Search
On this page ▾

KEV 2024

163 CISA Known Exploited Vulnerabilities from 2024

Critical 68

April 2026

CVE-2024-57726

SimpleHelp RMM — Low-Privilege Technician to Server Admin via API Key Privilege Escalation

CVSS 9.9

February 2026

CVE-2024-43468

Microsoft Configuration Manager — Microsoft Configuration Manager SQL Injection Vulnerability

CVSS 9.8

January 2026

CVE-2024-37079

Broadcom VMware vCenter Server — Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability

CVSS 9.8

June 2025

CVE-2024-54085

AMI MegaRAC SPx — AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability

CVSS 9.8
CVE-2024-56145

Craft CMS Craft CMS — Craft CMS Code Injection Vulnerability

CVSS 9.8
CVE-2024-42009

Roundcube Webmail — RoundCube Webmail Cross-Site Scripting Vulnerability

CVSS 9.3

May 2025

CVE-2024-11120

GeoVision Multiple Devices — GeoVision Devices OS Command Injection Vulnerability

CVSS 9.8
CVE-2024-6047

GeoVision Multiple Devices — GeoVision Devices OS Command Injection Vulnerability

CVSS 9.8
CVE-2024-38475

Apache HTTP Server — Apache HTTP Server Improper Escaping of Output Vulnerability

CVSS 9.1
CVE-2024-58136

Yiiframework Yii — Yiiframework Yii Improper Protection of Alternate Path Vulnerability

CVSS 9

March 2025

CVE-2024-57968

Advantive VeraCore — Advantive VeraCore Unrestricted File Upload Vulnerability

CVSS 9.9
CVE-2024-20439

Cisco Smart Licensing Utility — Cisco Smart Licensing Utility Static Credential Vulnerability

CVSS 9.8
CVE-2024-13159

Ivanti EPM — Unauthenticated Credential Coercion via Path Traversal in GetHashForWildcardRecursive

CVSS 9.8
CVE-2024-13160

Ivanti EPM — Unauthenticated Credential Coercion via Path Traversal in GetHashForWildcard

CVSS 9.8
CVE-2024-13161

Ivanti EPM — Unauthenticated Credential Coercion via Path Traversal in GetHashForSingleFile

CVSS 9.8
CVE-2024-4885

Progress WhatsUp Gold — Progress WhatsUp Gold Path Traversal Vulnerability

CVSS 9.8

February 2025

CVE-2024-53704

SonicWall SonicOS — SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

CVSS 9.8
CVE-2024-21413

Microsoft Office Outlook — Microsoft Outlook Improper Input Validation Vulnerability

CVSS 9.8

January 2025

CVE-2024-50603

Aviatrix Controllers — Aviatrix Controllers OS Command Injection Vulnerability

CVSS 10
CVE-2024-55591

Fortinet FortiOS and FortiProxy — Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

CVSS 9.8
CVE-2024-41713

Mitel MiCollab — Mitel MiCollab Path Traversal Vulnerability

CVSS 9.1

December 2024

CVE-2024-51378

CyberPersons CyberPanel — CyberPanel Incorrect Default Permissions Vulnerability

CVSS 10
CVE-2024-12356

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) — BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability

CVSS 9.8
CVE-2024-55956

Cleo Multiple Products — Cleo Multiple Products Unauthenticated File Upload Vulnerability

CVSS 9.8
CVE-2024-50623

Cleo Multiple Products — Cleo Multiple Products Unrestricted File Upload Vulnerability

CVSS 9.8
CVE-2024-11680

ProjectSend ProjectSend — ProjectSend Improper Authentication Vulnerability

CVSS 9.8

November 2024

CVE-2024-1212

Progress Kemp LoadMaster — Progress Kemp LoadMaster OS Command Injection Vulnerability

CVSS 10
CVE-2024-51567

CyberPersons CyberPanel — CyberPanel Incorrect Default Permissions Vulnerability

CVSS 10
CVE-2024-38812

VMware vCenter Server — VMware vCenter Server Heap-Based Buffer Overflow Vulnerability

CVSS 9.8
CVE-2024-0012

Palo Alto Networks PAN-OS — Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability

CVSS 9.8
CVE-2024-5910

Palo Alto Networks Expedition — Palo Alto Networks Expedition Missing Authentication Vulnerability

