basicsecurity.net
Proof, not just disclosure.

The exploitability map of the known-exploited record.

Every vulnerability here is already being exploited in the wild. We break the 1,612-record CISA KEV catalog out by what it actually lets an attacker do — ransomware association, the attack surface it opens, the weakness behind it, and who it targets — and every number traces to a named public source you can open yourself.

Type to search the full corpus, or click any vendor or CWE below to filter it.

The exploitability funnel

— this catalog is the narrow end already
1,612
Known-exploited — listed in CISA KEV100% of the catalogevery record here is confirmed exploited in the wild
556
Modeled near-certain (EPSS ≥ 0.90)34% of the catalogFIRST EPSS ≥ 90% probability of exploitation activity
325
Flagged for ransomware use20% of the catalogCISA's known-ransomware-campaign flag

Basis · CISA KEV (exploited-in-wild + ransomware flag) and FIRST EPSS (modeled probability). Every record on this site has already cleared the top bar.

20%
of known-exploited bugs are ransomware-associated

325 of 1,612 KEV records carry CISA's known-ransomware-campaign flag.

Source · CISA KEV
74
edge / remote-access flaws are ransomware-associated

74 of 233 edge-infra records (32%) — the front-door class ransomware crews favor.

Source · CISA KEV
76
added to KEV in the last 90 days

New known-exploited entries since 2026-03-07 — the freshness signal, rebuilt daily from the public feeds.

Source · CISA KEV

From disclosure to decision — the attack-path view

— the sequence is what turns “patch this” into “fund this”
Attack path of the week2026-W23the hottest exploited path right now — walked end to end

One bug, walked end to end. A single known-exploited flaw, taken from the open internet to a ransom note — same facts told twice, once in the language of the adversary, once in the language of the board. Every step is cited on the record it links to.

CVE-2023-4966 “Citrix Bleed” · Citrix NetScaler ADC/Gateway
attack path 1 → 2 → 4 → 5 · run in the wild by LockBit 3.0 affiliates
1

Front door — unauthenticated access narrative 1

Attacker
No credentials, no phishing. I send crafted requests to an internet-facing NetScaler and read live session tokens out of memory.
Business
This is where the incident starts — at your own remote-access appliance. Assume-breach planning begins at this exact exposure.
2

Keys to the kingdom — identity takeover narrative 2

Attacker
I replay a hijacked session to authenticate as a real user — bypassing MFA entirely, because the session already cleared it — and pivot toward admin and domain control.
Business
Your MFA didn't fail; it was skipped. One exposed appliance becomes trusted access into the environment behind it.
4

Data at risk — exfiltration narrative 4

Attacker
With valid sessions and lateral reach, I locate and exfiltrate the data that defines your liability before anyone notices the foothold.
Business
Breach notification, regulatory exposure, and loss of customer or proprietary data — the part that outlives the incident.
5

Lights out — disruption & extortion narrative 5

Attacker
I deploy ransomware across what I now control and hold operations for ransom — the exact LockBit 3.0 playbook for this exploit.
Business
Downtime, ransom demand, and reputational damage. Because a named crew already runs this path against peer organizations, this is a forecast — not a hypothetical.
Walk the full record — every step cited to its public source →

How far do they get?

— how many of the 1,612 known-exploited records reach each stage
1Front door
1612reach this stage
2Keys to the kingdom
1609reach this stage
3Lateral reach
1455reach this stage
4Data at risk
208reach this stage
5Lights out
31reach this stage

Named adversary on the path: 1 of 1,612. The rest map the sequence from the flaw’s mechanism, not a named crew — shown, not hidden. Attacker→business framing present for 1,612 of 1,612 (100%).

Basis · reach across the five-narrative framing (audited, injection-guarded LLM pass over cited public evidence) — counts exact, the mapping is a model output; the ransomware overlay is the deterministic CISA flag. A record reaches more than one stage, so bars don’t sum to 1,612.

