KEVIntel

Observed Exploitation

Observed exploitation attempts against internet-facing services, mapped to CVEs and reviewed for confidence.

Last 24 hours Last 7 days Last 30 days

9

KEVs Observed

301

Exploitation Events

53

Unique Attacker IPs

6

Sensors Reporting

Top Observed KEVs

Most active exploited vulnerabilities in the selected window, ranked by observed exploitation attempts.

CVE-2026-35273 102 attempts

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions...

Oracle Corporation · PeopleSoft Enterprise PeopleTools

Unique Attacker IPs
12
Sensors
1
Top Target Path
/PSIGW/HttpListeningConnector

First seen 2026-06-17 01:01 UTC · Last seen 2026-06-17 20:03 UTC

CVE-2026-20253 83 attempts

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Splunk · Splunk Enterprise

Unique Attacker IPs
4
Sensors
1
Top Target Path
/en-US/splunkd/__raw/v1/postgres/recovery/backup

First seen 2026-06-17 03:14 UTC · Last seen 2026-06-17 14:49 UTC

CVE-2026-10520 73 attempts

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to...

ivanti · Sentry

Unique Attacker IPs
6
Sensors
1
Top Target Path
/mics/api/v2/sentry/mics-config/handleMessage

First seen 2026-06-17 01:18 UTC · Last seen 2026-06-17 17:07 UTC

CVE-2022-47945 19 attempts

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...

ThinkPHP · ThinkPHP Framework

Unique Attacker IPs
18
Sensors
6
Top Target Path
/index.php

First seen 2026-06-16 21:26 UTC · Last seen 2026-06-17 19:04 UTC

CVE-2026-39813 12 attempts

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to...

Fortinet · FortiSandbox, FortiSandbox Cloud

Unique Attacker IPs
2
Sensors
1
Top Target Path
/jsonrpc/

First seen 2026-06-17 07:57 UTC · Last seen 2026-06-17 09:24 UTC

CVE-2017-18368 7 attempts

The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the...

ZyXEL · P660HN-T1A v1 TCLinux Fw

Unique Attacker IPs
7
Sensors
1
Top Target Path
/cgi-bin/ViewLog.asp

First seen 2026-06-17 04:35 UTC · Last seen 2026-06-17 17:43 UTC

Observed Exploitation Attempts

Telemetry mapped to KEV catalog CVEs in the selected window.

2026-06-16 20:46 UTC – 2026-06-17 20:46 UTC

CVE Attempts Unique Attacker IPs Sensors
CVE-2026-35273

PeopleSoft Enterprise PeopleTools

 102 12 1
CVE-2026-20253

Splunk Enterprise

 83 4 1
CVE-2026-10520

Sentry

 73 6 1
CVE-2022-47945

ThinkPHP Framework

 19 18 6
CVE-2026-39813

FortiSandbox, FortiSandbox Cloud

 12 2 1
CVE-2017-18368

P660HN-T1A v1 TCLinux Fw

 7 7 1
CVE-2026-39808

FortiSandbox, FortiSandbox PaaS

 3 3 1
CVE-2023-1389

TP-Link Archer AX21 (AX1800)

 1 1 1
CVE-2018-10562

GPON home routers

 1 1 1

Telemetry-Backed Exploitation Intelligence

KEVIntel honeypots and sensors observe exploitation attempts targeting internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence. Per-CVE telemetry is available on individual CVE pages when observations exist.

View Live Feed Request Pro API Access