023-38952 · CVE-2023-38951 · CVE-2023-33364
Mandiant 42 39 92.9% 8.4 95.07 CVE-2019-19781 · CVE-2022-1040 · CVE-2024-21887 · CVE-2019-1653 · CVE-2023-46805
CrowdStrike 34 32 94.1% 8.9 96.15 CVE-2021-44529 · CVE-2023-35078 · CVE-2020-14750 · CVE-2023-46747 · CVE-2020-5902
Secureworks 15 5 33.3% 6.8 65.36 CVE-2011-3544 · CVE-2022-21445 · CVE-2010-0738 · CVE-2014-6324 · CVE-2021-4104
IBM X-Force 12 3 25.0% 7.5 79.4 CVE-2016-6277 · CVE-2014-6332 · CVE-2015-2051 · CVE-2016-20016 · CVE-2014-8889

Risk Matrix

1,585
CISA KEV total
1,584
KEV + high EPSS
163,307
high EPSS, no KEV
100,697
CVSS + EPSS agree
120,076
CVSS low, EPSS high

EPSS x CVSS Matrix

| EPSS \ CVSS | Critical (9.0–10.0) | High (7.0–8.9) | Medium (4.0–6.9) | Low (0.1–3.9) | None |
|-------------|------:|------:|------:|------:|------:|
| **Very High (>0.5)** | 18950 | 36274 | 24737 | 584 | 84288 |
| **High (0.1–0.5)** | 9997 | 35476 | 51160 | 2526 | 32678 |
| **Medium (0.01–0.1)** | 1017 | 8294 | 16233 | 1191 | 2932 |
| **Low (≤0.01)** | 57 | 998 | 1919 | 141 | 181 |
| **None** | 8 | 46 | 84 | 1 | 17524 |

Blind Spots

high EPSS, no KEV, no detection

CVETitleCVSSEPSSCWE
CVE-2010-2965(o:rockwellautomation:1756-enbt\/a_firmware)99.80%CWE-863: Incorrect Authorization
CVE-2014-6321(o:microsoft:windows_7)99.79%CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2022-34265(a:djangoproject:django)9.899.77%CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-10173(a:oracle:banking_platform)9.899.76%
CVE-2024-215349.899.76%
CVE-2022-37434(a:netapp:active_iq_unified_manager)9.899.74%CWE-787: Out-of-bounds Write
CVE-2021-40346(a:haproxy:haproxy)7.599.73%CWE-190: Integer Overflow or Wraparound
CVE-2020-14645(a:oracle:weblogic_server)9.899.73%
CVE-2023-2650(a:openssl:openssl)6.599.70%CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2017-7529(a:apple:xcode)7.599.70%

Model Gaps

in CISA KEV but EPSS < 0.1

CVETitleCVSSEPSSDetections
CVE-2023-43000Apple Multiple products Use-After-Free Vulnerability (a:apple:safari)8.85.48%
KEV · CISA · Known Exploited

Vendors

Vendors and products ranked by undetected CVE count — most blind spots first.

Vendors

ranked by CVEs with no detection rule

google 12609 gap · 1.1% det
linux 12503 gap · 2.3% det
microsoft 12162 gap · 12.9% det
oracle 9731 gap · 4.6% det
debian 9648 gap · 4.5% det
apple 8002 gap · 6.3% det
ibm 7829 gap · 3.6% det
adobe 6742 gap · 5.0% det
cisco 6288 gap · 4.1% det
fedoraproject 5255 gap · 3.0% det
redhat 5215 gap · 6.6% det
canonical 3947 gap · 6.3% det
mozilla 3356 gap · 4.4% det
opensuse 3102 gap · 5.1% det
apache 2483 gap · 12.1% det
qualcomm 2417 gap · 1.3% det
netapp 2395 gap · 4.4% det
huawei 2313 gap · 1.1% det
siemens 2076 gap · 3.1% det
hp 2072 gap · 11.1% det
top vendors — CVE count vs detection coverage (%)

Products

products with most undetected CVEs

Vendor Product Total CVEs Detected Gaps Det % KEV
linux linux_kernel 12760 292 12468 2.3% 26
debian debian_linux 9960 448 9512 4.5% 119
google android 8028 62 7966 0.8% 19
fedoraproject fedora 5351 164 5187 3.1% 84
microsoft windows_server_2016 4564 261 4303 5.7% 152
microsoft windows_server_2019 4295 163 4132 3.8% 154
google chrome 3982 64 3918 1.6% 74
canonical ubuntu_linux 4105 266 3839 6.5% 44
apple iphone_os 3944 247 3697 6.3% 92
microsoft windows_server_2012 3784 336 3448 8.9% 155
microsoft windows_server_2008 3554 418 3136 11.8% 148
mozilla firefox 3083 127 2956 4.1% 15
apple mac_os_x 3210 277 2933 8.6% 26
microsoft windows_10 2974 245 2729 8.2% 2
apple macos 2612 11 2601 0.4% 69
microsoft windows_server_2022 2649 68 2581 2.6% 104
microsoft windows_7 2368 364 2004 15.4% 101
microsoft windows_8.1 2216 285 1931 12.9% 95
opensuse leap 1897 57 1840 3.0% 18
microsoft windows_10_22h2 1884 47 1837 2.5% 81
microsoft windows_10_21h2 1886 54 1832 2.9% 96
apple ipados 1827 10 1817 0.5% 79
microsoft windows_10_1809 1888 81 1807 4.3% 149
redhat enterprise_linux_desktop 1928 137 1791 7.1% 56
apple tvos 1959 170 1789 8.7% 37
redhat enterprise_linux_server 1891 131 1760 6.9% 58
microsoft windows_rt_8.1 2020 265 1755 13.1% 87
adobe acrobat_dc 1781 37 1744 2.1% 7
adobe acrobat_reader_dc 1781 37 1744 2.1% 7
redhat enterprise_linux_workstation 1845 132 1713 7.2% 57

About

How Threatbook works, what data it uses, and licensing for each source.