CVSS 9.8
CVE-2024-9465

Palo Alto Networks Expedition — Palo Alto Networks Expedition SQL Injection Vulnerability

CVSS 9.1
CVE-2024-8956

PTZOptics PT30X-SDI/NDI Cameras — PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

CVSS 9.1

October 2024

CVE-2024-45519

Zimbra ZCS — Unauthenticated OS Command Injection via postjournal popen() Call, Mass Exploitation September 2024

CVSS 10
CVE-2024-47575

Fortinet FortiManager — Fortinet FortiManager Missing Authentication Vulnerability

CVSS 9.8
CVE-2024-9537

ScienceLogic SL1 — ScienceLogic SL1 Unspecified Vulnerability

CVSS 9.8
CVE-2024-40711

Veeam Backup & Replication — Veeam Backup and Replication Deserialization Vulnerability

CVSS 9.8
CVE-2024-9680

Mozilla Firefox — Mozilla Firefox Use-After-Free Vulnerability

CVSS 9.8
CVE-2024-23113

Fortinet Multiple Products — Fortinet Multiple Products Format String Vulnerability

CVSS 9.8
CVE-2024-28987

SolarWinds Web Help Desk — SolarWinds Web Help Desk Hardcoded Credential Vulnerability

CVSS 9.1

September 2024

CVE-2024-7593

Ivanti Virtual Traffic Manager — Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability

CVSS 9.8
CVE-2024-27348

Apache HugeGraph-Server — Apache HugeGraph-Server Improper Access Control Vulnerability

CVSS 9.8
CVE-2024-6670

Progress WhatsUp Gold — Progress WhatsUp Gold SQL Injection Vulnerability

CVSS 9.8
CVE-2024-40766

SonicWall SonicOS — SonicWall SonicOS Improper Access Control Vulnerability

CVSS 9.8
CVE-2024-8963

Ivanti Cloud Services Appliance (CSA) — Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability

CVSS 9.4

August 2024

CVE-2024-38856

Apache OFBiz — Apache OFBiz Incorrect Authorization Vulnerability

CVSS 9.8
CVE-2024-23897

Jenkins Jenkins Command Line Interface (CLI) — Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

CVSS 9.8
CVE-2024-28986

SolarWinds Web Help Desk — SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

CVSS 9.8
CVE-2024-32113

Apache OFBiz — Apache OFBiz Path Traversal Vulnerability

CVSS 9.8
CVE-2024-7971

Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability

CVSS 9.6

July 2024

CVE-2024-4879

ServiceNow Utah, Vancouver, and Washington DC Now Platform — ServiceNow Improper Input Validation Vulnerability

CVSS 9.8
CVE-2024-5217

ServiceNow Utah, Vancouver, and Washington DC Now Platform — ServiceNow Incomplete List of Disallowed Inputs Vulnerability

CVSS 9.8
CVE-2024-34102

Adobe Commerce and Magento Open Source — Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability

CVSS 9.8
CVE-2024-36401

OSGeo GeoServer — OSGeo GeoServer GeoTools Eval Injection Vulnerability

CVSS 9.8
CVE-2024-23692

Rejetto HTTP File Server — Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability

CVSS 9.8

June 2024

CVE-2024-4358

Progress Telerik Report Server — Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability

CVSS 9.8
CVE-2024-4577

PHP Group PHP — PHP-CGI OS Command Injection Vulnerability

CVSS 9.8

May 2024

CVE-2024-5274

Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability

CVSS 9.6
CVE-2024-4947

Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability

CVSS 9.6
CVE-2024-4671

Google Chromium — Google Chromium Visuals Use-After-Free Vulnerability

CVSS 9.6

April 2024

CVE-2024-3400

Palo Alto Networks PAN-OS GlobalProtect — Two-Bug Chain Enables Unauthenticated Root Command Execution; Zero-Day Exploited by UTA0218

CVSS 10
CVE-2024-4040

CrushFTP CrushFTP — CrushFTP VFS Sandbox Escape Vulnerability

CVSS 9.8
CVE-2024-3272

D-Link Multiple NAS Devices — D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability

CVSS 9.8

March 2024

CVE-2024-27198

JetBrains TeamCity — JetBrains TeamCity Authentication Bypass Vulnerability

CVSS 9.8

February 2024

CVE-2024-1709

ConnectWise ScreenConnect — ConnectWise ScreenConnect Authentication Bypass Vulnerability

