basicsecurity.net
Proof, not just disclosure.

The exploitability map of the known-exploited record.

Every vulnerability here is already being exploited in the wild. We break the 1,612-record CISA KEV catalog out by what it actually lets an attacker do — ransomware association, the attack surface it opens, the weakness behind it, and who it targets — and every number traces to a named public source you can open yourself.

The exploitability funnel

— this catalog is the narrow end already
1,612
Known-exploited — listed in CISA KEV · 100% of the catalog · every record here is confirmed exploited in the wild
556
Modeled near-certain (EPSS ≥ 0.90) · 34% of the catalog · FIRST EPSS ≥ 90% probability of exploitation activity
325
Flagged for ransomware use · 20% of the catalog · CISA's known-ransomware-campaign flag

Basis · CISA KEV (exploited-in-wild + ransomware flag) and FIRST EPSS (modeled probability). Every record on this site has already cleared the top bar.

20% of known-exploited bugs are ransomware-associated

325 of 1,612 KEV records carry CISA's known-ransomware-campaign flag.

Source · CISA KEV

74 edge / remote-access flaws are ransomware-associated

74 of 233 edge-infra records (32%) — the front-door class ransomware crews favor.

Source · CISA KEV

76 added to KEV in the last 90 days

New known-exploited entries since 2026-03-07 — the freshness signal, rebuilt daily from the public feeds.

Source · CISA KEV

What’s being targeted

— attack surface the known-exploited record opens
Application / other: 768
Operating system / kernel: 332
Edge / remote-access infra: 233
Server / web platform: 123
Browser: 123
Hypervisor / virtualization: 33

Basis · heuristic mapping of the NVD/feed vendor & product strings to attack surface.

Weakness class

— how the flaw is reached
Memory safety: 402
Injection: 314
Other: 282
Authorization / access control: 154
Path traversal / file: 137
Authentication: 119
Web / client: 50
Resource / availability: 33
Cryptography: 13

Basis · NVD CWE mapping (1,441 of 1,612 records carry a CWE).

Top weaknesses

Basis · NVD CWE mapping. Each CWE links to its MITRE definition. Bar length is √-scaled for readability; counts are exact.

Most-exploited vendors

Basis · affected-vendor field from the public feed. Bar length is √-scaled for readability; counts are exact.

The evidence behind the record

— researchers & vendors cited
Microsoft: 142
Apple: 51
GitHub Security Advisories: 48
Google Chrome: 32
Cisco (PSIRT): 28
Ivanti: 22
Adobe: 18
Android Security: 18
Oracle: 16
Linux kernel: 14
D-Link: 13
Palo Alto Networks: 13
Zimbra: 13
Samsung: 13
Fortinet (FortiGuard): 9
SonicWall: 6

Records crediting each advisory/research source. The universal feeds — NVD, CVE.org, CISA KEV, FIRST EPSS — back every record and are the shared backbone.

Who’s doing the work

— find it, catalog it, credit it

Three different jobs sit behind every known-exploited CVE — who found the bug, who assigned the CVE (the CNA), and who gets credited. The public record documents them very unevenly, and that gap is itself a finding.

92% of known-exploited bugs name no public finder

1,476 of 1,612 CVE records ship with no machine-readable credit. Who found them is simply not recorded.

8% name the researcher who found it

136 records carry named credits — concentrated in a small set of offensive-research and threat-intel teams.

26% catalogued by a third party, not the vendor

415 assigned by an independent CNA (MITRE, VulnCheck, ZDI, HackerOne, GitHub, CERTs) rather than the affected vendor.

