Resource Center

CVE & Threat Intelligence Library

78 practitioner-focused analyses — organized by attack category so your team can quickly find relevant CVE breakdowns, ransomware TTPs, and remediation guidance.

78+ Intelligence Briefings · 71+ CVE Deep-Dives · 11 Attack Categories · 53+ CVSS 9.0+ Analyses

Ransomware Operations

Technical breakdowns of ransomware groups — attack chains, BYOVD techniques, EDR evasion, encryption schemes, and victim targeting patterns.

WEEKLY ROUNDUP

Windows Zero-Day BlueHammer RedSun: April 2026 Roundup

Two Windows LPE zero-days are being actively exploited with no patch available. Plus Payouts King QEMU ransomware, CISA's 6 new KEVs, and Cisco 9.9 flaws.

14 min
THREAT ACTOR WATCH

Qilin Ransomware BYOVD Attack: How It Silences 300+ EDR Tools Before Detonating

Cisco Talos and Trend Micro confirm Qilin ransomware is using BYOVD to systematically disable 300+ EDR products before deploying ransomware. Here's the full attack chain and what to do about it.

12 min
CVE REFERENCE

CVE-2024-38094 Explained: SharePoint Deserialization RCE to Domain Compromise | Decryption Digest

CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. Site Owner-authenticated attackers can execute arbitrary code on the SharePoint server. Real-world campaigns chained it with a privilege escalation bug to achieve full domain compromise. CISA added it to the Known Exploited Vulnerabilities catalog in October 2024.

9 min
CVE REFERENCE

CVE-2024-37085 Explained: VMware ESXi AD Auth Bypass Exploited by Ransomware

CVE-2024-37085 is an authentication bypass (CVSS 6.8) in VMware ESXi that allows a domain user who is a member of an Active Directory group named 'ESX Admins' to gain full administrative access to the ESXi hypervisor — regardless of whether that group was explicitly configured for ESXi access. Exploited by at least five ransomware groups (Black Basta, Akira, Medusa, RansomHub, and Scattered Spider) to target ESXi hosts directly, encrypting VM storage files and achieving mass disruption across virtualised environments.

11 min
CVE REFERENCE

CVE-2024-4577 Explained: PHP CGI Argument Injection on Windows | Decryption Digest

CVE-2024-4577 is a critical PHP argument injection flaw affecting Windows servers running PHP in CGI mode. A Unicode best-fit character mapping quirk allowed attackers to bypass the CVE-2012-1823 patch and execute arbitrary OS commands without authentication. TellYouThePass ransomware operators weaponized it within hours of the June 2024 PoC release. CVSS 9.8.

10 min
CVE REFERENCE

CVE-2024-1709 (SlashAndGrab) Explained: ConnectWise ScreenConnect Auth Bypass

CVE-2024-1709 is a CVSS 10.0 authentication bypass in ConnectWise ScreenConnect (< 23.9.8). An extra trailing slash in the URL path bypasses authentication middleware, allowing an unauthenticated attacker to execute the setup wizard and create a new administrator account. Exploited by LockBit, Black Basta, and multiple ransomware groups within 48 hours of disclosure. Affects all ScreenConnect on-premises deployments below version 23.9.8.

11 min
CVE REFERENCE

CVE-2023-46604 Explained: Apache ActiveMQ CVSS 10.0 RCE via OpenWire

CVE-2023-46604 is a CVSS 10.0 deserialization / remote class loading vulnerability in Apache ActiveMQ's OpenWire protocol. An unauthenticated attacker sends a specially crafted ClassInfo message to port 61616, causing the broker to load and execute a Java class from an attacker-controlled HTTP server. Active exploitation by HelloKitty ransomware and Kinsing cryptominer began within days of the advisory. Affects ActiveMQ versions up to 5.15.16, 5.16.7, 5.17.6, and 5.18.3.

11 min
CVE REFERENCE

CVE-2023-4966 (Citrix Bleed) Explained: Session Token Theft That Bypasses MFA

CVE-2023-4966, named Citrix Bleed, is a buffer over-read vulnerability in Citrix NetScaler ADC and Gateway that leaks memory contents — including active user session tokens — via unauthenticated HTTP requests. Stolen tokens bypass MFA because they represent already-authenticated sessions. Exploited as a zero-day by LockBit ransomware against Boeing, Comcast Xfinity, and others.

10 min
CVE REFERENCE

CVE-2023-42793 Explained: JetBrains TeamCity Auth Bypass, CVSS 9.8

CVE-2023-42793 is a CVSS 9.8 authentication bypass in JetBrains TeamCity (< 2023.05.4) allowing an unauthenticated attacker to generate an admin-level API token with a single HTTP request. Full remote code execution follows via plugin upload. Exploited by North Korea's Lazarus Group, Russia's COZY BEAR (APT29), and multiple ransomware operators for CI/CD pipeline compromise and software supply chain attacks.

12 min
CVE REFERENCE

CVE-2023-38831 Explained: WinRAR Code Execution via Crafted ZIP Archive

CVE-2023-38831 is a code execution vulnerability in WinRAR (< 6.23). An attacker creates a ZIP archive that displays an innocent filename — such as a PDF or image — but actually maps double-click to a hidden script. When the victim double-clicks the apparent document inside WinRAR, a script executes on their system. Exploited by Russian APT28 (Fancy Bear) and North Korean APT40 in targeted spear-phishing campaigns against financial traders and government officials. Affects all WinRAR versions prior to 6.23.

10 min
CVE REFERENCE

CVE-2023-34362 (MOVEit Transfer) Explained: CLOP SQL Injection That Breached 1,000+ Orgs

CVE-2023-34362 is a critical SQL injection vulnerability in Progress MOVEit Transfer that enables unauthenticated remote code execution. Exploited as a zero-day by the CLOP ransomware group beginning May 27, 2023, it was used to breach over 1,000 organizations simultaneously through data exfiltration without encryption. Victims include the US Department of Energy, Shell, British Airways, the BBC, Maximus, and hundreds more.

11 min
CVE REFERENCE

CVE-2023-28252 Explained: Windows CLFS Zero-Day Used by Nokoyawa Ransomware

CVE-2023-28252 is a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A low-privileged attacker exploits a flaw in CLFS log file parsing to escalate to SYSTEM privileges. It was discovered being actively used by the Nokoyawa ransomware gang as part of their pre-ransomware privilege escalation chain. Patched as a zero-day on the April 11, 2023 Patch Tuesday. CVSS 7.8.

10 min
CVE REFERENCE

CVE-2023-0669 Explained: GoAnywhere MFT RCE Exploited by Cl0p Ransomware

CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT (Managed File Transfer). The Cl0p ransomware group exploited it as a zero-day for approximately 10 days before any advisory was published, claiming over 130 victim organisations. The vulnerability allows unauthenticated attackers to execute commands on the GoAnywhere server via a Java deserialization attack against the administrative console. Affected versions: GoAnywhere MFT prior to 7.1.2.

12 min
CVE REFERENCE

CVE-2022-26134 (Confluence OGNL Zero-Day) Explained: CVSS 10.0 Pre-Auth RCE Exploited Before Patch

CVE-2022-26134 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center, enabling unauthenticated remote code execution. Disclosed as a zero-day on June 2, 2022 with active exploitation already confirmed, this vulnerability scores 10.0 CVSS. Within hours of technical details becoming public, mass scanning and exploitation began across the internet.

9 min
CVE REFERENCE

CVE-2021-26084 (Confluence OGNL) Explained: Pre-Auth RCE Exploited Within Hours of PoC Release

CVE-2021-26084 is a server-side template injection vulnerability in Atlassian Confluence Server and Data Center. An unauthenticated attacker can inject OGNL expressions via query parameters, achieving remote code execution on the Confluence server. The vulnerability was exploited at mass scale within hours of public PoC release, with ransomware groups and nation-state actors among the first adopters.

9 min
CVE REFERENCE

CVE-2021-34473 (ProxyShell) Explained: Pre-Auth Exchange RCE Chain Used by LockFile and Hive

CVE-2021-34473 is the first link in the ProxyShell exploit chain — three Microsoft Exchange Server vulnerabilities that together enable unauthenticated remote code execution. Chained with CVE-2021-34523 and CVE-2021-31207, an attacker can reach Exchange's backend PowerShell endpoint without credentials, impersonate any mailbox user, and write arbitrary files to Exchange's web root to deploy a web shell.

11 min
CVE REFERENCE

CVE-2021-27101 (Accellion FTA / CLOP) Explained: SQL Injection That Fueled 100+ Organization Data Extortion

CVE-2021-27101 is a critical SQL injection vulnerability in Accellion FTA (File Transfer Appliance) that allows unauthenticated remote code execution. Exploited by the CLOP ransomware group beginning in December 2020, the vulnerability was used to steal sensitive files from over 100 organizations including government agencies, universities, law firms, and financial institutions, without deploying ransomware encryption.

10 min
CVE REFERENCE

CVE-2020-14882 (Oracle WebLogic Console Bypass) Explained: Unauthenticated RCE Chain

CVE-2020-14882 is a critical authentication bypass in the Oracle WebLogic Server web-based administration console. Chained with CVE-2020-14883, it enables unauthenticated remote code execution on one of the most widely deployed Java EE application servers in enterprise environments. Exploitation began within days of Oracle's October 2020 Critical Patch Update and was adopted by nation-state actors and ransomware operators.

10 min
CVE REFERENCE

CVE-2019-19781 (Citrix ADC Shitrix) Explained: Pre-Auth RCE on VPN Gateways

CVE-2019-19781 is a pre-authentication path traversal vulnerability in Citrix ADC (NetScaler ADC) and Citrix Gateway that allows unauthenticated attackers to execute arbitrary OS commands. Exploited at mass scale before patches were released, it was used by nation-state APT groups and ransomware operators to compromise enterprise and government VPN gateways worldwide.

10 min
CVE REFERENCE

CVE-2019-11510 (Pulse Secure VPN) Explained: Pre-Auth Credential Theft at CVSS 10.0

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure VPN appliances. An unauthenticated attacker can retrieve the VPN's configuration file and stored credentials — including plaintext passwords and cached Active Directory credentials — from any affected device reachable on the internet. Widely exploited by ransomware groups, APTs, and credential brokers.

10 min

Nation-State & APT Campaigns

Analysis of state-sponsored intrusion campaigns — from Chinese APT infrastructure to North Korean supply chain operations and Russian destructive attacks.

THREAT ACTOR

CyberAv3ngers Iran IRGC: Critical Infrastructure PLC Attack

CyberAv3ngers: Iran's IRGC-linked APT is inside US water, energy and government PLCs. CVE-2021-22681 (CVSS 9.8) has no patch, and the group is escalating.

12 min
CVE WATCH

Adobe Acrobat CVE-2026-34621: PDF Zero-Day Exploit

Adobe Acrobat Reader CVE-2026-34621: a prototype pollution zero-day exploited by an APT for five months before emergency patch APSB26-43.

9 min
AI SECURITY

AI Malware Active Deployment: HONESTCUE Gemini API

Google GTIG confirms HONESTCUE and PROMPTSTEAL in active deployment — AI malware that generates fileless code via Gemini mid-execution, evading every static signature.

10 min
CVE WATCH · Featured

Microsoft Patch Tuesday April 2026: 167 CVEs, 2 Zero-Days, and an Adobe Exploit Active Since November

April 2026 Patch Tuesday is the second-largest in Microsoft's history: 167 CVEs, 2 zero-days, and an Adobe Acrobat Reader flaw actively exploited by an APT-linked actor since at least November 2025. CVE-2026-34621 and CVE-2026-32201 are on CISA's KEV catalog today. BlueHammer (CVE-2026-33825) had a working public PoC before the patch. Here's the full priority triage, attack chain details, and a six-step action list.

16 min
SUPPLY CHAIN

North Korea Supply Chain Attack: 1,700 Malicious npm, PyPI & Go Packages Linked to DPRK

Socket Security has documented 1,700+ malicious packages tied to North Korea's Contagious Interview campaign across five package ecosystems. Separately, UNC1069 compromised the Axios npm maintainer via social engineering, injecting a backdoor into a library present in an estimated 80% of cloud environments. Here's the full attack chain, WAVESHAPER.V2 IOCs, and what to do now.

14 min
CVE REFERENCE

CVE-2025-0282 Explained: Ivanti Connect Secure Zero-Day Stack Overflow RCE | Decryption Digest

CVE-2025-0282 is a critical stack-based buffer overflow in Ivanti Connect Secure (versions before 22.7R2.5), Policy Secure, and Neurons for ZTA Gateways, disclosed January 2025. Exploited as a zero-day by UNC5337 (linked to the 2024 ArcaneDoor actor UNC5221), the flaw allows unauthenticated remote code execution on the VPN gateway. Mandiant confirmed exploitation in the wild beginning mid-December 2024. CVSS 9.0.

10 min
CVE REFERENCE

CVE-2024-12356 Explained: BeyondTrust RCE Used to Breach US Treasury | Decryption Digest

CVE-2024-12356 is a critical command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) patched in December 2024. An unauthenticated attacker can inject operating system commands via a vulnerable API endpoint. The flaw was exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance and subsequently breach the US Treasury Department's Office of Foreign Assets Control (OFAC). CVSS 9.8.

10 min
CVE REFERENCE

CVE-2024-47575 (FortiJump) Explained: Fortinet FortiManager Auth Bypass (CVSS 9.8)

CVE-2024-47575 is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager (FortiManager Cloud also affected) that allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests to the FGFM (FortiGate to FortiManager) daemon. Dubbed 'FortiJump' by Mandiant. Exploited as a zero-day by UNC5820 — a suspected Chinese state-sponsored actor — targeting managed service providers and enterprise FortiManager deployments. CISA added it to the KEV catalog on October 23, 2024.

11 min
CVE REFERENCE

CVE-2024-20353 & CVE-2024-20359 ArcaneDoor Explained: Cisco ASA Zero-Days | Decryption Digest

CVE-2024-20353 and CVE-2024-20359 are two Cisco ASA and FTD zero-day vulnerabilities exploited in the ArcaneDoor espionage campaign by a suspected Chinese state-sponsored actor. The flaws enabled persistent backdoor implants (Line Dancer and Line Runner) on perimeter VPN devices protecting government and critical infrastructure networks across multiple countries. First exploitation observed in November 2023 — five months before public disclosure.

12 min
CVE REFERENCE

CVE-2023-46805 & CVE-2024-21887 Explained: Ivanti Connect Secure Zero-Day RCE Chain

CVE-2023-46805 is an authentication bypass (CVSS 8.2) in Ivanti Connect Secure and Policy Secure. Chained with CVE-2024-21887, a command injection (CVSS 9.1), it produces unauthenticated remote code execution on the VPN gateway. Exploited as a zero-day by suspected Chinese state-sponsored actor UNC5221 for at least two weeks before disclosure. CISA issued Emergency Directive 24-01 ordering federal agencies to disconnect or mitigate within 48 hours. Over 2,100 devices were compromised globally before patches were available.

14 min
CVE REFERENCE

CVE-2023-22515 (Confluence Broken Access Control) Explained: Nation-State Zero-Day Admin Takeover

CVE-2023-22515 is a maximum-severity broken access control vulnerability in Atlassian Confluence Data Center and Server. An unauthenticated external attacker can reach Confluence's setup endpoint on a fully configured instance and create a new administrator account, gaining complete control without credentials. Microsoft attributed active exploitation to Storm-0062 (a Chinese state-sponsored threat actor) beginning September 14, 2023 — three weeks before Atlassian's advisory.

10 min
CVE REFERENCE

CVE-2023-42793 Explained: JetBrains TeamCity Auth Bypass, CVSS 9.8

CVE-2023-42793 is a CVSS 9.8 authentication bypass in JetBrains TeamCity (< 2023.05.4) allowing an unauthenticated attacker to generate an admin-level API token with a single HTTP request. Full remote code execution follows via plugin upload. Exploited by North Korea's Lazarus Group, Russia's COZY BEAR (APT29), and multiple ransomware operators for CI/CD pipeline compromise and software supply chain attacks.

12 min
CVE REFERENCE

CVE-2023-38831 Explained: WinRAR Code Execution via Crafted ZIP Archive

CVE-2023-38831 is a code execution vulnerability in WinRAR (< 6.23). An attacker creates a ZIP archive that displays an innocent filename — such as a PDF or image — but actually maps double-click to a hidden script. When the victim double-clicks the apparent document inside WinRAR, a script executes on their system. Exploited by Russian APT28 (Fancy Bear) and North Korean APT40 in targeted spear-phishing campaigns against financial traders and government officials. Affects all WinRAR versions prior to 6.23.

10 min
CVE REFERENCE

CVE-2023-36884 Explained: Windows Search RCE in NATO Summit Attacks | Decryption Digest

CVE-2023-36884 is a remote code execution vulnerability in Windows Search and Microsoft Office exploited as a zero-day by Russian-nexus group Storm-0978 (RomCom) during the July 2023 NATO summit. Malicious Office documents triggered the flaw without macros or Protected View bypass, targeting NATO member governments. Microsoft disclosed it without a same-day patch — the fix arrived a month later.

11 min
CVE REFERENCE

CVE-2023-27997 (Fortinet FortiOS SSL-VPN) Explained: Pre-Auth Heap Overflow Zero-Day

CVE-2023-27997 is a pre-authentication heap buffer overflow in the Fortinet FortiOS SSL-VPN component enabling unauthenticated remote code execution on FortiGate VPN appliances. Exploited as a zero-day before Fortinet's June 2023 advisory, it affects FortiOS 6.0 through 7.2.4 with SSL-VPN enabled. CISA linked related Fortinet exploitation to Chinese state-sponsored actor Volt Typhoon targeting US critical infrastructure.

10 min
CVE REFERENCE

CVE-2023-23397 (Outlook NTLM) Explained: Zero-Click Hash Theft via Calendar Invite, Exploited by APT28

CVE-2023-23397 is a critical privilege escalation and credential theft vulnerability in Microsoft Outlook for Windows. A specially crafted calendar invitation with a UNC path in the reminder sound field causes Outlook to automatically connect to an attacker-controlled SMB server, leaking the victim's NTLM authentication hash. No user interaction is required — the exploit fires when the reminder triggers, even if the meeting invitation is never opened.

9 min
CVE REFERENCE

CVE-2022-47966 Explained: ManageEngine SAML RCE Affecting 24 Products (CVSS 9.8)

CVE-2022-47966 is a CVSS 9.8 unauthenticated RCE vulnerability affecting up to 24 Zoho ManageEngine products. It exploits a vulnerable Apache Santuario (XML Security for Java) component in the SAML SSO implementation, allowing an attacker to execute arbitrary code on any ManageEngine server where SAML-based single sign-on is or was enabled. Exploited by APT41 and other nation-state actors within weeks of the January 2023 disclosure. Affects products widely deployed in enterprise IT management: ServiceDesk Plus, Desktop Central, OpManager, and more.

11 min
CVE REFERENCE

CVE-2022-3236 Explained: Sophos Firewall Zero-Day Code Injection | Decryption Digest

CVE-2022-3236 is a critical code injection vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall versions 19.5 MR3 and older. Exploited as a zero-day by a Chinese APT (Storm Cloud / Volt Typhoon cluster), the flaw enabled unauthenticated root-level code execution on internet-facing firewall appliances. Sophos delivered an automatic hotfix, but it required manual intervention on restricted networks, leaving many deployments exposed.

9 min
CVE REFERENCE

CVE-2022-1388 (F5 BIG-IP iControl Auth Bypass) Explained: Unauthenticated Root in 24 Hours

CVE-2022-1388 is a critical authentication bypass vulnerability in the F5 BIG-IP iControl REST management API. Unauthenticated attackers with network access to the management interface can execute arbitrary OS commands as root by manipulating HTTP headers to bypass the API authentication layer. Mass exploitation began within 24 hours of F5's advisory. CISA and FBI issued a joint advisory warning of active exploitation.

9 min
CVE REFERENCE

CVE-2021-40539 Explained: ManageEngine ADSelfService Plus Auth Bypass RCE | Decryption Digest

CVE-2021-40539 is a critical authentication bypass and remote code execution vulnerability in ManageEngine ADSelfService Plus (versions before build 6114), patched in September 2021. The flaw allowed unauthenticated attackers to access protected REST API endpoints and upload a JSP webshell, achieving code execution on the server. APT41 and at least two other threat actor clusters exploited it against U.S. defense contractors, academic institutions, and critical infrastructure. CVSS 9.8.

10 min
CVE REFERENCE

CVE-2021-26084 (Confluence OGNL) Explained: Pre-Auth RCE Exploited Within Hours of PoC Release

CVE-2021-26084 is a server-side template injection vulnerability in Atlassian Confluence Server and Data Center. An unauthenticated attacker can inject OGNL expressions via query parameters, achieving remote code execution on the Confluence server. The vulnerability was exploited at mass scale within hours of public PoC release, with ransomware groups and nation-state actors among the first adopters.

9 min
CVE REFERENCE

CVE-2021-26855 (ProxyLogon) Explained: Exchange SSRF Zero-Day That Compromised 250,000 Servers

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server allowing an unauthenticated attacker to bypass authentication and impersonate the Exchange server. Chained with CVE-2021-27065, it achieves pre-authentication RCE. Over 250,000 Exchange servers were compromised within days of public disclosure.

10 min
CVE REFERENCE

CVE-2020-14882 (Oracle WebLogic Console Bypass) Explained: Unauthenticated RCE Chain

CVE-2020-14882 is a critical authentication bypass in the Oracle WebLogic Server web-based administration console. Chained with CVE-2020-14883, it enables unauthenticated remote code execution on one of the most widely deployed Java EE application servers in enterprise environments. Exploitation began within days of Oracle's October 2020 Critical Patch Update and was adopted by nation-state actors and ransomware operators.

10 min
CVE REFERENCE

CVE-2020-5902 (F5 BIG-IP TMUI RCE) Explained: CVSS 10.0 Root Access to Your Load Balancer

CVE-2020-5902 is a critical remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI). An unauthenticated attacker with network access to the TMUI can execute arbitrary system commands, create or delete files, enable or disable services, and fully compromise the BIG-IP device. With a CVSS score of 10.0, this vulnerability was exploited within hours of F5's advisory.

9 min
CVE REFERENCE

CVE-2019-19781 (Citrix ADC Shitrix) Explained: Pre-Auth RCE on VPN Gateways

CVE-2019-19781 is a pre-authentication path traversal vulnerability in Citrix ADC (NetScaler ADC) and Citrix Gateway that allows unauthenticated attackers to execute arbitrary OS commands. Exploited at mass scale before patches were released, it was used by nation-state APT groups and ransomware operators to compromise enterprise and government VPN gateways worldwide.

10 min
CVE REFERENCE

CVE-2019-11510 (Pulse Secure VPN) Explained: Pre-Auth Credential Theft at CVSS 10.0

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure VPN appliances. An unauthenticated attacker can retrieve the VPN's configuration file and stored credentials — including plaintext passwords and cached Active Directory credentials — from any affected device reachable on the internet. Widely exploited by ransomware groups, APTs, and credential brokers.

10 min
CVE REFERENCE

CVE-2018-13379 (Fortinet FortiGate VPN) Explained: 87,000 Credentials Exposed via Path Traversal

CVE-2018-13379 is a pre-authentication path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read system files from the VPN appliance by crafting a malicious URL, including session files that contain plaintext credentials. Credentials from over 87,000 FortiGate devices were published publicly in 2021 — many from devices patched but with credentials never rotated.

9 min

Active Directory & Identity Attacks

Domain privilege escalation, credential theft, Kerberos abuse, AD Certificate Services exploits, and lateral movement techniques targeting enterprise identity infrastructure.

CVE REFERENCE

CVE-2024-38094 Explained: SharePoint Deserialization RCE to Domain Compromise | Decryption Digest

CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. Site Owner-authenticated attackers can execute arbitrary code on the SharePoint server. Real-world campaigns chained it with a privilege escalation bug to achieve full domain compromise. CISA added it to the Known Exploited Vulnerabilities catalog in October 2024.

9 min
CVE REFERENCE

CVE-2024-37085 Explained: VMware ESXi AD Auth Bypass Exploited by Ransomware

CVE-2024-37085 is an authentication bypass (CVSS 6.8) in VMware ESXi that allows a domain user who is a member of an Active Directory group named 'ESX Admins' to gain full administrative access to the ESXi hypervisor — regardless of whether that group was explicitly configured for ESXi access. Exploited by at least five ransomware groups (Black Basta, Akira, Medusa, RansomHub, and Scattered Spider) to target ESXi hosts directly, encrypting VM storage files and achieving mass disruption across virtualised environments.

11 min
CVE REFERENCE

CVE-2024-21413 Explained: Outlook MonikerLink NTLM Credential Theft | Decryption Digest

CVE-2024-21413, dubbed 'MonikerLink' by Check Point Research, is a critical Microsoft Outlook vulnerability patched in February 2024. A crafted file:// hyperlink with an exclamation mark suffix bypasses Outlook's Protected View, causing Windows to silently authenticate to an attacker's server via NTLMv2 — transmitting the victim's Net-NTLMv2 hash with no user interaction beyond opening or previewing the email. CISA added it to KEV after confirmed wild exploitation.

10 min
CVE REFERENCE

CVE-2023-28252 Explained: Windows CLFS Zero-Day Used by Nokoyawa Ransomware

CVE-2023-28252 is a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A low-privileged attacker exploits a flaw in CLFS log file parsing to escalate to SYSTEM privileges. It was discovered being actively used by the Nokoyawa ransomware gang as part of their pre-ransomware privilege escalation chain. Patched as a zero-day on the April 11, 2023 Patch Tuesday. CVSS 7.8.

10 min
CVE REFERENCE

CVE-2023-23397 (Outlook NTLM) Explained: Zero-Click Hash Theft via Calendar Invite, Exploited by APT28

CVE-2023-23397 is a critical privilege escalation and credential theft vulnerability in Microsoft Outlook for Windows. A specially crafted calendar invitation with a UNC path in the reminder sound field causes Outlook to automatically connect to an attacker-controlled SMB server, leaking the victim's NTLM authentication hash. No user interaction is required — the exploit fires when the reminder triggers, even if the meeting invitation is never opened.

9 min
CVE REFERENCE

CVE-2022-26923 Certifried Explained: AD CS Privilege Escalation | Decryption Digest

CVE-2022-26923 (Certifried) is a privilege escalation vulnerability in Active Directory Certificate Services (AD CS) patched in May 2022. A domain user with the ability to create or modify machine accounts can request a certificate that impersonates a Domain Controller, then use that certificate in a Kerberos PKINIT authentication to obtain a TGT with domain admin-equivalent privileges. CVSS 8.8.

10 min
CVE REFERENCE

CVE-2021-42287 & CVE-2021-42278 Explained: noPac Active Directory Privilege Escalation | Decryption Digest

CVE-2021-42287 and CVE-2021-42278 are Active Directory privilege escalation vulnerabilities patched in November 2021. Chained together in the 'noPac' exploit, they allowed any authenticated domain user to impersonate a Domain Controller via Kerberos, obtaining a TGT with domain admin-equivalent privileges — a complete Active Directory takeover from a standard user account with no additional tooling beyond a domain login.

11 min
CVE REFERENCE

CVE-2020-1472 (Zerologon) Explained: Instant Active Directory Domain Compromise in 10 Seconds

CVE-2020-1472 (Zerologon) is a 10.0 CVSS critical vulnerability in the Windows Netlogon Remote Protocol. A cryptographic flaw allows an attacker with network access to a domain controller to set the machine account password to empty, then impersonate the DC to achieve instant domain compromise in approximately 10 seconds.

9 min
CVE REFERENCE

CVE-2019-11510 (Pulse Secure VPN) Explained: Pre-Auth Credential Theft at CVSS 10.0

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure VPN appliances. An unauthenticated attacker can retrieve the VPN's configuration file and stored credentials — including plaintext passwords and cached Active Directory credentials — from any affected device reachable on the internet. Widely exploited by ransomware groups, APTs, and credential brokers.

10 min

Remote Access & VPN Vulnerabilities

Critical flaws in VPN appliances, remote access gateways, and privileged access infrastructure — the most common initial access vector for enterprise breaches.

WEEKLY ROUNDUP

FortiClient EMS CVE-2026-35616: April 2026 Patch Roundup

FortiClient EMS CVE-2026-35616, a pre-auth RCE, was exploited before the advisory was published. Plus the Rockstar 78M breach, Operation PowerOFF, and CISA KEV additions.

14 min
CVE REFERENCE

CVE-2025-0282 Explained: Ivanti Connect Secure Zero-Day Stack Overflow RCE | Decryption Digest

CVE-2025-0282 is a critical stack-based buffer overflow in Ivanti Connect Secure (versions before 22.7R2.5), Policy Secure, and Neurons for ZTA Gateways, disclosed January 2025. Exploited as a zero-day by UNC5337 (linked to the 2024 ArcaneDoor actor UNC5221), the flaw allows unauthenticated remote code execution on the VPN gateway. Mandiant confirmed exploitation in the wild beginning mid-December 2024. CVSS 9.0.

10 min
CVE REFERENCE

CVE-2024-12356 Explained: BeyondTrust RCE Used to Breach US Treasury | Decryption Digest

CVE-2024-12356 is a critical command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) patched in December 2024. An unauthenticated attacker can inject operating system commands via a vulnerable API endpoint. The flaw was exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance and subsequently breach the US Treasury Department's Office of Foreign Assets Control (OFAC). CVSS 9.8.

10 min
CVE REFERENCE

CVE-2024-47575 (FortiJump) Explained: Fortinet FortiManager Auth Bypass (CVSS 9.8)

CVE-2024-47575 is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager (FortiManager Cloud also affected) that allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests to the FGFM (FortiGate to FortiManager) daemon. Dubbed 'FortiJump' by Mandiant. Exploited as a zero-day by UNC5820 — a suspected Chinese state-sponsored actor — targeting managed service providers and enterprise FortiManager deployments. CISA added it to the KEV catalog on October 23, 2024.

11 min
CVE REFERENCE

CVE-2024-20353 & CVE-2024-20359 ArcaneDoor Explained: Cisco ASA Zero-Days | Decryption Digest

CVE-2024-20353 and CVE-2024-20359 are two Cisco ASA and FTD zero-day vulnerabilities exploited in the ArcaneDoor espionage campaign by a suspected Chinese state-sponsored actor. The flaws enabled persistent backdoor implants (Line Dancer and Line Runner) on perimeter VPN devices protecting government and critical infrastructure networks across multiple countries. First exploitation observed in November 2023 — five months before public disclosure.

12 min
CVE REFERENCE

CVE-2024-21762 Explained: Fortinet FortiOS SSL VPN RCE, CVSS 9.6

CVE-2024-21762 is a CVSS 9.6 out-of-bounds write in Fortinet FortiOS and FortiProxy SSL VPN. An unauthenticated remote attacker sends specially crafted HTTP requests to the SSL VPN web management interface, achieving arbitrary code or command execution. CISA added it to the Known Exploited Vulnerabilities catalog on February 9, 2024 — one day after disclosure — confirming active exploitation. Over 150,000 Fortinet devices were estimated to be running vulnerable firmware at time of disclosure.

11 min
CVE REFERENCE

CVE-2023-46805 & CVE-2024-21887 Explained: Ivanti Connect Secure Zero-Day RCE Chain

CVE-2023-46805 is an authentication bypass (CVSS 8.2) in Ivanti Connect Secure and Policy Secure. Chained with CVE-2024-21887, a command injection (CVSS 9.1), it produces unauthenticated remote code execution on the VPN gateway. Exploited as a zero-day by suspected Chinese state-sponsored actor UNC5221 for at least two weeks before disclosure. CISA issued Emergency Directive 24-01 ordering federal agencies to disconnect or mitigate within 48 hours. Over 2,100 devices were compromised globally before patches were available.

14 min
CVE REFERENCE

CVE-2023-4966 (Citrix Bleed) Explained: Session Token Theft That Bypasses MFA

CVE-2023-4966, named Citrix Bleed, is a buffer over-read vulnerability in Citrix NetScaler ADC and Gateway that leaks memory contents — including active user session tokens — via unauthenticated HTTP requests. Stolen tokens bypass MFA because they represent already-authenticated sessions. Exploited as a zero-day by LockBit ransomware against Boeing, Comcast Xfinity, and others.

10 min
CVE REFERENCE

CVE-2023-3519 Explained: Citrix NetScaler ADC/Gateway Unauthenticated RCE

CVE-2023-3519 is a CVSS 9.8 unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway (formerly Citrix ADC / Citrix Gateway). Exploited as a zero-day before any patch was available, it was used to compromise a US critical infrastructure organization. After patches were released, mass exploitation resulted in over 2,000 backdoored appliances within days. Requires the device to be configured as a Gateway or AAA virtual server.

11 min
CVE REFERENCE

CVE-2023-27997 (Fortinet FortiOS SSL-VPN) Explained: Pre-Auth Heap Overflow Zero-Day

CVE-2023-27997 is a pre-authentication heap buffer overflow in the Fortinet FortiOS SSL-VPN component enabling unauthenticated remote code execution on FortiGate VPN appliances. Exploited as a zero-day before Fortinet's June 2023 advisory, it affects FortiOS 6.0 through 7.2.4 with SSL-VPN enabled. CISA linked related Fortinet exploitation to Chinese state-sponsored actor Volt Typhoon targeting US critical infrastructure.

10 min
CVE REFERENCE

CVE-2019-19781 (Citrix ADC Shitrix) Explained: Pre-Auth RCE on VPN Gateways

CVE-2019-19781 is a pre-authentication path traversal vulnerability in Citrix ADC (NetScaler ADC) and Citrix Gateway that allows unauthenticated attackers to execute arbitrary OS commands. Exploited at mass scale before patches were released, it was used by nation-state APT groups and ransomware operators to compromise enterprise and government VPN gateways worldwide.

10 min
CVE REFERENCE

CVE-2019-11510 (Pulse Secure VPN) Explained: Pre-Auth Credential Theft at CVSS 10.0

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure VPN appliances. An unauthenticated attacker can retrieve the VPN's configuration file and stored credentials — including plaintext passwords and cached Active Directory credentials — from any affected device reachable on the internet. Widely exploited by ransomware groups, APTs, and credential brokers.

10 min
CVE REFERENCE

CVE-2018-13379 (Fortinet FortiGate VPN) Explained: 87,000 Credentials Exposed via Path Traversal

CVE-2018-13379 is a pre-authentication path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read system files from the VPN appliance by crafting a malicious URL, including session files that contain plaintext credentials. Credentials from over 87,000 FortiGate devices were published publicly in 2021 — many from devices patched but with credentials never rotated.

9 min

Microsoft Ecosystem Vulnerabilities

High-impact CVEs across Windows, Exchange Server, SharePoint, Office, and Azure — frequently exploited by both ransomware groups and nation-state actors.

WEEKLY ROUNDUP

Windows Zero-Day BlueHammer RedSun: April 2026 Roundup

Two unpatched Windows LPE zero-days are actively exploited with no patch. Plus Payouts King QEMU ransomware, CISA's 6 new KEVs, and Cisco 9.9 flaws.

14 min
CVE WATCH (Featured)

Microsoft Patch Tuesday April 2026: 167 CVEs, 2 Zero-Days, and an Adobe Exploit Active Since November

April 2026 Patch Tuesday is the second-largest in Microsoft's history: 167 CVEs, 2 zero-days, and an Adobe Acrobat Reader flaw actively exploited by an APT-linked actor since at least November 2025. CVE-2026-34621 and CVE-2026-32201 are on CISA's KEV catalog today. BlueHammer (CVE-2026-33825) had a working public PoC before the patch. Here's the full priority triage, attack chain details, and a six-step action list.

16 min
CVE REFERENCE

CVE-2024-12356 Explained: BeyondTrust RCE Used to Breach US Treasury | Decryption Digest

CVE-2024-12356 is a critical command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) patched in December 2024. An unauthenticated attacker can inject operating system commands via a vulnerable API endpoint. The flaw was exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance and subsequently breach the US Treasury Department's Office of Foreign Assets Control (OFAC). CVSS 9.8.

10 min
CVE REFERENCE

CVE-2024-38094 Explained: SharePoint Deserialization RCE to Domain Compromise | Decryption Digest

CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. Site Owner-authenticated attackers can execute arbitrary code on the SharePoint server. Real-world campaigns chained it with a privilege escalation bug to achieve full domain compromise. CISA added it to the Known Exploited Vulnerabilities catalog in October 2024.

9 min
CVE REFERENCE

CVE-2024-30078 Explained: Windows Wi-Fi Driver Over-The-Air RCE | Decryption Digest

CVE-2024-30078 is a remote code execution vulnerability in the Windows Wi-Fi driver patched in June 2024. An unauthenticated attacker on the same Wi-Fi network — or operating a rogue access point the device connects to — can send a crafted wireless frame to achieve kernel-mode code execution with no user interaction. Every unpatched Wi-Fi-capable Windows device in any shared network environment is in scope.

9 min
CVE REFERENCE

CVE-2024-4577 Explained: PHP CGI Argument Injection on Windows | Decryption Digest

CVE-2024-4577 is a critical PHP argument injection flaw affecting Windows servers running PHP in CGI mode. A Unicode best-fit character mapping quirk allowed attackers to bypass the CVE-2012-1823 patch and execute arbitrary OS commands without authentication. TellYouThePass ransomware operators weaponized it within hours of the June 2024 PoC release. CVSS 9.8.

10 min
CVE REFERENCE

CVE-2024-21413 Explained: Outlook MonikerLink NTLM Credential Theft | Decryption Digest

CVE-2024-21413, dubbed 'MonikerLink' by Check Point Research, is a critical Microsoft Outlook vulnerability patched in February 2024. A crafted file:// hyperlink with an exclamation mark suffix bypasses Outlook's Protected View, causing Windows to silently authenticate to an attacker's server via NTLMv2 — transmitting the victim's Net-NTLMv2 hash with no user interaction beyond opening or previewing the email. CISA added it to KEV after confirmed in-the-wild exploitation.

10 min
CVE REFERENCE

CVE-2023-22515 (Confluence Broken Access Control) Explained: Nation-State Zero-Day Admin Takeover

CVE-2023-22515 is a maximum-severity broken access control vulnerability in Atlassian Confluence Data Center and Server. An unauthenticated external attacker can reach Confluence's setup endpoint on a fully configured instance and create a new administrator account, gaining complete control without credentials. Microsoft attributed active exploitation to Storm-0062 (a Chinese state-sponsored threat actor) beginning September 14, 2023 — three weeks before Atlassian's advisory.

10 min
CVE REFERENCE

CVE-2023-36884 Explained: Windows Search RCE in NATO Summit Attacks | Decryption Digest

CVE-2023-36884 is a remote code execution vulnerability in Windows Search and Microsoft Office exploited as a zero-day by Russian-nexus group Storm-0978 (RomCom) during the July 2023 NATO summit. Malicious Office documents triggered the flaw without macros or Protected View bypass, targeting NATO member governments. Microsoft disclosed it without a same-day patch — the fix arrived a month later.

11 min
CVE REFERENCE

CVE-2023-28252 Explained: Windows CLFS Zero-Day Used by Nokoyawa Ransomware

CVE-2023-28252 is a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A low-privileged attacker exploits a flaw in CLFS log file parsing to escalate to SYSTEM privileges. Discovered being actively used by the Nokoyawa ransomware gang as part of their pre-ransomware deployment privilege escalation chain. Patched as a zero-day on the April 11, 2023 Patch Tuesday. CVSS 7.8.

10 min
CVE REFERENCE

CVE-2023-23397 (Outlook NTLM) Explained: Zero-Click Hash Theft via Calendar Invite, Exploited by APT28

CVE-2023-23397 is a critical privilege escalation and credential theft vulnerability in Microsoft Outlook for Windows. A specially crafted calendar invitation with a UNC path in the reminder sound field causes Outlook to automatically connect to an attacker-controlled SMB server, leaking the victim's NTLM authentication hash. No user interaction is required — the exploit fires when the reminder triggers, even if the meeting invitation is never opened.

9 min
CVE REFERENCE

CVE-2022-41040 & CVE-2022-41082 (ProxyNotShell) Explained: Exchange SSRF + PowerShell RCE Zero-Day

CVE-2022-41040 and CVE-2022-41082, collectively called ProxyNotShell, are chained vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a server-side request forgery flaw that, when chained with CVE-2022-41082, enables an authenticated attacker to achieve remote code execution. Both were exploited in the wild before Microsoft released patches.

10 min
CVE REFERENCE

CVE-2022-30190 (Follina) Explained: Zero-Click Microsoft Office RCE via MSDT

CVE-2022-30190 (Follina) is a critical RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) triggered via the ms-msdt:// URI scheme from within a malicious Office document. Attackers achieve code execution with no macro prompts, and in some configurations previewing the file in Windows Explorer alone triggers the exploit.

8 min
CVE REFERENCE

CVE-2021-42287 & CVE-2021-42278 Explained: noPac Active Directory Privilege Escalation | Decryption Digest

CVE-2021-42287 and CVE-2021-42278 are Active Directory privilege escalation vulnerabilities patched in November 2021. Chained together in the 'noPac' exploit, they allowed any authenticated domain user to impersonate a Domain Controller via Kerberos, obtaining a TGT with domain admin-equivalent privileges — a complete Active Directory takeover from a standard user account with no additional tooling beyond a domain login.

11 min
CVE REFERENCE

CVE-2021-40444 (MSHTML) Explained: Zero-Click Office RCE Without Macros

CVE-2021-40444 is a remote code execution vulnerability in the MSHTML (Trident) browser engine built into Windows. A malicious Office document embedding a specially crafted ActiveX control causes MSHTML to download and execute a malicious DLL from an attacker-controlled server. No macros are used. No Enable Content prompt appears. The exploit was used in targeted attacks before Microsoft patched it.

9 min
CVE REFERENCE

CVE-2021-34473 (ProxyShell) Explained: Pre-Auth Exchange RCE Chain Used by LockFile and Hive

CVE-2021-34473 is the first link in the ProxyShell exploit chain — three Microsoft Exchange Server vulnerabilities that together enable unauthenticated remote code execution. Chained with CVE-2021-34523 and CVE-2021-31207, an attacker can reach Exchange's backend PowerShell endpoint without credentials, impersonate any mailbox user, and write arbitrary files to Exchange's web root to deploy a web shell.

11 min
CVE REFERENCE

CVE-2021-34527 (PrintNightmare) Explained: Windows Print Spooler RCE Affecting All Windows Versions

CVE-2021-34527 (PrintNightmare) is a critical vulnerability in the Windows Print Spooler service enabling remote code execution with SYSTEM privileges. A proof-of-concept was accidentally published publicly on June 29, 2021, triggering emergency out-of-band patches and immediate mass exploitation.

8 min
CVE REFERENCE

CVE-2021-26855 (ProxyLogon) Explained: Exchange SSRF Zero-Day That Compromised 250,000 Servers

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server allowing an unauthenticated attacker to bypass authentication and impersonate the Exchange server. Chained with CVE-2021-27065, it achieves pre-authentication RCE. Over 250,000 Exchange servers were compromised within days of public disclosure.

10 min
CVE REFERENCE

CVE-2020-1472 (Zerologon) Explained: Instant Active Directory Domain Compromise in 10 Seconds

CVE-2020-1472 (Zerologon) is a CVSS 10.0 critical vulnerability in the Windows Netlogon Remote Protocol. A cryptographic flaw allows an attacker with network access to a domain controller to set the machine account password to empty, then impersonate the DC to achieve instant domain compromise in approximately 10 seconds.

9 min
CVE REFERENCE

CVE-2020-1350 SigRed Explained: Wormable Windows DNS Server RCE | Decryption Digest

CVE-2020-1350 (SigRed) is a critical wormable remote code execution vulnerability in Windows DNS Server discovered by Check Point Research and patched in July 2020. A crafted DNS response can trigger a heap overflow in dns.exe, granting SYSTEM-level code execution on any Windows Server configured as a DNS resolver — with no authentication and no user interaction required. CVSS 10.0.

10 min
CVE REFERENCE

CVE-2020-0796 (SMBGhost) Explained: Wormable Windows 10 Kernel RCE via SMBv3 Compression

CVE-2020-0796 (SMBGhost) is an integer overflow vulnerability in the SMBv3 compression feature introduced in Windows 10 1903. An unauthenticated attacker can achieve remote code execution in kernel context by sending a specially crafted compressed SMBv3 packet. No credentials or user interaction are required, making it wormable across any network where port 445 is reachable.

10 min
CVE REFERENCE

CVE-2019-0708 (BlueKeep) Explained: Wormable RDP Zero-Day in Windows XP Through Server 2008

CVE-2019-0708 (BlueKeep) is a critical pre-authentication RCE vulnerability in Windows Remote Desktop Services affecting Windows XP, Vista, 7, and Server 2003/2008. Like EternalBlue, it is wormable — requiring no credentials or user interaction — and was rated CVSS 9.8 by NVD.

8 min
CVE REFERENCE

CVE-2017-0144 (EternalBlue) Explained: SMBv1 RCE Behind WannaCry and NotPetya

CVE-2017-0144 is the SMBv1 remote code execution vulnerability exploited by the EternalBlue exploit, originally developed by the NSA and leaked by the Shadow Brokers in April 2017. It powered both WannaCry and NotPetya — two attacks that caused a combined $30+ billion in global damages.

11 min

Supply Chain & Developer Ecosystem Attacks

Malicious packages, compromised maintainers, CI/CD pipeline attacks, and open source repository poisoning targeting software development infrastructure.

SUPPLY CHAIN

North Korea Supply Chain Attack: 1,700 Malicious npm, PyPI & Go Packages Linked to DPRK

Socket Security has documented 1,700+ malicious packages tied to North Korea's Contagious Interview campaign across five package ecosystems. Separately, UNC1069 compromised the Axios npm maintainer via social engineering, injecting a backdoor into a library present in an estimated 80% of cloud environments. Here's the full attack chain, WAVESHAPER.V2 IOCs, and what to do now.

14 min
CVE REFERENCE

CVE-2024-23897 Explained: Jenkins CLI Arbitrary File Read and RCE | Decryption Digest

CVE-2024-23897 is a critical Jenkins CLI vulnerability allowing unauthenticated arbitrary file reads via the args4j argument parser's @ file expansion feature. Disclosed January 2024, the flaw exposed Jenkins controller filesystems including credential stores and cryptographic keys. In certain configurations, key material exposure escalated to full remote code execution. CISA added it to KEV in February 2024.

10 min
CVE REFERENCE

CVE-2023-42793 Explained: JetBrains TeamCity Auth Bypass, CVSS 9.8

CVE-2023-42793 is a CVSS 9.8 authentication bypass in JetBrains TeamCity (< 2023.05.4) allowing an unauthenticated attacker to generate an admin-level API token with a single HTTP request. Full remote code execution follows via plugin upload. Exploited by North Korea's Lazarus Group, Russia's COZY BEAR (APT29), and multiple ransomware operators for CI/CD pipeline compromise and software supply chain attacks.

12 min
CVE REFERENCE

CVE-2023-34362 (MOVEit Transfer) Explained: CLOP SQL Injection That Breached 1,000+ Orgs

CVE-2023-34362 is a critical SQL injection vulnerability in Progress MOVEit Transfer that enables unauthenticated remote code execution. Exploited as a zero-day by the CLOP ransomware group beginning May 27, 2023, it was used to breach over 1,000 organizations simultaneously through data exfiltration without encryption. Victims include the US Department of Energy, Shell, British Airways, the BBC, Maximus, and hundreds more.

11 min
CVE REFERENCE

CVE-2021-44228 (Log4Shell) Explained: JNDI RCE in Apache Log4j 2, CVSS 10.0

CVE-2021-44228 — Log4Shell — is a critical remote code execution vulnerability in Apache Log4j 2 scoring a perfect 10.0 CVSS. A single malicious string sent to any log field triggers JNDI injection, allowing an attacker to execute arbitrary code on the vulnerable server with no authentication required.

12 min
CVE REFERENCE

CVE-2021-27101 (Accellion FTA / CLOP) Explained: SQL Injection That Fueled 100+ Organization Data Extortion

CVE-2021-27101 is a critical SQL injection vulnerability in Accellion FTA (File Transfer Appliance) that allows unauthenticated remote code execution. Exploited by the CLOP ransomware group beginning in December 2020, the vulnerability was used to steal sensitive files from over 100 organizations including government agencies, universities, law firms, and financial institutions, without deploying ransomware encryption.

10 min

Network Infrastructure & Firewall Exploits

RCE and authentication bypass vulnerabilities in firewalls, load balancers, DNS servers, and network appliances from Cisco, F5, Sophos, and Palo Alto.

WEEKLY ROUNDUP

Windows Zero-Day BlueHammer RedSun: April 2026 Roundup

Two unpatched Windows LPE zero-days are actively exploited with no patch. Plus Payouts King QEMU ransomware, CISA's 6 new KEVs, and Cisco 9.9 flaws.

14 min
THREAT ACTOR WATCH

Qilin Ransomware BYOVD Attack: How It Silences 300+ EDR Tools Before Detonating

Cisco Talos and Trend Micro confirm Qilin ransomware is using BYOVD to systematically disable 300+ EDR products before deploying ransomware. Here's the full attack chain and what to do about it.

12 min
CVE REFERENCE

CVE-2024-47575 (FortiJump) Explained: Fortinet FortiManager Auth Bypass (CVSS 9.8)

CVE-2024-47575 is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager (FortiManager Cloud also affected) that allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests to the FGFM (FortiGate to FortiManager) daemon. Dubbed 'FortiJump' by Mandiant. Exploited as a zero-day by UNC5820 — a suspected Chinese state-sponsored actor — targeting managed service providers and enterprise FortiManager deployments. CISA added it to the KEV catalog on October 23, 2024.

11 min
CVE REFERENCE

CVE-2024-20353 & CVE-2024-20359 ArcaneDoor Explained: Cisco ASA Zero-Days | Decryption Digest

CVE-2024-20353 and CVE-2024-20359 are two Cisco ASA and FTD zero-day vulnerabilities exploited in the ArcaneDoor espionage campaign by a suspected Chinese state-sponsored actor. The flaws enabled persistent backdoor implants (Line Dancer and Line Runner) on perimeter VPN devices protecting government and critical infrastructure networks across multiple countries. First exploitation observed in November 2023 — five months before public disclosure.

12 min
CVE REFERENCE

CVE-2024-3400 Explained: Palo Alto PAN-OS Command Injection (CVSS 10.0)

CVE-2024-3400 is a CVSS 10.0 OS command injection in Palo Alto Networks PAN-OS affecting devices with the GlobalProtect gateway or portal enabled. An unauthenticated attacker sends a crafted HTTP request with a malicious SESSID cookie value, achieving root-level remote code execution. Discovered and disclosed April 12, 2024, it was being actively exploited as a zero-day by a state-sponsored threat actor (UTA0218) since at least March 26, 2024.

13 min
CVE REFERENCE

CVE-2024-21762 Explained: Fortinet FortiOS SSL VPN RCE, CVSS 9.6

CVE-2024-21762 is a CVSS 9.6 out-of-bounds write in Fortinet FortiOS and FortiProxy SSL VPN. An unauthenticated remote attacker sends specially crafted HTTP requests to the SSL VPN web management interface, achieving arbitrary code or command execution. CISA added it to the Known Exploited Vulnerabilities catalog on February 9, 2024 — one day after disclosure — confirming active exploitation. Over 150,000 Fortinet devices were estimated to be running vulnerable firmware at time of disclosure.

11 min
CVE REFERENCE

CVE-2023-20198 Explained: Cisco IOS XE Zero-Day That Compromised 50,000 Devices

CVE-2023-20198 is a critical unauthenticated privilege escalation vulnerability in Cisco IOS XE software's web UI feature. Exploited as a zero-day before Cisco published any advisory, attackers used it to create administrator accounts and then chained it with CVE-2023-20273 to deploy a persistent Lua-based implant on over 50,000 network devices. No authentication or user interaction required.

10 min
CVE REFERENCE

CVE-2023-27997 (Fortinet FortiOS SSL-VPN) Explained: Pre-Auth Heap Overflow Zero-Day

CVE-2023-27997 is a pre-authentication heap buffer overflow in the Fortinet FortiOS SSL-VPN component enabling unauthenticated remote code execution on FortiGate VPN appliances. Exploited as a zero-day before Fortinet's June 2023 advisory, it affects FortiOS 6.0 through 7.2.4 with SSL-VPN enabled. CISA linked related Fortinet exploitation to Chinese state-sponsored actor Volt Typhoon targeting US critical infrastructure.

10 min
CVE REFERENCE

CVE-2022-3236 Explained: Sophos Firewall Zero-Day Code Injection | Decryption Digest

CVE-2022-3236 is a critical code injection vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall versions 19.5 MR3 and older. Exploited as a zero-day by a Chinese APT (Storm Cloud / Volt Typhoon cluster), the flaw enabled unauthenticated root-level code execution on internet-facing firewall appliances. Sophos delivered an automatic hotfix but it required manual intervention on restricted networks, leaving many deployments exposed.

9 min
CVE REFERENCE

CVE-2022-1388 (F5 BIG-IP iControl Auth Bypass) Explained: Unauthenticated Root in 24 Hours

CVE-2022-1388 is a critical authentication bypass vulnerability in the F5 BIG-IP iControl REST management API. Unauthenticated attackers with network access to the management interface can execute arbitrary OS commands as root by manipulating HTTP headers to bypass the API authentication layer. Mass exploitation began within 24 hours of F5's advisory. CISA and FBI issued a joint advisory warning of active exploitation.

9 min
CVE REFERENCE

CVE-2020-1350 SigRed Explained: Wormable Windows DNS Server RCE | Decryption Digest

CVE-2020-1350 (SigRed) is a critical wormable remote code execution vulnerability in Windows DNS Server discovered by Check Point Research and patched in July 2020. A crafted DNS response can trigger a heap overflow in dns.exe, granting SYSTEM-level code execution on any Windows Server configured as a DNS resolver — with no authentication and no user interaction required. CVSS 10.0.

10 min
CVE REFERENCE

CVE-2020-5902 (F5 BIG-IP TMUI RCE) Explained: CVSS 10.0 Root Access to Your Load Balancer

CVE-2020-5902 is a critical remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI). An unauthenticated attacker with network access to the TMUI can execute arbitrary system commands, create or delete files, enable or disable services, and fully compromise the BIG-IP device. With a CVSS score of 10.0, this vulnerability was exploited within hours of F5's advisory.

9 min
CVE REFERENCE

CVE-2018-13379 (Fortinet FortiGate VPN) Explained: 87,000 Credentials Exposed via Path Traversal

CVE-2018-13379 is a pre-authentication path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read system files from the VPN appliance by crafting a malicious URL, including session files that contain plaintext credentials. Credentials from over 87,000 FortiGate devices were published publicly in 2021 — many from devices patched but with credentials never rotated.

9 min

Linux & Open Source Vulnerabilities

Kernel privilege escalation, bash injection, package manager flaws, and authentication bypasses in Linux-based systems and popular open source software.

CVE REFERENCE

CVE-2024-6387 (regreSSHion) Explained: OpenSSH RCE Race Condition

CVE-2024-6387, dubbed regreSSHion by Qualys, is a signal handler race condition in OpenSSH's sshd daemon affecting versions 8.5p1 through 9.7p1 on glibc-based Linux. An unauthenticated attacker can exploit the race condition to achieve remote code execution as root. The vulnerability is a regression of CVE-2006-5051, which was fixed in 2006 and inadvertently reintroduced in OpenSSH 8.5p1 in 2021.

12 min
CVE REFERENCE

CVE-2023-32315 Explained: Openfire Authentication Bypass and Plugin RCE | Decryption Digest

CVE-2023-32315 is a critical path traversal vulnerability in the Openfire XMPP messaging server admin console (versions 3.10.0 through 4.7.4), patched in May 2023. An unauthenticated attacker can access the admin console setup wizard by bypassing the authentication filter via a URL path traversal, then upload a malicious Openfire plugin containing arbitrary Java code. Over 3,000 servers were compromised in active exploitation campaigns observed through mid-2023.

9 min
CVE REFERENCE

CVE-2023-28252 Explained: Windows CLFS Zero-Day Used by Nokoyawa Ransomware

CVE-2023-28252 is a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A low-privileged attacker exploits a flaw in CLFS log file parsing to escalate to SYSTEM privileges. Discovered being actively used by the Nokoyawa ransomware gang as part of their pre-ransomware deployment privilege escalation chain. Patched as a zero-day on the April 11, 2023 Patch Tuesday. CVSS 7.8.

10 min
CVE REFERENCE

CVE-2022-0847 (Dirty Pipe) Explained: Overwrite Read-Only Files, Get Root on Linux

CVE-2022-0847, named Dirty Pipe, is a Linux kernel vulnerability allowing any unprivileged local user to write to arbitrary read-only files and achieve root privilege escalation. Unlike the 2016 Dirty Cow vulnerability it resembles, Dirty Pipe requires no race condition — it is deterministic and reliable. Affects Linux kernels 5.8 through 5.16.10 and was quickly weaponized for container escapes and Android rooting.

9 min
CVE REFERENCE

CVE-2021-4034 (PwnKit) Explained: 12-Year polkit Flaw Gives Any Local User Root

CVE-2021-4034, named PwnKit by Qualys, is an out-of-bounds write vulnerability in pkexec — a SUID-root binary that is part of the polkit framework installed by default on virtually every Linux distribution. Any local unprivileged user can exploit it to gain root without any sudo permissions, without knowing any password, and without triggering standard auth log entries. Present since May 2009.

9 min
CVE REFERENCE

CVE-2021-3156 (Baron Samedit) Explained: Sudo Heap Overflow to Root on Linux

CVE-2021-3156, named Baron Samedit, is a heap-based buffer overflow in the sudo utility that allows any unprivileged local user to gain root privileges without authentication, without being listed in the sudoers file, and without any race condition. Present in sudo for nearly 10 years, it affects every major Linux distribution. Qualys developed working exploits for Ubuntu 20.04, 18.04, Debian 10, and Fedora 33 default installations.

9 min
CVE REFERENCE

CVE-2020-0796 (SMBGhost) Explained: Wormable Windows 10 Kernel RCE via SMBv3 Compression

CVE-2020-0796 (SMBGhost) is an integer overflow vulnerability in the SMBv3 compression feature introduced in Windows 10 1903. An unauthenticated attacker can achieve remote code execution in kernel context by sending a specially crafted compressed SMBv3 packet. No credentials or user interaction are required, making it wormable across any network where port 445 is reachable.

10 min
CVE REFERENCE

CVE-2014-6271 (Shellshock) Explained: Bash RCE via Environment Variables

CVE-2014-6271, known as Shellshock, is a remote code execution vulnerability in GNU Bash where function definitions stored in environment variables execute appended commands at shell startup. Any service passing attacker-controlled data through environment variables into Bash — primarily CGI-based web applications — is exploitable without authentication via a single HTTP request. Affected an estimated 500 million systems at disclosure.

11 min

Browser & Client-Side Zero-Days

Zero-day vulnerabilities in Chromium, Chrome, and PDF readers — use-after-free bugs, renderer escapes, and drive-by download chains exploited in the wild.

CVE WATCH

Adobe Acrobat CVE-2026-34621: PDF Zero-Day Exploit

Adobe Acrobat Reader CVE-2026-34621: prototype pollution zero-day exploited by an APT for 5 months before emergency patch APSB26-43.

9 min
ATTACK SURFACE

Malicious Chrome Extensions: 108 Stealing OAuth2 Tokens Now

108 malicious Chrome extensions steal Google OAuth2 tokens from 20,000 users. All linked to one C2. All still live in the Chrome Web Store.

11 min
CVE WATCH (Featured)

Microsoft Patch Tuesday April 2026: 167 CVEs, 2 Zero-Days, and an Adobe Exploit Active Since November

April 2026 Patch Tuesday is the second-largest in Microsoft's history: 167 CVEs, 2 zero-days, and an Adobe Acrobat Reader flaw actively exploited by an APT-linked actor since at least November 2025. CVE-2026-34621 and CVE-2026-32201 are on CISA's KEV catalog today. BlueHammer (CVE-2026-33825) had a working public PoC before the patch. Here's the full priority triage, attack chain details, and a six-step action list.

16 min
CVE WATCH

Chrome Zero-Day CVE-2026-5281: WebGPU Use-After-Free Exploited in the Wild

Google shipped an emergency patch for CVE-2026-5281, a use-after-free in Chrome's Dawn/WebGPU component confirmed exploited in the wild. CISA added it to KEV the next day with an April 15 deadline. Here's what happened, why renderer-compromise-required is not reassuring, and what your fleet needs right now.

10 min
CVE REFERENCE

CVE-2023-38831 Explained: WinRAR Code Execution via Crafted ZIP Archive

CVE-2023-38831 is a code execution vulnerability in WinRAR versions before 6.23. An attacker builds a ZIP archive containing a benign-looking file, such as a PDF or image, alongside a directory whose name is that same filename with a trailing space and which holds a script. When the victim double-clicks the apparent document inside WinRAR, the script from that directory is launched instead. Exploited by Russian APT28 (Fancy Bear) and Chinese APT40, among other state-backed groups, in targeted spear-phishing campaigns against financial traders and government officials.

10 min
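
The WinRAR entry above turns on a structural quirk of the lure archive: a top-level decoy file and a directory that differs from it only by trailing whitespace. The following is an added example, not code from the original page or from WinRAR: it constructs an in-memory ZIP with that layout (the filenames and script contents are made up for illustration) and a scanner that reports such collisions, which is the kind of static check a mail gateway or sandbox pre-filter can run without opening the archive in WinRAR.

```python
import io
import zipfile


def build_lure_archive():
    """Constructed sample laid out like the CVE-2023-38831 lures: a decoy
    document next to a directory named after it with a trailing space, holding
    the script that WinRAR (< 6.23) actually ran on double-click."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Report.pdf", b"%PDF-1.4\n% decoy, never shown\n")
        zf.writestr(
            "Trading_Report.pdf /Trading_Report.pdf .cmd",
            b"@echo off\r\nstart \"\" \"%TEMP%\\payload.exe\"\r\n",
        )
    return buf.getvalue()


def build_clean_archive():
    """Constructed benign archive with an ordinary nested directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Report.pdf", b"%PDF-1.4\n")
        zf.writestr("notes/readme.txt", b"nothing unusual\n")
    return buf.getvalue()


def decoy_collisions(zip_bytes):
    """Map each top-level file to the entries inside a directory whose name
    equals that filename apart from trailing whitespace. Empty when the
    archive has no such collision."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    top_files = {n for n in names if "/" not in n}
    findings = {}
    for n in names:
        if "/" not in n:
            continue
        top_dir = n.split("/", 1)[0]
        decoy = top_dir.rstrip()
        # Only a directory name that collapses onto an existing top-level
        # filename once trailing whitespace is removed is suspicious.
        if decoy != top_dir and decoy in top_files:
            findings.setdefault(decoy, []).append(n)
    return findings


if __name__ == "__main__":
    print(decoy_collisions(build_lure_archive()))
    # {'Trading_Report.pdf': ['Trading_Report.pdf /Trading_Report.pdf .cmd']}
    print(decoy_collisions(build_clean_archive()))  # {}
```

The check is deliberately narrow: it keys on the name collision rather than on any particular script extension, because the script type is the attacker's choice while the collision is what the vulnerable code path needed. Python's zipfile preserves the trailing space in entry names, which is why the sample round-trips; tools that normalise names on extraction will hide the collision, so scan the central directory, not an extracted tree.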
CVE REFERENCE

CVE-2021-40444 (MSHTML) Explained: One-Click Office RCE Without Macros

CVE-2021-40444 is a remote code execution vulnerability in the MSHTML (Trident) browser engine built into Windows. A malicious Office document embedding a specially crafted ActiveX control causes MSHTML to download and execute a malicious DLL from an attacker-controlled server as soon as the document is opened. No macros are used and no Enable Content prompt appears, so opening the file is the only user action required. The exploit was used in targeted attacks before Microsoft patched it.

9 min

OT/ICS & Critical Infrastructure

Attacks targeting operational technology, industrial control systems, PLCs, SCADA networks, and critical infrastructure — water, energy, and manufacturing sectors.

THREAT ACTOR

CyberAv3ngers Iran IRGC: Critical Infrastructure PLC Attack

CyberAv3ngers: Iran's IRGC-linked APT inside US water, energy and government PLCs — CVE-2021-22681 CVSS 9.8 has no patch and they are escalating.

12 min
WEEKLY ROUNDUP

Windows Zero-Day BlueHammer RedSun: April 2026 Roundup

Two unpatched Windows LPE zero-days are actively exploited with no patch. Plus Payouts King QEMU ransomware, CISA's 6 new KEVs, and Cisco 9.9 flaws.

14 min
DARK WEB INTEL

ShinyHunters McGraw-Hill Breach: 45M Salesforce Records on Dark Web

ShinyHunters listed McGraw-Hill on their dark web extortion portal claiming 45 million Salesforce records containing PII. McGraw-Hill confirmed the breach on April 14, 2026 — the same day the ransom deadline expired — characterising it as 'limited and non-sensitive.' ShinyHunters also hit Rockstar Games, Hims & Hers, and the European Commission in 2026. The root cause: a Salesforce misconfiguration affecting multiple tenants. Full breakdown of the attack model, ShinyHunters' 2026 campaign, and what organisations on Salesforce need to do today.

12 min
CVE WATCH

Chrome Zero-Day CVE-2026-5281: WebGPU Use-After-Free Exploited in the Wild

Google shipped an emergency patch for CVE-2026-5281, a use-after-free in Chrome's Dawn/WebGPU component confirmed exploited in the wild. CISA added it to KEV the next day with an April 15 deadline. Here's what happened, why renderer-compromise-required is not reassuring, and what your fleet needs right now.

10 min
CVE REFERENCE

CVE-2024-6387 (regreSSHion) Explained: OpenSSH RCE Race Condition

CVE-2024-6387, dubbed regreSSHion by Qualys, is a signal handler race condition in OpenSSH's sshd daemon affecting versions 8.5p1 through 9.7p1 on glibc-based Linux. An unauthenticated attacker can exploit the race condition to achieve remote code execution as root. The vulnerability is a regression of CVE-2006-5051, which was fixed in 2006 and inadvertently reintroduced in OpenSSH 8.5p1 in 2021.

12 min
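
The regreSSHion entry above gives an affected range (8.5p1 through 9.7p1) that fleet owners typically triage from sshd banners. The following is an added example, not code from the original page or from Qualys: it parses the version out of an SSH banner, tests it against that range, and treats a vendor suffix as a signal that the banner alone cannot settle the question, since distributions backport the fix without bumping the upstream version string. The banners are constructed samples.

```python
import re

# Range from the advisory: 8.5p1 reintroduced the bug, 9.7p1 is the last
# affected release, 9.8p1 carries the fix.
AFFECTED_MIN = (8, 5, 1)
AFFECTED_MAX = (9, 7, 1)

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# Anything after the version token (e.g. "Ubuntu-3ubuntu13") is a vendor
# suffix: the package may already contain a backported fix.
VENDOR_SUFFIX_RE = re.compile(r"OpenSSH_\S+\s+\S")

# Constructed sample banners as a scanner would record them.
SAMPLE_BANNERS = {
    "10.0.0.11": "SSH-2.0-OpenSSH_9.7p1",
    "10.0.0.12": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "10.0.0.13": "SSH-2.0-OpenSSH_9.8p1",
    "10.0.0.14": "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "10.0.0.15": "SSH-2.0-dropbear_2022.83",
}


def parse_openssh_version(banner):
    """(major, minor, portable) tuple, or None if not an OpenSSH banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def triage(banner):
    """Classify one banner for CVE-2024-6387 follow-up."""
    v = parse_openssh_version(banner)
    if v is None:
        return "unknown-server"
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return "not-affected-by-version"
    if VENDOR_SUFFIX_RE.search(banner):
        # Version in range but vendor-built: confirm via the package
        # changelog or the distro's security tracker before acting.
        return "affected-version-verify-package"
    return "affected"


def triage_all(banners):
    return {host: triage(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage_all(SAMPLE_BANNERS).items():
        print(host, verdict)
```

Two caveats the advisory itself implies and the code does not try to resolve: the bug is only known to be exploitable on glibc-based Linux, so a matching version on another platform is lower priority, and a banner in range is a reason to check, not proof of exposure.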
CVE REFERENCE

CVE-2024-20353 & CVE-2024-20359 ArcaneDoor Explained: Cisco ASA Zero-Days | Decryption Digest

CVE-2024-20353 and CVE-2024-20359 are two Cisco ASA and FTD zero-day vulnerabilities exploited in the ArcaneDoor espionage campaign by a suspected Chinese state-sponsored actor. The flaws enabled persistent backdoor implants (Line Dancer and Line Runner) on perimeter VPN devices protecting government and critical infrastructure networks across multiple countries. First exploitation observed in November 2023 — five months before public disclosure.

12 min
CVE REFERENCE

CVE-2024-3400 Explained: Palo Alto PAN-OS Command Injection (CVSS 10.0)

CVE-2024-3400 is a CVSS 10.0 OS command injection in Palo Alto Networks PAN-OS affecting devices with the GlobalProtect gateway or portal enabled. An unauthenticated attacker sends a crafted HTTP request with a malicious SESSID cookie value, achieving root-level remote code execution. Discovered and disclosed April 12, 2024, it was being actively exploited as a zero-day by a state-sponsored threat actor (UTA0218) since at least March 26, 2024.

13 min
CVE REFERENCE

CVE-2023-3519 Explained: Citrix NetScaler ADC/Gateway Unauthenticated RCE

CVE-2023-3519 is a CVSS 9.8 unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway (formerly Citrix ADC / Citrix Gateway). Exploited as a zero-day before any patch was available, it was used to compromise a US critical infrastructure organization. After patches were released, mass exploitation resulted in over 2,000 backdoored appliances within days. Requires the device to be configured as a Gateway or AAA virtual server.

11 min
CVE REFERENCE

CVE-2023-27997 (Fortinet FortiOS SSL-VPN) Explained: Pre-Auth Heap Overflow Zero-Day

CVE-2023-27997 is a pre-authentication heap buffer overflow in the Fortinet FortiOS SSL-VPN component enabling unauthenticated remote code execution on FortiGate VPN appliances. Exploited as a zero-day before Fortinet's June 2023 advisory, it affects FortiOS 6.0 through 7.2.4 with SSL-VPN enabled. CISA linked related Fortinet exploitation to Chinese state-sponsored actor Volt Typhoon targeting US critical infrastructure.

10 min
CVE REFERENCE

CVE-2022-3236 Explained: Sophos Firewall Zero-Day Code Injection | Decryption Digest

CVE-2022-3236 is a critical code injection vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall v19.0 MR1 (19.0.1) and older. Exploited as a zero-day by a Chinese APT (Storm Cloud / Volt Typhoon cluster), the flaw enabled unauthenticated root-level code execution on internet-facing firewall appliances. Sophos delivered an automatic hotfix, but devices that do not accept automatic hotfixes, such as those on restricted networks, required manual intervention, leaving many deployments exposed.

9 min
CVE REFERENCE

CVE-2022-1388 (F5 BIG-IP iControl Auth Bypass) Explained: Unauthenticated Root in 24 Hours

CVE-2022-1388 is a critical authentication bypass vulnerability in the F5 BIG-IP iControl REST management API. Unauthenticated attackers with network access to the management interface can execute arbitrary OS commands as root by manipulating HTTP headers to bypass the API authentication layer. Mass exploitation began within 24 hours of F5's advisory. CISA and FBI issued a joint advisory warning of active exploitation.

9 min
CVE REFERENCE

CVE-2022-0847 (Dirty Pipe) Explained: Overwrite Read-Only Files, Get Root on Linux

CVE-2022-0847, named Dirty Pipe, is a Linux kernel vulnerability allowing any unprivileged local user to write to arbitrary read-only files and achieve root privilege escalation. Unlike the 2016 Dirty Cow vulnerability it resembles, Dirty Pipe requires no race condition — it is deterministic and reliable. Affects Linux kernels 5.8 through 5.16.10 and was quickly weaponized for container escapes and Android rooting.

9 min
CVE REFERENCE

CVE-2021-4034 (PwnKit) Explained: 12-Year polkit Flaw Gives Any Local User Root

CVE-2021-4034, named PwnKit by Qualys, is an out-of-bounds write vulnerability in pkexec — a SUID-root binary part of the polkit framework installed by default on virtually every Linux distribution. Any local unprivileged user can exploit it to gain root without any sudo permissions, without knowing any password, and without triggering standard auth log entries. Present since May 2009.

9 min
CVE REFERENCE

CVE-2021-22005 Explained: VMware vCenter Unauthenticated RCE | Decryption Digest

CVE-2021-22005 is a critical unauthenticated file upload vulnerability in VMware vCenter Server's CEIP analytics service. Disclosed September 2021, it allowed any attacker with network access to the vCenter HTTPS interface to upload an arbitrary file and achieve remote code execution as the vCenter service account — effectively granting control of every managed virtual machine. Mass exploitation began within 48 hours of disclosure.

10 min
CVE REFERENCE

CVE-2021-40539 Explained: ManageEngine ADSelfService Plus Auth Bypass RCE | Decryption Digest

CVE-2021-40539 is a critical authentication bypass and remote code execution vulnerability in ManageEngine ADSelfService Plus (versions before build 6114), patched in September 2021. The flaw allowed unauthenticated attackers to access protected REST API endpoints and upload a JSP webshell, achieving code execution on the server. APT41 and at least two other threat actor clusters exploited it against U.S. defense contractors, academic institutions, and critical infrastructure. CVSS 9.8.

10 min
CVE REFERENCE

CVE-2021-34473 (ProxyShell) Explained: Pre-Auth Exchange RCE Chain Used by LockFile and Hive

CVE-2021-34473 is the first link in the ProxyShell exploit chain — three Microsoft Exchange Server vulnerabilities that together enable unauthenticated remote code execution. Chained with CVE-2021-34523 and CVE-2021-31207, an attacker can reach Exchange's backend PowerShell endpoint without credentials, impersonate any mailbox user, and write arbitrary files to Exchange's web root to deploy a web shell.

11 min
CVE REFERENCE

CVE-2021-21985 (VMware vCenter RCE) Explained: Unauthenticated Root Access to Every VM

CVE-2021-21985 is a critical remote code execution vulnerability in VMware vCenter Server's vSphere Client web interface. An unauthenticated attacker with network access to vCenter's HTTPS port can send a specially crafted request to the Virtual SAN Health Check plugin — enabled by default — to achieve RCE with root or SYSTEM privileges on the vCenter server. Compromise of vCenter means control over every virtual machine in the managed infrastructure.

9 min
CVE REFERENCE

CVE-2021-3156 (Baron Samedit) Explained: Sudo Heap Overflow to Root on Linux

CVE-2021-3156, named Baron Samedit, is a heap-based buffer overflow in the sudo utility that allows any unprivileged local user to gain root privileges without authentication, without being listed in the sudoers file, and without any race condition. Present in sudo for nearly 10 years, it affects every major Linux distribution. Qualys developed working exploits for Ubuntu 20.04, 18.04, Debian 10, and Fedora 33 default installations.

9 min

Enterprise Application Vulnerabilities

Authentication bypasses, deserialization flaws, and RCE in widely-deployed enterprise software — VMware, ManageEngine, Confluence, ServiceNow, and more.

CVE REFERENCE

CVE-2024-38094 Explained: SharePoint Deserialization RCE to Domain Compromise | Decryption Digest

CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. Site Owner-authenticated attackers can execute arbitrary code on the SharePoint server. Real-world campaigns chained it with a privilege escalation bug to achieve full domain compromise. CISA added it to the Known Exploited Vulnerabilities catalog in October 2024.

9 min
CVE REFERENCE

CVE-2024-37085 Explained: VMware ESXi AD Auth Bypass Exploited by Ransomware

CVE-2024-37085 is an authentication bypass (CVSS 6.8) in VMware ESXi that allows a domain user who is a member of an Active Directory group named 'ESX Admins' to gain full administrative access to the ESXi hypervisor — regardless of whether that group was explicitly configured for ESXi access. Exploited by at least five ransomware groups (Black Basta, Akira, Medusa, RansomHub, and Scattered Spider) to target ESXi hosts directly, encrypting VM storage files and achieving mass disruption across virtualised environments.

11 min
CVE REFERENCE

CVE-2023-46604 Explained: Apache ActiveMQ CVSS 10.0 RCE via OpenWire

CVE-2023-46604 is a CVSS 10.0 deserialization / remote class loading vulnerability in Apache ActiveMQ's OpenWire protocol. An unauthenticated attacker sends a crafted OpenWire command to the broker port (61616 by default) that names an arbitrary Java class for the broker to instantiate; the widely used chain points a Spring ClassPathXmlApplicationContext at an attacker-hosted XML file, so the broker fetches and executes attacker-supplied code from an HTTP server. Active exploitation by HelloKitty ransomware and the Kinsing cryptominer began within days of the advisory. Affects ActiveMQ versions before 5.15.16, 5.16.7, 5.17.6, and 5.18.3.

11 min
CVE REFERENCE

CVE-2023-4966 (Citrix Bleed) Explained: Session Token Theft That Bypasses MFA

CVE-2023-4966, named Citrix Bleed, is a buffer over-read vulnerability in Citrix NetScaler ADC and Gateway that leaks memory contents — including active user session tokens — via unauthenticated HTTP requests. Stolen tokens bypass MFA because they represent already-authenticated sessions. Exploited as a zero-day by LockBit ransomware against Boeing, Comcast Xfinity, and others.

10 min
CVE REFERENCE

CVE-2023-22515 (Confluence Broken Access Control) Explained: Nation-State Zero-Day Admin Takeover

CVE-2023-22515 is a maximum-severity broken access control vulnerability in Atlassian Confluence Data Center and Server. An unauthenticated external attacker can reach Confluence's setup endpoint on a fully configured instance and create a new administrator account, gaining complete control without credentials. Microsoft attributed active exploitation to Storm-0062 (a Chinese state-sponsored threat actor) beginning September 14, 2023 — three weeks before Atlassian's advisory.

10 min
CVE REFERENCE

CVE-2023-3519 Explained: Citrix NetScaler ADC/Gateway Unauthenticated RCE

CVE-2023-3519 is a CVSS 9.8 unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway (formerly Citrix ADC / Citrix Gateway). Exploited as a zero-day before any patch was available, it was used to compromise a US critical infrastructure organization. After patches were released, mass exploitation resulted in over 2,000 backdoored appliances within days. Requires the device to be configured as a Gateway or AAA virtual server.

11 min
CVE REFERENCE

CVE-2023-34362 (MOVEit Transfer) Explained: CLOP SQL Injection That Breached 1,000+ Orgs

CVE-2023-34362 is a critical SQL injection vulnerability in Progress MOVEit Transfer that enables unauthenticated remote code execution. Exploited as a zero-day by the CLOP ransomware group beginning May 27, 2023, it was used to breach over 1,000 organizations simultaneously through data exfiltration without encryption. Victims include the US Department of Energy, Shell, British Airways, the BBC, Maximus, and hundreds more.

11 min
CVE REFERENCE

CVE-2023-0669 Explained: GoAnywhere MFT RCE Exploited by Cl0p Ransomware

CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT (Managed File Transfer). The Cl0p ransomware group exploited it as a zero-day for approximately 10 days before any advisory was published, claiming over 130 victim organisations. The vulnerability allows unauthenticated attackers to execute commands on the GoAnywhere server via a Java deserialization attack against the administrative console. Affected versions: GoAnywhere MFT prior to 7.1.2.

12 min
CVE REFERENCE

CVE-2022-47966 Explained: ManageEngine SAML RCE Affecting 24 Products (CVSS 9.8)

CVE-2022-47966 is a CVSS 9.8 unauthenticated RCE vulnerability affecting up to 24 Zoho ManageEngine products. It exploits a vulnerable Apache Santuario (XML Security for Java) component in the SAML SSO implementation, allowing an attacker to execute arbitrary code on any ManageEngine server where SAML-based single sign-on is or was enabled. Exploited by APT41 and other nation-state actors within weeks of the January 2023 disclosure. Affects products widely deployed in enterprise IT management: ServiceDesk Plus, Desktop Central, OpManager, and more.

11 min
CVE REFERENCE

CVE-2022-26134 (Confluence OGNL Zero-Day) Explained: CVSS 10.0 Pre-Auth RCE Exploited Before Patch

CVE-2022-26134 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center, enabling unauthenticated remote code execution. Disclosed as a zero-day on June 2, 2022 with active exploitation already confirmed, this vulnerability scores 10.0 CVSS. Within hours of technical details becoming public, mass scanning and exploitation began across the internet.

9 min
CVE REFERENCE

CVE-2021-22005 Explained: VMware vCenter Unauthenticated RCE | Decryption Digest

CVE-2021-22005 is a critical unauthenticated file upload vulnerability in VMware vCenter Server's CEIP analytics service. Disclosed September 2021, it allowed any attacker with network access to the vCenter HTTPS interface to upload an arbitrary file and achieve remote code execution as the vCenter service account — effectively granting control of every managed virtual machine. Mass exploitation began within 48 hours of disclosure.

10 min
CVE REFERENCE

CVE-2021-40539 Explained: ManageEngine ADSelfService Plus Auth Bypass RCE | Decryption Digest

CVE-2021-40539 is a critical authentication bypass and remote code execution vulnerability in ManageEngine ADSelfService Plus (versions before build 6114), patched in September 2021. The flaw allowed unauthenticated attackers to access protected REST API endpoints and upload a JSP webshell, achieving code execution on the server. APT41 and at least two other threat actor clusters exploited it against U.S. defense contractors, academic institutions, and critical infrastructure. CVSS 9.8.

10 min
CVE REFERENCE

CVE-2021-26084 (Confluence OGNL) Explained: Pre-Auth RCE Exploited Within Hours of PoC Release

CVE-2021-26084 is a server-side template injection vulnerability in Atlassian Confluence Server and Data Center. An unauthenticated attacker can inject OGNL expressions via query parameters, achieving remote code execution on the Confluence server. The vulnerability was exploited at mass scale within hours of public PoC release, with ransomware groups and nation-state actors among the first adopters.

9 min
CVE REFERENCE

CVE-2021-34527 (PrintNightmare) Explained: Windows Print Spooler RCE Affecting All Windows Versions

CVE-2021-34527 (PrintNightmare) is a critical vulnerability in the Windows Print Spooler service enabling remote code execution with SYSTEM privileges. A proof-of-concept was accidentally published publicly on June 29, 2021, triggering emergency out-of-band patches and immediate mass exploitation.

8 min
CVE REFERENCE

CVE-2021-21985 (VMware vCenter RCE) Explained: Unauthenticated Root Access to Every VM

CVE-2021-21985 is a critical remote code execution vulnerability in VMware vCenter Server's vSphere Client web interface. An unauthenticated attacker with network access to vCenter's HTTPS port can send a specially crafted request to the Virtual SAN Health Check plugin — enabled by default — to achieve RCE with root or SYSTEM privileges on the vCenter server. Compromise of vCenter means control over every virtual machine in the managed infrastructure.

9 min
CVE REFERENCE

CVE-2019-19781 (Citrix ADC Shitrix) Explained: Pre-Auth RCE on VPN Gateways

CVE-2019-19781 is a pre-authentication path traversal vulnerability in Citrix ADC (NetScaler ADC) and Citrix Gateway that allows unauthenticated attackers to execute arbitrary OS commands. Exploited at mass scale before patches were released, it was used by nation-state APT groups and ransomware operators to compromise enterprise and government VPN gateways worldwide.

10 min

Get new analyses in your inbox

New CVE breakdowns and threat intelligence briefings every week — free.

Subscribe Free