Known Exploited Vulnerabilities Catalog

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

How to use the KEV Catalog

The KEV catalog is also available in these formats:

CSV
JSON
JSON Schema (updated 06-25-2024)
Print View
License

SAP | NetWeaver

CVE-2025-42999

SAP NetWeaver Deserialization Vulnerability: SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.

Related CWE: CWE-502

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-05-15
Due Date: 2025-06-05

Additional Notes

DrayTek | Vigor Routers

CVE-2024-12987

DrayTek Vigor Routers OS Command Injection Vulnerability: DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.

Related CWE: CWE-78

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-05-15
Due Date: 2025-06-05

Additional Notes

SAP | NetWeaver

CVE-2025-31324

SAP NetWeaver Unrestricted File Upload Vulnerability: SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.

Related CWE: CWE-434

Known To Be Used in Ransomware Campaigns? Known

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-04-29
Due Date: 2025-05-20

Additional Notes

SAP | NetWeaver

CVE-2017-12637

SAP NetWeaver Directory Traversal Vulnerability: SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-03-19
Due Date: 2025-04-09

Additional Notes

DrayTek | Multiple Vigor Routers

CVE-2020-15415

DrayTek Multiple Vigor Routers OS Command Injection Vulnerability: DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

Related CWE: CWE-78

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-09-30
Due Date: 2024-10-21

Additional Notes

SAP | Commerce Cloud

CVE-2019-0344

SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability: SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.

Related CWE: CWE-502

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-09-30
Due Date: 2024-10-21

Additional Notes

DrayTek | VigorConnect

CVE-2021-20124

Draytek VigorConnect Path Traversal Vulnerability : Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-09-03
Due Date: 2024-09-24

Additional Notes

DrayTek | VigorConnect

CVE-2021-20123

Draytek VigorConnect Path Traversal Vulnerability : Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-09-03
Due Date: 2024-09-24

Additional Notes

F5 | BIG-IP Configuration Utility

CVE-2023-46748

F5 BIG-IP Configuration Utility SQL Injection Vulnerability: F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.

Related CWE: CWE-89

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2023-10-31
Due Date: 2023-11-21

Additional Notes

F5 | BIG-IP Configuration Utility

CVE-2023-46747

F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability: F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.

Related CWE: CWE-288

Known To Be Used in Ransomware Campaigns? Known

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2023-10-31
Due Date: 2023-11-21

Additional Notes

SAP | Multiple Products

CVE-2022-22536

SAP Multiple Products HTTP Request Smuggling Vulnerability: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.

Related CWE: CWE-444

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-08-18
Due Date: 2022-09-08

Additional Notes

SAP | NetWeaver

CVE-2016-2388

SAP NetWeaver Information Disclosure Vulnerability: The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.

Related CWE: CWE-200

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-06-09
Due Date: 2022-06-30

Additional Notes

SAP | NetWeaver

CVE-2021-38163

SAP NetWeaver Unrestricted File Upload Vulnerability: SAP NetWeaver contains a vulnerability that allows unrestricted file upload.

Related CWE: CWE-23

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-06-09
Due Date: 2022-06-30

Additional Notes

SAP | NetWeaver

CVE-2016-2386

SAP NetWeaver SQL Injection Vulnerability: SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Related CWE: CWE-89

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-06-09
Due Date: 2022-06-30

Additional Notes

F5 | BIG-IP

CVE-2022-1388

F5 BIG-IP Missing Authentication Vulnerability: F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services.

Related CWE: CWE-306

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2022-05-10
Due Date: 2022-05-31

Additional Notes

F5 | BIG-IP Traffic Management Microkernel

CVE-2021-22991

F5 BIG-IP Traffic Management Microkernel Buffer Overflow: The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.

Related CWE: CWE-119

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-01-18
Due Date: 2022-02-01

Additional Notes

DrayTek | Multiple Vigor Routers

CVE-2020-8515

Multiple DrayTek Vigor Routers Web Management Page Vulnerability: DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution.

Related CWE: CWE-78

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

F5 | BIG-IP

CVE-2020-5902

F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability: F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

F5 | BIG-IP and BIG-IQ Centralized Management

CVE-2021-22986

F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability: F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system commands, create or delete files, and disable services.

Related CWE: CWE-863

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2021-11-17

Additional Notes

SAP | NetWeaver

CVE-2016-3976

SAP NetWeaver Directory Traversal Vulnerability: SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

Known Exploited Vulnerabilities Catalog

Subscribe to the KEV Catalog Updates