Who finds the exploited bugs

— credited research teams
1. Horizon3.ai: 6
2. Trend Micro Zero Day Initiative: 5
3. watchTowr: 5
4. DEVCORE Internship Program: 4
5. Deep Product Security Research Team: 4
6. Independent Security Evaluators: 3
7. netsecfish: 3
8. xjm: 2
9. vakzz: 2
10. Thomas Chauchefoin from SonarSource: 2
11. Harry Withington, Aura Information Secur: 2
12. ESET: 2
13. Legendsec at Qi'anxin Group: 2
14. Adam Kues: 2
15. Assetnote Attack Surface Management: 2
16. GreyNoise: 2

LYS, working with DEVCORE Internship Program · Deep Product Security Research Team · netsecfish · Independent Security Evaluators · Sina Kheirkhah (@SinSinology) of Summoning Team Piotr Bazydlo (watchTowr) · David Rothstein · Alex Pott · Heine Deelstra · Jasper Mattsson · vakzz · Thomas Chauchefoin from SonarSource

Basis · the credits field in the public CVE.org record (roles: 127 finder · 42 unspecified · 23 remediation developer · 16 reporter · 14 coordinator · 4 analyst). Sparse by nature — most entries name no one.

Who catalogs them

— CNA assigner
microsoft: 368
mitre (3rd-party): 315
apple: 93
cisco: 89
adobe: 73
Chrome: 73
oracle: 41
apache: 34
GitHub_M (3rd-party): 34
vmware: 31
redhat: 30
fortinet: 26
hackerone (3rd-party): 24
VulnCheck (3rd-party): 18
ivanti: 16
sonicwall: 15

Basis · CVE.org assigner (CNA). 3rd-party = assigned by an independent CNA (MITRE, VulnCheck, ZDI, HackerOne, GitHub, CERTs), not the affected vendor. Bar length √-scaled; counts exact.

KEV additions by year

— red = ransomware-associated share
2021: 311
2022: 555
2023: 187
2024: 186
2025: 245
2026: 128

Basis · CISA KEV date-added field. Bar height = entries added that year; red segment = ransomware-flagged share.

Featured analysis

— the attacker→business story, in full

1,612 of 1,612 records now carry the five-narrative breakdown — what an attacker does at each step (front door → keys → lateral → data → lights out) and the business consequence, written by an audited, injection-guarded LLM pass over the public evidence, with the deterministic facts and citations untouched. Here are the highest-stakes ones.

