About this page: All 372 CVEs analysed by PatchNow since inception.
The main page and RSS show only T1190 (internet-facing) vulnerabilities within the KEV timeline window.
CVE-2025-48595 is an integer overflow vulnerability in Android that allows local privilege escalation without user interaction. While listed in CISA KEV indicating active exploitation, this is a client-side mobile OS vulnerability not typically deployed as an internet-facing service.
A compromised version of the Nx Console VS Code extension contained embedded malicious code. This is a supply chain attack targeting developer workstations, not internet-facing servers.
Trend Micro Apex One, Trend Micro Apex One as a Service
A directory traversal vulnerability in Trend Micro Apex One on-premise servers allows pre-authenticated local attackers with administrative credentials to inject malicious code for deployment to agents. This requires local access to the server and existing admin credentials, making it a privilege escalation rather than an initial access vector.
Critical privilege escalation vulnerability in LiteSpeed cPanel/WHM plugins allowing attackers to potentially gain root access via network exploitation. This vulnerability is actively exploited in the wild and affects widely deployed web hosting control panel systems.
Critical unauthenticated SQL injection vulnerability in Drupal core affecting installations using PostgreSQL databases. Allows direct remote exploitation of internet-facing Drupal websites for full database access and potential remote code execution.
Microsoft Defender, Windows Defender, Microsoft Malware Protection Engine
CVE-2026-41091 is a local privilege escalation vulnerability in Microsoft Malware Protection Engine affecting Windows Defender. The vulnerability requires local access and existing low-level privileges to exploit, making it unsuitable for direct internet exploitation despite being in CISA KEV.
CVE-2026-45498 is a denial of service vulnerability in Microsoft Defender Antimalware Platform with local attack vector (CVSS AV:L). Despite being on CISA KEV, this is likely being exploited as part of ransomware attacks to disable endpoint protection rather than for initial access.
CVE-2026-8398 is a supply chain attack that compromised DAEMON Tools Lite installation packages with embedded malicious code. This is not a traditional network vulnerability but rather a software integrity issue requiring user download and installation of trojanized software.
Exchange Server, Exchange Server Subscription Edition
CVE-2026-42897 is a cross-site scripting vulnerability in Microsoft Exchange Server that enables spoofing attacks. This vulnerability is actively exploited in the wild and affects widely deployed internet-facing email servers through crafted network requests.
Critical authentication bypass in Cisco Catalyst SD-WAN Manager allows unauthenticated remote attackers to gain administrative privileges through crafted requests. This vulnerability is actively being exploited in the wild and is listed in CISA's KEV catalog.
Authentication bypass vulnerability in GlobalProtect portal/gateway components of Palo Alto Networks PAN-OS allows remote attackers to establish unauthorized VPN connections. Active exploitation confirmed with public PoC available.
This is a supply chain compromise where malicious versions of npm packages were published, not a vulnerability in internet-facing applications. The threat is to development environments and CI/CD pipelines that download these packages, not to production servers.
Critical SQL injection vulnerability in LiteLLM proxy server allowing unauthenticated attackers to read/modify database contents including API keys and credentials. Actively exploited within 36 hours of disclosure and added to CISA KEV catalog.
CVE-2026-6973 is an OS command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows authenticated administrators to achieve remote code execution. EPMM is typically deployed as an internet-facing mobile device management server, making this a direct network exploitation risk.
Critical unauthenticated buffer overflow vulnerability in Palo Alto PAN-OS User-ID Authentication Portal allowing remote code execution with root privileges. Already under active exploitation in the wild against internet-facing firewalls.
Critical authentication bypass vulnerability in cPanel and WHM control panels allowing unauthenticated remote attackers to gain unauthorized access. These web hosting management platforms are almost universally internet-facing by design and widely exploited in the wild.
CVE-2026-31431 is a Linux kernel vulnerability in the crypto subsystem (algif_aead) that requires local access to exploit. Despite being in CISA KEV due to active exploitation, this is a privilege escalation vulnerability that cannot be directly exploited over the internet.
SharePoint Server, SharePoint Server Subscription Edition, SharePoint Enterprise Server
SharePoint Server spoofing vulnerability allowing unauthorized attackers to exploit via network access without authentication or user interaction. Listed in CISA KEV indicating active exploitation.
This is a local privilege escalation vulnerability in Microsoft Defender Antimalware Platform that requires existing local access to the system. Despite being high severity and in CISA KEV, it cannot be exploited directly over the internet as it's an endpoint security tool, not a public-facing service.
Windows Shell spoofing vulnerability affecting client Windows systems that requires user interaction (UI:R in CVSS). Despite its network attack vector, this is primarily a client-side vulnerability requiring user interaction rather than direct server exploitation.
Adobe Acrobat Reader is affected by a prototype pollution vulnerability that enables arbitrary code execution. Exploitation requires a user to open a malicious PDF file, making this a client-side attack rather than server exploitation.
Marimo Python notebook server has a critical pre-authentication RCE vulnerability allowing unauthenticated attackers to execute arbitrary system commands via an unprotected terminal WebSocket endpoint. This vulnerability is actively exploited in the wild and was added to the CISA KEV catalog after being exploited within 10 hours of disclosure.
Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All
Critical remote code execution vulnerability in Apache ActiveMQ through the Jolokia JMX-HTTP bridge exposed on web console. Authenticated attackers can exploit crafted discovery URIs to trigger remote Spring XML loading, leading to arbitrary code execution via bean factory methods.
CVE-2026-5281 is a use-after-free vulnerability in Google Chrome's Dawn component that allows arbitrary code execution via crafted HTML pages. While actively exploited in the wild, this affects client-side browser software, not internet-facing servers, making it a phishing/social engineering attack vector rather than direct internet exploitation.
TrueConf Client fails to verify update integrity, allowing attackers who can intercept the update delivery path to inject malicious code. This requires network positioning and user-initiated update actions, making direct internet exploitation unlikely.
CVE-2026-33634 represents a supply chain compromise where malicious code was embedded in security tools (Trivy, LiteLLM) and GitHub Actions. While technically network-exploitable, this is not a direct internet-facing application vulnerability but rather requires victims to download and execute compromised packages.
Critical memory overread vulnerability in NetScaler ADC and Gateway when configured as SAML IDP. Actively exploited in the wild with CISA KEV listing, directly exploitable over the network without authentication.
Critical unauthenticated remote code execution vulnerability in Langflow AI platform via public flow build endpoint. Attackers can execute arbitrary Python code without authentication, leading to complete system compromise.
CVE-2026-3910 is a Chrome V8 engine vulnerability that allows remote code execution via malicious HTML pages. While actively exploited, this requires user interaction and targets client browsers, not internet-facing servers.
CVE-2026-3909 is an out-of-bounds write vulnerability in Google Chrome's Skia component that requires user interaction (visiting a crafted HTML page). While actively exploited and severe for end-users, it does not affect internet-facing server applications and requires social engineering or phishing for exploitation.
Critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center web interface allows unauthenticated remote code execution as root. Already exploited in the wild by Interlock ransomware group since January 2026.
CVE-2026-21385 is an integer overflow vulnerability in Qualcomm Snapdragon graphics processing causing memory corruption. While listed in CISA KEV indicating active exploitation, this affects primarily mobile devices, automotive systems, and embedded IoT platforms rather than internet-facing servers.
CVE-2026-20122 is a critical arbitrary file overwrite vulnerability in Cisco Catalyst SD-WAN Manager's API that allows authenticated attackers to gain elevated privileges. This vulnerability is actively exploited in the wild and listed in CISA's KEV catalog.
Critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Manager allowing unauthenticated remote attackers to gain administrative privileges. CISA has issued Emergency Directive ED 26-03 due to active exploitation in the wild.
CVE-2026-20128 is an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager that exposes DCA user credentials in a readable file. The CVSS shows LOCAL attack vector, requiring high privileges and high complexity, making direct internet exploitation unlikely despite CISA KEV listing.
CVE-2026-20133 is an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager that allows unauthenticated, remote attackers to view sensitive information by accessing the API. SD-WAN Manager is typically deployed as an internet-facing centralized management platform.
Dell RecoverPoint for VMs contains hardcoded credentials allowing unauthenticated remote attackers to gain root-level access to the underlying OS. This critical vulnerability is under active exploitation in the wild.
CVE-2026-2441 is a use-after-free vulnerability in Chrome's CSS processing that allows remote code execution via malicious HTML pages. Despite active exploitation, this affects client-side browser software, not internet-facing servers, requiring user interaction to visit malicious websites.
FileZen contains an OS command injection vulnerability allowing authenticated users to execute arbitrary OS commands via specially crafted HTTP requests when the Antivirus Check Option is enabled. This is a critical server-side vulnerability in a file sharing platform commonly deployed as internet-facing infrastructure.
Memory corruption vulnerability in Apple operating systems that allows arbitrary code execution with memory write capability. Despite being in CISA KEV due to active exploitation, this affects client-side operating systems that are rarely deployed as internet-facing servers.
CVE-2026-21525 is a null pointer dereference vulnerability in Windows Remote Access Connection Manager that allows local denial of service attacks. Despite being in CISA KEV, the CVSS attack vector is LOCAL, making it unsuitable for direct internet exploitation.
Microsoft 365 Apps for Enterprise, Microsoft Office LTSC, Microsoft Office LTSC for Mac
Security feature bypass vulnerability in Microsoft Word that allows attackers to bypass security protections when users open malicious documents. Requires local access and user interaction, making it unsuitable for direct internet exploitation despite being in CISA KEV.
Windows, Windows Server 2012/2012 R2, Windows Server
Windows Shell security feature bypass vulnerability with high CVSS score but requires user interaction. Affects primarily client systems with minimal internet-facing deployment likelihood.
Windows, Windows Server, Windows Server 2012/2012 R2
MSHTML Framework security feature bypass vulnerability requiring user interaction. While CVSS shows a network attack vector, MSHTML is a client-side HTML rendering engine used in browsers and applications, not an internet-facing server service.
Windows Remote Desktop Services privilege escalation vulnerability affecting multiple Windows versions. Allows authorized attackers to elevate privileges locally, potentially leading to full system compromise on RDP-enabled systems. Listed in CISA KEV indicating active exploitation.
This is a local privilege escalation vulnerability in the Windows Desktop Window Manager (DWM) that requires local authentication and user interaction. While it affects both client and server Windows systems, it cannot be directly exploited over the internet as it requires local access to the system.
CVE-2026-1603 is an authentication bypass vulnerability in Ivanti Endpoint Manager that allows remote unauthenticated attackers to leak stored credential data. This vulnerability is actively exploited according to CISA KEV listing and can be directly exploited against internet-facing EPM instances.
Critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access allowing unauthenticated attackers to execute OS commands via specially crafted requests. Active exploitation confirmed with CISA KEV listing.
Critical unauthenticated SQL injection vulnerability in Fortinet FortiClient EMS 7.4.4 allows remote code execution via HTTP requests. This vulnerability is actively being exploited in the wild and has been added to CISA's KEV catalog.
