Exploitation Signals

Observed exploitation attempts against internet-facing services, mapped to CVEs and reviewed for confidence.

54

KEVs Observed

17,625

Exploitation Events

Unique Attacker IPs

Sensors Reporting

Top Observed KEVs

Most active exploited vulnerabilities in the selected window, ranked by observed exploitation attempts.

CVE-2026-10520 7,196 attempts

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to...

ivanti · Sentry

Unique Attacker IPs
Sensors

First seen 2026-06-10 09:03 UTC · Last seen 2026-07-15 16:38 UTC

CVE-2022-47945 2,002 attempts

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...

ThinkPHP · ThinkPHP Framework

Unique Attacker IPs
Sensors

First seen 2026-06-08 22:26 UTC · Last seen 2026-07-15 20:32 UTC

CVE-2026-20253 1,174 attempts

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Splunk · Splunk Enterprise

Unique Attacker IPs
Sensors

First seen 2026-06-12 21:36 UTC · Last seen 2026-07-10 02:59 UTC

CVE-2026-35273 1,022 attempts

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions...

Oracle Corporation · PeopleSoft Enterprise PeopleTools

Unique Attacker IPs
Sensors

First seen 2026-06-14 13:47 UTC · Last seen 2026-07-14 05:10 UTC

CVE-2026-46817 1,001 attempts

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are...

Oracle Corporation · Oracle Payments

Unique Attacker IPs
Sensors

First seen 2026-07-01 01:33 UTC · Last seen 2026-07-13 14:59 UTC

CVE-2025-55182 823 attempts

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including...

Meta · react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel

Unique Attacker IPs
Sensors

First seen 2026-06-09 14:41 UTC · Last seen 2026-07-15 18:34 UTC

Telemetry-Backed Exploitation Intelligence

KEVIntel honeypots and sensors observe exploitation attempts targeting internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence. Per-CVE telemetry is available on individual CVE pages when observations exist.

Observed Exploitation Attempts

Telemetry mapped to KEV catalog CVEs in the selected window.

2026-04-16 21:04 UTC – 2026-07-15 21:04 UTC

CVE Attempts Unique Attacker IPs Sensors
CVE-2026-10520

Sentry

7,196
CVE-2022-47945

ThinkPHP Framework

2,002
CVE-2026-20253

Splunk Enterprise

1,174
CVE-2026-35273

PeopleSoft Enterprise PeopleTools

1,022
CVE-2026-46817

Oracle Payments

1,001
CVE-2025-55182

react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel

823
CVE-2026-20230

Cisco Unified Communications Manager

802
CVE-2026-8037

LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF

723
CVE-2025-61882

Oracle Concurrent Processing

276
CVE-2026-39808

FortiSandbox, FortiSandbox PaaS

274
CVE-2026-4020

Gravity SMTP

228
CVE-2017-18368

P660HN-T1A v1 TCLinux Fw

219
CVE-2026-52813

gogs

146
CVE-2018-10562

GPON home routers

140
CVE-2024-12847

DGN1000

129
CVE-2020-5902

BIG-IP

118
CVE-2017-10271

WebLogic Server

116
CVE-2023-1389

TP-Link Archer AX21 (AX1800)

92
CVE-2026-39813

FortiSandbox, FortiSandbox Cloud

86
CVE-2020-17518

Apache Flink

84
CVE-2023-26801

BL-AC1900_2.0, BL-WR9000, BL-X26, BL-LTE300

69
CVE-2021-24212

WooCommerce Help Scout

67
CVE-2026-48282

ColdFusion

61
CVE-2020-14882

WebLogic Server

56
CVE-2023-20198

Cisco IOS XE Software

52
CVE-2026-8451

ADC, Gateway

52
CVE-2026-55255

langflow

44
CVE-2017-12637

NetWeaver Application Server Java

43
CVE-2020-14883

WebLogic Server

43
CVE-2026-3055

ADC, Gateway

42
CVE-2018-2894

WebLogic Server

41
CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard)

40
CVE-2021-31805

Apache Struts

39
CVE-2019-12989

SD-WAN

38
CVE-2021-30128

Apache OFBiz

33
CVE-2026-8054

dotCMS Core

32
CVE-2026-9082

Drupal core

30
CVE-2024-20767

ColdFusion

29
CVE-2024-8181

Flowise

24
CVE-2026-1207

Django

22
CVE-2025-26319

Flowise

17
CVE-2023-6567

LearnPress – WordPress LMS Plugin

16
CVE-2024-29972

NAS326 firmware, NAS542 firmware

14
CVE-2014-8361

SDK

13
CVE-2026-34910

UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial

12
CVE-2019-13608

StoreFront Server

12
CVE-2024-3721

DVR-4104, DVR-4216

8
CVE-2016-10372

D1000 modem

7
CVE-2025-5777

ADC, Gateway

6
CVE-2020-6286

SAP NetWeaver AS JAVA (LM Configuration Wizard)

4