Notable CVEs#

Reference of high-impact CVEs an operator should recognize on sight. The CVE catalog contains 250,000+ entries; the ones below are the small set that defined the modern threat-and-patch cadence.

For real-time prioritization, consult CISA KEV (Known Exploited Vulnerabilities) and EPSS (Exploit Prediction Scoring System); they’re the live, action-guiding lists. For techniques and groups, see Hacking and Hacker Groups.

The classics (RCE / pre-auth)#

CVE

Notes

CVE-2014-0160

Heartbleed; OpenSSL TLS heartbeat memory-disclosure; pre-auth; one of the earliest mass-impact OSS bugs.

CVE-2014-6271

Shellshock; bash function parsing; pre-auth RCE via any CGI / DHCP / SSH ForceCommand.

CVE-2017-0144

EternalBlue (MS17-010); SMBv1 RCE; powered WannaCry, NotPetya, Bad Rabbit.

CVE-2017-5638

Apache Struts 2 OGNL; pre-auth RCE; Equifax breach.

CVE-2017-7494

SambaCry; SMB RCE on Linux Samba.

CVE-2017-9805

Struts 2 REST plugin RCE (XStream).

CVE-2018-7600

Drupalgeddon 2; Drupal pre-auth RCE.

CVE-2019-0708

BlueKeep; pre-auth RDP RCE on legacy Windows.

CVE-2019-19781

Citrix ADC / Gateway path traversal -> RCE.

CVE-2020-0796

SMBGhost; SMBv3 compression pre-auth RCE.

CVE-2020-1472

Zerologon; Netlogon AES-CFB8 zero-IV downgrade -> instant Domain Admin.

CVE-2020-5902

F5 BIG-IP TMUI RCE.

CVE-2021-3156

Sudo Baron Samedit; sudo heap overflow; local privesc to root.

CVE-2021-26855

ProxyLogon; Exchange Server pre-auth SSRF + auth bypass; HAFNIUM mass exploit.

CVE-2021-34527

PrintNightmare; Print Spooler RCE / privesc.

CVE-2021-34473

ProxyShell (chain with -34523 / -31207); Exchange RCE.

CVE-2021-44228

Log4Shell; JNDI lookup in log4j 2 -> RCE; “every Java app on the internet”; multi-year tail.

CVE-2021-45046

follow-up Log4j patch bypass.

CVE-2022-22965

Spring4Shell; Spring Framework RCE via class loader.

CVE-2022-30190

Follina / MSDT; Office document RCE via ms-msdt:.

CVE-2022-26134

Atlassian Confluence OGNL injection RCE.

CVE-2022-1388

F5 BIG-IP iControl auth bypass -> RCE.

CVE-2022-41040 + -41082

ProxyNotShell; Exchange post-auth chain.

CVE-2023-23397

Outlook NTLM credential leak via crafted appointment (no click).

CVE-2023-34362

MOVEit Transfer SQLi -> RCE; Cl0p mass exploit.

CVE-2023-3519

Citrix NetScaler ADC / Gateway pre-auth RCE.

CVE-2023-46805 + CVE-2024-21887

Ivanti Connect Secure pre-auth chain.

CVE-2024-3094

XZ Utils backdoor (sshd); supply-chain near-miss in liblzma, caught at build time.

CVE-2024-21412

Microsoft Defender SmartScreen bypass; in-the-wild abuse.

CVE-2024-21893

Ivanti SAML SSRF; 0-day.

Web app classics#

CVE

Notes

CVE-2017-5638

Struts (above).

CVE-2017-9805

Struts REST.

CVE-2018-1273

Spring Data Commons RCE.

CVE-2019-2725

Oracle WebLogic RCE.

CVE-2019-3396

Confluence Widget Connector RCE.

CVE-2021-22941

Citrix ShareFile pre-auth RCE.

CVE-2021-26084

Confluence OGNL pre-auth RCE.

CVE-2022-1040

Sophos Firewall pre-auth RCE.

CVE-2023-22515

Confluence Data Center / Server priv-esc.

CVE-2023-22518

Confluence broken access control.

CVE-2023-29298 + CVE-2023-38203

Adobe ColdFusion auth bypass + RCE.

CVE-2024-23897

Jenkins arbitrary file read via CLI.

Browser / client#

CVE

Notes

CVE-2021-30860

FORCEDENTRY; iMessage CoreGraphics zero-click; NSO Pegasus chain.

CVE-2022-22587

iOS WebKit + IOMobileFrameBuffer; Pegasus.

CVE-2023-41064

iOS BLASTPASS chain (with -41061); zero-click; Pegasus.

CVE-2023-32434

iOS triangulation operation chain (kernel).

CVE-2024-23222

Safari WebKit type confusion; in-the-wild iOS exploit.

CVE-2024-44131

Magnet GoldDigger iOS exploit chain.

CVE-2023-3079

Chrome V8 type confusion; in-the-wild.

CVE-2024-7965

Chrome V8 (mid-2024); in-the-wild.

CVE-2024-30056

Edge / Chromium spoofing.

Cloud / SaaS#

CVE

Notes

CVE-2019-5736

runc container escape (host root).

CVE-2022-0185

Linux fs context heap overflow; container escape.

