KEV 2023

Microsoft Exchange Server — Authenticated RCE via PowerShell SOAP Deserialization

Windows CLFS Driver — Kernel Pool Corruption via BLF File Parsing Leading to Privilege Escalation

PaperCut NG/MF — Pre-Auth Authentication Bypass via SecurityRequestFilter Enabling Information Disclosure

Apple WebKit — Use-After-Free in Maliciously Crafted Web Content Leads to Code Execution; Fixed iOS 16.6 (July 2023); NVD Registration Delayed 2 Years; Exploited in Coruna Exploit Kit Targeting Legacy iPhones

Apple iOS/iPadOS — Local Use-After-Free in Kernel Enables App-to-Kernel Privilege Escalation; Patched in iOS 17; KEV Added March 2026

Digiever DS-2105 Pro NVR — Missing Auth Enables OS Command Injection via time_tzsetup.cgi; Mirai Botnet Targeting CCTV/NVR Devices; KEV December 2025

PaperCut NG/MF — CSRF Allowing Admin-Level Security Setting Modification or Code Execution

TP-Link TL-WR Series — Authenticated Command Injection via WlanNetworkRpm; Likely EoL Devices

ASUS RT-AX55 — Authenticated OS Command Injection via Router Management Interface

Linux Kernel OverlayFS — FUSE setuid File Copy Bypasses nosuid; Local Root Privilege Escalation; KEV Added June 2025 Reflecting Ongoing Exploitation

ZKTeco BioTime — Unauthenticated Path Traversal in iclock API Enabling Arbitrary File Read

SonicWall SMA100 SSL VPN — Admin-Auth Command Injection Executes as 'nobody'; Chained with CVE-2021-20035 in Active 2025 Exploitation Campaign; KEV May 2025

North Grid Proself — Unauthenticated XXE Enabling File Read and SSRF, Exploited by China-Linked APT

SharePoint Server — Site Owner Code Injection; Chained with CVE-2023-29357 EoP for Unauthenticated RCE; Ransomware Campaigns

Chromium V8 — Type Confusion in JavaScript Engine Enabling Remote Code Execution via Crafted Web Page

Windows Streaming Service — No-Auth Local Privilege Escalation via Untrusted Pointer Dereference; Used by Lazarus Group

Apache Superset — Well-Known Default SECRET_KEY Allows Session Cookie Forgery and Admin Takeover; ~3,000 Exposed Instances

Google Chrome WebRTC — Zero-Day Heap Buffer Overflow Enables RCE via Crafted HTML; Chrome 120 Emergency Patch; Eighth Chrome Zero-Day of 2023

Citrix NetScaler ADC/Gateway — Pre-Auth Buffer Overflow Causes DoS When Configured as Gateway or AAA Server; Companion to CVE-2023-6548; January 2024 Emergency KEV

Ivanti Connect Secure/Policy Secure — Zero-Day Auth Bypass Chains with CVE-2024-21887 for Pre-Auth RCE; UNC5221 (China-Nexus) Mass Exploitation; CISA Emergency Directive ED-24-01

Apple iOS/macOS — Font Parser Code Execution via Undocumented CPU Feature, Used in Operation Triangulation

Spreadsheet::ParseExcel Perl Library — Eval Injection via Malicious Number Format Strings in XLS Files; UNC4841 (China-Nexus) Exploited via Barracuda ESG; KEV January 2024

FXC AE1021/AE1021PE Wall-Outlet WiFi APs — Authenticated Command Injection via Management Interface; InfectedSlurs Mirai Botnet Zero-Day; JPCERT/CC Disclosure

Apple WebKit — Memory Corruption Enables RCE via Malicious Web Content; Zero-Day Chained with CVE-2023-42916 for Full Exploit; iOS 17.1.2 / macOS Sonoma 14.1.2

Qualcomm GPU Driver — Out-of-Range Pointer Offset in GPU AUX Command IOCTL Enables Kernel Privilege Escalation on Android; Limited Targeted Exploitation Acknowledged

Qualcomm GPU Driver — Integer Overflow During Shared Virtual Memory IOCTL Assignment Enables Kernel Privilege Escalation on Android; Limited Targeted Exploitation Acknowledged

Qlik Sense Enterprise — Unauthenticated Path Traversal Enabling Anonymous Session Creation, Exploited by Cactus Ransomware