Latest ransomware-associated

— 325 flagged · search for any of 1,612
CVE-2026-45321 · TanStack
TanStack vulnerability
TanStack vulnerability allowed malicious versions to be published to npm registry, distributing credential-stealing malware under a trusted identity.
CISA KEV: Yes · 2026-05-27 · Ransomware use: Flagged · EPSS: 0.17051 (verify live)
CVE-2026-48027 · Nx
Nx Console vulnerability
Nx Console contained embedded malicious code that allowed a compromised version to harvest credentials from disk and memory via obfuscated payloads.
CISA KEV: Yes · 2026-05-27 · Ransomware use: Flagged · EPSS: 0.32065 (verify live)
CVE-2026-41940 · WebPros
WebPros cPanel & WHM and WP2 (WordPress Squared) vulnerability
WebPros cPanel & WHM and WP2 contain an authentication bypass vulnerability allowing unauthenticated remote attackers to gain unauthorized access to hosting control panels.
CISA KEV: Yes · 2026-04-30 · Ransomware use: Flagged · EPSS: 0.90762 (verify live)
CVE-2024-1708 · ConnectWise
ConnectWise ScreenConnect vulnerability
ConnectWise ScreenConnect contains a path traversal vulnerability (CWE-22) enabling remote code execution and unauthorized access to sensitive data. Active exploitation and ransomware campaigns documented.
CISA KEV: Yes · 2026-04-28 · Ransomware use: Flagged · EPSS: 0.8481 (verify live)
CVE-2024-57726 · SimpleHelp
SimpleHelp vulnerability
SimpleHelp contains a missing authorization vulnerability allowing low-privileged technicians to create API keys with excessive permissions, enabling privilege escalation to server admin role.
CISA KEV: Yes · 2026-04-24 · Ransomware use: Flagged · EPSS: 0.39414 (verify live)
CVE-2024-57728 · SimpleHelp
SimpleHelp vulnerability
SimpleHelp contains a path traversal vulnerability allowing authenticated administrators to upload arbitrary files via crafted zip archives, enabling remote code execution on the server.
CISA KEV: Yes · 2026-04-24 · Ransomware use: Flagged · EPSS: 0.5464 (verify live)
CVE-2023-27351 · PaperCut
PaperCut NG/MF vulnerability
PaperCut NG/MF contains an improper authentication vulnerability in the SecurityRequestFilter class that allows remote attackers to bypass authentication controls.
CISA KEV: Yes · 2026-04-20 · Ransomware use: Flagged · EPSS: 0.83284 (verify live)
CVE-2024-27199 · JetBrains
JetBrains TeamCity vulnerability
JetBrains TeamCity contains a relative path traversal vulnerability enabling limited admin actions. Actively exploited in ransomware campaigns.
CISA KEV: Yes · 2026-04-20 · Ransomware use: Flagged · EPSS: 0.90931 (verify live)
CVE-2023-21529 · Microsoft
Microsoft Exchange Server vulnerability
Microsoft Exchange Server deserialization vulnerability allows authenticated attackers to execute arbitrary code remotely via untrusted data processing.
CISA KEV: Yes · 2026-04-13 · Ransomware use: Flagged · EPSS: 0.27044 (verify live)
CVE-2026-20131 · Cisco
Cisco Secure Firewall Management Center (FMC) vulnerability
Cisco Secure Firewall Management Center contains a deserialization vulnerability in its web management interface allowing unauthenticated remote code execution as root.
CISA KEV: Yes · 2026-03-19 · Ransomware use: Flagged · EPSS: 0.01403 (verify live)
CVE-2026-1731 · BeyondTrust
BeyondTrust Remote Support (RS) and Privileged Access (PRA) vulnerability
BeyondTrust Remote Support and Privileged Remote Access contain an unauthenticated OS command injection vulnerability allowing remote attackers to execute arbitrary system commands and compromise affected systems.
CISA KEV: Yes · 2026-02-13 · Ransomware use: Flagged · EPSS: 0.80065 (verify live)
CVE-2026-24423 · SmarterTools
SmarterTools SmarterMail vulnerability
SmarterMail's ConnectToHub API method lacks authentication for critical functions, allowing unauthenticated attackers to redirect the service to malicious servers and execute arbitrary OS commands.
CISA KEV: Yes · 2026-02-05 · Ransomware use: Flagged · EPSS: 0.83401 (verify live)
CVE-2025-52691 · SmarterTools
SmarterTools SmarterMail vulnerability
SmarterMail contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution on mail servers.
CISA KEV: Yes · 2026-01-26 · Ransomware use: Flagged · EPSS: 0.8966 (verify live)
CVE-2026-23760 · SmarterTools
SmarterTools SmarterMail vulnerability
SmarterMail password reset API allows unauthenticated attackers to reset administrator accounts without verification, enabling full administrative compromise.
CISA KEV: Yes · 2026-01-26 · Ransomware use: Flagged · EPSS: 0.81651 (verify live)
CVE-2025-55182 · Meta
Meta React Server Components vulnerability
Meta React Server Components contains an unauthenticated remote code execution vulnerability in payload decoding for React Server Function endpoints. The flaw is actively exploited in the wild and associated with ransomware campaigns.
CISA KEV: Yes · 2025-12-05 · Ransomware use: Flagged · EPSS: 0.84489 (verify live)
CVE-2025-61884 · Oracle
Oracle E-Business Suite vulnerability
Oracle E-Business Suite Runtime component in Oracle Configurator contains an unauthenticated server-side request forgery vulnerability enabling remote exploitation.
CISA KEV: Yes · 2025-10-20 · Ransomware use: Flagged · EPSS: 0.51081 (verify live)
CVE-2025-61882 · Oracle
Oracle E-Business Suite vulnerability
Oracle E-Business Suite BI Publisher Integration contains an unspecified vulnerability allowing unauthenticated network attackers to compromise Concurrent Processing, potentially enabling full system takeover.
CISA KEV: Yes · 2025-10-06 · Ransomware use: Flagged · EPSS: 0.90862 (verify live)
CVE-2025-10035 · Fortra
Fortra GoAnywhere MFT vulnerability
Fortra GoAnywhere MFT contains a deserialization vulnerability allowing attackers with forged license signatures to inject arbitrary commands through untrusted object deserialization.
CISA KEV: Yes · 2025-09-29 · Ransomware use: Flagged · EPSS: 0.62239 (verify live)