Known Exploited Vulnerabilities Catalog

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

How to use the KEV Catalog

The KEV catalog is also available in these formats:

CSV
JSON
JSON Schema (updated 06-25-2024)
Print View
License

SolarWinds | Web Help Desk

CVE-2024-28987

SolarWinds Web Help Desk Hardcoded Credential Vulnerability: SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data.

Related CWE: CWE-798

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-10-15
Due Date: 2024-11-05

Additional Notes

Mozilla | Firefox

CVE-2024-9680

Mozilla Firefox Use-After-Free Vulnerability: Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process.

Related CWE: CWE-416

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-10-15
Due Date: 2024-11-05

Additional Notes

SolarWinds | Web Help Desk

CVE-2024-28986

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability: SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.

Related CWE: CWE-502

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-08-15
Due Date: 2024-09-05

Additional Notes

SolarWinds | Serv-U

CVE-2024-28995

SolarWinds Serv-U Path Traversal Vulnerability : SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-07-17
Due Date: 2024-08-07

Additional Notes

Mozilla | Firefox, Firefox ESR, and Thunderbird

CVE-2016-9079

Mozilla Firefox, Firefox ESR, and Thunderbird Use-After-Free Vulnerability: Mozilla Firefox, Firefox ESR, and Thunderbird contain a use-after-free vulnerability in SVG Animation, targeting Firefox and Tor browser users on Windows.

Related CWE: CWE-416

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2023-06-22
Due Date: 2023-07-13

Additional Notes

Mozilla | Firefox

CVE-2015-4495

Mozilla Firefox Security Feature Bypass Vulnerability: Moxilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges.

Related CWE: CWE-200

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-05-25
Due Date: 2022-06-15

Additional Notes

Mozilla | Firefox and Thunderbird

CVE-2019-11707

Mozilla Firefox and Thunderbird Type Confusion Vulnerability: Mozilla Firefox and Thunderbird contain a type confusion vulnerability that can occur when manipulating JavaScript objects due to issues in Array.pop, allowing for an exploitable crash.

Related CWE: CWE-843

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-05-23
Due Date: 2022-06-13

Additional Notes

Mozilla | Firefox and Thunderbird

CVE-2019-11708

Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability: Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.

Related CWE: CWE-20

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-05-23
Due Date: 2022-06-13

Additional Notes

Mozilla | Firefox and Thunderbird

CVE-2013-1690

Mozilla Firefox and Thunderbird Denial-of-Service Vulnerability: Mozilla Firefox and Thunderbird do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial-of-service (DoS) or possibly execute malicious code via a crafted web site.

Related CWE: CWE-119

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-03-28
Due Date: 2022-04-18

Additional Notes

Mozilla | Firefox

CVE-2022-26485

Mozilla Firefox Use-After-Free Vulnerability: Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution.

Related CWE: CWE-416

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-03-07
Due Date: 2022-03-21

Additional Notes

Mozilla | Firefox

CVE-2022-26486

Mozilla Firefox Use-After-Free Vulnerability: Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution.

Related CWE: CWE-416

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-03-07
Due Date: 2022-03-21

Additional Notes

Mozilla | Firefox

CVE-2013-1675

Mozilla Firefox Information Disclosure Vulnerability: Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.

Related CWE: CWE-119

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-03-03
Due Date: 2022-03-24

Additional Notes

SolarWinds | Serv-U

CVE-2021-35247

SolarWinds Serv-U Improper Input Validation Vulnerability: SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability that allows attackers to build and send queries without sanitization.

Related CWE: CWE-20

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-01-21
Due Date: 2022-02-04

Additional Notes

Mozilla | Firefox and Thunderbird

CVE-2020-6819

Mozilla Firefox And Thunderbird Use-After-Free Vulnerability: Mozilla Firefox and Thunderbird contain a race condition vulnerability when running the nsDocShell destructor under certain conditions. The race condition creates a use-after-free vulnerability, causing unspecified impacts.

Related CWEs: CWE-362| CWE-416

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

SolarWinds | Orion

CVE-2020-10148

SolarWinds Orion Authentication Bypass Vulnerability: SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.

Related CWE: CWE-288

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

SolarWinds | Serv-U

CVE-2021-35211

SolarWinds Serv-U Remote Code Execution Vulnerability: SolarWinds Serv-U contains an unspecified memory escape vulnerability which can allow for remote code execution.

Related CWE: CWE-787

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2021-11-17

Additional Notes

SolarWinds | Virtualization Manager

CVE-2016-3643

SolarWinds Virtualization Manager Privilege Escalation Vulnerability: SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo.

Related CWE: CWE-264

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

Mozilla | Firefox and Thunderbird

CVE-2019-17026

Mozilla Firefox And Thunderbird Type Confusion Vulnerability: Mozilla Firefox and Thunderbird contain a type confusion vulnerability due to incorrect alias information in the IonMonkey JIT compiler when setting array elements.

Related CWE: CWE-843

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

Mozilla | Firefox and Thunderbird

CVE-2020-6820

Mozilla Firefox And Thunderbird Use-After-Free Vulnerability: Mozilla Firefox and Thunderbird contain a race condition vulnerability when handling a ReadableStream under certain conditions. The race condition creates a use-after-free vulnerability, causing unspecified impacts.

Related CWE: CWE-362

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2021-11-03
Due Date: 2022-05-03

Additional Notes

Known Exploited Vulnerabilities Catalog

Subscribe to the KEV Catalog Updates