Where the path ends

— the deepest outcome each record reaches (counted once)
Front door
3
Keys to the kingdom
153
Lateral reach
1248
Data at risk
177
Lights out
31

Basis · furthest supported narrative per record. Almost everything clears the front door; 208 of 1,612 carry an attacker all the way to data-at-risk or lights-out — that tail is the fund-this signal.

What’s being targeted

— attack surface the known-exploited record opens
Application / other
768
Operating system / kernel
332
Edge / remote-access infra
233
Server / web platform
123
Browser
123
Hypervisor / virtualization
33

Basis · heuristic mapping of the NVD/feed vendor & product strings to attack surface. Toggle overlays the 325 ransomware-flagged records.

Where the paths cluster

— attack surface × how far the path goes
1Front door
2Keys to the kingdom
3Lateral reach
4Data at risk
5Lights out
Application / other
·
63
605
85
15
Operating system / kernel
2
60
235
31
4
Edge / remote-access infra
·
11
178
36
8
Server / web platform
1
5
94
20
3
Browser
·
14
108
1
·
Hypervisor / virtualization
·
·
28
4
1

Basis · heuristic surface mapping × furthest narrative per record (triage). Each row is a surface; columns are the five outcomes; darker = more records. Click a surface to filter the corpus. Read the edge concentration as directional, not unit-precise.

Weakness class

— how the flaw is reached
Memory safety
402
Injection
314
Other
282
Authorization / access control
154
Path traversal / file
137
Authentication
119
Web / client
50
Resource / availability
33
Cryptography
13

Basis · NVD CWE mapping (1,441 of 1,612 records carry a CWE).

Top weaknesses

— click a count to filter
CWE-20 · Improper Input Validation ↗
116
CWE-78 · OS Command Injection ↗
101
CWE-787 · Out-of-bounds Write ↗
99
CWE-416 · Use After Free ↗
92
CWE-119 · Memory Buffer Bounds Error ↗
84
CWE-22 · Path Traversal ↗
73
CWE-502 · Deserialization of Untrusted Data ↗
65
CWE-94 · Code Injection ↗
64
CWE-287 · Improper Authentication ↗
38
CWE-843 · Type Confusion ↗
37
CWE-306 · Missing Authentication ↗
34
CWE-79 · Cross-site Scripting (XSS) ↗
33

Basis · NVD CWE mapping. Each CWE links to its MITRE definition. Bar length is √-scaled for readability; counts are exact.

Most-exploited vendors

— click to filter

Basis · affected-vendor field from the public feed. Bar length is √-scaled for readability; counts are exact.

The evidence behind the record

— researchers & vendors cited
Microsoft
142
Apple
51
GitHub Security Advisories
48
Google Chrome
32
Cisco (PSIRT)
28
Ivanti
22
Adobe
18
Android Security
18
Oracle
16
Linux kernel
14
D-Link
13
Palo Alto Networks
13
Zimbra
13
Samsung
13
Fortinet (FortiGuard)
9
SonicWall
6

Records crediting each advisory/research source. The universal feeds — NVD, CVE.org, CISA KEV, FIRST EPSS — back every record and are the shared backbone.

Fund the fix here

— products whose known-exploited flaws most often reach data-at-risk or lights-out

Basis · affected-vendor field × records whose path reaches narrative ≥ 4 (data-at-risk / lights-out). 208 of 1,612 records reach that depth; this ranks where they concentrate.

Who’s doing the work

— find it, catalog it, credit it

Three different jobs sit behind every known-exploited CVE — who found the bug, who assigned the CVE (the CNA), and who gets credited. The public record documents them very unevenly, and that gap is itself a finding.

92%
of known-exploited bugs name no public finder

1,476 of 1,612 CVE records ship with no machine-readable credit. Who found them is simply not recorded.

8%
name the researcher who found it

136 records carry named credits — concentrated in a small set of offensive-research and threat-intel teams.

26%
catalogued by a third party, not the vendor

415 assigned by an independent CNA (MITRE, VulnCheck, ZDI, HackerOne, GitHub, CERTs) rather than the affected vendor.

