Known Exploited Vulnerabilities Catalog

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

How to use the KEV Catalog

The KEV catalog is also available in these formats:

CSV
JSON
JSON Schema (updated 06-25-2024)
Print View
License

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2023-34192

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

Related CWE: CWE-79

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-02-25
Due Date: 2025-03-18

Additional Notes

Array Networks | AG/vxAG ArrayOS

CVE-2023-28461

Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability: Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.

Related CWE: CWE-306

Known To Be Used in Ransomware Campaigns? Known

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-11-25
Due Date: 2024-12-16

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2024-45519

Synacor Zimbra Collaboration Suite (ZCS) Command Execution Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands.

Related CWE: CWE-284

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2024-10-03
Due Date: 2024-10-24

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2023-37580

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability impacting the confidentiality and integrity of data.

Related CWE: CWE-79

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Date Added: 2023-07-27
Due Date: 2023-08-17

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2022-27926

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability by allowing an endpoint URL to accept parameters without sanitizing.

Related CWEs: CWE-79| CWE-138

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2023-04-03
Due Date: 2023-04-24

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2022-41352

Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-10-20
Due Date: 2022-11-10

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2022-27925

Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution.

Related CWE: CWE-22

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2022-08-11
Due Date: 2022-09-01

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2022-37042

Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution.

Related CWE: CWE-23

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2022-08-11
Due Date: 2022-09-01

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2022-27924

Synacor Zimbra Collaboration Suite (ZCS) Command Injection Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to inject memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries.

Related CWE: CWE-93

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-08-04
Due Date: 2022-08-25

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2018-6882

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML.

Related CWE: CWE-79

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2022-04-19
Due Date: 2022-05-10

Additional Notes

Crestron | Multiple Products

CVE-2019-3929

Crestron Multiple Products Command Injection Vulnerability: Multiple Crestron products are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

Related CWE: CWE-79

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-04-15
Due Date: 2022-05-06

Additional Notes

Synacor | Zimbra Collaborate Suite (ZCS)

CVE-2022-24682

Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability in the Calendar feature that allows an attacker to execute arbitrary code.

Related CWEs: CWE-79| CWE-116

Known To Be Used in Ransomware Campaigns? Known

Action: Apply updates per vendor instructions.

Date Added: 2022-02-25
Due Date: 2022-03-11

Additional Notes

Synacor | Zimbra Collaboration Suite (ZCS)

CVE-2019-9670

Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference: Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.

Related CWE: CWE-611

Known To Be Used in Ransomware Campaigns? Unknown

Action: Apply updates per vendor instructions.

Date Added: 2022-01-10
Due Date: 2022-07-10

Additional Notes

Known Exploited Vulnerabilities Catalog

Subscribe to the KEV Catalog Updates