Observed Exploitation
Observed exploitation attempts against internet-facing services, mapped to CVEs and reviewed for confidence.
17
KEVs Observed
1,638
Exploitation Events
206
Unique Attacker IPs
6
Sensors Reporting
Top Observed KEVs
Most active exploited vulnerabilities in the selected window, ranked by observed exploitation attempts.
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to...
ivanti · Sentry
- Unique Attacker IPs
- 42
- Sensors
- 1
- Top Target Path
- /mics/api/v2/sentry/mics-config/handleMessage
First seen 2026-06-11 02:01 UTC · Last seen 2026-06-17 17:07 UTC
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions...
Oracle Corporation · PeopleSoft Enterprise PeopleTools
- Unique Attacker IPs
- 37
- Sensors
- 1
- Top Target Path
- /PSIGW/HttpListeningConnector
First seen 2026-06-14 13:47 UTC · Last seen 2026-06-17 18:23 UTC
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
Splunk · Splunk Enterprise
- Unique Attacker IPs
- 23
- Sensors
- 2
- Top Target Path
- /en-US/splunkd/__raw/v1/postgres/recovery/backup
First seen 2026-06-15 05:15 UTC · Last seen 2026-06-17 14:49 UTC
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...
ThinkPHP · ThinkPHP Framework
- Unique Attacker IPs
- 68
- Sensors
- 6
- Top Target Path
- /index.php
First seen 2026-06-10 20:02 UTC · Last seen 2026-06-17 17:36 UTC
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the...
ZyXEL · P660HN-T1A v1 TCLinux Fw
- Unique Attacker IPs
- 14
- Sensors
- 1
- Top Target Path
- /cgi-bin/ViewLog.asp
First seen 2026-06-11 00:46 UTC · Last seen 2026-06-17 17:43 UTC
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are...
Oracle Corporation · WebLogic Server
- Unique Attacker IPs
- 5
- Sensors
- 2
- Top Target Path
- /console/images/%2e%2e%2fconsole.portal
First seen 2026-06-12 00:32 UTC · Last seen 2026-06-16 11:17 UTC
Observed Exploitation Attempts
Telemetry mapped to KEV catalog CVEs in the selected window.
2026-06-10 18:35 UTC – 2026-06-17 18:35 UTC
| CVE | Product / Vendor | Attempts | Unique Attacker IPs | Sensors | Top Target Path | First Seen | Last Seen |
|---|---|---|---|---|---|---|---|
|
CVE-2026-10520
Sentry |
Sentry / ivanti | 882 | 42 | 1 |
/mics/api/v2/sentry/mics-config/handleMessage
|
2026-06-11 02:01 UTC | 2026-06-17 17:07 UTC |
|
CVE-2026-35273
PeopleSoft Enterprise PeopleTools |
PeopleSoft Enterprise PeopleTools / Oracle Corporation | 305 | 37 | 1 |
/PSIGW/HttpListeningConnector
|
2026-06-14 13:47 UTC | 2026-06-17 18:23 UTC |
|
CVE-2026-20253
Splunk Enterprise |
Splunk Enterprise / Splunk | 213 | 23 | 2 |
/en-US/splunkd/__raw/v1/postgres/recovery/backup
|
2026-06-15 05:15 UTC | 2026-06-17 14:49 UTC |
|
CVE-2022-47945
ThinkPHP Framework |
ThinkPHP Framework / ThinkPHP | 94 | 68 | 6 |
/index.php
|
2026-06-10 20:02 UTC | 2026-06-17 17:36 UTC |
|
CVE-2017-18368
P660HN-T1A v1 TCLinux Fw |
P660HN-T1A v1 TCLinux Fw / ZyXEL | 37 | 14 | 1 |
/cgi-bin/ViewLog.asp
|
2026-06-11 00:46 UTC | 2026-06-17 17:43 UTC |
|
CVE-2020-14882
WebLogic Server |
WebLogic Server / Oracle Corporation | 22 | 5 | 2 |
/console/images/%2e%2e%2fconsole.portal
|
2026-06-12 00:32 UTC | 2026-06-16 11:17 UTC |
|
CVE-2017-12637
NetWeaver Application Server Java |
NetWeaver Application Server Java / SAP | 22 | 2 | 2 |
/scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS
|
2026-06-12 00:36 UTC | 2026-06-12 18:08 UTC |
|
CVE-2026-39813
FortiSandbox, FortiSandbox Cloud |
FortiSandbox, FortiSandbox Cloud / Fortinet | 20 | 5 | 1 |
/jsonrpc/
|
2026-06-15 12:48 UTC | 2026-06-17 09:24 UTC |
|
CVE-2026-39808
FortiSandbox, FortiSandbox PaaS |
FortiSandbox, FortiSandbox PaaS / Fortinet | 16 | 10 | 1 |
/fortisandbox/job-detail/tracer-behavior
|
2026-06-12 13:59 UTC | 2026-06-17 15:34 UTC |
|
CVE-2023-1389
TP-Link Archer AX21 (AX1800) |
TP-Link Archer AX21 (AX1800) / TP-Link | 9 | 2 | 3 |
/cgi-bin/luci/;stok=/locale
|
2026-06-11 06:25 UTC | 2026-06-16 22:59 UTC |
|
CVE-2018-10562
GPON home routers |
GPON home routers / Dasan | 7 | 6 | 4 |
/GponForm/diag_Form
|
2026-06-12 00:32 UTC | 2026-06-17 06:53 UTC |
|
CVE-2020-6286
SAP NetWeaver AS JAVA (LM Configuration Wizard) |
SAP NetWeaver AS JAVA (LM Configuration Wizard) / SAP SE | 4 | 1 | 1 |
/CTCWebService/CTCWebServiceBean
|
2026-06-12 17:20 UTC | 2026-06-12 17:20 UTC |
|
CVE-2021-31805
Apache Struts |
Apache Struts / Apache Software Foundation | 2 | 2 | 2 |
/
|
2026-06-12 00:32 UTC | 2026-06-15 08:44 UTC |
|
CVE-2026-9082
Drupal core |
Drupal core / Drupal | 2 | 1 | 1 |
/jsonapi/node/article
|
2026-06-12 00:34 UTC | 2026-06-12 00:34 UTC |
|
CVE-2026-34910
UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial |
UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial / Ubiquiti Inc | 1 | 1 | 1 |
/api/auth/validate-sso/../../../proxy/users/api/v2/ucs/update/latest_package
|
2026-06-11 12:15 UTC | 2026-06-11 12:15 UTC |
|
CVE-2020-6287
SAP NetWeaver AS JAVA (LM Configuration Wizard) |
SAP NetWeaver AS JAVA (LM Configuration Wizard) / SAP SE | 1 | 1 | 1 |
/CTCWebService/CTCWebServiceBean/ConfigServlet
|
2026-06-12 00:32 UTC | 2026-06-12 00:32 UTC |
|
CVE-2020-14883
WebLogic Server |
WebLogic Server / Oracle Corporation | 1 | 1 | 1 |
/console/images/%2e%2e%2fconsole.portal
|
2026-06-12 00:32 UTC | 2026-06-12 00:32 UTC |
Telemetry-Backed Exploitation Intelligence
KEVIntel honeypots and sensors observe exploitation attempts targeting internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence. Per-CVE telemetry is available on individual CVE pages when observations exist.