Who finds the exploited bugs

— credited research teams
1Horizon3.ai
6
2Trend Micro Zero Day Initiative
5
3watchTowr
5
4DEVCORE Internship Program
4
5Deep Product Security Research Team
4
6Independent Security Evaluators
3
7netsecfish
3
8xjm
2
9vakzz
2
10Thomas Chauchefoin from SonarSource
2
11Harry Withington, Aura Information Secur
2
12ESET
2
13Legendsec at Qi'anxin Group
2
14Adam Kues
2
15Assetnote Attack Surface Management
2
16GreyNoise
2
LYS, working with DEVCORE Internship ProgramDeep Product Security Research TeamnetsecfishIndependent Security EvaluatorsSina Kheirkhah (@SinSinology) of Summoning Team Piotr Bazydlo (watchTowr)David RothsteinAlex PottHeine DeelstraJasper MattssonvakzzThomas Chauchefoin from SonarSource

Basis · the credits field in the public CVE.org record (roles: 127 finder · 42 unspecified · 23 remediation developer · 16 reporter · 14 coordinator · 4 analyst). Sparse by nature — most entries name no one.

Who catalogs them

— CNA assigner
microsoft
368
mitre3rd-party
315
apple
93
cisco
89
adobe
73
Chrome
73
oracle
41
apache
34
GitHub_M3rd-party
34
vmware
31
redhat
30
fortinet
26
hackerone3rd-party
24
VulnCheck3rd-party
18
ivanti
16
sonicwall
15

Basis · CVE.org assigner (CNA). 3rd-party = assigned by an independent CNA (MITRE, VulnCheck, ZDI, HackerOne, GitHub, CERTs), not the affected vendor. Bar length √-scaled; counts exact.

Recently added to KEV

— newest known-exploited
CVE-2026-28318SolarWinds2026-06-05KEVCVE-2026-45247Mirasvit2026-06-03KEVCVE-2022-0492Linux2026-06-02KEVCVE-2025-48595Android2026-06-02KEVCVE-2024-21182Oracle2026-06-01KEVCVE-2026-0257Palo Alto Networks2026-05-29KEVCVE-2026-45321TanStack2026-05-27RANSOMWAREKEVCVE-2026-48027Nx2026-05-27RANSOMWAREKEVCVE-2026-8398Daemon2026-05-27KEVCVE-2026-48172LiteSpeed2026-05-26KEVCVE-2026-9082Drupal2026-05-22KEVCVE-2025-34291Langflow2026-05-21KEV

Highest exploit risk

— top EPSS probability
CVE-2023-23752Joomla!95%KEVCVE-2018-7600Drupal94%RANSOMWAREKEVCVE-2018-1000861Jenkins94%KEVCVE-2021-22986F594%RANSOMWAREKEVCVE-2017-1000353Jenkins94%KEVCVE-2018-13379Fortinet94%RANSOMWAREKEVCVE-2019-3396Atlassian94%RANSOMWAREKEVCVE-2019-17558Apache94%KEVCVE-2020-1938Apache94%KEVCVE-2022-46169Cacti94%KEVCVE-2019-2725Oracle94%RANSOMWAREKEVCVE-2024-6670Progress94%RANSOMWAREKEV

KEV additions by year

— red = ransomware-associated share
311
2021
555
2022
187
2023
186
2024
245
2025
128
2026

Basis · CISA KEV date-added field. Bar height = entries added that year; red segment = ransomware-flagged share.

Are the paths getting deeper?

— share of each year’s additions reaching data-at-risk or beyond
41/311
2021
63/555
2022
20/187
2023
31/186
2024
33/245
2025
20/128
2026

Basis · KEV date-added × furthest narrative (triage). Label = deep / total for the year; shaded segment = the deep share. Read as directional: narrative depth is a model output, so a year-over-year trend conflates real escalation with triage recency — stated, not hidden.

From narrative to technique

— named where the record names it

Where a public source names the MITRE ATT&CK technique, the path stops being abstract. Sourced on 1 of 1,612 records today — an empty map is an unfilled record, never “not happening.” Coverage grows as named threat-actor reporting is folded in.

