KEV 2020

Synacor Zimbra Collaboration Suite — Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability

Sophos XG Firewall — Sophos XG Firewall Buffer Overflow Vulnerability

Sophos CyberoamOS WebAdmin — Unauthenticated SQL Injection Enables Arbitrary Database Manipulation; EOL Product with No Patch, Added to KEV February 2025

Oracle WebLogic Server — Oracle WebLogic Server Unspecified Vulnerability

DrayTek Multiple Vigor Routers — DrayTek Multiple Vigor Routers OS Command Injection Vulnerability

Oracle WebLogic — Unauthenticated RCE via Java Deserialization over T3/IIOP Protocols; July 2020 CPU, Added to KEV September 2024 After Continued Exploitation

Oracle Fusion Middleware — Oracle Fusion Middleware Unspecified Vulnerability

Roundcube Roundcube Webmail — Roundcube Webmail Remote Code Execution Vulnerability

QNAP QTS and QuTS hero — Unauthenticated Command Injection in NAS Management Interface Enables Remote Code Execution as Root; Mass-Exploited by Ransomware and Botnets

Palo Alto Networks PAN-OS — Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Sophos SG UTM WebAdmin — Unauthenticated OS Command Injection in WebAdmin Interface Enables Remote Code Execution on Unified Threat Management Appliance

OpenBSD OpenSMTPD — OpenSMTPD Remote Code Execution Vulnerability

Zyxel Multiple Network-Attached Storage (NAS) Devices — Zyxel Multiple NAS Devices OS Command Injection Vulnerability

SonicWall SonicOS VPN Portal — Stack Buffer Overflow in HTTP/HTTPS Request Handling Enables Unauthenticated Remote Code Execution or DoS; Affects Thousands of Internet-Facing Firewalls

Apache Tomcat — Apache Tomcat Improper Privilege Management Vulnerability

Microsoft SMBv3 — Microsoft SMBv3 Remote Code Execution Vulnerability

Grandstream UCM6200 — Grandstream Networks UCM6200 Series SQL Injection Vulnerability

Apache Airflow Experimental API — Missing Authentication on /api/experimental Endpoints Allows Unauthenticated DAG Trigger and Arbitrary Code Execution on Workers

FUEL CMS — Unauthenticated SQL Injection via 'col' Parameter in Admin Panel Items Endpoints Enables Database Extraction and Potentially Remote Code Execution

SIGRed — Windows DNS Server Integer Overflow in SIG Record Parsing Enables Unauthenticated Wormable RCE; CVSS 10.0, CISA Emergency Directive ED 20-03

Oracle Solaris — Out-of-Bounds Write in PAM Authentication Framework Enables Unauthenticated Remote Code Execution via SunSSH; CVSS 10.0, Exploited by UNC1945 Against Financial Sector

WordPress File Manager Plugin (elFinder) — Unauthenticated File Upload via Exposed Connector Enables PHP Code Execution; 300,000+ Sites Targeted Within Hours of Disclosure

SAP NetWeaver AS Java — RECON: Unauthenticated Access to LM Config Wizard Enables Admin User Creation; CVSS 10.0, Affects 40,000+ SAP Systems, NSA/CISA Joint Alert

Microsoft .NET Framework — Microsoft .NET Framework Remote Code Execution Vulnerability

SolarWinds Orion API — Authentication Bypass via URL Path Parameter Manipulation Enables Unauthenticated API Command Execution; Disclosed During SUNBURST Supply Chain Crisis

Sumavision Enhanced Multimedia Router (EMR) — Sumavision EMR Cross-Site Request Forgery (CSRF) Vulnerability

Zoho ManageEngine — Zoho ManageEngine Desktop Central File Upload Vulnerability

Tenda AC15 — OS Command Injection via deviceName POST Parameter in SetOnlineDevName Enables Unauthenticated Remote Code Execution; No Patch Available

SaltStack Salt — SaltStack Salt Authentication Bypass Vulnerability

Sophos SFOS — Sophos SFOS SQL Injection Vulnerability

FortiOS SSL-VPN — Case-Sensitivity Bypass Allows MFA Skip When Username Case Is Changed; Exploited by Ransomware Groups Targeting FortiGate Devices