Notepad++ WinGUp updater lacks cryptographic verification of updates, allowing man-in-the-middle attacks to deliver malicious installers. This is a client application vulnerability requiring user interaction (running the updater) and is not directly exploitable against internet-facing services.
Critical code injection vulnerability in Ivanti Endpoint Manager Mobile allowing unauthenticated remote code execution via network exploitation. This vulnerability is actively being exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities catalog.
Critical code injection vulnerability in Ivanti Endpoint Manager Mobile allowing unauthenticated remote code execution. This vulnerability is actively exploited in zero-day attacks and listed on CISA's KEV catalog.
Critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk via untrusted data deserialization. Actively exploited in the wild with no authentication required.
CVE-2025-40536 is a security control bypass vulnerability in SolarWinds Web Help Desk that allows unauthenticated attackers to gain access to restricted functionality. This vulnerability is being actively exploited in the wild against internet-facing WHD instances for initial access and lateral movement.
Authentication bypass vulnerability in Fortinet FortiOS, FortiAnalyzer, and FortiManager allowing attackers with FortiCloud accounts to access other organizations' devices when FortiCloud SSO is enabled. CISA KEV listing indicates active exploitation in the wild.
Microsoft 365 Apps for Enterprise, Microsoft Office, Microsoft Office LTSC
CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office applications that requires local access and user interaction (AV:L/UI:R). Despite being in CISA KEV, it primarily affects client-side Office applications through malicious documents rather than internet-facing servers.
Critical unauthenticated remote code execution vulnerability in SmarterMail servers through the ConnectToHub API method. Attackers can execute arbitrary OS commands by pointing the server to a malicious HTTP server, with active exploitation confirmed by CISA KEV listing.
Critical authentication bypass vulnerability in SmarterMail email server allowing complete administrative takeover via password reset API. Over 6,000 vulnerable instances are internet-facing with active exploitation confirmed by CISA KEV listing.
Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Communications Manager IM and Presence Service
Critical remote code execution vulnerability in Cisco Unified Communications products allowing unauthenticated attackers to execute arbitrary commands via crafted HTTP requests to web management interfaces. Cisco confirms active exploitation attempts in the wild with potential for privilege escalation to root access.
Critical authentication bypass vulnerability in GNU InetUtils telnetd allows remote attackers to gain root access without credentials via malformed USER environment variable. Over 800,000 telnet servers are exposed on the internet with active exploitation observed in the wild.
SharePoint Server, SharePoint Server Subscription Edition
CVE-2026-20963 is a critical deserialization vulnerability in Microsoft SharePoint Server that allows remote code execution for authorized attackers over the network. This vulnerability is actively exploited by nation-state actors and is listed in CISA's KEV catalog, targeting internet-facing SharePoint deployments.
CVE-2026-20805 is a local information disclosure vulnerability in the Windows Desktop Window Manager (DWM) that requires local access and authentication. Despite being in CISA KEV, this is not directly internet exploitable as it affects client-side Windows desktop components.
CVE-2025-66376 is a stored XSS vulnerability in Zimbra Collaboration's Classic UI that allows remote attackers to execute malicious scripts via CSS @import directives in HTML emails. This vulnerability affects internet-facing email servers and has been actively exploited by Russian APT groups.
Critical unauthenticated file upload vulnerability in SmarterMail email servers allowing arbitrary file upload to any server location, leading to remote code execution. Active exploitation is occurring in the wild against internet-facing mail servers.
Local File Inclusion vulnerability in Zimbra Collaboration webmail allows unauthenticated remote attackers to include arbitrary files via crafted requests to /h/rest endpoint. Zimbra is commonly deployed as internet-facing email server infrastructure.
Critical Remote Code Execution vulnerability in n8n workflow automation platform allowing authenticated users to execute arbitrary code through expression injection. n8n is commonly deployed as an internet-facing service for workflow automation and API integrations.
Critical memory disclosure vulnerability in MongoDB Server allowing unauthenticated remote attackers to read heap memory through malformed Zlib compressed protocol headers. CISA has added this to the KEV catalog due to confirmed active exploitation in the wild.
Critical out-of-bounds write vulnerability in WatchGuard Fireware OS affecting IKEv2 VPN services. Remote unauthenticated attackers can execute arbitrary code on internet-facing firewall systems through direct network exploitation.
CVE-2025-40602 is a local privilege escalation vulnerability in SonicWall SMA1000 appliances that is being actively exploited in the wild when chained with CVE-2025-23006. CISA has added this to the KEV catalog due to confirmed exploitation.
CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail that allows attackers to execute malicious JavaScript via SVG animate tags. This directly affects internet-facing webmail servers and can lead to email account takeover without user credentials.
CVE-2025-43529 is a use-after-free vulnerability in WebKit that affects client applications (Safari browser, iOS/iPadOS, tvOS, visionOS) when processing malicious web content. While actively exploited and on CISA KEV, this requires user interaction to visit malicious websites rather than direct exploitation of internet-facing servers.
Cisco Secure Email Gateway, Cisco Secure Email and Web Manager
Critical remote command execution vulnerability in Cisco Secure Email Gateway and Manager appliances with CVSS 10.0 score requiring no authentication or user interaction. CISA has added this to their KEV catalog due to active exploitation in the wild targeting these internet-facing email security appliances.
CVE-2025-59374 affects ASUS Live Update, a client-side software utility that was compromised through a supply chain attack with embedded malicious code. While it has a network attack vector and is in CISA KEV, it's a client application not typically internet-facing.
CVE-2025-37164 is a critical unauthenticated remote code execution vulnerability in HPE OneView with a perfect CVSS score of 10.0. CISA has added this to their KEV catalog due to active exploitation in the wild, and a Metasploit module exists for exploitation.
Gladinet CentreStack and TrioFox use hardcoded AES keys enabling unauthenticated arbitrary local file inclusion on public-facing endpoints. This vulnerability is actively exploited and listed in CISA's KEV catalog.
CVE-2025-43510 is a memory corruption vulnerability in Apple's consumer operating systems that allows a malicious application to cause unexpected changes in shared memory. This requires local access and user interaction to install a malicious app, making it unsuitable for direct internet exploitation despite being actively exploited in the wild.
CVE-2025-43520 is a memory corruption vulnerability in Apple operating systems that allows malicious applications to cause system termination or write kernel memory. This is a local privilege escalation vulnerability requiring a malicious application to already be running on the device.
CVE-2025-14174 is an out-of-bounds memory access vulnerability in Google Chrome that requires user interaction with a crafted HTML page. While actively exploited and in CISA KEV, it affects client-side browser software, not internet-facing servers.
Critical RCE vulnerability in Gogs Git service allows authenticated users to achieve remote code execution via symbolic link bypass in the PutContents API. Over 700 internet-facing instances have been compromised with active exploitation ongoing.
A use-after-free vulnerability in Windows Cloud Files Mini Filter Driver allows local privilege escalation. Despite being in CISA KEV indicating active exploitation, this requires local authenticated access and cannot be exploited directly from the internet.
Critical SAML authentication bypass vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allowing unauthenticated attackers to bypass FortiCloud SSO login authentication via crafted SAML response messages. CISA has confirmed active exploitation of this vulnerability.
A local privilege escalation vulnerability in Android's DevicePolicyManagerService allows adding a Device Owner after provisioning. This is a mobile OS vulnerability requiring local access and cannot be exploited over the internet despite being in CISA KEV.
This is a local privilege escalation vulnerability in Android that allows launching activities from the background due to a permissions bypass. While highly impactful on mobile devices and actively exploited according to CISA KEV, it cannot be exploited over the internet as it requires local access to the Android device.
Critical CORS misconfiguration in Langflow AI framework allows account takeover and remote code execution through cross-origin token hijacking. Affects internet-facing Langflow deployments up to version 1.6.9, with active exploitation observed in the wild.
Critical OS command injection vulnerability in Array Networks ArrayOS AG VPN appliances affecting versions before 9.4.5.9. Active exploitation confirmed in the wild from August to December 2025, with attackers deploying webshells for persistent access.
React Server Components, Next.js applications with App Router and Server Actions, react-server-dom-webpack (+2 more)
Critical pre-authentication remote code execution vulnerability in React Server Components allowing arbitrary code execution through unsafe deserialization of HTTP requests. Multiple threat actors are actively exploiting this vulnerability against internet-facing React applications.
GeoServer has an unauthenticated XML External Entity (XXE) vulnerability in the WMS GetMap feature that can be exploited directly over the network. CISA has confirmed active exploitation in the wild.
OS command injection vulnerability in Fortinet FortiWeb allowing authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. FortiWeb is a web application firewall that is almost universally deployed as an internet-facing service to protect web applications.
CVE-2025-13223 is a type confusion vulnerability in Chrome's V8 engine exploited via crafted HTML pages. While actively exploited in the wild, it requires user interaction to visit malicious websites, making it primarily a client-side phishing attack rather than direct server exploitation.
Critical path traversal vulnerability in Fortinet FortiWeb web application firewalls allows remote execution of administrative commands via crafted HTTP/HTTPS requests. Active exploitation is occurring in the wild with attackers creating administrative accounts for persistent access.
CVE-2025-62215 is a Windows kernel race condition vulnerability that allows local privilege escalation. While it affects Windows Server products, the CVSS attack vector is LOCAL (AV:L) requiring existing system access, making it unsuitable for direct internet exploitation.
Windows Server, Windows 11 Version 24H2, Windows 11 Version 25H2
CVE-2025-60710 is a local privilege escalation vulnerability in the Host Process for Windows Tasks component affecting Windows 11 and Windows Server 2025. The vulnerability requires local authenticated access and exploits improper link resolution to elevate privileges.
CVE-2025-12480 is a critical authentication bypass vulnerability in TrioFox file sharing platforms that allows unauthenticated attackers to access administrative setup pages. The vulnerability is being actively exploited in the wild and has been added to CISA's KEV catalog.
FreePBX Administration GUI contains an authenticated OS command injection vulnerability that allows attackers to execute arbitrary commands on the system. This vulnerability is actively exploited in the wild and listed in the CISA KEV catalog.
CVE-2023-43000 is a use-after-free vulnerability in WebKit that affects client-side applications (Safari, iOS/iPadOS browsers, macOS Safari). Despite evidence of active exploitation, this requires user interaction to visit malicious websites and does not qualify as direct internet exploitation of public-facing applications.
React Native Metro Development Server, React Native Community CLI
Critical OS command injection vulnerability in React Native Metro Development Server that binds to external interfaces by default. Allows unauthenticated remote attackers to execute arbitrary commands via HTTP POST requests.
Critical pre-authentication remote code execution vulnerability in Oracle Identity Manager REST WebServices component. Allows complete system takeover via unauthenticated HTTP requests with CISA-confirmed active exploitation.
Motex Lanscope Endpoint Manager On-Premises v9.4.7.1 and earlier
Critical vulnerability in Motex Lanscope Endpoint Manager allowing remote code execution through improper verification of incoming network requests. Active exploitation confirmed with CISA KEV listing.