Pipeline

fetch updatebasedata.sh → downloads raw data from ~18 sources daily process processbasedata.py → correlates CVEs across all sources, computes flags + scores export threatbook.json → pre-aggregated JSON (all tabs read from this single file) render kalpi.py + Jinja2 → static HTML, no server-side logic refresh daily 04:00 via systemd → full re-fetch and re-process nightly corpus 347,128 CVEs → NVD 1999–present, all years

Data Sources

Source Used For License Attribution
NVD CVE metadata, CVSS scores, CPE, description Public domain (US Gov) Data from NVD API. Not endorsed by NVD.
CISA KEV Known Exploited Vulnerabilities catalog CC0 (public domain) None required
EPSS Exploitation probability scores (daily) Open (FIRST.org, no formal license) See EPSS at FIRST.org
MITRE ATT&CK Technique mapping, tactic attribution, ATT&CK coverage MITRE royalty-free license © The MITRE Corporation. Used with permission. ATT&CK® is a registered trademark.
MITRE CWE Weakness taxonomy per CVE MITRE royalty-free license © The MITRE Corporation.
MITRE CAPEC Attack pattern chains (CWE→CAPEC→ATT&CK mapping) MITRE royalty-free license © The MITRE Corporation.
ThreatFox (Abuse.ch) Malware family → CVE IOC attribution Fair use (non-commercial) Data from ThreatFox by Abuse.ch
CIRCL CVE sighting counts from passive monitoring CC-BY 4.0 CIRCL — Computer Incident Response Center Luxembourg
Exploit-DB Exploit code availability per CVE GPL-2.0 (repo); site ToS applies Exploit-DB by OffSec
Metasploit Module availability per CVE BSD-3-Clause Metasploit Framework, Rapid7
Sigma Rules SIEM detection rule coverage per CVE Detection Rule License (DRL 1.1) SigmaHQ contributors
Elastic Detection Rules Detection coverage, ATT&CK technique confirmation Elastic License 2.0 Elastic N.V.
Splunk Security Content Detection analytics per CVE Apache 2.0 Splunk Inc.
Microsoft Sentinel Detection rule coverage per CVE MIT Microsoft Corporation
Nuclei Templates Scanner template availability per CVE MIT ProjectDiscovery, Inc.
VulnCheck KEV Extended KEV catalog with additional exploited CVEs Community license — attribution required VulnCheck Known Exploited Vulnerabilities data is provided by VulnCheck and used here under their community license.
HackerOne Public bug bounty disclosure rankings Proprietary (public disclosures only) HackerOne
Shodan Internet exposure search links per CVE Proprietary (personal account) Shodan data is not redistributed here. Links go directly to Shodan search.

Notes

Shodan ToS prohibits redistribution of data. Exposure tab links to Shodan's search UI per CVE — no host counts are stored or displayed. VulnCheck KEV This product uses VulnCheck Known Exploited Vulnerabilities data, provided by VulnCheck and available at vulncheck.com/kev. MITRE ATT&CK ATT&CK® is a registered trademark of The MITRE Corporation. Technique mappings come from three sources: curated KEV→ATT&CK, detection rule attribution, and CWE→CAPEC→ATT&CK inference. CWE-chain mappings are approximate. ThreatFox Used under Abuse.ch fair-use terms for non-commercial purposes. Labs tab Lab attribution is inferred from CVE reference URLs — reflects where disclosures were published, not necessarily who discovered the vulnerability.

Tabs

TabWhat it shows
PulseOverview KPIs, CVE volume trend, KEV additions by month, CVSS vs EPSS risk scatter
GapsCVEs with no detection coverage across any source
CoverageDetection source breakdown — how many CVEs are covered by each tool
ExploitCVEs with public exploit code (EDB, Metasploit, Nuclei, GitHub PoC)
ATT&CKMITRE ATT&CK tactic/technique coverage and gap analysis
IntelThreat intelligence signals: EPSS movers, zero-days, recent KEV
ExposureCVEs with active internet presence (CIRCL sightings, ThreatFox IOCs, ITW exploits) — ranked by composite risk score
ActorsMalware family → CVE attribution (ThreatFox) and ATT&CK technique mapping
CompletenessCNA data quality ranking — coverage of CVSS, CWE, CPE, and references per CVE numbering authority
LabsResearch team attribution from CVE reference URLs — CVE volume, KEV rate, and avg severity per lab
RiskEPSS × CVSS risk matrix, blind spots (high EPSS, no KEV, no detection), and model gaps (KEV with low EPSS)
VendorsVendor and product CVE coverage — ranked by undetected CVE count, with detection percentage and KEV exposure
AboutThis page — pipeline, data sources, licenses