Notable CVEs#
Reference of high-impact CVEs an operator should recognize on sight. The CVE catalog contains 250,000+ entries; the ones below are the small set that defined the modern threat-and-patch cadence.
For real-time prioritization, consult CISA KEV (Known Exploited Vulnerabilities) and EPSS (Exploit Prediction Scoring System); they’re the live, action-guiding lists. For techniques and groups, see Hacking and Hacker Groups.
The classics (RCE / pre-auth)#
CVE |
Notes |
|---|---|
CVE-2014-0160 |
Heartbleed; OpenSSL TLS heartbeat memory-disclosure; pre-auth; one of the earliest mass-impact OSS bugs. |
CVE-2014-6271 |
Shellshock; bash function parsing; pre-auth RCE via any CGI / DHCP / SSH ForceCommand. |
CVE-2017-0144 |
EternalBlue (MS17-010); SMBv1 RCE; powered WannaCry, NotPetya, Bad Rabbit. |
CVE-2017-5638 |
Apache Struts 2 OGNL; pre-auth RCE; Equifax breach. |
CVE-2017-7494 |
SambaCry; SMB RCE on Linux Samba. |
CVE-2017-9805 |
Struts 2 REST plugin RCE (XStream). |
CVE-2018-7600 |
Drupalgeddon 2; Drupal pre-auth RCE. |
CVE-2019-0708 |
BlueKeep; pre-auth RDP RCE on legacy Windows. |
CVE-2019-19781 |
Citrix ADC / Gateway path traversal -> RCE. |
CVE-2020-0796 |
SMBGhost; SMBv3 compression pre-auth RCE. |
CVE-2020-1472 |
Zerologon; Netlogon AES-CFB8 zero-IV downgrade -> instant Domain Admin. |
CVE-2020-5902 |
F5 BIG-IP TMUI RCE. |
CVE-2021-3156 |
Sudo Baron Samedit; sudo heap overflow; local privesc to root. |
CVE-2021-26855 |
ProxyLogon; Exchange Server pre-auth SSRF + auth bypass; HAFNIUM mass exploit. |
CVE-2021-34527 |
PrintNightmare; Print Spooler RCE / privesc. |
CVE-2021-34473 |
ProxyShell (chain with -34523 / -31207); Exchange RCE. |
CVE-2021-44228 |
Log4Shell; JNDI lookup in log4j 2 -> RCE; “every Java app on the internet”; multi-year tail. |
CVE-2021-45046 |
follow-up Log4j patch bypass. |
CVE-2022-22965 |
Spring4Shell; Spring Framework RCE via class loader. |
CVE-2022-30190 |
Follina / MSDT; Office document RCE via ms-msdt:. |
CVE-2022-26134 |
Atlassian Confluence OGNL injection RCE. |
CVE-2022-1388 |
F5 BIG-IP iControl auth bypass -> RCE. |
CVE-2022-41040 + -41082 |
ProxyNotShell; Exchange post-auth chain. |
CVE-2023-23397 |
Outlook NTLM credential leak via crafted appointment (no click). |
CVE-2023-34362 |
MOVEit Transfer SQLi -> RCE; Cl0p mass exploit. |
CVE-2023-3519 |
Citrix NetScaler ADC / Gateway pre-auth RCE. |
CVE-2023-46805 + CVE-2024-21887 |
Ivanti Connect Secure pre-auth chain. |
CVE-2024-3094 |
XZ Utils backdoor (sshd); supply-chain near-miss in liblzma, caught at build time. |
CVE-2024-21412 |
Microsoft Defender SmartScreen bypass; in-the-wild abuse. |
CVE-2024-21893 |
Ivanti SAML SSRF; 0-day. |
Web app classics#
CVE |
Notes |
|---|---|
CVE-2017-5638 |
Struts (above). |
CVE-2017-9805 |
Struts REST. |
CVE-2018-1273 |
Spring Data Commons RCE. |
CVE-2019-2725 |
Oracle WebLogic RCE. |
CVE-2019-3396 |
Confluence Widget Connector RCE. |
CVE-2021-22941 |
Citrix ShareFile pre-auth RCE. |
CVE-2021-26084 |
Confluence OGNL pre-auth RCE. |
CVE-2022-1040 |
Sophos Firewall pre-auth RCE. |
CVE-2023-22515 |
Confluence Data Center / Server priv-esc. |
CVE-2023-22518 |
Confluence broken access control. |
CVE-2023-29298 + CVE-2023-38203 |
Adobe ColdFusion auth bypass + RCE. |
CVE-2024-23897 |
Jenkins arbitrary file read via CLI. |
Browser / client#
CVE |
Notes |
|---|---|
CVE-2021-30860 |
FORCEDENTRY; iMessage CoreGraphics zero-click; NSO Pegasus chain. |
CVE-2022-22587 |
iOS WebKit + IOMobileFrameBuffer; Pegasus. |
CVE-2023-41064 |
iOS BLASTPASS chain (with -41061); zero-click; Pegasus. |
CVE-2023-32434 |
iOS triangulation operation chain (kernel). |
CVE-2024-23222 |
Safari WebKit type confusion; in-the-wild iOS exploit. |
CVE-2024-44131 |
Magnet GoldDigger iOS exploit chain. |
CVE-2023-3079 |
Chrome V8 type confusion; in-the-wild. |
CVE-2024-7965 |
Chrome V8 (mid-2024); in-the-wild. |
CVE-2024-30056 |
Edge / Chromium spoofing. |
Cloud / SaaS#
CVE |
Notes |
|---|---|
CVE-2019-5736 |
runc container escape (host root). |
CVE-2022-0185 |
Linux fs context heap overflow; container escape. |
CVE-2022-0492 |
cgroups v1 release_agent escape. |
CVE-2024-21626 |
runc /proc fd leak; container escape. |
CVE-2023-2640 + CVE-2023-32629 |
Ubuntu OverlayFS local privesc (“GameOver(lay)”). |
CVE-2023-50387 |
KeyTrap; DNSSEC validator algorithmic complexity DoS. |