Critical remote code execution vulnerability in F5 BIG-IP APM that can be exploited via network traffic without authentication. BIG-IP systems are commonly deployed as internet-facing load balancers and application delivery controllers.
Critical deserialization vulnerability in Windows Server Update Services (WSUS) allows unauthenticated remote code execution over the network. WSUS servers are commonly deployed as centralized internet-facing infrastructure for managing Windows updates in enterprise environments.
CVE-2025-59230 is a local privilege escalation vulnerability in Windows Remote Access Connection Manager with improper access control (CWE-284). The CVSS vector shows AV:L (Local attack vector) requiring an authorized attacker to be locally authenticated, making this not directly exploitable over the internet.
Windows, Windows Server 2008 SP2, Windows Server 2008 R2 SP1 (+2 more)
CVE-2025-24990 is a local privilege escalation vulnerability in the Agere Modem driver affecting multiple Windows versions. Despite being listed in CISA KEV, this is a local vulnerability requiring existing system access and is not directly exploitable over the internet.
CVE-2025-61884 is a high-severity vulnerability in Oracle E-Business Suite Configurator that allows unauthenticated remote attackers to access critical data via HTTP. The vulnerability has been actively exploited in the wild and added to CISA's KEV catalog.
CVE-2025-11371 is an unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and TrioFox file-sharing platforms. This zero-day vulnerability has been actively exploited in the wild and allows attackers to access system files without authentication.
Critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite Concurrent Processing component accessible via HTTP. Actively exploited by Cl0p ransomware group for data theft attacks with complete system takeover potential.
VMware Tools, VMware Aria Operations, VMware Cloud Foundation (+3 more)
CVE-2025-41244 is a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. Despite being listed in CISA KEV, it requires local access to a VM with VMware Tools installed and is not directly exploitable over the internet.
CVE-2025-20362 is a missing authorization vulnerability in Cisco ASA and FTD VPN web servers that allows unauthenticated remote attackers to access restricted URL endpoints. The vulnerability is being actively exploited in the wild and affects internet-facing firewall appliances.
CVE-2025-20333 is a critical buffer overflow vulnerability in the VPN web server component of Cisco ASA and Firepower Threat Defense Software that allows authenticated remote attackers to execute arbitrary code as root. This vulnerability is actively being exploited in the wild and affects internet-facing VPN appliances that are commonly deployed with public internet access.
Critical SNMP stack overflow vulnerability in Cisco IOS/IOS XE that allows remote code execution with high privileges or denial of service with low privileges. Actively exploited in the wild against network infrastructure devices commonly exposed to the internet.
CVE-2025-10585 is a type confusion vulnerability in Chrome's V8 engine that allows remote code execution via crafted HTML pages. While actively exploited as a zero-day, it requires user interaction to visit malicious websites, making it a client-side attack rather than direct server exploitation.
Critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk affecting the AjaxProxy component. This is a bypass of previous patches and allows direct exploitation over the internet without authentication.
Critical unauthenticated remote code execution vulnerability in CentOS Web Panel through OS command injection in the filemanager module. Actively exploited in the wild with public PoC exploits and Metasploit modules available.
Critical command injection vulnerability in Libraesva Email Security Gateway allowing remote code execution via malicious compressed email attachments. This vulnerability is actively exploited in the wild and affects internet-facing email security appliances.
CVE-2025-10035 is a critical deserialization vulnerability in Fortra GoAnywhere MFT's License Servlet that allows unauthenticated remote code execution. This vulnerability has been actively exploited as a zero-day and affects internet-facing managed file transfer servers.
Critical out-of-bounds write vulnerability in WatchGuard Fireware OS affecting IKEv2 VPN services that allows unauthenticated remote code execution. This is actively exploited in the wild according to CISA KEV and affects security appliances that are inherently internet-facing by design.
CVE-2025-21043 is an out-of-bounds write vulnerability in Samsung Android devices' image codec library that requires user interaction for exploitation. While actively exploited as a zero-day, it affects client devices rather than internet-facing servers.
CVE-2025-21042 is an out-of-bounds write vulnerability in Samsung mobile devices' image processing library that requires user interaction with malicious DNG image files. While actively exploited via messaging apps like WhatsApp, it targets client devices rather than internet-facing servers.
Adobe Commerce 2.4.4-p15 and earlier, Magento Open Source
CVE-2025-54236 is a critical improper input validation vulnerability in Adobe Commerce (Magento) that enables session takeover and potentially remote code execution without user interaction. This vulnerability is being actively exploited in the wild against internet-facing e-commerce platforms.
This is a local privilege escalation vulnerability in Android's Chrome sandbox that allows an attacker to escape the sandbox and attack the system_server. While it has high impact and is actively exploited, it requires local access to the device and does not affect internet-facing services.
Sitecore Experience Manager to, Sitecore Experience Platform to
Critical ViewState deserialization vulnerability in Sitecore Experience Manager/Platform allowing remote code execution. Actively exploited in the wild since December 2024, affecting internet-facing Sitecore deployments using default sample machine keys.
TP-Link Systems Inc. Archer C7 V2, TP-Link Systems Inc. TL-WR841N/ND V9
CVE-2025-9377 is an authenticated remote command execution vulnerability in TP-Link router web interfaces that allows network-based exploitation of internet-facing devices. CISA has confirmed active exploitation and added it to the KEV catalog.
WhatsApp Desktop for Mac, WhatsApp Business for iOS, WhatsApp for iOS
CVE-2025-55177 affects WhatsApp client applications on iOS and macOS, allowing unauthorized processing of content from arbitrary URLs through crafted synchronization messages. While it has network attack vector and active exploitation evidence, it targets client applications rather than internet-facing servers.
FreePBX security-reporting module contains an authentication bypass vulnerability leading to SQL injection and RCE. This web-based PBX management interface is commonly exposed to the internet for remote administration and has been actively exploited since August 2025.
Critical memory overflow vulnerability in NetScaler ADC and Gateway allowing unauthenticated remote code execution. Active zero-day exploitation confirmed against internet-facing appliances with CISA KEV listing.
CVE-2025-43300 is an out-of-bounds write vulnerability in Apple's Image I/O framework affecting macOS, iOS, and iPadOS that requires user interaction to process a malicious image file. While actively exploited as a zero-day, it primarily affects client-side operating systems rather than internet-facing server applications.
Critical deserialization vulnerability in N-able N-central allows remote code execution with low privileges over network. This is actively exploited according to CISA KEV listing. N-central is commonly deployed as an internet-facing server for MSP remote management services.
CVE-2025-8876 is a critical OS command injection vulnerability in N-able N-central RMM platform that allows authenticated attackers to execute arbitrary commands. CISA has confirmed active exploitation in the wild, and the vulnerability affects internet-facing management platforms used by MSPs.
CVE-2025-8088 is a path traversal vulnerability in WinRAR that allows arbitrary code execution through malicious archive files. This requires user interaction to open/extract crafted archives and is not directly exploitable over the internet against public-facing services.
Adobe Experience Manager Forms on JEE versions 6.5.23 and earlier
Critical misconfiguration vulnerability in Adobe Experience Manager Forms on JEE allowing pre-authentication remote code execution via OGNL injection. The vulnerability requires no user interaction and can be exploited directly over the network against internet-facing AEM instances.
CVE-2025-54948 is a critical OS command injection vulnerability in Trend Micro Apex One on-premise management console that allows pre-authenticated remote attackers to upload malicious code and execute arbitrary commands. CISA has added this vulnerability to the KEV catalog due to active exploitation in the wild.
Critical missing authorization vulnerability in DELMIA Apriso manufacturing execution system allows unauthenticated attackers to gain privileged access over the network. CISA notes that active exploitation is occurring in the wild.
Code injection vulnerability in Dassault Systèmes DELMIA Apriso manufacturing operations management platform allows arbitrary code execution. Requires high privileges but exploitable over network without user interaction.
Memory corruption vulnerability in Apple WebKit affecting Safari and other Apple client devices when processing malicious web content. This is a client-side vulnerability requiring user interaction to visit a malicious website, not exploitation of internet-facing servers.
CVE-2025-38352 is a race condition vulnerability in the Linux kernel's POSIX CPU timer subsystem that affects timer handling during process exit. This is a local privilege escalation vulnerability requiring existing system access to exploit, despite being actively exploited according to CISA KEV listing.
Microsoft SharePoint Enterprise Server, Microsoft SharePoint Server, Microsoft SharePoint Server Subscription Edition
Critical deserialization vulnerability in on-premises SharePoint Server allowing unauthenticated remote code execution over the network. Actively exploited in the wild with public exploits available.
eslint-config-prettier, Node.js development environments
The eslint-config-prettier package was compromised with embedded malicious code that executes during installation. This is a supply chain attack that affects development environments rather than production internet-facing servers.
Critical vulnerability in CrushFTP file transfer server allows remote attackers to obtain admin access via HTTPS through mishandled AS2 validation. Actively exploited in the wild with large numbers of internet-facing instances vulnerable.
Livewire for Laravel, Laravel Web Applications using Livewire
Livewire v3 contains a critical remote command execution vulnerability during property update hydration that requires no authentication or user interaction. The vulnerability allows unauthenticated attackers to achieve RCE against web applications built with this Laravel framework component.
Critical SQL injection vulnerability in Fortinet FortiWeb WAF allowing unauthenticated attackers to execute arbitrary SQL and code via crafted HTTP/HTTPS requests. CISA has confirmed active exploitation in the wild with public PoC available.
Cisco Identity Services Engine Software, Cisco ISE Passive Identity Connector
Critical unauthenticated remote code execution vulnerability in Cisco ISE API that allows attackers to execute arbitrary code as root. The vulnerability is actively exploited in the wild and requires no authentication or user interaction.
CVE-2025-6558 is a Google Chrome vulnerability allowing sandbox escape via crafted HTML pages. While actively exploited and on CISA KEV, it requires user interaction to visit malicious websites, making it unsuitable for T1190 direct network exploitation.
Critical RCE vulnerability in Wing FTP Server allowing arbitrary Lua code injection through null byte mishandling in web interfaces. Exploitable remotely without authentication, including via anonymous FTP accounts, leading to total server compromise.
CVE-2025-47813 is an information disclosure vulnerability in Wing FTP Server that reveals the full local installation path through error messages when a long UID cookie value is used. While Wing FTP Server is commonly deployed as internet-facing infrastructure, this vulnerability only leaks path information and does not provide direct system compromise capabilities.
Git vulnerability allowing arbitrary code execution through malicious repositories with crafted submodule paths. Requires user interaction (git clone --recursive) and primarily affects client-side Git operations rather than internet-facing server applications.
Microsoft SharePoint Enterprise Server, Microsoft SharePoint Server, Microsoft SharePoint Server Subscription Edition
CVE-2025-49706 is an improper authentication vulnerability in Microsoft SharePoint Server that allows network-based spoofing attacks without authentication. The vulnerability is actively exploited in the wild and enables attackers to bypass authentication by manipulating HTTP headers.