QNAP VioStor NVR — Adjacent-Network Command Injection via Low-Privilege Auth; InfectedSlurs Mirai Botnet Exploitation; Fixed in QVR 5.x Firmware

Qualcomm DSP Services — Use-After-Free During HLOS-to-DSP Remote Call Enables Kernel Privilege Escalation on Android; Limited Targeted Exploitation Acknowledged

Windows SmartScreen — Zero-Day .url Shortcut Bypass Silently Skips SmartScreen Prompts; Phemedrone Stealer Delivery; November 2023 Patch Tuesday

glibc ld.so — 'Looney Tunables' GLIBC_TUNABLES Heap Buffer Overflow for Local Root

Windows DWM Core Library — Zero-Day LPE via Uninitialized Memory in dwm.exe Escalates to SYSTEM; Exploited Alongside CVE-2023-36025; November 2023 Patch Tuesday

Windows Cloud Files Mini Filter Driver — Heap Buffer Overflow for SYSTEM Privilege Escalation

IETF Service Location Protocol (SLP) — Up to 2,200x UDP Reflection Amplification; Affects Enterprise Printers, ESXi, and Hundreds of Other Products

F5 BIG-IP — Authenticated SQL Injection Chained with CVE-2023-46747 for Unauthenticated RCE

Chromium libvpx — VP8 Encoding Heap Overflow Exploited by Commercial Spyware Operators

Adobe Acrobat and Reader — Use-After-Free in PDF Parser → Code Execution; APSB23-01 January 2023 Patch; KEV Added October 2023

Apple iOS/iPadOS — XNU Kernel Local Privilege Escalation Exploited in the Wild

HTTP/2 Protocol — Protocol-Level Denial of Service

Cisco IOS XE — Web UI Command Injection Chained with CVE-2023-20198 to Deploy Persistent Implant

Windows CNG Key Isolation Service — Sensitive Data Exposure Enabling Limited SYSTEM Privilege Escalation; High Complexity; KEV October 2023

Apple WebKit — Zero-Click iMessage Code Execution via PassKit Attachment in BLASTPASS Pegasus Chain

MinIO — Authenticated Bucket Name Bypass via PostPolicyBucket; Chained with CVE-2023-28432 Credential Leak for Unauthenticated Admin Object Write

libwebp — Critical WebP Image Heap Overflow Affecting Chrome, Firefox, Safari, Android, and Electron Apps

Apple iOS/iPadOS/macOS/watchOS — Kernel LPE in BLASTPASS Chain, Attributed to NSO Group Pegasus

Adobe Acrobat/Reader — Out-of-Bounds Write in Document Parsing Enabling Code Execution via Malicious PDF

Android Framework — Local Privilege Escalation Zero-Day in September 2023 Security Bulletin

Microsoft Streaming Service Proxy — Use-After-Free Kernel Zero-Day Exploited for SYSTEM Privilege Escalation

Apple Wallet — Validation Flaw Used as Second Stage in BLASTPASS Zero-Click Pegasus Chain

Apple ImageIO — Buffer Overflow Triggered by PassKit Image Attachment; BLASTPASS Zero-Click Entry Point

Trend Micro Apex One — Admin-Accessible Third-Party AV Uninstaller Executes Arbitrary Attacker-Specified Binary on Managed Endpoints; Zero-Day KEV Addition 48 Hours After Advisory

Openfire XMPP Server — Unauthenticated Path Traversal to Admin Console; Exploited to Deploy Web Shells

WinRAR — ZIP Archive Spoofing Triggers Executable When User Views Apparently Benign File; Exploited Since April 2023

Veeam Backup & Replication — Unauthenticated Credential Extraction from Backup Database; Exploited by FIN7 and Akira Ransomware for Backup Infrastructure Takeover

Microsoft .NET Core / ASP.NET Core — Unauthenticated DoS in Kestrel Web Server via Crafted HTTP Requests

Apple WebKit — Actively Exploited Zero-Day Patched via Rapid Security Response in July 2023

Windows SmartScreen — Security Warning Bypass Enabling Drive-by Download Without User Prompt

Microsoft Outlook — Security Notice Bypass via Crafted URL; Zero-Day in July 2023 Patch Tuesday

Windows MSHTML — Privilege Escalation via Crafted File; July 2023 Patch Tuesday Zero-Day