T1190 Exploit Public-Facing App 1T1539 Steal Web Session Cookie 1T1078 Valid Accounts 1

Featured analysis

— the attacker→business story, in full

1,612 of 1,612 records now carry the five-narrative breakdown — what an attacker does at each step (front door → keys → lateral → data → lights out) and the business consequence, written by an audited, injection-guarded LLM pass over the public evidence, with the deterministic facts and citations untouched. Here are the highest-stakes ones.

FEATURED ANALYSIS · CVE-2023-4966
Citrix NetScaler session-token disclosure “Citrix Bleed”
An unauthenticated attacker reads valid session tokens straight out of NetScaler ADC/Gateway memory — then logs in as your users, MFA and all.
FEATURED ANALYSIS · CVE-2018-7600
Drupal Core vulnerability
Drupal Core remote code execution vulnerability allowing complete site compromise through multiple attack vectors. Actively exploited in the wild and leveraged in ransomware campaigns.
FEATURED ANALYSIS · CVE-2021-22986
F5 BIG-IP and BIG-IQ Centralized Management vulnerability
F5 BIG-IP and BIG-IQ Centralized Management contain an unauthenticated remote code execution vulnerability in the iControl REST interface allowing attackers to execute commands, manipulate files, and disable services.
FEATURED ANALYSIS · CVE-2018-13379
Fortinet FortiOS vulnerability
Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability allowing unauthenticated attackers to download system files via specially crafted HTTP requests.
FEATURED ANALYSIS · CVE-2019-3396
Atlassian Confluence Server and Data vulnerability
Atlassian Confluence Server and Data Center contain a server-side template injection vulnerability enabling path traversal and remote code execution.
FEATURED ANALYSIS · CVE-2019-2725
Oracle WebLogic Server vulnerability
Injection vulnerability in Oracle WebLogic Server Web Services component allows remote code execution. Actively exploited in ransomware campaigns.