Microsoft SharePoint Enterprise Server, Microsoft SharePoint Server
CVE-2025-49704 is a critical code injection vulnerability in Microsoft SharePoint that allows remote code execution over the network with only low-privilege authentication required. SharePoint servers are commonly deployed as internet-facing enterprise applications, making this vulnerability highly exploitable via T1190.
CVE-2025-6554 is a type confusion vulnerability in Google Chrome's V8 JavaScript engine that allows arbitrary read/write via crafted HTML pages. While actively exploited and on CISA KEV, it requires user interaction and affects client-side browser software, not internet-facing server applications.
CVE-2025-32463 is a local privilege escalation vulnerability in Sudo that allows local users to gain root access via the --chroot option. While Sudo is ubiquitous on Linux systems, this is a LOCAL attack vector requiring existing user access to the system.
Critical unauthenticated remote code execution vulnerability in Cisco ISE API that allows attackers to execute arbitrary code as root via crafted API requests. Actively exploited in the wild with CVSS 10.0 severity.
Critical memory overflow vulnerability in NetScaler ADC and Gateway that allows remote network exploitation leading to denial of service and potential code execution. The vulnerability is actively exploited in the wild as a zero-day since May 2025.
Quest KACE Systems Management Appliance contains an authentication bypass vulnerability allowing attackers to impersonate legitimate users and gain complete administrative control without valid credentials. This is a critical CVSS 10.0 vulnerability with active exploitation confirmed by CISA KEV listing.
CVE-2025-48700 is a Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite that executes JavaScript in users' email sessions when viewing crafted emails. While Zimbra is widely deployed as an internet-facing email server, this XSS vulnerability compromises user sessions rather than the server itself, making it unsuitable for T1190 direct server exploitation.
CVE-2025-6218 is a directory traversal vulnerability in RARLAB WinRAR that allows remote code execution when a user opens a malicious archive file. Despite being on CISA KEV, this is a client-side vulnerability requiring user interaction and does not affect internet-facing services.
Critical memory overread vulnerability in NetScaler ADC/Gateway allowing unauthenticated remote attackers to read sensitive memory contents including session tokens. Actively exploited in the wild with CISA KEV listing.
Apple iOS and iPadOS, Apple macOS, Apple iPadOS (+2 more)
CVE-2025-43200 is a logic issue in Apple client operating systems (iOS, macOS, iPadOS, watchOS, visionOS) that processes malicious media shared via iCloud Links. While it has network attack vector and is actively exploited, it targets client devices rather than internet-facing server applications.
Windows, Windows Server 2008 SP2, Windows Server 2008 R2 SP1 (+2 more)
CVE-2025-33073 is an SMB client elevation of privilege vulnerability that allows authenticated attackers to perform NTLM reflection attacks. While it has a network attack vector, it targets SMB client functionality rather than internet-facing server services, making direct internet exploitation unlikely.
Microsoft Windows 10 Version, Microsoft Windows Server, Microsoft Windows 10 Version 21H2 (+1 more)
CVE-2025-33053 is a remote code execution vulnerability in Windows Internet Shortcut Files that requires user interaction (clicking malicious WebDAV links). While it has CVSS attack vector NETWORK, it primarily relies on spearphishing rather than direct exploitation of internet-facing services.
IGEL OS Secure Boot bypass vulnerability that requires physical access to mount a crafted root filesystem from an unverified SquashFS image. This is a local boot-time security control bypass, not a network-exploitable vulnerability.
CVE-2025-21479 is a memory corruption vulnerability in Snapdragon GPU components that requires local access and user interaction. Despite being in CISA KEV, it affects mobile/client chipsets rather than internet-facing servers.
Use-after-free vulnerability in Qualcomm Adreno GPU drivers when rendering graphics in Chrome. This affects mobile devices, wearables, and IoT platforms rather than internet-facing servers. Exploitation requires user interaction to view malicious content.
Memory corruption vulnerability in Qualcomm Snapdragon GPU micronode allowing unauthorized command execution. Despite being in CISA KEV, this is a local privilege escalation requiring user interaction on mobile/IoT devices, not an internet-facing server vulnerability.
CVE-2025-5419 is an out-of-bounds read/write vulnerability in Chrome's V8 engine that allows remote code execution via crafted HTML pages. While severe for client security, this is a browser vulnerability requiring user interaction and does not qualify as T1190 since Chrome is client software, not a public-facing server application.
Critical deserialization vulnerability in DELMIA Apriso manufacturing execution system allowing remote code execution without authentication. Active exploitation observed in the wild targeting internet-facing instances.
Critical RCE vulnerability in Roundcube Webmail allowing authenticated users to achieve remote code execution via PHP object deserialization. This is actively exploited in the wild and affects internet-facing webmail servers globally.
TeleMessage service exposes an unauthenticated Spring Boot Actuator /heapdump endpoint that allows attackers to extract sensitive credentials remotely. This vulnerability is actively exploited in the wild and affects internet-facing enterprise messaging systems.
TeleMessage service exposes heap content similar to a core dump containing previously transmitted passwords. This is classified as CWE-528 (exposure of core dump file) with local attack vector, indicating the vulnerability requires local system access rather than direct internet exploitation.
Versa Concerto SD-WAN orchestration platform contains an authentication bypass vulnerability in the Traefik reverse proxy configuration, allowing attackers to access administrative endpoints and internal Actuator endpoints. This vulnerability provides direct network-based access to heap dumps and trace logs containing sensitive information.
Remote command injection vulnerability in Smartbedded MeteoBridge weather station management systems allows unauthenticated attackers to execute arbitrary commands with root privileges. Despite a CVSS attack vector of ADJACENT network, many MeteoBridge systems are deployed as internet-facing weather monitoring stations.
CVE-2025-30397 is a type confusion vulnerability in Microsoft's scripting engine affecting Windows client and server operating systems. Despite being in CISA KEV, this requires user interaction (UI:R in CVSS) and primarily targets client-side script execution rather than internet-facing server services.
Windows Server 2008/2008 R2/2012/2012 R2/2016/2019/2022/2025, Windows
CVE-2025-32709 is a local privilege escalation vulnerability in the Windows Ancillary Function Driver for WinSock affecting all major Windows versions. While the affected products include Windows Server editions that can be internet-facing, this vulnerability requires local access and authorized user privileges to exploit, making it unsuitable for direct internet exploitation via T1190.
Windows Server 2008/2008 R2/2012/2012 R2/2016/2019/2022/2025, Windows
CVE-2025-32706 is a local privilege escalation vulnerability in the Windows Common Log File System Driver that requires authenticated local access. Despite being in CISA KEV, this is not directly exploitable over the internet as it requires local access with authentication to escalate privileges.
CVE-2025-32701 is a local privilege escalation vulnerability in the Windows Common Log File System Driver affecting all Windows versions. Despite being on CISA KEV due to active exploitation, this is a local-only vulnerability requiring existing access to the system to exploit.
CVE-2025-30400 is a use-after-free vulnerability in Windows Desktop Window Manager (DWM) Core Library that allows local privilege escalation. Despite being on CISA KEV, this is a local-only vulnerability requiring existing system access and cannot be exploited directly over the internet.
Remote Code Execution vulnerability in Ivanti Endpoint Manager Mobile API component that allows authenticated attackers to execute arbitrary code via crafted API requests. This vulnerability is actively exploited and listed in CISA KEV.
CVE-2025-4427 is an authentication bypass vulnerability in the API component of Ivanti Endpoint Manager Mobile that allows unauthenticated attackers to access protected resources. This vulnerability is actively being exploited in the wild and is listed in CISA's KEV catalog.
Critical stack-based buffer overflow vulnerability in multiple Fortinet server products that allows remote unauthenticated code execution via crafted HTTP requests. This vulnerability is actively exploited in the wild and affects enterprise-grade security and communications infrastructure commonly exposed to the internet.
Critical path traversal vulnerability in Samsung MagicINFO 9 Server allows unauthenticated remote attackers to write arbitrary files with system authority. The vulnerability is actively exploited in the wild and listed in CISA KEV, with CAPEC-650 indicating web shell upload capability.
Critical insecure deserialization vulnerability in SAP NetWeaver Visual Composer development server that allows privileged users to upload malicious content leading to complete system compromise. CISA KEV listing indicates active exploitation in the wild.
TeleMessage archiving backend stores cleartext copies of encrypted messages, contrary to documentation claiming end-to-end encryption. This is a data exposure vulnerability rather than a traditional exploitable security flaw, requiring prior unauthorized access to the system.
Craft CMS allows unauthenticated attackers to write arbitrary content (including PHP code) to predictable session file locations on the server. This vulnerability enables potential remote code execution without authentication and is actively being exploited in the wild according to CISA KEV.
CVE-2025-2776 is an unauthenticated XML External Entity (XXE) vulnerability in SysAid On-Prem that allows remote attackers to achieve administrator account takeover and file read access without any authentication. This vulnerability is actively being exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities catalog.
SysAid On-Prem is vulnerable to an unauthenticated XML External Entity (XXE) vulnerability allowing administrator account takeover and file read primitives. This is a server-side application typically deployed with internet-facing interfaces for IT support services.
Directory traversal vulnerability in Srimax Output Messenger allows remote attackers to access sensitive files outside intended directories. This vulnerability is actively exploited by APT group 'Marbled Dust' for regional espionage and is listed in CISA KEV catalog.
ConnectWise ScreenConnect versions 25.2.3 and earlier are vulnerable to ViewState code injection leading to remote code execution. ScreenConnect is a remote access and support software typically deployed as an internet-facing web application for technicians to remotely access client systems.
Commvault Web Server contains an unspecified vulnerability that allows remote authenticated attackers to compromise web servers by creating and executing web shells. This vulnerability is actively exploited in the wild and is listed in the CISA KEV catalog.
Craft CMS contains a critical remote code execution vulnerability that requires no authentication or user interaction. With a CVSS score of 10.0 and inclusion in CISA's KEV catalog, this vulnerability is actively exploited in the wild against internet-facing CMS installations.
SAP NetWeaver Visual Composer development server VCFRAMEWORK
Critical file upload vulnerability in SAP NetWeaver Visual Composer development server allows unauthenticated attackers to upload malicious executables for remote code execution. The vulnerability is actively exploited in the wild and listed in CISA KEV catalog.
CVE-2025-1976 is a privilege escalation vulnerability in Brocade Fabric OS that allows local admin users to execute arbitrary code with root privileges. Despite being on CISA KEV, this requires adjacent network access and existing admin credentials, making direct internet exploitation unlikely.
Commvault Command Center Innovation Release 11.38.0
Critical unauthenticated remote code execution vulnerability in Commvault Command Center that allows attackers to upload malicious ZIP packages containing JSP files via path traversal. The vulnerability enables complete server compromise without authentication and is actively being exploited in the wild.
Critical stack-based buffer overflow in Active! mail 6 email server allows remote unauthenticated code execution. This vulnerability is actively exploited in the wild and listed in CISA KEV catalog.
