KEV 2021

Apple WebKit — Integer Overflow in Web Content Processing Enables Code Execution on iOS, iPadOS, macOS, tvOS, and watchOS; December 2021 Patch

VMware/Omnissa Workspace ONE UEM — Unauthenticated SSRF Enabling Internal Network Access and Sensitive Information Disclosure

ScadaBR SCADA/HMI Platform — Authenticated Arbitrary JSP File Upload via view_edit.shtm Enables Remote Code Execution on ICS/OT Systems

Linux Netfilter (Xtables) — Heap OOB Write via User Namespace Enables Container Escape and Local Privilege Escalation to Root; Kernel 2.6.19–5.12 Affected

Windows Common Log File System (CLFS) Driver — Local Privilege Escalation Enabling Low-Privileged User to Gain SYSTEM Access

Grafana 8.x — Unauthenticated Path Traversal via Plugin Static File Handler Enabling Arbitrary Local File Read; Emergency Patches Released December 2021

Adminer Database Management Tool — SSRF via Redirect Functionality Enables Unauthenticated Attacker to Reach Internal Services and Exfiltrate Sensitive Data

Acclaim USAHERDS — Hard-Coded ASP.NET MachineKey Enables ViewState Deserialization RCE; Exploited by APT41 Against US State Government Networks

Reolink RLC-410W — Authenticated OS Command Injection in Network Settings Enabling Root Code Execution; Potentially EOL Device

DrayTek VigorConnect — Unauthenticated Path Traversal in DownloadFileServlet Enables Arbitrary File Read with Root Privileges

DrayTek VigorConnect — Unauthenticated Path Traversal in WebServlet Endpoint Enables Arbitrary File Read with Root Privileges

Microsoft Exchange Server — Authenticated Admin Information Disclosure Enabling Remote Code Execution; July 2021 Patch Tuesday

D-Link DIR-605L (EOL) — Unauthenticated Credential Disclosure via Forged POST to /getcfg.php Exposes Admin Username and Password

Arm Mali GPU Kernel Driver — Use-After-Free Enables Non-Privileged User to Gain Root Privilege on Android and Linux Devices; Bifrost/Midgard Affected

Samsung Modem Interface Driver — OOB Read in set_skb_priv() Enables Local App to Achieve Code Execution via Invalid Function Pointer Dereference

Linux Polkit — Race Condition in D-Bus Authentication Enabling Local Privilege Escalation to Root; Affects RHEL, Ubuntu, Debian, and Most Linux Distributions

Veritas Backup Exec Agent — Authenticated Data Management Protocol Command Enables Arbitrary OS Command Execution on Backup Agent Host; Part of VTS21-001 Chain

Veritas Backup Exec Agent — SHA Authentication Bypass Enables Unauthenticated Network Access to Backup Agent Data; Part of VTS21-001 Exploitation Chain

Veritas Backup Exec Agent — SHA Authentication Flaw Enables Attacker to Access and Modify Files on Backup Agent; Exploited by Ransomware to Destroy Backups

XStream Java Library — Attacker-Controlled XML Input Triggers RCE via Deserialization; Affects XStream ≤1.4.17 and VMware Cloud Foundation

Apple GPU Drivers — Out-of-Bounds Write in GPU Driver Enables Malicious App to Execute Code with Kernel Privileges on iOS, iPadOS, and macOS

Ubuntu Linux Kernel — overlayfs File Capabilities Bypass in User Namespaces for Local Privilege Escalation

Delta Electronics DOPSoft 2 (EOL) — Out-of-Bounds Write via Malicious HMI Project File Enables Code Execution; ICS Advisory ICSA-21-252-02

Apple CoreTelephony — Deserialization Flaw Allows Sandboxed Process to Circumvent Sandbox Restrictions on iOS, macOS, and watchOS; Patched September 2021

Apple iOS and iPadOS — Buffer Overflow in Kernel Driver Enables Application to Execute Code with Kernel Privileges; Patched in iOS 15.2

Polkit pkexec 'PwnKit' — Out-of-Bounds Write in Argument Handling Permits Root Escalation on Every Major Linux Distribution

Apple WebKit — Type Confusion Zero-Day Enables Remote Code Execution via Malicious Web Content on iOS, iPadOS, macOS, and Other Apple Platforms

Android Kernel — Use-After-Free Enabling Local Privilege Escalation from App to Kernel; Used in Targeted Exploit Chains Against Android Devices

Apple IOMobileFrameBuffer — OOB Write Zero-Day Enables Kernel Code Execution on iOS, macOS, watchOS, and tvOS; Emergency Patch October 2021

