Observed Exploitation
Observed exploitation attempts against internet-facing services, mapped to CVEs and reviewed for confidence.
51
KEVs Observed
16,243
Exploitation Events
—
Unique Attacker IPs
—
Sensors Reporting
Top Observed KEVs
Most active exploited vulnerabilities in the selected window, ranked by observed exploitation attempts.
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to...
ivanti · Sentry
- Unique Attacker IPs
- —
- Sensors
- —
First seen 2026-06-10 15:02 UTC · Last seen 2026-07-13 12:56 UTC
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...
ThinkPHP · ThinkPHP Framework
- Unique Attacker IPs
- —
- Sensors
- —
First seen 2026-06-09 03:19 UTC · Last seen 2026-07-14 11:15 UTC
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
Splunk · Splunk Enterprise
- Unique Attacker IPs
- —
- Sensors
- —
First seen 2026-06-15 05:15 UTC · Last seen 2026-07-10 02:59 UTC
Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are...
Oracle Corporation · Oracle Payments
- Unique Attacker IPs
- —
- Sensors
- —
First seen 2026-07-01 01:33 UTC · Last seen 2026-07-13 14:59 UTC
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions...
Oracle Corporation · PeopleSoft Enterprise PeopleTools
- Unique Attacker IPs
- —
- Sensors
- —
First seen 2026-06-14 13:47 UTC · Last seen 2026-07-14 05:10 UTC
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Progress Software · LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF
- Unique Attacker IPs
- —
- Sensors
- —
First seen 2026-06-30 07:54 UTC · Last seen 2026-07-14 03:57 UTC
Telemetry-Backed Exploitation Intelligence
KEVIntel honeypots and sensors observe exploitation attempts targeting internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence. Per-CVE telemetry is available on individual CVE pages when observations exist.
Observed Exploitation Attempts
Telemetry mapped to KEV catalog CVEs in the selected window.
2026-04-15 12:35 UTC – 2026-07-14 12:35 UTC
| CVE | Product / Vendor | Attempts | Unique Attacker IPs | Sensors | First Seen | Last Seen |
|---|---|---|---|---|---|---|
|
CVE-2026-10520
Sentry |
Sentry / ivanti | 6,782 | — | — | 2026-06-10 15:02 UTC | 2026-07-13 12:56 UTC |
|
CVE-2022-47945
ThinkPHP Framework |
ThinkPHP Framework / ThinkPHP | 1,728 | — | — | 2026-06-09 03:19 UTC | 2026-07-14 11:15 UTC |
|
CVE-2026-20253
Splunk Enterprise |
Splunk Enterprise / Splunk | 1,173 | — | — | 2026-06-15 05:15 UTC | 2026-07-10 02:59 UTC |
|
CVE-2026-46817
Oracle Payments |
Oracle Payments / Oracle Corporation | 1,001 | — | — | 2026-07-01 01:33 UTC | 2026-07-13 14:59 UTC |
|
CVE-2026-35273
PeopleSoft Enterprise PeopleTools |
PeopleSoft Enterprise PeopleTools / Oracle Corporation | 992 | — | — | 2026-06-14 13:47 UTC | 2026-07-14 05:10 UTC |
|
CVE-2026-8037
LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF |
LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF / Progress Software | 718 | — | — | 2026-06-30 07:54 UTC | 2026-07-14 03:57 UTC |