CVE-2025-32433 is a critical pre-authentication remote code execution vulnerability in Erlang/OTP SSH servers with a CVSS score of 10.0. The vulnerability allows unauthenticated attackers to execute arbitrary commands by exploiting flaws in SSH protocol message handling, with active exploitation confirmed in the wild.
Memory corruption vulnerability in Apple's media processing affecting iOS, macOS, visionOS, and tvOS. Exploitation requires users to process maliciously crafted media files. Apple reports active exploitation in targeted attacks.
CVE-2025-31201 is a Pointer Authentication bypass vulnerability affecting Apple consumer devices (iOS, iPadOS, macOS, tvOS, visionOS). Despite being exploited in the wild and requiring network access, this affects client-side operating systems that are rarely exposed as internet-facing servers.
Critical vulnerability in Yii 2 framework involving improper protection of behavior attachment mechanism. This is a regression of CVE-2024-4990 that allows remote code execution and has been actively exploited in the wild according to CISA KEV listing.
Windows, Windows Server, Windows Server 2012/2012 R2 (+1 more)
CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System Driver that allows local privilege escalation. Despite being listed in CISA KEV indicating active exploitation, this is a local vulnerability that requires existing access to a Windows system and cannot be directly exploited over the internet.
Langflow, an AI workflow platform, exposes an unauthenticated API endpoint that allows remote code execution. This vulnerability enables direct server compromise via crafted HTTP requests to /api/v1/validate/code.
Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA
Critical stack-based buffer overflow in Ivanti remote access gateways allows unauthenticated remote code execution. These products are specifically designed to be internet-facing to provide secure remote access to corporate networks.
Critical deserialization vulnerability in Gladinet CentreStack due to hardcoded machineKey, enabling remote code execution on the server. This vulnerability is actively exploited in the wild and listed in CISA KEV.
CrushFTP versions 10.x before, CrushFTP versions 11.x before
Critical authentication bypass vulnerability in CrushFTP server allows attackers to take over admin accounts via malformed AWS4-HMAC headers. The vulnerability has been actively exploited in the wild and is listed in CISA KEV.
Vite development server vulnerability allows bypass of filesystem restrictions to expose sensitive files via crafted URLs with ?inline&import or ?raw&import parameters. Only affects Vite dev servers explicitly exposed to the network using --host configuration.
This is a sandbox escape vulnerability in Google Chrome requiring a malicious file to be opened by a user. While it has a high CVSS score and is in CISA KEV, it affects a client application (browser) rather than a server application, making it unsuitable for direct internet exploitation via T1190.
Command injection vulnerability in D-Link DIR-823X routers allows authorized attackers to execute arbitrary commands via POST request to /goform/set_prohibiting. This vulnerability is actively exploited in Mirai botnet campaigns and is listed on CISA KEV.
Authenticated remote code execution vulnerability in Kentico Xperience CMS allowing file upload via path traversal. Attackers can upload web shells to achieve server-side code execution. Listed in CISA KEV indicating active exploitation.
Critical authentication bypass vulnerability in Kentico Xperience CMS allows complete bypass of authentication via Staging Sync Server component. The vulnerability gives attackers control over administrative objects and is actively being exploited in the wild according to CISA KEV listing.
Authentication bypass vulnerability in Kentico Xperience CMS allows attackers to control administrative objects via empty SHA1 username handling in digest authentication. The vulnerability is actively exploited and affects internet-facing CMS deployments.
Multiple Reviewdog GitHub Actions were compromised with malicious code that dumped exposed secrets to workflow logs during a specific timeframe (March 11, 2025). This is a supply chain attack against CI/CD pipeline tools, not a direct internet-facing application vulnerability.
tj-actions changed-files, GitHub Actions workflows using affected versions
A supply chain attack compromised the tj-actions changed-files GitHub Action where threat actors modified tags v1-v45.0.7 to point to malicious code that exfiltrates secrets from GitHub Actions workflows. This is not a direct server exploitation but rather a software supply chain compromise affecting CI/CD pipelines.
CVE-2025-21590 is a local privilege escalation vulnerability in Juniper Junos OS that requires high privileges and shell access to exploit. Despite being in CISA KEV due to active exploitation, it cannot be directly exploited from the internet as it has a LOCAL attack vector and requires existing high-privilege access to the device shell.
This is a stored XSS vulnerability in Zimbra Collaboration Server that requires a user to view a malicious email containing a crafted ICS calendar file. Despite being in CISA KEV, this is not a direct server compromise but rather a client-side attack targeting user sessions.
An out-of-bounds write vulnerability in Apple's WebKit engine allows maliciously crafted web content to break out of the Web Content sandbox. This affects client devices (iOS, macOS, Safari) when users visit malicious websites, not internet-facing servers.
Windows Server, Windows Server 2012 R2, Windows Server 2008 R2 (+1 more)
This is a local security feature bypass vulnerability in Microsoft Management Console (MMC) that allows attackers to bypass security features locally. The vulnerability requires local access and user interaction, making it unsuitable for direct internet exploitation.
Windows, Windows Server, Windows Server 2008 R2 (+1 more)
CVE-2025-24993 is a heap-based buffer overflow in Windows NTFS that allows local code execution with user interaction required. Despite being on CISA KEV, this is a LOCAL vulnerability (CVSS AV:L/UI:R) affecting the NTFS file system, not internet-facing services.
CVE-2025-24991 is an out-of-bounds read vulnerability in Windows NTFS that allows local information disclosure. Despite being on CISA KEV, this is a local vulnerability requiring existing system access and user interaction, not directly exploitable over the internet.
Windows Server, Windows Server 2012/2012 R2, Windows Server 2008/2008 R2 (+1 more)
CVE-2025-24985 is an integer overflow vulnerability in the Windows Fast FAT File System Driver that allows local code execution. The vulnerability requires local access and user interaction (mounting/accessing malicious FAT file systems), making it unsuitable for direct internet exploitation despite being in CISA KEV.
Windows Server 2012/2012 R2, Windows Server, Windows
Windows NTFS information disclosure vulnerability that allows unauthorized attackers to access sensitive information from log files through physical access to affected systems. Despite being in CISA KEV, this requires physical access and cannot be exploited remotely over the internet.
Windows Server 2008 SP2, Windows Server, Windows Server 2012 R2 (+1 more)
CVE-2025-24983 is a local privilege escalation vulnerability in the Windows Win32 Kernel Subsystem affecting older Windows versions. The CVSS attack vector is LOCAL (AV:L), requiring an authorized attacker with existing system access to exploit a use-after-free condition for privilege escalation.
Windows Server 2008 R2, Windows Server 2012/2012 R2, Windows Server (+1 more)
CVE-2025-24054 is an NTLM hash disclosure spoofing vulnerability affecting Windows operating systems that allows attackers to perform spoofing attacks over a network. The vulnerability enables credential theft and man-in-the-middle attacks against NTLM authentication, particularly affecting Windows Server deployments that are commonly internet-facing.
AMI MegaRAC-SPx versions 12.0 to <12.7 and 13.0 to <13.5
Critical authentication bypass vulnerability in AMI MegaRAC BMC software affecting server management interfaces. Allows remote unauthenticated attackers to bypass authentication through the Redfish Host Interface with no user interaction required.
CVE-2025-27363 is an out-of-bounds write vulnerability in FreeType versions 2.13.0 and below that allows arbitrary code execution when parsing malicious TrueType font files. While highly severe and actively exploited in the wild, this primarily affects client applications that process fonts rather than internet-facing servers.
Apache Tomcat path traversal vulnerability enabling remote code execution and information disclosure via malicious PUT requests. Affects millions of internet-facing web applications globally. Listed in CISA KEV with active exploitation evidence and public PoCs available.
Critical OS command injection vulnerability in Edimax IC-7100 IP cameras allows unauthenticated remote code execution via specially crafted network requests. The vulnerability has been added to CISA KEV indicating active exploitation in the wild.
CVE-2025-22226 is an information disclosure vulnerability in VMware virtualization products affecting HGFS (Host-Guest File System). Despite being in CISA KEV, this is a local vulnerability requiring administrative access to a virtual machine to leak memory from the vmx process, not directly exploitable over the internet.
VMware ESXi contains an arbitrary write vulnerability allowing sandbox escape from the VMX process to kernel level. This is a local privilege escalation vulnerability requiring existing privileged access within the VMX process, not directly exploitable over the internet.
VMware ESXi, VMware Workstation, VMware Cloud Foundation (+2 more)
CVE-2025-22224 is a critical TOCTOU vulnerability in VMware virtualization products that allows VM escape from guest to host. Despite being in CISA KEV, this requires local administrative privileges within a VM and primarily affects infrastructure software not typically exposed to the internet.
NAKIVO Backup & Replication Director contains an absolute path traversal vulnerability that allows unauthenticated remote attackers to read arbitrary files and potentially achieve remote code execution. The vulnerability is actively being exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.
XWiki Platform contains a critical remote code execution vulnerability (CVE-2025-24893) that allows unauthenticated attackers to execute arbitrary code via the SolrSearch endpoint. This vulnerability affects a widely-deployed enterprise wiki platform that is commonly internet-facing and has been added to CISA's Known Exploited Vulnerabilities catalog.
Microsoft Power Pages contains an improper access control vulnerability that allows unauthorized attackers to elevate privileges over a network, potentially bypassing user registration controls. This vulnerability is actively exploited in the wild and affects a cloud-based web application platform that is inherently internet-facing.
CVE-2025-0111 is an authenticated file read vulnerability in Palo Alto Networks PAN-OS management web interface that allows attackers to read files on the filesystem. This vulnerability is being actively exploited in the wild and is part of CISA's Known Exploited Vulnerabilities catalog.
Authentication bypass vulnerability in Palo Alto Networks PAN-OS management web interface allows unauthenticated attackers to bypass authentication and invoke PHP scripts that can compromise firewall integrity and confidentiality. This vulnerability is actively exploited in the wild and listed in CISA KEV catalog.
CVE-2025-21418 is a heap-based buffer overflow in the Windows Ancillary Function Driver for WinSock that allows local privilege escalation. Despite affecting both Windows client and server systems, this is fundamentally a local vulnerability requiring existing system access to exploit.
CVE-2025-21391 is a Windows Storage elevation of privilege vulnerability affecting multiple Windows versions and Windows Server editions. Despite being in CISA KEV, this is a local privilege escalation vulnerability requiring prior system access, not a direct internet-exploitable flaw.
Authentication bypass vulnerability in Fortinet FortiOS and FortiProxy allows remote unauthenticated attackers to gain super-admin privileges via crafted CSF proxy requests when Security Fabric is enabled. This is actively exploited and listed in CISA KEV.
Critical unsafe deserialization vulnerability in Wazuh security platform allows remote code execution through the DistributedAPI. Attackers with API access can inject malicious dictionaries to execute arbitrary Python code on Wazuh servers.
CVE-2025-24200 is a physical access vulnerability in iOS/iPadOS that allows disabling USB Restricted Mode on locked devices. This requires direct physical access to the device and cannot be exploited over the internet.
