KEV 2024

Oracle WebLogic Server — Unauthenticated Data Disclosure via T3/IIOP (July 2024 CPU)

Samsung MagicINFO 9 Server — Unauthenticated File Write to Remote Code Execution via Path Traversal

ConnectWise ScreenConnect — Zip Slip Path Traversal Enabling RCE as SYSTEM (SlashAndGrab)

JetBrains TeamCity — Pre-Auth Path Traversal Bypassing Authentication on Limited Admin Endpoints

SimpleHelp RMM — Admin Zip Slip Enables Arbitrary File Write and Remote Code Execution

TeamT5 ThreatSonar Anti-Ransomware — Admin-Auth Malicious File Upload Enables Arbitrary OS Command Execution on Server

Citrix Session Recording — Privilege Escalation to NetworkService Account; Chained with CVE-2024-8069 for RCE

Citrix Session Recording — Deserialization RCE as NetworkService Account; Chained with CVE-2024-8068

DrayTek Vigor 2960/300B/3900 — Unauthenticated OS Command Injection via Web Management CGI

Linux Kernel USB Audio Driver — OOB Write via Malicious USB Device; Exploited on Android by Forensic Tooling

Linux Kernel USB Audio Driver — OOB Read via Malicious USB Device; Chained with CVE-2024-53197 in Android Forensic Exploits

NAKIVO Backup and Replication — Unauthenticated Absolute Path Traversal Enables Arbitrary File Read Including Credentials

Oracle Agile PLM — Low-Privilege Authenticated Java Deserialization Enables Full System Compromise via HTTP

Zyxel DSL CPE Devices — Post-Auth CGI Command Injection on EOL Devices Exploited by Botnets

Zyxel DSL CPE Devices — Post-Auth Telnet Command Injection on EOL Devices, No Patch Available

Microsoft Partner Center — Improper Access Control Allows Privilege Escalation in Cloud MSP Platform

Linux Kernel UVC Driver — Out-of-Bounds Write via Malicious USB Video Device; Exploited on Android

SimpleHelp Remote Support — Unauthenticated Path Traversal Exposes Config Files and Hashed Passwords; Ransomware Confirmed

Microsoft .NET Framework — ObjRef URI Leak via Error Message Enables Remote Code Execution via Deserialization

Apache OFBiz — Unauthenticated Forced Browsing Bypasses Auth Checks; Final in a Series of 2024 OFBiz Auth Bypasses

Mitel 6800/6900 Series SIP Phones — Argument Injection During Boot Process Allows Admin-Auth Remote Code Execution

Windows Kernel Streaming Service — Untrusted Pointer Dereference in ks.sys Enables SYSTEM LPE; DEVCORE Pwn2Own Discovery

Windows CLFS Driver — Heap-Based Buffer Overflow Enables Local Privilege Escalation to SYSTEM

Palo Alto Networks PAN-OS — Unauthenticated DNS Packet Causes Firewall Reboot and Maintenance Mode Loop

Zyxel USG FLEX / ATP Firewalls — Unauthenticated Path Traversal Enables File Upload/Download; Exploited by Helldown Ransomware

Adobe ColdFusion — Unauthenticated Admin Panel Access Allows Arbitrary File Read/Write When Admin Panel is Internet-Exposed

Apple JavaScriptCore — Zero-Day Remote Code Execution via Malicious Web Content; Reported by Google TAG

Microsoft Windows Task Scheduler — AppContainer Sandbox Escape via Privileged RPC (RomCom Zero-Day)

Oracle Agile PLM — Unauthenticated File Disclosure via Incorrect Authorization in Process Extension SDK

VMware vCenter Server — Privilege Escalation to Root via Crafted Network Packet; Paired with CVE-2024-38812 Heap Overflow

Palo Alto Networks Expedition — Unauthenticated Root OS Command Injection Exposes Firewall Credentials and Configs

Android Framework — Privilege Escalation via Unicode Handling Flaw; KEV Added Before NVD Publication

Palo Alto Networks PAN-OS — Admin-to-Root OS Command Injection; Second Half of Operation Lunar Peek Chain with CVE-2024-0012

PTZOptics PT30X Cameras — Admin-Auth OS Command Injection; Second Half of Chain with CVE-2024-8956 Auth Bypass

Ivanti EPM — Unauthenticated SQL Injection Leading to Remote Code Execution via xp_cmdshell

Qualcomm DSP FastRPC Driver — Use-After-Free in Kernel DSP Services; Confirmed Exploitation by Google TAG and Amnesty International

Windows Management Console — RCE via Malicious .MSC File; Zero-Day Patched on October 2024 Patch Tuesday

Microsoft SharePoint — Site Owner-Auth .NET Deserialization Enables Remote Code Execution; Ransomware Exploitation Confirmed

Ivanti CSA 4.6.x — Admin-Authenticated OS Command Injection; EOL Product in Actively Exploited Ivanti Chaining Campaigns

Windows Kernel — TOCTOU Race Condition in Object Manager Enables SYSTEM Privilege Escalation; Ransomware Exploitation Confirmed

Windows MSHTML — Zero-Day File Extension Spoofing Used by Void Banshee APT to Bypass CVE-2024-38112 Patch

