Exploitation Signals

Observed exploitation attempts against internet-facing services, mapped to CVEs and reviewed for confidence.

53

KEVs Observed

16,188

Exploitation Events

1,230

Unique Attacker IPs

25

Sensors Reporting

Top Observed KEVs

Most active exploited vulnerabilities in the selected window, ranked by observed exploitation attempts.

CVE-2026-10520 6,391 attempts

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to...

ivanti · Sentry

Unique Attacker IPs
149
Sensors
5

First seen 2026-06-10 09:03 UTC · Last seen 2026-07-15 16:38 UTC

CVE-2022-47945 1,844 attempts

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...

ThinkPHP · ThinkPHP Framework

Unique Attacker IPs
325
Sensors
23

First seen 2026-06-08 22:26 UTC · Last seen 2026-07-15 20:32 UTC

CVE-2026-20253 1,118 attempts

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Splunk · Splunk Enterprise

Unique Attacker IPs
56
Sensors
2

First seen 2026-06-12 21:36 UTC · Last seen 2026-07-10 02:59 UTC

CVE-2026-46817 1,001 attempts

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are...

Oracle Corporation · Oracle Payments

Unique Attacker IPs
5
Sensors
1

First seen 2026-07-01 01:33 UTC · Last seen 2026-07-13 14:59 UTC

CVE-2026-35273 839 attempts

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions...

Oracle Corporation · PeopleSoft Enterprise PeopleTools

Unique Attacker IPs
83
Sensors
3

First seen 2026-06-14 13:47 UTC · Last seen 2026-07-14 05:10 UTC

CVE-2026-20230 802 attempts

Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability

Cisco · Cisco Unified Communications Manager

Unique Attacker IPs
24
Sensors
1

First seen 2026-06-25 02:30 UTC · Last seen 2026-07-15 07:46 UTC

Telemetry-Backed Exploitation Intelligence

KEVIntel honeypots and sensors observe exploitation attempts targeting internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence. Per-CVE telemetry is available on individual CVE pages when observations exist.

Observed Exploitation Attempts

Telemetry mapped to KEV catalog CVEs in the selected window.

2026-06-15 21:04 UTC – 2026-07-15 21:04 UTC

CVE Attempts Unique Attacker IPs Sensors
CVE-2026-10520

Sentry

6,391 149 5
CVE-2022-47945

ThinkPHP Framework

1,844 325 23
CVE-2026-20253

Splunk Enterprise

1,118 56 2
CVE-2026-46817

Oracle Payments

1,001 5 1
CVE-2026-35273

PeopleSoft Enterprise PeopleTools

839 83 3
CVE-2026-20230

Cisco Unified Communications Manager

802 24 1
CVE-2025-55182

react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel

780 97 22
CVE-2026-8037

LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF

723 52 1
CVE-2025-61882

Oracle Concurrent Processing

276 1 1
CVE-2026-39808

FortiSandbox, FortiSandbox PaaS

265 43 1
CVE-2026-4020

Gravity SMTP

197 109 16
CVE-2017-18368

P660HN-T1A v1 TCLinux Fw

186 53 1
CVE-2026-52813

gogs

146 17 13
CVE-2018-10562

GPON home routers

130 86 21
CVE-2024-12847

DGN1000

126 84 23
CVE-2020-5902

BIG-IP

115 27 9
CVE-2017-10271

WebLogic Server

111 25 3
CVE-2026-39813

FortiSandbox, FortiSandbox Cloud

85 12 1
CVE-2023-1389

TP-Link Archer AX21 (AX1800)

84 10 13
CVE-2020-17518

Apache Flink

81 27 2
CVE-2023-26801

BL-AC1900_2.0, BL-WR9000, BL-X26, BL-LTE300

69 1 1
CVE-2021-24212

WooCommerce Help Scout

65 22 3
CVE-2026-48282

ColdFusion

61 11 1
CVE-2026-8451

ADC, Gateway

52 1 1
CVE-2023-20198

Cisco IOS XE Software

49 9 9
CVE-2020-14882

WebLogic Server

46 14 3
CVE-2026-55255

langflow

44 5 1
CVE-2020-14883

WebLogic Server

42 21 3
CVE-2026-3055

ADC, Gateway

41 17 2
CVE-2018-2894

WebLogic Server

40 17 3
CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard)

39 19 2
CVE-2019-12989

SD-WAN

37 17 2
CVE-2021-31805

Apache Struts

37 18 3
CVE-2021-30128

Apache OFBiz

30 5 2
CVE-2026-9082

Drupal core

28 7 2
CVE-2024-20767

ColdFusion

28 17 9
CVE-2024-8181

Flowise

22 8 3
CVE-2017-12637

NetWeaver Application Server Java

21 5 3
CVE-2026-1207

Django

20 5 2
CVE-2025-26319

Flowise

16 8 3
CVE-2023-6567

LearnPress – WordPress LMS Plugin

15 8 3
CVE-2014-8361

SDK

13 11 1
CVE-2024-29972

NAS326 firmware, NAS542 firmware

13 6 2
CVE-2019-13608

StoreFront Server

11 5 2
CVE-2026-34910

UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial

11 4 3
CVE-2026-8054

dotCMS Core

10 5 3
CVE-2024-3721

DVR-4104, DVR-4216

8 5 3
CVE-2016-10372

D1000 modem

7 7 1
CVE-2025-5777

ADC, Gateway

6 3 2
CVE-2026-33017

langflow

2 1 2