Trimble Cityworks contains a deserialization vulnerability allowing authenticated remote code execution against IIS web servers. CISA reports active exploitation of this vulnerability in the wild.
Post-authentication command injection vulnerability in Zyxel VMG4325-B10A DSL modem allows authenticated attackers to execute OS commands via Telnet. This is a legacy, unsupported device that is actively exploited in the wild according to CISA KEV listing.
Command injection vulnerability in Zyxel VMG4325-B10A DSL router allows authenticated attackers to execute OS commands via crafted HTTP POST requests. This legacy CPE device is commonly internet-facing and is listed in CISA KEV indicating active exploitation.
Digiever DS-2105 Pro NVR, Digiever Network Video Recorder devices
Command injection vulnerability in Digiever DS-2105 Pro NVR devices allows remote code execution via the time_tzsetup.cgi endpoint. This IoT surveillance device is commonly internet-facing for remote monitoring and is actively exploited in the wild.
Advantive VeraCore contains an unrestricted file upload vulnerability allowing authenticated remote attackers to upload malicious files to web-accessible directories. This vulnerability is actively exploited in the wild by the XE Group and listed in CISA KEV.
SQL injection vulnerability in Advantive VeraCore's timeoutWarning.asp allows remote attackers to execute arbitrary SQL commands without authentication. This vulnerability is actively exploited in the wild and listed in CISA KEV catalog.
CVE-2025-24085 is a use-after-free vulnerability in Apple operating systems that allows a malicious application to elevate privileges. While it has a CVSS score of 10.0 and is in CISA KEV, this is primarily a local privilege escalation vulnerability affecting client-side Apple devices, not internet-facing servers.
CVE-2025-0411 is a Mark-of-the-Web bypass vulnerability in 7-Zip that allows attackers to deliver malware without Windows security warnings. Despite being listed in CISA KEV, this is a client-side vulnerability requiring user interaction (opening a malicious archive) and does not affect internet-facing servers.
Critical pre-authentication deserialization vulnerability in SonicWall SMA1000 remote access appliances that allows unauthenticated remote attackers to execute arbitrary OS commands. This vulnerability is actively being exploited in the wild according to CISA KEV.
Remote Code Execution vulnerability in Craft CMS when the security key is compromised. This vulnerability has been actively exploited in the wild and is listed in CISA KEV catalog.
SimpleHelp remote support software v5.5.7 and earlier contains a privilege escalation vulnerability allowing low-privilege technicians to create API keys with excessive permissions, escalating to server admin role. This vulnerability is actively exploited in the wild and listed in CISA KEV.
SimpleHelp remote support software v5.5.7 and earlier contains critical path traversal vulnerabilities allowing unauthenticated attackers to download arbitrary files including server configuration files and hashed passwords. This vulnerability is actively exploited and listed in CISA KEV.
SimpleHelp remote support software v5.5.7 and earlier contains a zip slip vulnerability allowing admin users to upload arbitrary files anywhere on the file system and execute code. This remote support software is commonly deployed as internet-facing infrastructure for IT support organizations.
CVE-2025-21334 is a use-after-free local privilege escalation vulnerability in the Windows Hyper-V NT Kernel Integration VSP component. Despite being in CISA KEV indicating active exploitation, it requires local access and authenticated user privileges to exploit.
CVE-2025-21333 is a local privilege escalation vulnerability in Windows Hyper-V NT Kernel Integration VSP affecting multiple Windows versions. Despite being in CISA KEV, it requires local access and is not directly exploitable from the internet against public-facing applications.
Windows 10 21H2, Windows 10 22H2, Windows 11 22H2 (+4 more)
This is a local privilege escalation vulnerability in Windows Hyper-V's NT Kernel Integration VSP component affecting multiple Windows versions. The vulnerability requires local access and low-level privileges to exploit, making it unsuitable for direct internet exploitation.
Critical absolute path traversal vulnerability in Ivanti Endpoint Manager allows remote unauthenticated attackers to access sensitive information. The vulnerability is actively exploited in the wild according to CISA KEV listing.
CVE-2024-13160 is a critical absolute path traversal vulnerability in Ivanti Endpoint Manager that allows remote unauthenticated attackers to leak sensitive information. This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog.
Critical absolute path traversal vulnerability in Ivanti Endpoint Manager allowing remote unauthenticated attackers to leak sensitive information. The vulnerability has a CVSS score of 9.8 and is actively being exploited in the wild according to CISA KEV.
Critical authentication bypass vulnerability in Fortinet FortiOS and FortiProxy allows remote attackers to gain super-admin privileges via crafted requests to Node.js websocket module. This vulnerability is actively exploited in the wild and listed in CISA KEV.
Authentication bypass vulnerability in SonicWall firewall SSL VPN authentication mechanism allows remote attackers to bypass authentication without credentials. This affects the SSL VPN service which is specifically designed for internet exposure to provide remote access.
Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA
Critical stack-based buffer overflow in Ivanti VPN and secure gateway products allows remote unauthenticated attackers to achieve remote code execution. This vulnerability is actively exploited in the wild and listed in CISA KEV catalog.
Critical unauthenticated OS command injection vulnerability in Aviatrix Controller allowing remote code execution via API endpoints. The vulnerability is actively exploited in the wild and listed in CISA KEV. Aviatrix Controllers are typically deployed as internet-facing cloud management platforms.
Critical OS command injection vulnerability in DrayTek router web management interfaces allowing unauthenticated remote code execution. The vulnerability affects the apmcfgupload endpoint and has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation.
CVE-2024-53197 is a Linux kernel vulnerability in the USB audio subsystem that allows out-of-bounds memory access when handling malicious USB audio devices. The vulnerability requires physical access to connect a malicious USB device and has a LOCAL attack vector, making it unsuitable for internet exploitation.
CVE-2024-53150 is a Linux kernel vulnerability in the USB audio driver that allows out-of-bounds reads when processing malicious USB device descriptors. Despite being in CISA KEV, this is primarily a local privilege escalation issue requiring physical USB device insertion or prior system access.
Critical remote code execution vulnerability in Craft CMS affecting all versions since 3.0.0 when PHP register_argc_argv is enabled. This vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable web servers and is actively exploited in the wild.
OS command injection vulnerability in BeyondTrust Remote Support and Privileged Remote Access allowing attackers with administrative privileges to execute commands as site users. This affects remote access platforms that are inherently internet-facing by design and is actively exploited in the wild per CISA KEV.
This vulnerability affects Mitel MiCollab and allows authenticated administrators to read local files through path traversal. Despite being in CISA KEV, it has a LOCAL attack vector and requires administrative privileges, limiting its internet exploitability.
CVE-2024-53104 is a Linux kernel vulnerability in the UVC video driver that causes out-of-bounds writes during USB camera parsing. Despite being in CISA KEV, this is a local privilege escalation vulnerability requiring physical access or malicious USB devices, not an internet-facing service vulnerability.
This is an improper access control vulnerability in Microsoft Partner Center (Partner.Microsoft.com) that allows unauthenticated attackers to elevate privileges over a network. The vulnerability is classified as an 'exclusively-hosted-service' and is actively being exploited in the wild according to CISA KEV.
CVE-2024-50302 is a Linux kernel HID (Human Interface Device) subsystem vulnerability that allows information disclosure through uninitialized memory in report buffers. Despite being in CISA KEV, this is a LOCAL attack vector vulnerability requiring existing system access, making it unsuitable for direct internet exploitation.
CVE-2024-11182 is a stored XSS vulnerability in MDaemon Email Server's webmail component that requires an attacker to send a malicious HTML email to victims. While the email server itself is internet-facing, this vulnerability targets user browser sessions rather than providing direct server access, making it a phishing/social engineering attack vector rather than direct server exploitation.
GeoVision GV-VS12 Video Server, GeoVision GV-VS11 Video Server, GeoVision GV-DSP LPR V3 License Plate Recognition System (+2 more)
Critical OS command injection vulnerability in GeoVision video surveillance and license plate recognition devices allows unauthenticated remote attackers to execute arbitrary system commands. The vulnerability is being actively exploited in the wild and affected devices are end-of-life with no patches available.
CVE-2024-8069 is an adjacent network RCE vulnerability in Citrix Session Recording requiring authenticated intranet access. Despite CISA KEV listing indicating active exploitation, the attack vector is limited to adjacent networks, not direct internet exploitation.
CVE-2024-8068 is a privilege escalation vulnerability in Citrix Session Recording that allows an authenticated Active Directory domain user to escalate privileges to NetworkService Account level. Despite being in CISA KEV, this requires existing domain authentication and adjacent network access, making it primarily useful for lateral movement rather than initial access.
Critical unauthenticated path traversal vulnerability in Mitel MiCollab NuPoint Unified Messaging component allows remote attackers to view, corrupt, or delete user data and system configurations. This vulnerability is actively exploited and listed in CISA KEV.
Critical SQL injection vulnerability in Microsoft Configuration Manager (SCCM) allowing unauthenticated remote code execution. CISA has listed this in their Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
CVE-2024-20439 is a critical authentication bypass vulnerability in Cisco Smart License Utility due to hardcoded administrative credentials. Attackers can remotely login with administrative privileges over the CSLU application API without any authentication. Active exploitation has been observed in the wild.
CVE-2024-45195 is a critical forced browsing vulnerability in Apache OFBiz allowing unauthorized access to protected application areas without authentication. This vulnerability has active exploitation confirmed by CISA KEV listing and affects enterprise ERP systems commonly deployed as internet-facing web applications.
CVE-2024-7694 is an unrestricted file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware that allows remote attackers with admin privileges to upload malicious files and execute arbitrary system commands. This vulnerability is actively exploited in the wild and listed in CISA KEV catalog.
Mitel 6800 Series SIP Phones, Mitel 6900 Series SIP Phones, Mitel 6900w Series SIP Phones (+1 more)
Mitel SIP phones contain an argument injection vulnerability allowing authenticated administrators to execute arbitrary commands. While these phones are network devices often deployed on corporate networks with some internet exposure, the attack vector is adjacent network and requires high privileges.
This is a Cross-Site Scripting (XSS) vulnerability in Zimbra webmail that requires sending a malicious email with crafted calendar headers to victims. While Zimbra is internet-facing, this XSS only compromises user sessions, not the server itself, making it a phishing attack rather than direct server exploitation.
Path traversal vulnerability in Samsung MagicINFO 9 Server allows remote attackers to write arbitrary files with system authority. The vulnerability is actively exploited in the wild and listed in CISA KEV catalog.
Cross-Site Scripting vulnerability in Roundcube webmail allows attackers to steal and send emails via crafted email messages. Despite a high CVSS score and CISA KEV listing, this is client-side XSS requiring user interaction, not direct server compromise.
CVE-2024-21182 is an unauthenticated network vulnerability in Oracle WebLogic Server allowing unauthorized access to critical data via T3/IIOP protocols. WebLogic Server is commonly deployed as an internet-facing enterprise application server, making this vulnerability highly exploitable from the internet.