CVSS 10
CVE-2024-21410

Microsoft Exchange Server — Microsoft Exchange Server Privilege Escalation Vulnerability

CVSS 9.8
CVE-2024-21762

Fortinet FortiOS — Fortinet FortiOS Out-of-Bound Write Vulnerability

CVSS 9.8

January 2024

CVE-2024-21887

Ivanti Connect Secure and Policy Secure — Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

CVSS 9.1

High 76

April 2026

CVE-2024-7399

Samsung MagicINFO 9 Server — Unauthenticated File Write to Remote Code Execution via Path Traversal

CVSS 8.8
CVE-2024-1708

ConnectWise ScreenConnect — Zip Slip Path Traversal Enabling RCE as SYSTEM (SlashAndGrab)

CVSS 8.4
CVE-2024-27199

JetBrains TeamCity — Pre-Auth Path Traversal Bypassing Authentication on Limited Admin Endpoints

CVSS 7.3
CVE-2024-57728

SimpleHelp RMM — Admin Zip Slip Enables Arbitrary File Write and Remote Code Execution

CVSS 7.2

February 2026

CVE-2024-7694

TeamT5 ThreatSonar Anti-Ransomware — TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability

CVSS 7.2

August 2025

CVE-2024-8068

Citrix Session Recording — Citrix Session Recording Improper Privilege Management Vulnerability

CVSS 8
CVE-2024-8069

Citrix Session Recording — Citrix Session Recording Deserialization of Untrusted Data Vulnerability

CVSS 8

May 2025

CVE-2024-12987

DrayTek Vigor Routers — DrayTek Vigor Routers OS Command Injection Vulnerability

CVSS 7.3

April 2025

CVE-2024-53197

Linux Kernel — Linux Kernel Out-of-Bounds Access Vulnerability

CVSS 7.8
CVE-2024-53150

Linux Kernel — Linux Kernel Out-of-Bounds Read Vulnerability

CVSS 7.1

March 2025

CVE-2024-48248

NAKIVO Backup and Replication — NAKIVO Backup and Replication Absolute Path Traversal Vulnerability

CVSS 8.6

February 2025

CVE-2024-20953

Oracle Agile Product Lifecycle Management (PLM) — Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability

CVSS 8.8
CVE-2024-40890

Zyxel DSL CPE Devices — Zyxel DSL CPE OS Command Injection Vulnerability

CVSS 8.8
CVE-2024-40891

Zyxel DSL CPE Devices — Zyxel DSL CPE OS Command Injection Vulnerability

CVSS 8.8
CVE-2024-49035

Microsoft Partner Center — Microsoft Partner Center Improper Access Control Vulnerability

CVSS 8.7
CVE-2024-53104

Linux Kernel — Linux Kernel Out-of-Bounds Write Vulnerability

CVSS 7.8
CVE-2024-57727

SimpleHelp SimpleHelp — SimpleHelp Path Traversal Vulnerability

CVSS 7.5
CVE-2024-29059

Microsoft .NET Framework — Microsoft .NET Framework Information Disclosure Vulnerability

CVSS 7.5
CVE-2024-45195

Apache OFBiz — Apache OFBiz Forced Browsing Vulnerability

CVSS 7.5
CVE-2024-41710

Mitel SIP Phones — Mitel SIP Phones Argument Injection Vulnerability

CVSS 7.2

December 2024

CVE-2024-35250

Microsoft Windows — Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability

CVSS 7.8
CVE-2024-49138

Microsoft Windows — Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability

CVSS 7.8
CVE-2024-3393

Palo Alto Networks PAN-OS — Palo Alto Networks PAN-OS Malicious DNS Packet Vulnerability

CVSS 7.5
CVE-2024-11667

Zyxel Multiple Firewalls — Zyxel Multiple Firewalls Path Traversal Vulnerability

CVSS 7.5
CVE-2024-20767

Adobe ColdFusion — Adobe ColdFusion Improper Access Control Vulnerability

CVSS 7.4

November 2024

CVE-2024-44308

Apple Multiple Products — Apple Multiple Products Code Execution Vulnerability

CVSS 8.8
CVE-2024-49039

Microsoft Windows — Microsoft Windows Task Scheduler Privilege Escalation Vulnerability

CVSS 8.8
CVE-2024-21287

Oracle Agile Product Lifecycle Management (PLM) — Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability

CVSS 7.5
CVE-2024-38813

VMware vCenter Server — VMware vCenter Server Privilege Escalation Vulnerability

CVSS 7.5
CVE-2024-9463

Palo Alto Networks Expedition — Palo Alto Networks Expedition OS Command Injection Vulnerability

CVSS 7.5
CVE-2024-43093

Android Framework — Android Framework Privilege Escalation Vulnerability

CVSS 7.3
CVE-2024-9474

Palo Alto Networks PAN-OS — Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability

CVSS 7.2
CVE-2024-8957

PTZOptics PT30X-SDI/NDI Cameras — PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability

CVSS 7.2

October 2024

CVE-2024-29824

Ivanti EPM — Unauthenticated SQL Injection Leading to Remote Code Execution via xp_cmdshell

CVSS 8.8
CVE-2024-43047

Qualcomm Multiple Chipsets — Qualcomm Multiple Chipsets Use-After-Free Vulnerability

CVSS 7.8
CVE-2024-43572

Microsoft Windows — Microsoft Windows Management Console Remote Code Execution Vulnerability

CVSS 7.8
CVE-2024-38094

Microsoft SharePoint — Microsoft SharePoint Deserialization Vulnerability

CVSS 7.2
CVE-2024-9380

Ivanti Cloud Services Appliance (CSA) — Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

CVSS 7.2
CVE-2024-30088

Microsoft Windows — Microsoft Windows Kernel TOCTOU Race Condition Vulnerability

CVSS 7

September 2024

CVE-2024-43461

Microsoft Windows — Microsoft Windows MSHTML Platform Spoofing Vulnerability

CVSS 8.8
CVE-2024-38014

Microsoft Windows — Microsoft Windows Installer Improper Privilege Management Vulnerability

CVSS 7.8
CVE-2024-7262

Kingsoft WPS Office — Kingsoft WPS Office Path Traversal Vulnerability

CVSS 7.8
CVE-2024-38226

Microsoft Publisher — Microsoft Publisher Protection Mechanism Failure Vulnerability

CVSS 7.3
CVE-2024-8190

Ivanti Cloud Services Appliance — Ivanti Cloud Services Appliance OS Command Injection Vulnerability

CVSS 7.2

August 2024

CVE-2024-7965

Google Chromium V8 — Google Chromium V8 Inappropriate Implementation Vulnerability

CVSS 8.8
CVE-2024-38189

Microsoft Project — Microsoft Project Remote Code Execution Vulnerability

CVSS 8.8
CVE-2024-38107

Microsoft Windows — Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

CVSS 7.8
CVE-2024-38193

Microsoft Windows — Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability

CVSS 7.8
CVE-2024-36971

Android Kernel — Android Kernel Remote Code Execution Vulnerability

CVSS 7.8
CVE-2024-38178

Microsoft Windows — Microsoft Windows Scripting Engine Memory Corruption Vulnerability

CVSS 7.5
CVE-2024-39717

Versa Director — Versa Director Dangerous File Type Upload Vulnerability

CVSS 7.2
CVE-2024-38106

Microsoft Windows — Microsoft Windows Kernel Privilege Escalation Vulnerability

CVSS 7

July 2024

CVE-2024-28995

SolarWinds Serv-U — SolarWinds Serv-U Path Traversal Vulnerability

CVSS 8.6
CVE-2024-38080

Microsoft Windows — Microsoft Windows Hyper-V Privilege Escalation Vulnerability

CVSS 7.8
CVE-2024-38112

Microsoft Windows — Microsoft Windows MSHTML Platform Spoofing Vulnerability

CVSS 7.5

June 2024

CVE-2024-26169

Microsoft Windows — Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability

CVSS 7.8
CVE-2024-32896

Android Pixel — Android Pixel Privilege Escalation Vulnerability

CVSS 7.8
CVE-2024-4610

Arm Mali GPU Kernel Driver — Arm Mali GPU Kernel Driver Use-After-Free Vulnerability

CVSS 7.8

May 2024

CVE-2024-4761

Google Chromium V8 — Google Chromium V8 Out-of-Bounds Memory Write Vulnerability

CVSS 8.8
CVE-2024-30040

Microsoft Windows — Microsoft Windows MSHTML Platform Security Feature Bypass Vulnerability

CVSS 8.8
CVE-2024-24919

Check Point Quantum Security Gateways — Check Point Quantum Security Gateways Information Disclosure Vulnerability