CVE-2024-3661 |
TunnelVision; DHCP option 121 to bypass VPN routing. |
Network appliances#
CVE |
Notes |
|---|---|
CVE-2020-3452 |
Cisco ASA / FTD path traversal. |
CVE-2021-22893 |
Pulse Connect Secure pre-auth RCE. |
CVE-2022-1388 |
F5 BIG-IP iControl auth bypass. |
CVE-2022-30190 |
Follina (already listed). |
CVE-2022-40684 |
Fortinet FortiOS / FortiProxy auth bypass. |
CVE-2023-20198 |
Cisco IOS XE web UI privesc + cred theft (mass exploit). |
CVE-2023-27997 |
Fortinet FortiOS heap overflow pre-auth RCE. |
CVE-2024-3400 |
Palo Alto GlobalProtect pre-auth RCE; in-the-wild. |
CVE-2024-23113 |
Fortinet fortiOS format-string pre-auth RCE. |
Privilege escalation#
CVE |
Notes |
|---|---|
CVE-2016-5195 |
Dirty COW; Linux kernel COW race; local privesc. |
CVE-2017-1000405 |
Huge Dirty COW. |
CVE-2019-13272 |
PTRACE_TRACEME local privesc. |
CVE-2021-3156 |
Baron Samedit sudo (above). |
CVE-2021-4034 |
PwnKit; pkexec (polkit) heap overflow; local root. |
CVE-2022-0847 |
Dirty Pipe; Linux kernel splice() pipe overwrite. |
CVE-2022-2588 |
CONFIG_NF_TABLES netfilter UAF. |
CVE-2023-32233 |
Stacked VLAN netfilter use-after-free. |
CVE-2023-2640 + CVE-2023-32629 |
GameOver(lay) Ubuntu kernel privesc. |
CVE-2024-1086 |
Linux nf_tables UAF privesc. |
Cryptographic / protocol#
CVE |
Notes |
|---|---|
CVE-2014-3566 |
POODLE; SSL 3.0 padding-oracle. |
CVE-2014-0224 |
CCS Injection in OpenSSL. |
CVE-2015-0204 |
FREAK; export-grade RSA downgrade. |
CVE-2015-4000 |
Logjam; weak DH parameters. |
CVE-2016-2107 |
DROWN; SSLv2 cross-protocol. |
CVE-2017-13099 |
ROBOT; PKCS#1 v1.5 oracle. |
CVE-2018-12404 |
CryptoAPI CMS validation. |
CVE-2018-0886 |
CredSSP / RDP MITM. |
CVE-2020-0601 |
CurveBall / ChainOfFools; CryptoAPI ECDSA cert verification flaw. |
CVE-2017-15361 |
ROCA; Infineon RSA key generation flaw. |
CVE-2023-50868 |
NSEC3 DoS. |
Supply chain#
Event |
Notes |
|---|---|
SolarWinds SUNBURST |
trojanised Orion update (2020); APT29. |
Codecov bash-upload er |
CI script tampering (2021). |
Kaseya VSA RCE + ransomware |
REvil ransomware on ~1500 MSPs (2021). |
3CX Desktop App |
trojanised installer (Mar 2023); Lazarus / Trading Technologies link. |
Polyfill.io |
attacker-controlled CDN (Jun 2024). |
ctx / phpass typo |
PyPI / Packagist typosquats. |
xz-utils CVE-2024-3 |
094 backdoored sshd build chain; near-miss. |
Ledger Connect Kit |
npm-account compromise; injected wallet drainer (2023). |
event-stream |
npm; supply-chain crypto theft (2018). |
ua-parser-js, coa, rc |
npm typosquat / hijack incidents (2021). |
Catalogs#
Source |
Notes |
|---|---|
NVD |
NIST National Vulnerability Database; CVE + CVSS. |
CVE |
MITRE; the standard identifier list. |
CISA KEV |
Known Exploited Vulnerabilities; the actionable patch list. |
EPSS |
Exploit Prediction Scoring System (FIRST.org). |
GitHub Advisory |
Open-source-package vulnerabilities. |
GitHub Security Lab |
CodeQL-based research output. |
OSV.dev |
Open-source vulnerability database. |
ExploitDB |
Public PoCs (Offensive Security). |
Packet Storm |
Public PoCs. |
Vulners.com |
Vulnerability search engine. |
0day.today |
PoC marketplace. |
Zerodium / Crowdfen se |
Public-bid 0day brokers. |
ZDI (Trend Micro) |
ZDI advisories. |
Operator notes#
CISA KEV first, patch what’s being exploited, not what scores high on CVSS.
EPSS is the live exploit-probability score; combine with exposure for prioritization.
Mass-exploit windows, after public PoC, the typical internet-wide scanning kicks in within hours; assume your exposed services are being probed.
CVSS != risk, CVSS is severity in a vacuum; risk requires context (exposure, compensating controls, asset value).
Beyond patches, some CVEs require config or upgrade, not patch (Log4Shell mitigations included formatMsgNoLookups, removing JndiLookup class, upgrade to 2.17+).
Authentication is not protection, many of the worst bugs are pre-auth; auth-required bugs are still routinely reachable by initial-access brokers.
Embedded / firmware, IoT / appliance CVEs often go unpatched because the vendor is gone or the firmware is immutable; track separately.
References#
Citizen Lab, mobile spyware / zero-click research.
Hacking, techniques.
Hacker Groups, attribution.
Malware, payloads delivered via these.
Data Breaches, breaches caused by these.