Windows Win32k — Local Privilege Escalation Enabling Low-Privileged User to Gain SYSTEM Access via Kernel Driver Flaw

Windows Win32k — Local Privilege Escalation to SYSTEM via Win32k Kernel Driver Flaw; Exploited in Post-Compromise Attack Chains

Google Pixel — Out-of-Bounds Write in Kernel/Driver Component Enabling Local Privilege Escalation from Low-Privileged App to Kernel

Sudo 'Baron Samedit' — Heap-Based Buffer Overflow via Off-by-One Permits Root Escalation Without Any sudoers Entry

Active Directory — NoPac Stage 1: sAMAccountName Spoofing Allows Domain Account to Impersonate Domain Controller in Kerberos Requests

Active Directory — NoPac Stage 2: Kerberos PAC Missing Check Allows Spoofed DC Ticket to Yield Domain Admin Service Ticket

Dell dbutil_2_3.sys — Exposed IOCTL Interface in Firmware Update Driver Enables Low-Privileged User to Read/Write Kernel Memory and Escalate to SYSTEM

Windows User Profile Service — Junction Attack in Profile Copy Operation Allows Low-Privileged User to Escalate to SYSTEM; August 2021 Patch Tuesday

Windows Event Tracing for Windows (ETW) — Use-After-Free in Kernel Logging Subsystem Allows Low-Privileged User to Gain SYSTEM Privileges; August 2021 Patch Tuesday

Microsoft Office Access Connectivity Engine (ACE) — File-Based RCE Enabling Code Execution When Opening Malicious Database File; Exploited in Ransomware Campaigns

HiveNightmare / SeriousSAM — VSS Shadow Copies Expose SAM/SYSTEM/SECURITY Hives to Low-Privileged Users, Enabling Credential Extraction and SYSTEM Escalation

Nagios XI Network Monitoring — Authenticated OS Command Injection via Windows WMI Configuration Wizard Enables Root Code Execution on Monitoring Server

Nagios XI Network Monitoring — Authenticated OS Command Injection via LDAP Configuration Wizard Enables Root Code Execution on Monitoring Server

Nagios XI Network Monitoring — Authenticated OS Command Injection via SNMP/CGI Interface Enables Root Code Execution on Monitoring Server

October CMS — Password Reset Request Manipulation Allows Account Takeover Without Knowing Original Password

VMware vRealize Operations Manager — Unauthenticated SSRF in API Allows Attacker to Steal Administrative Credentials; Chained with CVE-2021-21983 for Full Compromise

ProxyToken — Unauthenticated Exchange Mailbox Configuration Manipulation Enables Attacker to Forward Victim Email to Attacker-Controlled Address

systeminformation npm Package — Command Injection via Unsanitized name Parameter Enables Host OS Command Execution and Container Escape; Fixed in v5.3.1

Google Chrome/Chromium V8 — Use-After-Free Zero-Day Enabling Heap Corruption via Crafted HTML; Chrome 96 Emergency Patch December 2021

Windows AppX Installer — Spoofing Enables Malicious MSIX Packages to Appear as Trusted Publishers; Exploited by Emotet and BazaLoader for Malware Delivery

Microsoft Exchange Server — Authenticated RCE via Improper Cmdlet Argument Validation; Zero-Day Demonstrated at Tianfu Cup, Exploited in Ransomware Campaigns

Adobe Acrobat and Reader — Heap Buffer Overflow in PDF Rendering Enables Remote Code Execution via Malicious PDF File; Zero-Day Exploited in Limited Targeted Attacks

Chrome V8 JavaScript Engine — Heap Buffer Overflow Zero-Day Enables Remote Code Execution via Malicious Web Page; First Chrome Zero-Day of 2021

Chrome Audio/Stream Component — Race Condition Zero-Day Enables Heap Corruption and Remote Code Execution; Second Chrome Zero-Day of Q1 2021

Chrome Blink Rendering Engine — Use-After-Free Zero-Day Enables Remote Code Execution via Malicious Web Page; Third Chrome Zero-Day of Q1 2021

Chrome Blink Rendering Engine — Use-After-Free Zero-Day Enables Remote Code Execution via Malicious Web Page; Patched April 2021 Alongside CVE-2021-21220

Chrome V8 Engine — Improper Input Validation Enables Heap Corruption and Remote Code Execution; Part of April 2021 Zero-Day Cluster Exploited Before Chrome 90 Patch

Chrome V8 Engine — Type Confusion Zero-Day Enables Sandbox Code Execution via Crafted Web Page; Used in PuzzleMaker Full Exploit Chain (Chrome + Windows Kernel)