CVSS 8.6
CVE-2024-4978

Justice AV Solutions Viewer — Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability

CVSS 8.4
CVE-2024-1086

Linux Kernel nf_tables 'notselwyn' — Use-After-Free in Netfilter Verdict Handling Permits Local Privilege Escalation

CVSS 7.8
CVE-2024-30051

Microsoft DWM Core Library — Microsoft DWM Core Library Privilege Escalation Vulnerability

CVSS 7.8

April 2024

CVE-2024-29988

Microsoft SmartScreen Prompt — Microsoft SmartScreen Prompt Security Feature Bypass Vulnerability

CVSS 8.8
CVE-2024-20353

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) — Cisco ASA and FTD Denial of Service Vulnerability

CVSS 8.6
CVE-2024-29748

Android Pixel — Android Pixel Privilege Escalation Vulnerability

CVSS 7.8
CVE-2024-3273

D-Link Multiple NAS Devices — D-Link Multiple NAS Devices Command Injection Vulnerability

CVSS 7.3

March 2024

CVE-2024-23225

Apple Multiple Products — Apple Multiple Products Memory Corruption Vulnerability

CVSS 7.8
CVE-2024-23296

Apple Multiple Products — Apple Multiple Products Memory Corruption Vulnerability

CVSS 7.8
CVE-2024-21338

Microsoft Windows — Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability

CVSS 7.8

February 2024

CVE-2024-21412

Microsoft Windows — Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability

CVSS 8.1
CVE-2024-21351

Microsoft Windows — Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

CVSS 7.6

January 2024

CVE-2024-23222

Apple Multiple Products — Apple Multiple Products WebKit Type Confusion Vulnerability

CVSS 8.8
CVE-2024-0519

Google Chromium V8 — Google Chromium V8 Out-of-Bounds Memory Access Vulnerability

CVSS 8.8
CVE-2024-21893

Ivanti Connect Secure, Policy Secure, and Neurons — Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

CVSS 8.2

Medium 18

June 2025

CVE-2024-0769

D-Link DIR-859 Router — D-Link DIR-859 Router Path Traversal Vulnerability

CVSS 5.3

May 2025

CVE-2024-11182

MDaemon Email Server — MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability

CVSS 6.1
CVE-2024-27443

Zimbra ZCS — Stored XSS via X-Zimbra-Calendar-Intended-For Header, Exploited by APT28 in Operation RoundPress

CVSS 6.1

March 2025

CVE-2024-50302

Linux Kernel — Linux Kernel Use of Uninitialized Resource Vulnerability

CVSS 5.5

January 2025

CVE-2024-12686

BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) — BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability

CVSS 6.6

November 2024

CVE-2024-43451

Microsoft Windows — Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability

CVSS 6.5
CVE-2024-44309

Apple Multiple Products — Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability

CVSS 6.3

October 2024

CVE-2024-9379

Ivanti Cloud Services Appliance (CSA) — Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability

CVSS 6.5
CVE-2024-43573

Microsoft Windows — Microsoft Windows MSHTML Platform Spoofing Vulnerability

CVSS 6.5
CVE-2024-37383

Roundcube Webmail — RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

CVSS 6.1
CVE-2024-20481

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) — Cisco ASA and FTD Denial-of-Service Vulnerability

CVSS 5.8

September 2024

CVE-2024-38217

Microsoft Windows — Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability

CVSS 5.4

August 2024

CVE-2024-38213

Microsoft Windows — Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

CVSS 6.5

July 2024

CVE-2024-37085

VMware ESXi — VMware ESXi Authentication Bypass Vulnerability

CVSS 6.8
CVE-2024-20399

Cisco NX-OS — Cisco NX-OS Command Injection Vulnerability

CVSS 6
CVE-2024-39891

Twilio Authy — Twilio Authy Information Disclosure Vulnerability

CVSS 5.3

April 2024

CVE-2024-20359

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) — Cisco ASA and FTD Privilege Escalation Vulnerability

CVSS 6
CVE-2024-29745

Android Pixel — Android Pixel Information Disclosure Vulnerability

CVSS 5.5

Low 1

January 2025

CVE-2024-55550

Mitel MiCollab — Mitel MiCollab Path Traversal Vulnerability

CVSS 2.7
Gavin Hollinger & AI assembled this air-gap friendly HTML