|
CVE-2025-55182
react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel |
react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel / Meta | 605 | — | — | 2026-06-15 12:54 UTC | 2026-07-14 12:27 UTC |
|
CVE-2026-20230
Cisco Unified Communications Manager |
Cisco Unified Communications Manager / Cisco | 496 | — | — | 2026-06-25 02:30 UTC | 2026-07-14 10:09 UTC |
|
CVE-2025-61882
Oracle Concurrent Processing |
Oracle Concurrent Processing / Oracle Corporation | 276 | — | — | 2026-07-01 01:33 UTC | 2026-07-01 03:19 UTC |
|
CVE-2026-39808
FortiSandbox, FortiSandbox PaaS |
FortiSandbox, FortiSandbox PaaS / Fortinet | 262 | — | — | 2026-06-12 13:59 UTC | 2026-07-14 05:03 UTC |
|
CVE-2026-4020
Gravity SMTP |
Gravity SMTP / RocketGenius | 219 | — | — | 2026-06-12 00:35 UTC | 2026-07-12 20:25 UTC |
|
CVE-2017-18368
P660HN-T1A v1 TCLinux Fw |
P660HN-T1A v1 TCLinux Fw / ZyXEL | 214 | — | — | 2026-06-09 16:18 UTC | 2026-07-14 07:22 UTC |
|
CVE-2018-10562
GPON home routers |
GPON home routers / Dasan | 130 | — | — | 2026-06-12 00:32 UTC | 2026-07-14 10:09 UTC |
|
CVE-2024-12847
DGN1000 |
DGN1000 / NETGEAR | 126 | — | — | 2026-06-09 10:18 UTC | 2026-07-14 07:23 UTC |
|
CVE-2026-52813
gogs |
gogs / gogs | 125 | — | — | 2026-06-26 16:33 UTC | 2026-07-12 04:48 UTC |
|
CVE-2020-5902
BIG-IP |
BIG-IP / F5 | 118 | — | — | 2026-06-12 00:32 UTC | 2026-07-13 05:25 UTC |
|
CVE-2017-10271
WebLogic Server |
WebLogic Server / Oracle Corporation | 111 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 08:24 UTC |
|
CVE-2023-1389
TP-Link Archer AX21 (AX1800) |
TP-Link Archer AX21 (AX1800) / TP-Link | 88 | — | — | 2026-06-11 06:25 UTC | 2026-07-14 07:49 UTC |
|
CVE-2026-39813
FortiSandbox, FortiSandbox Cloud |
FortiSandbox, FortiSandbox Cloud / Fortinet | 86 | — | — | 2026-06-15 12:48 UTC | 2026-07-03 08:23 UTC |
|
CVE-2020-17518
Apache Flink |
Apache Flink / Apache Software Foundation | 84 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 08:24 UTC |
|
CVE-2021-24212
WooCommerce Help Scout |
WooCommerce Help Scout / Unknown | 67 | — | — | 2026-06-12 00:32 UTC | 2026-07-09 05:31 UTC |
|
CVE-2023-26801
BL-AC1900_2.0, BL-WR9000, BL-X26, BL-LTE300 |
BL-AC1900_2.0, BL-WR9000, BL-X26, BL-LTE300 / LB-LINK | 64 | — | — | 2026-06-25 17:17 UTC | 2026-07-14 05:24 UTC |
|
CVE-2026-48282
ColdFusion |
ColdFusion / Adobe | 59 | — | — | 2026-07-02 16:52 UTC | 2026-07-13 05:34 UTC |
|
CVE-2020-14882
WebLogic Server |
WebLogic Server / Oracle Corporation | 54 | — | — | 2026-06-12 00:32 UTC | 2026-07-10 10:29 UTC |
|
CVE-2026-8451
ADC, Gateway |
ADC, Gateway / NetScaler | 52 | — | — | 2026-07-05 20:47 UTC | 2026-07-05 20:47 UTC |
|
CVE-2023-20198
Cisco IOS XE Software |
Cisco IOS XE Software / Cisco | 50 | — | — | 2026-06-12 00:33 UTC | 2026-07-14 11:04 UTC |
|
CVE-2026-55255
langflow |
langflow / langflow-ai | 44 | — | — | 2026-07-13 01:43 UTC | 2026-07-14 01:27 UTC |
|
CVE-2020-14883
WebLogic Server |