Pulse Connect Secure — Authenticated Buffer Overflow in Collaboration Suite Enables Root Code Execution; Part of April 2021 APT Exploitation Cluster

Pulse Connect Secure — Authenticated Command Injection via Windows File Resource Profiles Enables Root Code Execution; Part of April 2021 APT Exploitation Cluster

Internet Explorer MSHTML — Use-After-Free Zero-Day Exploited by North Korean Lazarus Group to Target Security Researchers; March 2021 Patch Tuesday

Internet Explorer Scripting Engine — Remote Code Execution Zero-Day via Crafted Web Page Enables Code Execution in IE Process; March 2021 Patch Tuesday

Adobe Acrobat and Reader — Use-After-Free Zero-Day Enables Code Execution When Opening Malicious PDF; Actively Exploited Before May 2021 Patch

Arm Mali GPU Kernel Driver — Use-After-Free in GPU Memory Management Enables Non-Privileged App to Gain Root and Disclose Information on Android Devices

Arm Mali GPU Kernel Driver — Memory Safety Flaw Enables Non-Privileged User to Write to Read-Only Memory, Gain Root, and Corrupt Kernel State on Android Devices

Chrome V8 Engine — Type Confusion Zero-Day Enables Remote Code Execution via Malicious Web Page; Discovered by Google TAG, Patched June 2021

Chrome WebGL — Use-After-Free Zero-Day Enables Remote Code Execution via Malicious Web Content; Actively Exploited Before June 2021 Patch

Chrome V8 Engine — Type Confusion Zero-Day Enables Remote Code Execution via Malicious Web Page; Patched in Chrome 92 July 2021

Google Chrome V8 Engine — Out-of-Bounds Write Zero-Day Enables Remote Code Execution via Malicious Web Page; Patched September 2021

Apple WebKit — Use-After-Free in WebKit Storage Enables Code Execution via Malicious Web Content; Zero-Day Patched May 2021

Apple WebKit — Integer Overflow Enables Code Execution via Malicious Web Content on iOS, iPadOS, macOS, and Safari

Apple WebKit — Memory Corruption Enables Code Execution via Malicious Web Content on iOS, iPadOS, macOS, watchOS, and tvOS

Apple iOS WebKit — Buffer Overflow Enables Code Execution via Malicious Web Content; Zero-Day Patched in Emergency iOS Update

Apple iOS WebKit — Out-of-Bounds Write Zero-Day Enables Code Execution via Malicious Web Content on Legacy iOS 12 Devices

Apple iOS WebKit — Use-After-Free Zero-Day Enables Code Execution via Malicious Web Content on Legacy iOS 12 Devices

Apple WebKit — Use-After-Free Zero-Day Patched in iOS 14.8 Alongside FORCEDENTRY (CVE-2021-30860); Confirmed Active Exploitation

Microsoft Windows 'PrintNightmare' — Print Spooler Driver Installation Allows Authenticated Remote Code Execution as SYSTEM

Trend Micro Apex One — Unrestricted File Upload via Agent Communication Endpoint Allows Web Shell Deployment; Disclosed with CVE-2021-36742 Agent LPE

Google Chrome V8 Engine — Use-After-Free Zero-Day Exploited Alongside CVE-2021-37976 for Full Browser Compromise; Patched October 2021

Google Chrome V8 Engine — JSON.stringify TheHole Value Leak Causes Memory Corruption; Zero-Day Exploited Before CVE Publication

Windows MSHTML — Zero-Day RCE via Malicious Office Document Loading ActiveX Control from Remote .cab File; Exploited Before September 2021 Patch

Qualcomm Adreno GPU Driver — Use-After-Free in Graphics Memory Mapping Enables SYSTEM Escalation on Android Devices with Snapdragon SoCs

Windows DWM Core Library — No-Auth Local Privilege Escalation Enables Any User to Execute Code as SYSTEM; Used in PuzzleMaker Campaign; June 2021 Zero-Day

McAfee Total Protection — Self-Defense Bypass via Improper Privilege Management Escalates to SYSTEM; Security Tool's Own Anti-Tamper Mechanism Becomes the Escalation Vector

Windows Win32k — MysterySnail Zero-Day Use-After-Free Exploited by IronHusky APT for SYSTEM Escalation in Targeted Espionage Campaigns

Microsoft Excel — Zero-Day Security Feature Bypass Allows Malicious Excel Files to Execute Content Without Security Prompts