Oracle WebLogic — Unauthenticated RCE via Console Authentication Bypass; Emergency Patch for Incomplete Fix of CVE-2020-14882, Mass-Exploited Within Days of Disclosure

Oracle WebLogic — Unauthenticated Console Authentication Bypass via Path Traversal Enables Admin Panel Access; Mass-Exploited Within 48 Hours, Chained with CVE-2020-14883 for Code Execution

MobileIron Core / Sentry / Connector — Unauthenticated RCE via Apache/Tomcat ACL Bypass and Hessian Java Deserialization

SaltStack Salt — Unauthenticated RCE via Salt API SSH Client

vBulletin — Unauthenticated RCE via Crafted subWidgets Data in Widget Render Endpoint; Bypass of Incomplete CVE-2019-16759 Patch, Exploited Within Hours of Disclosure

Apache Struts S2-061 — Forced OGNL Evaluation in Tag Attributes Enables Unauthenticated Remote Code Execution; Bypass of S2-059 Fix in Struts 2.5.26

D-Link DNS-320 NAS — Unauthenticated OS Command Injection in system_mgr.cgi Enables Remote Code Execution; No Patch Available for End-of-Life Device

Oracle Multiple Products — Oracle Multiple Products Remote Code Execution Vulnerability

NETGEAR JGS516PE ProSAFE Plus — Unauthenticated Access to Switch Management Functions via Missing Access Control; Enables Full Switch Takeover and Network Manipulation

D-Link DIR-825 R1 Router — Buffer Overflow in Web Interface Enables Unauthenticated Remote Code Execution; No Patch Available for Revision 1 Hardware

Zyxel Firewalls and AP Controllers — Hardcoded 'zyfwp' Admin Account with Fixed Password Enables Unauthenticated Network Takeover; Discovered by Eye Control

Cisco Cisco IP Phones — Cisco IP Phones Web Server Remote Code Execution and Denial-of-Service Vulnerability

VMware vCenter Server — VMware vCenter Server Information Disclosure Vulnerability

VMware ESXi OpenSLP — Use-After-Free in Service Location Protocol Daemon Enables Unauthenticated RCE from Management Network; Exploited by ESXiArgs and BlackBasta Ransomware

IBM Data Risk Manager — IBM Data Risk Manager Security Bypass Vulnerability

Unraid Unraid — Unraid Remote Code Execution Vulnerability

F5 BIG-IP — F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability

SAP Solution Manager — SAP Solution Manager Missing Authentication for Critical Function Vulnerability

Liferay Liferay Portal — Liferay Portal Deserialization of Untrusted Data Vulnerability

DrayTek Multiple Vigor Routers — Multiple DrayTek Vigor Routers Web Management Page Vulnerability

Trend Micro Apex One and OfficeScan — Critical Unauthenticated Auth Bypass via Vulnerable EXE Grants Admin Access Without Credentials; Enables CVE-2020-8467 RCE Chain

PlaySMS PlaySMS — PlaySMS Server-Side Template Injection Vulnerability

EyesOfNetwork EyesOfNetwork — EyesOfNetwork Use of Hard-Coded Credentials Vulnerability

Chrome FreeType — Heap Buffer Overflow in PNG-in-Font Processing Enables Renderer Code Execution; Zero-Day Chained with CVE-2020-17087 (Windows) and CVE-2020-16010 (Android)

Chrome for Android — Heap Buffer Overflow in Chrome UI Enables Compromised Renderer to Escape Android Sandbox; Zero-Day Chained with CVE-2020-15999 for Full Device Compromise

Chrome Site Isolation — Use-After-Free in Site Isolation Enables Compromised Renderer to Escape Sandbox; Zero-Day Used with V8 Bug CVE-2020-16013

VMware Workspace ONE Access — Command Injection in Admin Configurator Enables OS Command Execution; NSA-Attributed Russian SVR Exploitation for SAML Token Forgery

IBM Data Risk Manager — IBM Data Risk Manager Remote Code Execution Vulnerability

Hyper-V RemoteFX vGPU — Authenticated Guest VM User Achieves Host Hypervisor Code Execution via Crafted Input; VM Escape Patched July 2020, RemoteFX vGPU Subsequently Removed