WebLogic Server / Oracle Corporation | 43 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 12:55 UTC |
|
CVE-2017-12637
NetWeaver Application Server Java |
NetWeaver Application Server Java / SAP | 43 | — | — | 2026-06-12 00:36 UTC | 2026-07-03 08:38 UTC |
|
CVE-2026-3055
ADC, Gateway |
ADC, Gateway / NetScaler | 42 | — | — | 2026-06-12 00:34 UTC | 2026-07-03 08:24 UTC |
|
CVE-2018-2894
WebLogic Server |
WebLogic Server / Oracle Corporation | 41 | — | — | 2026-06-12 00:32 UTC | 2026-07-06 16:26 UTC |
|
CVE-2020-6287
SAP NetWeaver AS JAVA (LM Configuration Wizard) |
SAP NetWeaver AS JAVA (LM Configuration Wizard) / SAP SE | 40 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 08:24 UTC |
|
CVE-2021-31805
Apache Struts |
Apache Struts / Apache Software Foundation | 39 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 08:24 UTC |
|
CVE-2019-12989
SD-WAN |
SD-WAN / Citrix | 38 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 08:24 UTC |
|
CVE-2021-30128
Apache OFBiz |
Apache OFBiz / Apache Software Foundation | 33 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 08:24 UTC |
|
CVE-2026-9082
Drupal core |
Drupal core / Drupal | 30 | — | — | 2026-06-12 00:34 UTC | 2026-07-03 08:24 UTC |
|
CVE-2024-20767
ColdFusion |
ColdFusion / Adobe | 28 | — | — | 2026-06-12 00:33 UTC | 2026-07-12 04:45 UTC |
|
CVE-2024-8181
Flowise |
Flowise / FlowiseAI | 24 | — | — | 2026-06-12 00:34 UTC | 2026-07-10 15:38 UTC |
|
CVE-2026-1207
Django |
Django / djangoproject | 22 | — | — | 2026-06-12 00:35 UTC | 2026-07-03 08:24 UTC |
|
CVE-2025-26319
Flowise |
Flowise / FlowiseAI | 17 | — | — | 2026-06-12 00:34 UTC | 2026-07-10 16:09 UTC |
|
CVE-2023-6567
LearnPress – WordPress LMS Plugin |
LearnPress – WordPress LMS Plugin / thimpress | 16 | — | — | 2026-06-12 00:33 UTC | 2026-07-09 09:32 UTC |
|
CVE-2019-13608
StoreFront Server |
StoreFront Server / Citrix | 12 | — | — | 2026-06-12 00:32 UTC | 2026-07-03 08:24 UTC |
|
CVE-2026-34910
UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial |
UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial / Ubiquiti Inc | 12 | — | — | 2026-06-11 12:15 UTC | 2026-07-03 08:24 UTC |
|
CVE-2014-8361
SDK |
SDK / Realtek | 10 | — | — | 2026-06-27 01:44 UTC | 2026-07-13 01:32 UTC |
|
CVE-2026-8054
dotCMS Core |
dotCMS Core / dotCMS | 9 | — | — | 2026-06-27 10:28 UTC | 2026-07-03 08:24 UTC |
|
CVE-2025-5777
ADC, Gateway |
ADC, Gateway / NetScaler | 6 | — | — | 2026-07-01 07:49 UTC | 2026-07-07 03:30 UTC |
|
CVE-2016-10372
D1000 modem |
D1000 modem / Eir | 5 | — | — | 2026-06-26 01:16 UTC | 2026-07-05 14:56 UTC |
|
CVE-2020-6286
SAP NetWeaver AS JAVA (LM Configuration Wizard) |
SAP NetWeaver AS JAVA (LM Configuration Wizard) / SAP SE | 4 | — | — | 2026-06-12 17:20 UTC | 2026-06-12 17:20 UTC |
|
CVE-2026-5027
langflow |
langflow / langflow-ai | 2 | — | — | 2026-07-10 15:10 UTC | 2026-07-10 15:37 UTC |
|
CVE-2022-46169
cacti |
cacti / Cacti | 2 | — | — | 2026-07-10 03:21 UTC | 2026-07-10 15:35 UTC |