CVE-2022-0492

cgroups v1 release_agent escape.

CVE-2024-21626

runc /proc fd leak; container escape.

CVE-2023-2640 + CVE-2023-32629

Ubuntu OverlayFS local privesc (“GameOver(lay)”).

CVE-2023-50387

KeyTrap; DNSSEC validator algorithmic complexity DoS.

CVE-2024-3661

TunnelVision; DHCP option 121 to bypass VPN routing.

Network appliances#

CVE

Notes

CVE-2020-3452

Cisco ASA / FTD path traversal.

CVE-2021-22893

Pulse Connect Secure pre-auth RCE.

CVE-2022-1388

F5 BIG-IP iControl auth bypass.

CVE-2022-30190

Follina (already listed).

CVE-2022-40684

Fortinet FortiOS / FortiProxy auth bypass.

CVE-2023-20198

Cisco IOS XE web UI privesc + cred theft (mass exploit).

CVE-2023-27997

Fortinet FortiOS heap overflow pre-auth RCE.

CVE-2024-3400

Palo Alto GlobalProtect pre-auth RCE; in-the-wild.

CVE-2024-23113

Fortinet fortiOS format-string pre-auth RCE.

Privilege escalation#

CVE

Notes

CVE-2016-5195

Dirty COW; Linux kernel COW race; local privesc.

CVE-2017-1000405

Huge Dirty COW.

CVE-2019-13272

PTRACE_TRACEME local privesc.

CVE-2021-3156

Baron Samedit sudo (above).

CVE-2021-4034

PwnKit; pkexec (polkit) heap overflow; local root.

CVE-2022-0847

Dirty Pipe; Linux kernel splice() pipe overwrite.

CVE-2022-2588

CONFIG_NF_TABLES netfilter UAF.

CVE-2023-32233

Stacked VLAN netfilter use-after-free.

CVE-2023-2640 + CVE-2023-32629

GameOver(lay) Ubuntu kernel privesc.

CVE-2024-1086

Linux nf_tables UAF privesc.

Cryptographic / protocol#

CVE

Notes

CVE-2014-3566

POODLE; SSL 3.0 padding-oracle.

CVE-2014-0224

CCS Injection in OpenSSL.

CVE-2015-0204

FREAK; export-grade RSA downgrade.

CVE-2015-4000

Logjam; weak DH parameters.

CVE-2016-2107

DROWN; SSLv2 cross-protocol.

CVE-2017-13099

ROBOT; PKCS#1 v1.5 oracle.

CVE-2018-12404

CryptoAPI CMS validation.

CVE-2018-0886

CredSSP / RDP MITM.

CVE-2020-0601

CurveBall / ChainOfFools; CryptoAPI ECDSA cert verification flaw.

CVE-2017-15361

ROCA; Infineon RSA key generation flaw.

CVE-2023-50868

NSEC3 DoS.

Supply chain#

Event

Notes

SolarWinds SUNBURST

trojanised Orion update (2020); APT29.

Codecov bash-upload er

CI script tampering (2021).

Kaseya VSA RCE + ransomware

REvil ransomware on ~1500 MSPs (2021).

3CX Desktop App

trojanised installer (Mar 2023); Lazarus / Trading Technologies link.

Polyfill.io

attacker-controlled CDN (Jun 2024).

ctx / phpass typo

PyPI / Packagist typosquats.

xz-utils CVE-2024-3

094 backdoored sshd build chain; near-miss.

Ledger Connect Kit

npm-account compromise; injected wallet drainer (2023).

event-stream

npm; supply-chain crypto theft (2018).

ua-parser-js, coa, rc

npm typosquat / hijack incidents (2021).

Catalogs#

Source

Notes

NVD

NIST National Vulnerability Database; CVE + CVSS.

CVE

MITRE; the standard identifier list.

CISA KEV

Known Exploited Vulnerabilities; the actionable patch list.

EPSS

Exploit Prediction Scoring System (FIRST.org).

GitHub Advisory

Open-source-package vulnerabilities.

GitHub Security Lab

CodeQL-based research output.

OSV.dev

Open-source vulnerability database.

ExploitDB

Public PoCs (Offensive Security).

Packet Storm

Public PoCs.

Vulners.com

Vulnerability search engine.

0day.today

PoC marketplace.

Zerodium / Crowdfen se

Public-bid 0day brokers.

ZDI (Trend Micro)

ZDI advisories.

Operator notes#

  • CISA KEV first, patch what’s being exploited, not what scores high on CVSS.

  • EPSS is the live exploit-probability score; combine with exposure for prioritization.

  • Mass-exploit windows, after public PoC, the typical internet-wide scanning kicks in within hours; assume your exposed services are being probed.

  • CVSS != risk, CVSS is severity in a vacuum; risk requires context (exposure, compensating controls, asset value).

  • Beyond patches, some CVEs require config or upgrade, not patch (Log4Shell mitigations included formatMsgNoLookups, removing JndiLookup class, upgrade to 2.17+).

  • Authentication is not protection, many of the worst bugs are pre-auth; auth-required bugs are still routinely reachable by initial-access brokers.

  • Embedded / firmware, IoT / appliance CVEs often go unpatched because the vendor is gone or the firmware is immutable; track separately.

References#