CVE-2024-38475 is a critical vulnerability in Apache HTTP Server's mod_rewrite module that allows remote attackers to map URLs to unintended filesystem locations, leading to code execution or source code disclosure. This vulnerability affects one of the world's most widely deployed web servers and has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Critical unauthenticated remote code execution vulnerability in WhatsUp Gold's API endpoint allows attackers to execute arbitrary commands with IIS application pool privileges. This network monitoring software is commonly deployed as an internet-facing service for remote monitoring capabilities.
Critical heap-overflow vulnerability in VMware vCenter Server's DCERPC protocol implementation allows remote code execution via specially crafted network packets. This vulnerability is actively exploited in the wild and affects a core infrastructure product commonly exposed to networks.
GeoVision IP Cameras, GeoVision Video Servers, GeoVision License Plate Recognition (+1 more)
Critical OS command injection vulnerability affecting multiple end-of-life GeoVision IP cameras and video servers. Unauthenticated attackers can execute arbitrary system commands remotely over the network with CVSS 9.8 severity.
Authentication bypass vulnerability in TP-Link TL-WR841N router's httpd service allows unauthenticated attackers to disclose stored credentials via TCP port 80. This is actively exploited and listed in CISA KEV.
CVE-2024-29059 is an information disclosure vulnerability in .NET Framework that can expose sensitive information through error messages. While CISA has added it to the KEV catalog indicating active exploitation, the vulnerability is limited to information disclosure rather than remote code execution.
Path traversal vulnerability in JetBrains TeamCity allowing unauthenticated attackers to perform limited admin actions. This CI/CD server is commonly exposed to the internet for developer access and is actively being exploited in the wild.
CVE-2024-1708 is a critical path traversal vulnerability in ConnectWise ScreenConnect that enables remote code execution on internet-facing remote access servers. This vulnerability is actively exploited in the wild and listed in CISA KEV.
This is a critical deserialization vulnerability in Oracle Agile PLM that allows complete system takeover via HTTP network access with low privileges. The vulnerability is actively exploited in the wild and listed in CISA KEV.
Microsoft Outlook, Microsoft 365 Apps for Enterprise, Microsoft Office LTSC
Microsoft Outlook Remote Code Execution vulnerability affects client email applications, not server infrastructure. Despite the critical CVSS score and CISA KEV listing, this requires phishing/social engineering to deliver malicious content to Outlook clients rather than direct internet exploitation of servers.
D-Link DIR-859 router has a critical path traversal vulnerability in hedwig.cgi that allows remote attackers to access arbitrary files without authentication. This vulnerability is actively exploited and listed in CISA KEV, affecting an end-of-life router model.
CVE-2023-41974 is a use-after-free vulnerability in iOS and iPadOS that allows malicious apps to execute arbitrary code with kernel privileges. While listed in CISA KEV and actively exploited, this affects mobile client devices, not internet-facing servers.
SonicWall SMA100 SSL-VPN appliances contain an OS command injection vulnerability in the management interface allowing authenticated administrators to execute arbitrary commands. These appliances are specifically designed to be internet-facing and this vulnerability is actively exploited in the wild.
CVE-2023-48365 is an unauthenticated remote code execution vulnerability in Qlik Sense Enterprise for Windows caused by improper HTTP header validation. Attackers can tunnel HTTP requests to execute commands on the backend repository server, leading to complete system compromise.
Windows, Windows Server, Windows Server Core installations
Windows Common Log File System Driver privilege escalation vulnerability affecting Windows client and server operating systems. Requires local access and authentication to exploit, making it unsuitable for direct internet exploitation despite being in CISA KEV.
Critical OS command injection vulnerability in ASUS RT-AX55 router web management interface. Authenticated attackers can execute arbitrary commands via the qos_bw_rulelist parameter. Listed in CISA KEV with evidence of active exploitation.
CVE-2022-48503 is a WebKit bounds check vulnerability affecting Apple's client-side products (Safari, iOS, macOS, etc.) that allows arbitrary code execution when processing malicious web content. While listed in CISA KEV indicating active exploitation, this is a client-side vulnerability requiring user interaction rather than a server-side exploit.
CVE-2023-38950 is a path traversal vulnerability in ZKTeco BioTime's iclock API that allows unauthenticated attackers to read arbitrary files remotely. This is actively exploited in the wild and listed in CISA's KEV catalog.
Cross-site scripting vulnerability in Zimbra Collaboration Suite 8.8.15 affecting the /h/autoSaveDraft function. Despite being in CISA KEV, this is an XSS vulnerability that compromises user sessions rather than the server itself, requiring authenticated user interaction for exploitation.
CSRF vulnerability in PaperCut NG/MF that requires an admin to click a malicious link while logged in. Despite the high CVSS score and CISA KEV listing, this is not direct server exploitation but requires social engineering to trick administrators.
TP-Link routers contain a command injection vulnerability in the /userRpm/WlanNetworkRpm component that allows authenticated attackers to execute arbitrary commands. This vulnerability is actively exploited in the wild and affects commonly deployed home/small business routers that are inherently internet-facing.
PaperCut NG contains an authentication bypass vulnerability that allows remote attackers to bypass authentication without any user interaction. This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog.
Command injection vulnerability in Cisco Small Business Router web management interface allows authenticated remote attackers to execute arbitrary commands with root privileges. Proof-of-concept exploits exist and active exploitation has been observed in the wild since March 2025.
Authentication bypass vulnerability in Pentaho Business Analytics Server allows attackers to circumvent security restrictions using non-canonical URLs. The vulnerability leads to SSTI (Server-Side Template Injection) and code execution according to exploit references.
Hitachi Vantara Pentaho Business Analytics Server contains a Spring Template injection vulnerability allowing authenticated attackers to execute arbitrary code. This affects web services that improperly sanitize user input containing Spring templates, leading to server-side template injection (SSTI).
CVE-2023-0386 is a local privilege escalation vulnerability in the Linux kernel's OverlayFS subsystem that allows a local user to escalate privileges by exploiting a uid mapping bug when copying capable files between mounts. This requires local access and cannot be exploited directly over the internet, making it a post-compromise escalation tool rather than an initial attack vector.
CVE-2023-21529 is a remote code execution vulnerability in Microsoft Exchange Server caused by deserialization of untrusted data (CWE-502). This vulnerability allows authenticated attackers to execute arbitrary code on Exchange servers, which are commonly internet-facing for email services.
Critical command injection vulnerability in D-Link DNR-322L Cloud Network Video Recorder allowing authenticated attackers to execute OS-level commands via the 'Backup Config' functionality. This network device is commonly internet-facing for remote monitoring purposes and is actively exploited according to CISA KEV.
CVE-2022-23748 is a DLL sideloading vulnerability in mDNSResponder.exe from Audinate Dante Application Library. Despite being listed in CISA KEV, this is a local attack requiring user interaction to execute the malicious DLL alongside the legitimate executable.
CVE-2022-20775 is a local privilege escalation vulnerability in Cisco SD-WAN Software CLI that allows authenticated, local attackers to execute commands as root. While the affected products are commonly internet-facing, the vulnerability itself requires existing local access and cannot be directly exploited over the internet.
Critical buffer overflow vulnerability in D-Link GO-RT-AC750 wireless routers affecting cgibin and hnap_main components. This vulnerability is actively exploited in the wild and listed in CISA KEV, allowing unauthenticated remote code execution.
Linux Kernel, Docker containers, Kubernetes clusters (+3 more)
CVE-2022-0492 is a Linux kernel privilege escalation vulnerability in the cgroups v1 release_agent feature that allows bypassing namespace isolation. This is a local exploit requiring existing access to a system or container, commonly used for Docker container escapes.
VMware Workspace ONE UEM console contains an unauthenticated SSRF vulnerability that allows remote attackers to access sensitive information. This enterprise mobility management platform is commonly exposed to the internet for device management purposes.
Windows, Windows Server, Windows Server 2012/2012 R2 (+1 more)
CVE-2021-43226 is a local privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver that requires local access and low-level privileges to exploit. While it affects both client and server Windows systems, it cannot be exploited directly over the internet as it requires local system access.
GitLab Community Edition, GitLab Enterprise Edition
Server-Side Request Forgery (SSRF) vulnerability in GitLab CI Lint API allows unauthorized external users to perform internal network requests. GitLab instances are commonly internet-facing, making this vulnerability directly exploitable over the network without authentication.
Grafana instances are vulnerable to directory traversal attacks allowing unauthorized access to local files through crafted URLs. This affects internet-facing Grafana dashboards commonly exposed for monitoring and observability purposes. The vulnerability has been actively exploited in the wild.
OS Command Injection vulnerability in SonicWall SMA100 management interface allows remote authenticated attackers to execute arbitrary commands as 'nobody' user. The vulnerability is actively exploited in the wild according to CISA KEV listing.
WebKit integer overflow vulnerability in Apple client operating systems requiring user interaction with malicious web content. Despite CISA KEV listing, this affects client-side web browsers, not internet-facing servers, making it unsuitable for T1190 exploitation.
Linux Kernel, Ubuntu, Red Hat Enterprise Linux (+4 more)
Linux kernel netfilter heap out-of-bounds write vulnerability allowing privilege escalation and DoS. Requires adjacent network access and high attack complexity. Despite high deployment, this is primarily a privilege escalation vulnerability requiring existing local or adjacent network access.
Server-Side Request Forgery (SSRF) vulnerability in GitLab allows unauthenticated attackers to make requests to internal networks when webhook internal network requests are enabled. This affects GitLab instances from version 10.5 through multiple 13.x versions and is actively exploited according to CISA KEV.
OpenPLC ScadaBR, ScadaBR Linux versions through, ScadaBR Windows versions through
CVE-2021-26828 is a critical file upload vulnerability in OpenPLC ScadaBR that allows authenticated remote users to upload and execute arbitrary JSP files. This vulnerability enables direct remote code execution on SCADA/HMI systems that are commonly internet-facing for remote monitoring and control operations.
Stored XSS vulnerability in OpenPLC ScadaBR system settings that requires user interaction. Despite CISA KEV listing, this targets user sessions rather than the server infrastructure itself.
Authentication bypass vulnerability in ASUS router administrator interfaces allows unauthenticated remote attackers to gain full administrative access. The vulnerability affects router web management interfaces that are commonly exposed to the internet for remote administration.
Critical authentication bypass vulnerability in Rockwell Automation industrial control systems allowing unauthenticated attackers to bypass verification mechanisms and authenticate with Logix controllers over the network. This vulnerability is actively exploited and listed in CISA KEV catalog.
Adminer, a popular PHP-based database management tool, contains an SSRF vulnerability (CWE-918) that allows unauthenticated attackers to make server-side requests. This vulnerability is actively exploited in the wild and listed in CISA's KEV catalog.
Critical SQL injection vulnerability in Cyberoam OS WebAdmin interface allows unauthenticated remote attackers to execute arbitrary SQL statements. This affects network security appliances that are typically deployed as internet-facing gateway devices.