Latest ransomware-associated

— 325 flagged · search for any of 1,612
CVE-2026-45321 · TanStack
TanStack vulnerability
TanStack vulnerability allowed malicious versions to be published to npm registry, distributing credential-stealing malware under a trusted identity.
CISA KEV: Yes · 2026-05-27Ransomware use: FlaggedEPSS: 0.17051 (verify live)
CVE-2026-48027 · Nx
Nx Console vulnerability
Nx Console contained embedded malicious code that allowed a compromised version to harvest credentials from disk and memory via obfuscated payloads.
CISA KEV: Yes · 2026-05-27Ransomware use: FlaggedEPSS: 0.32065 (verify live)
CVE-2026-41940 · WebPros
WebPros cPanel & WHM and WP2 (WordPress Squared) vulnerability
WebPros cPanel & WHM and WP2 contain an authentication bypass vulnerability allowing unauthenticated remote attackers to gain unauthorized access to hosting control panels.
CISA KEV: Yes · 2026-04-30Ransomware use: FlaggedEPSS: 0.90762 (verify live)
CVE-2024-1708 · ConnectWise
ConnectWise ScreenConnect vulnerability
ConnectWise ScreenConnect contains a path traversal vulnerability (CWE-22) enabling remote code execution and unauthorized access to sensitive data. Active exploitation and ransomware campaigns documented.
CISA KEV: Yes · 2026-04-28Ransomware use: FlaggedEPSS: 0.8481 (verify live)
CVE-2024-57726 · SimpleHelp
SimpleHelp vulnerability
SimpleHelp contains a missing authorization vulnerability allowing low-privileged technicians to create API keys with excessive permissions, enabling privilege escalation to server admin role.
CISA KEV: Yes · 2026-04-24Ransomware use: FlaggedEPSS: 0.39414 (verify live)
CVE-2024-57728 · SimpleHelp
SimpleHelp vulnerability
SimpleHelp contains a path traversal vulnerability allowing authenticated administrators to upload arbitrary files via crafted zip archives, enabling remote code execution on the server.
CISA KEV: Yes · 2026-04-24Ransomware use: FlaggedEPSS: 0.5464 (verify live)
CVE-2023-27351 · PaperCut
PaperCut NG/MF vulnerability
PaperCut NG/MF contains an improper authentication vulnerability in the SecurityRequestFilter class that allows remote attackers to bypass authentication controls.
CISA KEV: Yes · 2026-04-20Ransomware use: FlaggedEPSS: 0.83284 (verify live)
CVE-2024-27199 · JetBrains
JetBrains TeamCity vulnerability
JetBrains TeamCity contains a relative path traversal vulnerability enabling limited admin actions. Actively exploited in ransomware campaigns.
CISA KEV: Yes · 2026-04-20Ransomware use: FlaggedEPSS: 0.90931 (verify live)
CVE-2023-21529 · Microsoft
Microsoft Exchange Server vulnerability
Microsoft Exchange Server deserialization vulnerability allows authenticated attackers to execute arbitrary code remotely via untrusted data processing.
CISA KEV: Yes · 2026-04-13Ransomware use: FlaggedEPSS: 0.27044 (verify live)
CVE-2026-20131 · Cisco
Cisco Secure Firewall Management Center (FMC) vulnerability
Cisco Secure Firewall Management Center contains a deserialization vulnerability in its web management interface allowing unauthenticated remote code execution as root.
CISA KEV: Yes · 2026-03-19Ransomware use: FlaggedEPSS: 0.01403 (verify live)
CVE-2026-1731 · BeyondTrust
BeyondTrust Remote Support (RS) and Privileged Access (PRA) vulnerability
BeyondTrust Remote Support and Privileged Remote Access contain an unauthenticated OS command injection vulnerability allowing remote attackers to execute arbitrary system commands and compromise affected systems.
CISA KEV: Yes · 2026-02-13Ransomware use: FlaggedEPSS: 0.80065 (verify live)
CVE-2026-24423 · SmarterTools
SmarterTools SmarterMail vulnerability
SmarterMail's ConnectToHub API method lacks authentication for critical functions, allowing unauthenticated attackers to redirect the service to malicious servers and execute arbitrary OS commands.
CISA KEV: Yes · 2026-02-05Ransomware use: FlaggedEPSS: 0.83401 (verify live)
CVE-2025-52691 · SmarterTools
SmarterTools SmarterMail vulnerability
SmarterMail contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution on mail servers.
CISA KEV: Yes · 2026-01-26Ransomware use: FlaggedEPSS: 0.8966 (verify live)
CVE-2026-23760 · SmarterTools
SmarterTools SmarterMail vulnerability
SmarterMail password reset API allows unauthenticated attackers to reset administrator accounts without verification, enabling full administrative compromise.
CISA KEV: Yes · 2026-01-26Ransomware use: FlaggedEPSS: 0.81651 (verify live)
CVE-2025-55182 · Meta
Meta React Server Components vulnerability
Meta React Server Components contains an unauthenticated remote code execution vulnerability in payload decoding for React Server Function endpoints. The flaw is actively exploited in the wild and associated with ransomware campaigns.
CISA KEV: Yes · 2025-12-05Ransomware use: FlaggedEPSS: 0.84489 (verify live)
CVE-2025-61884 · Oracle
Oracle E-Business Suite vulnerability
Oracle E-Business Suite Runtime component in Oracle Configurator contains an unauthenticated server-side request forgery vulnerability enabling remote exploitation.
CISA KEV: Yes · 2025-10-20Ransomware use: FlaggedEPSS: 0.51081 (verify live)
CVE-2025-61882 · Oracle
Oracle E-Business Suite vulnerability
Oracle E-Business Suite BI Publisher Integration contains an unspecified vulnerability allowing unauthenticated network attackers to compromise Concurrent Processing, potentially enabling full system takeover.
CISA KEV: Yes · 2025-10-06Ransomware use: FlaggedEPSS: 0.90862 (verify live)
CVE-2025-10035 · Fortra
Fortra GoAnywhere MFT vulnerability
Fortra GoAnywhere MFT contains a deserialization vulnerability allowing attackers with forged license signatures to inject arbitrary commands through untrusted object deserialization.
CISA KEV: Yes · 2025-09-29Ransomware use: FlaggedEPSS: 0.62239 (verify live)