KEV 2016

ImageMagick "ImageTragick" — Shell Metacharacters in Image URLs Passed to Coders (EPHEMERAL, HTTPS, MVG, MSL) Enable Unauthenticated RCE on Web Servers Processing User-Uploaded Images

Microsoft Win32k.sys — Kernel-Mode Driver LPE Enables SYSTEM Access via Crafted Application; Patched MS16-039 (April 2016)

Firefox / Tor Browser — SVG Animation Use-After-Free Exploited to De-Anonymize Tor Users on Windows; MFSA2016-92 (November 2016)

Cisco IOS/IOS XR/IOS XE — IKEv1 Fragmentation Handler Leaks Heap Memory; 'BENIGNCERTAIN' Shadow Brokers Tool; Enables VPN Credential Extraction from Routers and Firewalls

Chromium V8 Engine — Out-of-Bounds Array Read in JavaScript Enables RCE in Chrome Renderer; Fixed Chrome 49.0.2623.108 (March 2016)

Google Chromium V8 — Out-of-Bounds Read/Write via Crafted HTML Page Enables Remote Code Execution in Chrome Renderer; Patched Chrome 54.0.2840.100 (November 2016)

Microsoft Silverlight — Negative Offset Decoding Error Enables RCE via Crafted Media; Angler Exploit Kit Delivery; Ransomware Use Confirmed; Patched MS16-006 (January 2016)

Adobe Flash Player and AIR — Use-After-Free Enables Heap-Based RCE via Crafted SWF; Exploit Kit Target in Early 2016; Patched APSB16-04 (February 2016)

Adobe Flash Player and AIR — Integer Overflow Leads to Heap Corruption and RCE via Crafted SWF; Exploit Kit Vector in 2016; Patched APSB16-08 (March 2016)

Windows Font Library — Malformed OpenType Font in Web Page or Document Triggers Memory Corruption Enabling RCE; Patched MS16-132 (November 2016)

Apple iOS WebKit — Memory Corruption via Crafted Web Page Enables Remote Code Execution; Stage 1 Entry Point of 'Trident' Pegasus Chain; Patched iOS 9.3.5 (August 2016)

Cisco ASA — SNMP Packet Processing Buffer Overflow Enables RCE or DoS; 'ExtraBacon' Shadow Brokers Leak; Patched cisco-sa-20160817-asa-snmp (August 2016)

Microsoft Windows GDI — Memory Object Handling Flaw Enables Code Execution via Crafted Document or Malicious Web Page; Patched MS16-120 (October 2016)

Apple iOS Kernel — Memory Corruption Enables Full Kernel Control / Jailbreak; Stage 3 of 'Trident' Pegasus Chain; Patched iOS 9.3.5 (August 2016)

Cisco ASA — Authenticated CLI Parser Buffer Overflow Enables Local Privilege Escalation or Code Execution; Companion to ExtraBacon (CVE-2016-6366); Patched August 2016

Trihedral VTScada WAP Interface — Out-of-Bounds Read via Crafted HTTP Packet Crashes SCADA Server; ICS/OT Infrastructure Disruption Risk

Microsoft Edge Chakra — Out-of-Bounds Write in JavaScript Engine Enables Remote Code Execution via Malicious Web Page; Patched MS16-145 (November 2016)

Microsoft Edge Chakra — Type Confusion in JavaScript Engine Enables Remote Code Execution via Malicious Web Page; Patched MS16-145 (November 2016)

Adobe Flash Player — TextField Class Use-After-Free Enables Remote Code Execution via Malicious Web Content; Patched APSB16-39 (December 2016)

NETGEAR R7000/R6400 and Others — Web Interface Command Injection via CSRF Enables Unauthenticated RCE on Home/SMB Routers; Widely Exploited by Botnets

Adobe Flash Player — Use-After-Free Zero-Day Exploited in Targeted Attacks Before Patch; Emergency APSB16-37 (October 2016)

Microsoft Windows Kernel — Local Privilege Escalation to SYSTEM via Crafted Application; Patched MS16-014 (February 2016)

Windows CSRSS — Process Token Mismanagement Enables Privilege Escalation; Ransomware Use Confirmed; Patched MS16-048 (April 2016)

Microsoft Windows — Kernel Object Handling Flaw Enables Local Privilege Escalation to SYSTEM; Exploited in Ransomware Chains; Patched MS16-098 (August 2016)

Windows Secondary Logon Service — Handle Management Flaw Enables LPE to SYSTEM; Widely Used by Ransomware Operators; Patched MS16-032 (March 2016)

Microsoft Word — RTF File Format Memory Corruption Enables Remote Code Execution via Malicious Document; Patched MS16-121 (October 2016)

Microsoft Excel — Security Feature Bypass via Malformed File Enables Arbitrary Command Execution Without Macro Prompts; Patched MS16-148 (December 2016)

Internet Explorer JScript/VBScript — Scripting Engine Memory Corruption Enables RCE via Crafted Web Page; Targeted APT Exploitation; Patched MS16-051 (May 2016)

Ruby on Rails Action View — render :file Path Traversal Allows Unauthenticated Arbitrary File Read; Fixed Rails 3.2.22.2 / 4.x / 5.0 (January 2016)

Siemens SIMATIC CP 1543-1 — Industrial Ethernet Communications Processor Allows Authenticated Low-Privilege Remote Denial of Service; Patched via Firmware Update

D-Link DCS-930L Network Camera — setSystemCommand Function Allows Authenticated Admin OS Command Injection; End-of-Life Device with No Patch Available

Linux Kernel 'Dirty COW' — Copy-on-Write Race Condition Permits Unprivileged Write to Read-Only Memory-Mapped Files

Microsoft Win32k.sys — Zero-Day LPE Used in Dridex Campaigns; Ransomware Use Confirmed; Inaugural CISA KEV; Patched MS16-039 (April 2016)

Windows Media Center — Crafted .MCL File References Malicious Code Enabling RCE; Inaugural CISA KEV; Patched MS16-059 (May 2016)

Microsoft Office — OLE Component Loads Attacker-Controlled DLL from Current Working Directory; Enables Code Execution via Malicious Document on Network Share or Removable Media

SolarWinds Virtualization Manager — Misconfigured sudo Permissions Allow Low-Privilege User to Execute Arbitrary Commands as Root; Patched 2016

Microsoft Win32k — Kernel UAF in Win32k.sys Enables Local Privilege Escalation; APT28 Zero-Day in Active Exploitation Before Patch; Patched MS16-135 (November 2016)

SAP NetWeaver AS JAVA — Unauthenticated Path Traversal in CrashFileDownloadServlet via fileName Parameter Enables Arbitrary File Read Including SAP Configuration and Credentials