D-Link DCS-2530L IP Camera, D-Link DCS-2670L IP Camera
D-Link DCS-2530L and DCS-2670L IP cameras expose an unauthenticated /config/getuser endpoint that allows remote disclosure of administrator passwords. This vulnerability enables direct network exploitation against internet-facing security cameras commonly deployed for remote monitoring.
D-Link DCS-2530L IP Camera, D-Link DCS-2670L IP Camera
Command injection vulnerability in D-Link IP cameras' web management interface allows authenticated attackers to execute arbitrary commands. These cameras are commonly deployed with internet-facing web interfaces for remote monitoring.
TP-Link TL-WA855RE V5 WiFi range extender allows unauthenticated attackers on the same network to perform a factory reset via a TDDP_RESET POST request and then set a new administrative password. This vulnerability is actively exploited and listed in CISA KEV.
CVE-2020-9715 is a use-after-free vulnerability in Adobe Acrobat and Reader that allows arbitrary code execution. This affects client-side PDF applications that require user interaction to open malicious documents, not internet-facing servers.
Critical buffer overflow vulnerability in Sophos XG Firewall's HTTP/S Bookmarks feature that allows remote code execution without authentication. This vulnerability affects firewall appliances that are inherently internet-facing and is actively exploited in the wild.
CVE-2020-11023 is a cross-site scripting (XSS) vulnerability in jQuery that allows execution of untrusted JavaScript code in victims' browsers when processing malicious HTML with
Critical unauthenticated deserialization vulnerability in Oracle WebLogic Server allowing complete server takeover via network protocols IIOP and T3. This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.
SSRF vulnerability in Zimbra Collaboration Suite when WebEx zimlet is installed and JSP is enabled. This is a critical server-side vulnerability in a commonly internet-facing email/collaboration platform with active exploitation confirmed by CISA KEV listing.
Authentication bypass vulnerability in Sangoma FreePBX allowing remote unauthenticated access to administrative functions. This is a critical vulnerability with CVSS 9.8 that has been actively exploited in the wild and added to CISA KEV.
CVE-2019-6693 is a hard-coded cryptographic key vulnerability in Fortinet FortiGate configuration backup files. An attacker with access to backup files can decrypt sensitive data including user passwords and private key passphrases, potentially leading to credential theft and unauthorized access.
Sitecore CMS platforms through version 9.1 contain a deserialization vulnerability in the anti-CSRF module that allows authenticated attackers to execute arbitrary code via HTTP POST parameters. This vulnerability is actively exploited in the wild and affects a widely deployed web content management platform.
Critical deserialization vulnerability in Sitecore CMS allowing unauthenticated remote code execution via malicious .NET objects in CSRF tokens. Actively exploited in the wild and listed in CISA KEV catalog.
Remote code execution vulnerability in Sierra Wireless AirLink ES450 router allowing authenticated attackers to upload and execute malicious code via HTTP request to upload.cgi. This vulnerability is in CISA KEV indicating active exploitation in the wild.
Server-Side Request Forgery (SSRF) vulnerability in Zimbra Collaboration Suite's ProxyServlet component allows unauthenticated network-based exploitation. Zimbra is widely deployed as an internet-facing email and collaboration server, making this vulnerability directly exploitable from the internet against the server itself.
CVE-2019-5418 is a file content disclosure vulnerability in Rails Action View that allows attackers to read arbitrary files from the server filesystem using specially crafted Accept headers. This affects web applications built with Rails, which are commonly deployed as internet-facing services.
Windows, Windows Server, Windows Server 2012 R2 (+2 more)
CVE-2018-8639 is a local privilege escalation vulnerability in the Windows Win32k component that allows attackers with existing access to escalate privileges. This affects both Windows desktop and server systems but requires local access to exploit.
Critical authentication bypass in PRTG Network Monitor allowing remote unauthenticated attackers to create administrator accounts via Local File Inclusion. Exploitation requires only crafting HTTP requests to the publicly accessible web interface.
Linux Kernel 2.6.x, Linux Kernel 3.10.x, Linux Kernel 4.14.x (+4 more)
CVE-2018-14634 is a local privilege escalation vulnerability in the Linux kernel's create_elf_tables() function that allows unprivileged users to gain root privileges. Despite being in CISA KEV, this requires local access and cannot be exploited directly from the internet.
PRTG Network Monitor contains an OS command injection vulnerability in the web administrative console that allows authenticated attackers with admin privileges to execute arbitrary commands on the server. This is a high-risk vulnerability for internet-facing deployments, confirmed by CISA KEV listing indicating active exploitation.
Jenkins automation servers prior to version 2.56 (and 2.46.1 LTS) contain an unauthenticated remote code execution vulnerability through the CLI interface via Java deserialization. This vulnerability allows complete server compromise without any user interaction and has active exploitation documented by CISA KEV.
Directory traversal vulnerability in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via path traversal in a JavaScript UI endpoint. This vulnerability has been actively exploited in the wild and is included in CISA's Known Exploited Vulnerabilities catalog.
CVE-2016-7836 is a remote code execution vulnerability in SKYSEA Client View's management console TCP connection authentication. While technically exploitable over the network without user interaction, this is primarily enterprise endpoint management software that is rarely deployed as internet-facing.
Authentication bypass vulnerability in Hikvision IP cameras allows attackers to escalate privileges and gain unauthorized access. The vulnerability is classified as CWE-287 (Improper Authentication) and is actively exploited in the wild according to CISA KEV.
Critical Java deserialization vulnerability in Adobe ColdFusion allowing remote code execution via the Apache BlazeDS library. ColdFusion is primarily deployed as an internet-facing web application server, making this vulnerability directly exploitable over the internet without authentication.
Memory corruption vulnerability in MRLG (Multi-Router Looking Glass) fastping.c allows remote attackers to cause arbitrary memory writes and corruption. This is a web-based network diagnostic tool typically deployed on internet-facing web servers for public network troubleshooting services.
PHPMailer before 5.2.18 contains a command injection vulnerability allowing remote attackers to execute arbitrary code via a crafted Sender property. This vulnerability affects countless web applications that use PHPMailer for email functionality and is actively exploited in the wild.
Juniper ScreenOS Firewalls, Juniper SSG Series, Juniper ISG Series
Critical authentication bypass backdoor in Juniper ScreenOS firewalls allowing remote administrative access via SSH/Telnet with an unknown hardcoded password. This is the infamous Juniper backdoor that compromised enterprise network perimeters worldwide.
CVE-2014-6278 is a Bash Shellshock vulnerability allowing remote command execution via crafted environment variables. It affects internet-facing services using Bash for CGI scripts, SSH, DHCP, and other network services that process environment variables.
Internet Explorer, Windows XP, Windows Server (+3 more)
ActiveX control vulnerability in Internet Explorer allowing remote code execution when users visit malicious web pages. This is a client-side vulnerability requiring user interaction, not a server-side vulnerability exploitable over the internet.
CVE-2013-3893 is a use-after-free vulnerability in Internet Explorer 6-11 that allows remote code execution via crafted JavaScript when a user visits a malicious website. This is a client-side browser vulnerability requiring user interaction, not a server-side vulnerability.
Microsoft Office, Visual Basic for Applications, Summit VBA SDK
CVE-2012-1854 is an untrusted search path vulnerability in Microsoft Office VBA that allows local privilege escalation via DLL hijacking. Exploitation requires a user to open a malicious Office document from a directory containing a Trojan horse DLL.
Windows XP SP2/SP3, Windows Server 2003 SP2, Windows Vista SP2 (+2 more)
CVE-2011-3402 is a TrueType font parsing vulnerability in Windows kernel-mode drivers that was exploited by the Duqu malware. The vulnerability requires user interaction to open a malicious Word document or visit a compromised web page containing crafted font data.
CVE-2010-3962 is a use-after-free vulnerability in Internet Explorer 6, 7, and 8 that allows remote code execution via malicious CSS. While it was actively exploited in the wild and is on CISA KEV, it targets client-side browsers, not internet-facing servers.
CVE-2010-3765 is a memory corruption vulnerability in Mozilla Firefox, Thunderbird, and SeaMonkey browsers that allows remote code execution when JavaScript is enabled. Despite being in CISA KEV and having a high CVSS score, this is a client-side browser vulnerability requiring users to visit malicious websites, not a server-side vulnerability.
Use-after-free vulnerability in Internet Explorer 6-7 that allows remote code execution when users visit malicious websites. This is a client-side browser vulnerability exploited through malicious web content, not a server-side vulnerability.
Internet Explorer, Windows XP/Vista/7, Windows Server 2003/2008
Use-after-free vulnerability in Internet Explorer 6-8 that allows remote code execution when users visit malicious websites. This was famously exploited in Operation Aurora attacks but requires user interaction to visit attacker-controlled content.
CVE-2009-3459 is a heap-based buffer overflow in Adobe Reader/Acrobat that allows remote code execution via crafted PDF files. This is a client-side vulnerability requiring user interaction to open a malicious PDF, not a server-side vulnerability that can be directly exploited over the internet.
Windows XP SP2/SP3, Windows Vista, Windows Server 2003 SP2 (+2 more)
CVE-2008-0015 is a stack-based buffer overflow in Microsoft's Video ActiveX Control that allows remote code execution via crafted web pages. While the vulnerability enables remote code execution, it targets client-side ActiveX components in web browsers rather than server infrastructure, requiring user interaction to visit a malicious website.
DirectX 7.0-9.0c, Windows XP SP2/SP3, Windows Server 2003 SP2 (+1 more)
CVE-2009-1537 is a vulnerability in Microsoft DirectX's QuickTime Movie Parser that allows remote code execution when processing crafted QuickTime media files. This is a client-side vulnerability requiring user interaction to open malicious media files, not a server-side vulnerability exploitable over the internet.
Microsoft PowerPoint 2000 SP3, Microsoft PowerPoint 2002 SP3, Microsoft PowerPoint 2003 SP3 (+1 more)
Microsoft PowerPoint memory corruption vulnerability that allows remote code execution when a user opens a specially crafted PowerPoint file. Despite being in CISA KEV, this is a client-side application vulnerability requiring user interaction, not a server-side exploit.
Microsoft Excel, Excel Viewer, Office Compatibility Pack (+1 more)
CVE-2009-0238 is a client-side vulnerability in Microsoft Excel that allows remote code execution via malicious Excel documents. While it has been exploited in the wild via Trojan.Mdropper.AC, it requires user interaction to open a crafted document and does not directly compromise internet-facing servers.
Windows Server, Windows XP, Windows Vista (+1 more)
CVE-2008-4250 is a critical buffer overflow in the Windows Server service that allows remote code execution via crafted RPC requests. This vulnerability was actively exploited by the Conficker worm and affects network-accessible Windows systems, including servers commonly exposed to the internet.
Microsoft Excel, Microsoft Excel XP, Microsoft Excel 2004 for Mac
Microsoft Excel vulnerability allowing arbitrary code execution when users open malicious Excel files. Requires user interaction to open the file. This is client-side exploitation, not server compromise.