Microsoft Defender Malware Protection Engine — Malicious File Triggers RCE in MMPE Scanning Routine; Actively Exploited January 2021 Patch Tuesday Zero-Day

PrintNightmare (LPE Component) — Windows Print Spooler Local Privilege Escalation Zero-Day; Patched June 2021, Exploited in Ransomware Campaigns

Windows Win32k Kernel Driver — Out-of-Bounds Write Zero-Day Enables Low-Privileged User to Escalate to SYSTEM; Exploited in Targeted Campaigns Before February 2021 Patch

ProxyLogon — Exchange Unified Messaging Deserialization Enables SYSTEM Code Execution After Authentication via CVE-2021-26855 SSRF; CISA ED 21-02

ProxyLogon — Post-Auth Arbitrary File Write Enables Web Shell Deployment on Exchange Server After Authentication via CVE-2021-26855; CISA ED 21-02

ProxyLogon — Path Traversal File Write Enables Web Shell Deployment After Authentication via CVE-2021-26855; Second Exchange File Write in ProxyLogon Cluster

Accellion FTA File Transfer Appliance — Local Web Service OS Command Injection Enables Root Code Execution; Part of UNC2546/CLOP Four-CVE Mass Data Theft Campaign

Windows Win32k — Out-of-Bounds Write Zero-Day Exploited by BITTER APT for SYSTEM Escalation; April 2021 Patch Tuesday

Apple macOS TCC — Missing Authorization Check Allows Malicious App to Bypass Privacy Preferences and Access Camera, Microphone, and Screen

Apple iOS/iPadOS/macOS — IOMobileFrameBuffer OOB Write Enables Malicious App to Execute Code with Kernel Privileges; Emergency Zero-Day Patch

Apple CoreGraphics — FORCEDENTRY: Integer Overflow in PDF/JBIG2 Parsing Enables Zero-Click iMessage Exploitation by NSO Group Pegasus Spyware

Apple XNU Kernel — Type Confusion Enables Malicious App to Execute Code with Kernel Privileges; Kernel Escalation Component of FORCEDENTRY Chain

Windows NTFS — Integer Underflow in Kernel NTFS Driver Enables Local Code Execution with SYSTEM Privileges; Used in PuzzleMaker Waterhole Campaign

Windows Kernel — Memory Safety Vulnerability Enables Low-Privileged User to Execute Code with SYSTEM Privileges; July 2021 Patch Tuesday Zero-Day

Windows Kernel — Privilege Escalation Zero-Day Exploited Alongside CVE-2021-31979 in Targeted Campaigns; July 2021 Patch Tuesday

Trend Micro Apex One — Agent Improper Input Validation Enables Local Privilege Escalation to SYSTEM; Disclosed with CVE-2021-36741 Server File Upload

Windows Update Medic Service — Local Privilege Escalation to SYSTEM via Service Misconfiguration; Zero-Day Patched August 2021

Windows CLFS Driver — Local Privilege Escalation to SYSTEM; Actively Exploited in Ransomware Campaigns; September 2021 Patch Tuesday

Azure OMI (OMIGOD) — Local Privilege Escalation to Root via Silently-Installed Linux Management Agent on Azure VMs; September 2021

Azure OMI (OMIGOD) — Second Local Privilege Escalation Variant in Silently-Installed Azure Linux Management Agent; September 2021

Microsoft Office — Privileged Admin Remote Code Execution in Server-Side Office Component via Crafted Request; March 2021 Patch Tuesday

Micro Focus Access Manager — SAML ACS URL Redirect Flaw Enables Unauthenticated Attacker to Capture Authentication Tokens and Compromise Accounts

Windows MSHTML (Trident) — Out-of-Bounds Write in Legacy IE Rendering Engine Enables RCE via Crafted Web Content; June 2021 Patch Tuesday

PetitPotam — Unauthenticated NTLM Coercion Forces Domain Controller to Authenticate Against Attacker Server; Chained with AD CS Relay for Domain Takeover

SonicWall Email Security — Post-Auth Admin File Upload Enables Web Shell Deployment; Used in Three-CVE Chain (CVE-2021-20021 + CVE-2021-20022 + CVE-2021-20023) by UNC2682

Pulse Connect Secure — Admin-Authenticated Malicious Archive Upload Enables File Write and Code Execution; Part of April 2021 APT Exploitation Cluster

Apple XNU Kernel — Race Condition Enables Malicious App to Elevate Privileges to Root; Zero-Day Patched in iOS 14.4 January 2021

Azure OMI (OMIGOD) — Third Local Privilege Escalation Variant (AC:H) in Silently-Installed Azure Linux Management Agent