Known Exploited Vulnerabilities

Curated + enriched signals for rapid prioritization

{ } JSON RSS Email PRO

0.7%

actively
exploited

Focus on what’s exploited

Out of 353,134 known CVEs, only 0.7% show real-world exploitation signals.

Data from public sources (including CISA) plus private honeypots, enriched with prioritization metadata.

View stats Report a KEV

2,562

Total Known exploited

943

Total beyond CISA KEV

Added this week

Search

Results update as you type.

⌘K

Added

CISA KEV

Exploitability

Type to search. Filters apply instantly.

CVE	Severity	Title	Vendor	Product	Added
CVE-2013-5223	5.4 Medium	Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev. E1) allow remote authenticated users to inject arbitrary web... Remote Low complexity	D-Link	DSL-2760U Gateway	about 4 years ago
CVE-2013-4810	9.8 Critical	HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote... Remote Low complexity No user interaction	HP	ProCurve Manager	about 4 years ago
CVE-2013-2251	9.8 Critical	Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2)... Remote Low complexity No user interaction	Apache	Struts	about 4 years ago
CVE-2012-1823	9.8 Critical	sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query... Remote Low complexity No user interaction	PHP	PHP	about 4 years ago
CVE-2010-4345	7.8 High	Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate... Low complexity No user interaction	Exim	Exim	about 4 years ago
CVE-2010-4344	9.8 Critical	Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an... Remote Low complexity No user interaction	Exim	Exim	about 4 years ago
CVE-2010-3035	7.5 High	Cisco IOS XR 3.4.0 through 3.9.1, when BGP is enabled, does not properly handle unrecognized transitive attributes, which allows remote attackers... Remote Low complexity No user interaction	Cisco	IOS XR	about 4 years ago
CVE-2010-2861	9.8 Critical	Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read... Malware Remote Low complexity No user interaction	Adobe	ColdFusion	about 4 years ago
CVE-2009-2055	5.9 Medium	Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a denial of service (session reset) via a BGP UPDATE message with an invalid... Remote No user interaction	Cisco	IOS XR	about 4 years ago
CVE-2009-1151	9.8 Critical	Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject... Remote Low complexity No user interaction	phpMyAdmin	phpMyAdmin	about 4 years ago
CVE-2009-0927	8.8 High	Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute... Remote Low complexity	Adobe	Reader and Acrobat	about 4 years ago
CVE-2005-2773	9.8 Critical	HP OpenView Network Node Manager 6.2 through 7.50 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) node... Remote Low complexity No user interaction	HP	OpenView Network Node Manager	about 4 years ago
CVE-2022-26318	9.8 Critical	On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS... Remote Low complexity No user interaction	WatchGuard	Firebox and XTM appliances	about 4 years ago
CVE-2022-26143	9.8 Critical	The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain... Remote Low complexity No user interaction	Mitel	MiCollab, MiVoice Business Express	about 4 years ago
CVE-2022-21999	7.8 High	Windows Print Spooler Elevation of Privilege Vulnerability Malware Low complexity No user interaction	Microsoft	Windows 10 Version 1809, Windows Server 2019, Windows Server 2019 (Server Core installation), Windows 10 Version 1909, Windows 10 Version 21H1, Windows Server 2022, Windows 10 Version 20H2, Windows Server version 20H2, Windows 11 version 21H2, Windows 10 Version 21H2, Windows 10 Version 1507, Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation), Windows 7, Windows 7 Service Pack 1, Windows 8.1, Windows Server 2008 Service Pack 2, Windows Server 2008 Service Pack 2 (Server Core installation), Windows Server 2008 Service Pack 2, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Server Core installation), Windows Server 2012, Windows Server 2012 (Server Core installation), Windows Server 2012 R2, Windows Server 2012 R2 (Server Core installation)	about 4 years ago
CVE-2021-42237	9.8 Critical	Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve... Malware Remote Low complexity No user interaction	Sitecore	Sitecore XP	about 4 years ago
CVE-2021-22941	9.8 Critical	Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise... Malware Remote Low complexity No user interaction	Citrix	Citrix ShareFile storage zones controller	about 4 years ago
CVE-2020-9377	8.8 High	D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are... Remote Low complexity No user interaction	D-Link	DIR-610	about 4 years ago
CVE-2020-9054	9.8 Critical	ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi Remote Low complexity No user interaction	ZyXEL	NAS326, NAS520, NAS540, NAS542, NSA210, NSA220, NSA220+, NSA221, NSA310, NSA320, NSA320S, NSA325, NSA325v2	about 4 years ago
CVE-2020-7247	9.8 Critical	smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands... Remote Low complexity No user interaction	OpenBSD	OpenSMTPD	about 4 years ago
CVE-2020-5410	7.5 High	Directory Traversal with spring-cloud-config-server Remote Low complexity No user interaction	Spring by VMware	Spring Cloud Config	about 4 years ago
CVE-2020-25223	9.8 Critical	A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11 Remote Low complexity No user interaction	Sophos	SG UTM	about 4 years ago
CVE-2020-2506	7.3 High	improper access control vulnerability in Helpdesk Remote Low complexity No user interaction	QNAP Systems Inc.	Helpdesk	about 4 years ago
CVE-2020-2021	10.0 Critical	PAN-OS: Authentication Bypass in SAML Authentication Malware Remote Low complexity No user interaction	Palo Alto Networks	PAN-OS	about 4 years ago
CVE-2020-1956	8.8 High	Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user... Remote Low complexity No user interaction	Apache	Kylin	about 4 years ago

