Exploit Public-Facing Application, Technique T1190 - Enterprise (original) (raw)
Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices and SQL injection activity.[12]
Anthropic AI-orchestrated Campaign
During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to deploy a custom exploit payload targeting an identified SSRF vulnerability to gain initial access to a targeted environment.[13]
APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.[14][15]
APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.[16][17]
APT39 has used SQL injection for initial compromise.[18]
APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central through unsafe deserialization, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[19] APT41 leveraged vulnerabilities such as ProxyLogon exploitation or SQL injection for initial access.[20] APT41 exploited CVE-2021-26855 against a vulnerable Microsoft Exchange Server to gain initial access to the victim network.[21]
APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers.[22][23][24] [25]
ArcaneDoor abused WebVPN traffic to targeted devices to achieve unauthorized remote code execution.[26]
Axiom has been observed using SQL injection to gain access to systems.[27][28]
BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers.[29]
BlackByte exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environments.[30][31][32][33]
BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[34]
Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.[35]
BOLDMOVE is associated with exploitation of CVE-2022-49475 in FortiOS.[36]
During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[37]
During C0018, the threat actors exploited VMWare Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.[38]
During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[39]
Cinnamon Tempest has exploited multiple unpatched vulnerabilities for initial access including vulnerabilities in Microsoft Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j.[40][41][42][43]
COATHANGER is installed following exploitation of a vulnerable FortiGate device. [44]
During Cutting Edge, threat actors exploited CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN appliances to enable authentication bypass and command injection. A server-side request forgery (SSRF) vulnerability, CVE-2024-21893, was identified later and used to bypass mitigations for the initial two vulnerabilities by chaining with CVE-2024-21887.[45][46][47][48][49]
Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.[50]
Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.[51]
Ember Bear gains initial access to victim environments by exploiting external-facing services. Examples include exploitation of CVE-2021-26084 in Confluence servers; CVE-2022-41040, ProxyShell, and other vulnerabilities in Microsoft Exchange; and multiple vulnerabilities in open-source platforms such as content management systems.[52][53]
FIN13 has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Language Injection), CVE-2015-7450 (WebSphere Application Server SOAP Deserialization Exploit), CVE-2010-5326 (SAP NewWeaver Invoker Servlet Exploit), and EDB-ID-24963 (SAP NetWeaver ConfigServlet Remote Code Execution) to gain initial access.[54][55]
FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange.[40]
FLORAHOX Activity has exploited and infected vulnerable routers to recruit additional network devices into the ORB.[56]
Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.[57][58][59][60][61]
FrostyGoop Incident was likely enabled by the adversary exploiting an unknown vulnerability in an external-facing router.[62]
GALLIUM exploited a publicly-facing servers including Wildfly/JBoss servers to gain access to the network.[63][64]
GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.[65]
HAFNIUM has exploited multiple vulnerabilities to compromise edge devices and on-premises versions of Microsoft Exchange Server.[66][67][68][69][41][70]
Havij is used to automate SQL injection.[71]
For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[72]
INC Ransom has exploited known vulnerabilities including CVE-2023-3519 in Citrix NetScaler for initial access.[73][74]
Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.[75]
Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.[76]
Leviathan has used exploits against publicly-disclosed vulnerabilities for initial access into victim networks.[77]
Leviathan Australian Intrusions
Leviathan exploited public-facing web applications and appliances for initial access during Leviathan Australian Intrusions.[77]
Magic Hound has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and Fortios SSL VPNs (CVE-2018-13379).[78][79][80][81][82][41]
Medusa Group has leveraged public facing vulnerabilities in their campaigns against victim organizations to gain initial access.[83][84] Medusa Group has also utilized CVE-2024-1709 in ScreenConnect, and CVE-2023-48788 in Fortinet EMS for initial access to victim environments.[85]
menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.[86]
MirrorFace has exploited vulnerabilities in Fortigate and Array AG devices for initial access.[87]
Moses Staff has exploited known vulnerabilities in public-facing infrastructure such as Microsoft Exchange Servers.[88]
MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).[89]
During Night Dragon, threat actors used SQL injection exploits against extranet web servers to gain access.[90]
During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers.[91]
During Operation Digital Eye, threat actors used SQL injection to compromise publicly exposed web and database servers.[92]
During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect.[93][94]
During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers.[95]
Play has exploited known vulnerabilities for initial access including CVE-2018-13379 and CVE-2020-12812 in FortiOS and CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange.[96][97]
Qilin has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP.[98]
Quad7 Activity has enabled the exploitation of vulnerabilities for remote code execution capabilities in SOHO routers including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices.[99][100]
Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.[101][102]
Salt Typhoon has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access.[103]
Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems.[104][105]
Sea Turtle gained access to victim environments by exploiting multiple known vulnerabilities over several campaigns.[106][107]
During ShadowRay, threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data.[108]
SharePoint ToolShell Exploitation
During SharePoint ToolShell Exploitation, threat actors exploited authentication bypass and remote code execution vulnerabilities (CVE-2025-49706 and CVE-2025-49704) against on-premises SharePoint servers. This activity was characterized by crafted POST requests to the ToolPane endpoint /_layouts/15/ToolPane.aspx.[109][110][111][112][113][114]
Siloscape is executed after the attacker gains initial access to a Windows container using a known vulnerability.[115]
During the SolarWinds Compromise, APT29 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.[116][16]
SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.[117]
SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access.[24][56]
sqlmap can be used to automate exploitation of SQL injection vulnerabilities.[118]
Storm-0501 has exploited N-day vulnerabilities associated with public facing services to gain initial access to victim environments to include Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203).[119]
Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server.[120]
ToddyCat has exploited the ProxyLogon vulnerability (CVE-2021-26855) to compromise Exchange Servers at multiple organizations.[121]
UNC3886 has exploited CVE-2022-42475 in FortiOS SSL VPNs to obtain access.[122][8]
Versa Director Zero Day Exploitation
Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.[123]
VOID MANTICORE has exploited public facing vulnerabilities within victim environments to include SharePoint CVE-2019-0604.[124]
Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery.[125] [126]
Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.[127][128]
Winter Vivern has exploited known and zero-day vulnerabilities in software usch as Roundcube Webmail servers and the "Follina" vulnerability.[129][130]
ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.[131]