Windows Error Reporting — Symlink Attack Enabling Local Privilege Escalation to SYSTEM

Adobe ColdFusion — URL Filter Bypass Allowing Unauthenticated Admin Panel Access; Patch Later Bypassed by CVE-2023-38205

Adobe ColdFusion — Authentication Bypass Patch Bypass Enabling Unauthenticated Admin Panel Access

Office/Windows HTML — MOTW Bypass and RCE via Malicious Office Document; Used by Storm-0978 at NATO Summit

Ivanti EPMM — Authenticated Arbitrary File Write via Path Traversal, Enabling Webshell Deployment

Apple WebKit — Memory Corruption Enabling Code Execution; Component of Operation Triangulation Chain

Apple WebKit — Type Confusion Enabling Code Execution via Malicious Web Content; June 2023 Rapid Security Response

Chromium V8 — First Chrome Zero-Day of 2023; Type Confusion Enabling Heap Corruption via Crafted Web Page

Apple Kernel — Integer Overflow Enabling Kernel Code Execution; Component of Operation Triangulation Chain

Apple WebKit — Use-After-Free Enabling Code Execution via Malicious Web Content; May 2023 Rapid Security Response Zero-Day

TP-Link Archer AX21 — Unauthenticated Command Injection in Locale API; Pwn2Own Toronto Discovery; Exploited by Mirai Botnet Variants

Apple WebKit — Sandbox Escape Enabling Breakout from Web Content Process; Chained with CVE-2023-32373

Windows Win32k — Use-After-Free SYSTEM Privilege Escalation; May 2023 Patch Tuesday Zero-Day; Discovered by Avast

Oracle WebLogic Server — Unauthenticated Deserialization via T3/IIOP → Sensitive Data Disclosure; January 2023 Critical Patch Update

Chromium V8 — First Chrome Zero-Day of 2023; Type Confusion via Crafted HTML Page; Discovered by Google TAG

Apple iOS/iPadOS/macOS/Safari WebKit — Use-After-Free for Code Execution; April 2023 Zero-Day; Chained with CVE-2023-28206 for Full Device Compromise

Apple IOSurfaceAccelerator — Out-of-Bounds Write → Kernel Code Execution; April 2023 Zero-Day; Chained with CVE-2023-28205 WebKit for Full Device Compromise

Android Framework — WorkSource Privilege Escalation via Target SDK Update; Exploited by Pinduoduo Malicious App to Gain Persistent Device Access

Windows CLFS — Heap Buffer Overflow → SYSTEM; April 2023 Zero-Day Exploited by Nokoyawa Ransomware; Third CLFS Zero-Day in Six Months

MinIO — Unauthenticated Endpoint Returns All Environment Variables Including Admin Credentials; Chained with CVE-2023-28434 for Full Admin Takeover

Adobe ColdFusion — Unauthenticated Improper Access Control Enabling Server-Side Code Execution; Emergency Out-of-Band Patch; KEV Added Before NVD Publication

Linux Kernel ALSA — Use-After-Free in snd_ctl_elem_read → Ring0 Privilege Escalation via Race Condition; Adjacent Network Vector

Apple iOS/iPadOS/macOS/Safari WebKit — Type Confusion for Code Execution via Malicious Web Content; February 2023 Zero-Day; KEV Added Before NVD Publication

SugarCRM Multiple Products — PHP Code Injection via EmailTemplates Module → Authenticated RCE; SA-2023-001; February 2023 KEV

Windows Graphics Component — Integer Overflow → SYSTEM Privilege Escalation; February 2023 Zero-Day; Patched on Same Day as CLFS LPE CVE-2023-23376

Windows CLFS — Heap Buffer Overflow → SYSTEM; February 2023 Zero-Day; Ransomware Exploitation; Second in a Series of CLFS Zero-Days

Microsoft Office Publisher — Macro Policy Bypass Allowing VBA Execution Despite Office Macro Restrictions; February 2023 Zero-Day

Fortra GoAnywhere MFT — Pre-Auth Deserialization RCE in License Response Servlet; Cl0p Ransomware Mass-Exploited 130+ Organizations

Windows ALPC — Use-After-Free → Sandbox Escape and SYSTEM Privilege Escalation; January 2023 Zero-Day; Discovered by Avast