Displaying vulnerabilities 1851 - 1875 of 2562 in total

KEVIntel

Known Exploited Vulnerability Intelligence Beyond CISA KEV

Prioritize the vulnerabilities attackers are actually exploiting—before they impact your organization.

KEVIntel is known exploited vulnerability intelligence that aggregates, attests, enriches, and distributes exploited-CVE data. It is not a CISA KEV mirror alone. The service includes the official catalog as a baseline and extends coverage with additional exploited-CVE attestations, evidence links, enrichment, and automation-ready delivery through the live feed above, RSS, JSON, and the Pro API.

Aggregated & attested

Exploitation signals from 60+ public sources, vendor advisories, and private honeypots—validated against credible evidence.

Enriched for prioritization

Every CVE joined with EPSS, CVSS, CWE, proof-of-concept references, and Nuclei/Metasploit context.

Automation-ready delivery

Live feed, RSS, JSON, and Pro API for VM, CTI, SOC, and MSSP workflows.

The AI vulnerability tsunami is accelerating disclosure

Hundreds of thousands of CVEs exist in the National Vulnerability Database and vendor advisories, and AI-assisted discovery is accelerating that volume further. CVSS scores describe theoretical severity, but severity is not the same as exploitation. Many high-severity vulnerabilities are never exploited in the wild, while some actively exploited flaws may be under-prioritized if teams rely on CVSS-only prioritization.

Only a small fraction of published CVEs ever show real-world exploitation signals. Security teams cannot remediate everything at once. Exploitation-led prioritization focuses limited patching, detection, and analyst time on CVEs with evidence-backed exploitation—not on vulnerability noise.

Disclosed vulnerabilities Actively exploited

353,134+ and growing

Only 0.7% of disclosed CVEs show real-world exploitation signals — and that sliver is the operationally urgent work.

Focus on the signal, not the noise. KEVIntel helps you identify the vulnerabilities attackers are actually using—so vulnerability management, CTI, SOC, MSSP, and exposure-management teams can prioritize remediation on real exploitation, not scanner volume alone.

CISA KEV is essential. It is not the whole picture.

KEVIntel extends your visibility beyond CISA KEV. CISA KEV is authoritative and valuable; KEVIntel complements it with additional exploited-CVE coverage, RSS delivery, global honeypot telemetry, enrichment, and automation-ready Pro API access. See the full KEVIntel vs CISA KEV comparison.

CISA KEV

No RSS feed
Tracks vulnerabilities in CISA KEV
Curated by CISA

KEVIntel

RSS feed for real-time updates
CISA KEV plus 943+ exploited CVEs beyond CISA KEV
Independent intelligence from global honeypots, EPSS, CVSS, CWE, PoCs, and Nuclei/Metasploit context

Use CISA KEV. Go further with KEVIntel. Complete visibility, faster prioritization, stronger defenses—with exploitation timelines, source evidence, and platform statistics to back every decision.

From global telemetry to actionable intelligence

KEVIntel follows a simple pipeline: Collect, Attest, Enrich, Deliver. Each exploited CVE links to source material so analysts can verify why it was included and move from signal to action faster.

Collect

Global honeypot networks, CISA KEV, vendor advisories, cyber RSS feeds, and public reporting observe real-world exploitation attempts around the clock.
Attest

Validate exploitation with credible evidence—CISA KEV listings, advisories documenting active exploitation, honeypot observations, and defensible references—to separate signal from noise.
Enrich

Correlate each CVE with EPSS, CVSS, CWE, proof-of-concept references, Nuclei and Metasploit scanner context, online mentions, vendor metadata, and exploitation timelines.
Deliver

Actionable intelligence via this live feed, RSS, JSON, and the Pro API—ready for vulnerability management, CTI, SOC, SIEM/SOAR, MSSP, and exposure-management workflows.

Email alerts

Get high-impact KEV alerts by email

KEVIntel tracks known exploited vulnerabilities beyond CISA KEV. Subscribe for occasional, curator-picked alerts when exploitation warrants attention. For every update, use the RSS feed or Pro API.

Prioritize what matters

Reduce false positives

Strengthen defenses

Stay ahead of attackers