Windows Installer — Zero-Day Local Privilege Escalation to SYSTEM via MSI Repair Operation

Kingsoft WPS Office — Malicious Document Loads Arbitrary DLL via promecefpluginhost.exe; Used by APT-C-60 to Deploy SpyGlace

Microsoft Publisher — Zero-Day Macro Policy Bypass Allows Malicious .pub Files to Execute Code Without Warning

Ivanti CSA 4.6.x — Admin-Auth OS Command Injection on EOL Appliance; First in Multi-CVE Exploit Chain

Google Chromium V8 — Zero-Day Inappropriate Implementation Enables Heap Corruption; Part of August 2024 North Korea Browser Campaign

Microsoft Project — Zero-Day Macro Execution via Malicious .mpp File When VBA Macro Notification Is Disabled

Windows PDC Driver — Zero-Day Use-After-Free Enables SYSTEM Privilege Escalation; August 2024 Patch Tuesday

Windows AFD.sys — Zero-Day Use-After-Free Used by North Korea Lazarus Group to Deploy FudModule Rootkit

Android / Linux Kernel — Use-After-Free in IPv6 Routing Table (fib6_info) Enables RCE; Google TAG Confirmed Exploitation

Windows Scripting Engine — Zero-Day Type Confusion Enables RCE via IE Mode; Reported by AhnLab and NCSC Korea

Versa Networks Director — PNG File Upload Delivers Malicious JAR; Exploited by Volt Typhoon for SD-WAN Infrastructure Compromise

Windows Kernel — Zero-Day Race Condition Enables SYSTEM Privilege Escalation; Patched August 2024 Patch Tuesday

SolarWinds Serv-U FTP/MFT — Unauthenticated Path Traversal Enables Arbitrary File Read; Rapid7 PoC Published Within Days

Windows Hyper-V — Zero-Day Integer Overflow Enables Local User to Gain SYSTEM on Hyper-V Host; July 2024 Patch Tuesday

Windows MSHTML — Zero-Day URL File Trick Forces IE Mode to Execute jscript9.dll; Void Banshee APT Deployed Atlantida Stealer

Windows Error Reporting (WER) — Improper Privilege Management Enables Local SYSTEM Escalation; Black Basta Ransomware Exploitation

Android Pixel Firmware — Improper Logic in Firmware Enables Local Privilege Escalation; Limited Targeted Exploitation Confirmed

Arm Bifrost/Valhall GPU Kernel Driver — Use-After-Free Enables Local Privilege Escalation; Limited Targeted Exploitation Confirmed

Chrome V8 Engine — Zero-Day OOB Write via Crafted HTML; Second Chrome Zero-Day in One Week in May 2024

Windows MSHTML — Zero-Day OLE/COM Protection Bypass via Malicious Document Enables Code Execution Without User Warnings

Check Point Quantum / CloudGuard — Unauthenticated Arbitrary File Read on VPN Gateways Exposes Password Hashes and Credentials

JAVS Viewer Supply Chain Attack — Trojanized Installer with Backdoored FFmpeg Deploys C2 Malware to Court and Government Systems

Linux Kernel nf_tables 'notselwyn' — Use-After-Free in Netfilter Verdict Handling Permits Local Privilege Escalation

Windows DWM Core Library — Zero-Day Heap Buffer Overflow Enables SYSTEM LPE; Used by QakBot Operators to Deploy Cobalt Strike

Windows SmartScreen — Zero-Day MotW Bypass Chained with CVE-2024-21412; Water Hydra APT Delivered DarkMe RAT

Cisco ASA/FTD — Zero-Day Infinite Loop in WebVPN/Management Interface; ArcaneDoor Campaign by China-Nexus UAT4356

Android Pixel — Improper Error Handling Allows Interruption of MDM-Triggered Factory Reset; Forensic Tool Exploitation Context

D-Link DNS-320L/325/327L/340L NAS — Unauthenticated RCE via Hardcoded Credentials + Command Injection; EOL, No Patch

Apple iOS/iPadOS/macOS/tvOS/watchOS/visionOS Kernel — Zero-Day Memory Corruption Bypasses Kernel Memory Protections; Paired with CVE-2024-23296

Apple RTKit — Zero-Day Memory Corruption in Real-Time Coprocessor Bypasses Kernel Memory Protections; Paired with CVE-2024-23225

Windows AppLocker Driver (appid.sys) — IOCTL Access Control Flaw Enables SYSTEM LPE; Lazarus Group FudModule Rootkit Deployment

Windows Internet Shortcut (.url) — Zero-Day MotW Bypass Chains with SmartScreen Bypasses; Water Hydra APT Delivered DarkMe RAT

Windows SmartScreen — Zero-Day Code Injection Bypasses SmartScreen Warning; Water Hydra APT February 2024 Campaign

Apple WebKit — Zero-Day Type Confusion in JavaScript Engine Enables RCE via Malicious Web Content; First iOS Zero-Day of 2024

Chrome V8 Engine — Zero-Day Out-of-Bounds Access via Crafted HTML Page; First Chrome Zero-Day of 2024

Ivanti Connect Secure/Policy Secure — Unauthenticated SSRF in SAML Component; Third Zero-Day in January 2024 Ivanti Crisis