Exploitation Signals

Observed exploitation attempts against internet-facing services, mapped to CVEs and reviewed for confidence.

45

KEVs Observed

373

Exploitation Events

100

Unique Attacker IPs

24

Sensors Reporting

Exploitation Attempts Over Time (24h)

Loading...

Top Observed KEVs

Most active exploited vulnerabilities in the selected window, ranked by observed exploitation attempts.

CVE-2021-41773 95 attempts

Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Apache Software Foundation · Apache HTTP Server

Unique Attacker IPs
63
Sensors
23

First seen 2026-07-09 15:16 UTC · Last seen 2026-07-19 09:48 UTC

CVE-2020-14882 85 attempts

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are...

Oracle Corporation · WebLogic Server

Unique Attacker IPs
2
Sensors
2

First seen 2026-06-10 21:20 UTC · Last seen 2026-07-19 06:26 UTC

CVE-2022-47945 74 attempts

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...

ThinkPHP · ThinkPHP Framework

Unique Attacker IPs
25
Sensors
18

First seen 2026-06-08 22:26 UTC · Last seen 2026-07-19 08:48 UTC

CVE-2025-55182 13 attempts

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including...

Meta · react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel

Unique Attacker IPs
4
Sensors
4

First seen 2026-06-09 14:41 UTC · Last seen 2026-07-19 08:29 UTC

CVE-2026-46442 11 attempts

Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape

FlowiseAI · Flowise

Unique Attacker IPs
8
Sensors
1

First seen 2026-07-13 04:05 UTC · Last seen 2026-07-18 14:30 UTC

CVE-2026-15409 10 attempts

A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated...

SonicWall · SMA1000

Unique Attacker IPs
2
Sensors
1

First seen 2026-07-17 15:14 UTC · Last seen 2026-07-19 09:19 UTC

Telemetry-Backed Exploitation Intelligence

KEVIntel honeypots and sensors observe exploitation attempts targeting internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence. Per-CVE telemetry is available on individual CVE pages when observations exist.

Observed Exploitation Attempts

Telemetry mapped to KEV catalog CVEs in the selected window.

2026-07-18 10:07 UTC – 2026-07-19 10:07 UTC

CVE Attempts Unique Attacker IPs Sensors
CVE-2021-41773

Apache HTTP Server

95 63 23
CVE-2020-14882

WebLogic Server

85 2 2
CVE-2022-47945

ThinkPHP Framework

74 25 18
CVE-2025-55182

react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel

13 4 4
CVE-2026-46442

Flowise

11 8 1
CVE-2026-15409

SMA1000

10 2 1
CVE-2023-1389

TP-Link Archer AX21 (AX1800)

6 2 6
CVE-2017-10271

WebLogic Server

5 1 1
CVE-2026-48282

ColdFusion

5 1 1
CVE-2018-10562

GPON home routers

5 4 4
CVE-2024-12847

DGN1000

4 4 3
CVE-2023-26801

BL-AC1900_2.0, BL-WR9000, BL-X26, BL-LTE300

4 1 1
CVE-2026-39808

FortiSandbox, FortiSandbox PaaS

4 3 1
CVE-2023-20198

Cisco IOS XE Software

3 2 2
CVE-2021-30128

Apache OFBiz

3 1 1
CVE-2020-5902

BIG-IP

3 1 1
CVE-2020-17518

Apache Flink

3 1 1
CVE-2017-18368

P660HN-T1A v1 TCLinux Fw

3 3 1
CVE-2026-8037

LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF

3 3 2
CVE-2026-10520

Sentry

2 2 2
CVE-2026-1207

Django

2 1 1
CVE-2024-8181

Flowise

2 1 1
CVE-2026-4020

Gravity SMTP

2 2 1
CVE-2024-20767

ColdFusion

2 2 2
CVE-2026-9082

Drupal core

2 1 1
CVE-2022-46169

cacti

2 1 2
CVE-2021-24212

WooCommerce Help Scout

2 1 1
CVE-2014-8361

SDK

1 1 1
CVE-2026-8054

dotCMS Core

1 1 1
CVE-2016-10372

D1000 modem

1 1 1
CVE-2017-12637

NetWeaver Application Server Java

1 1 1
CVE-2018-2894

WebLogic Server

1 1 1
CVE-2019-12989

SD-WAN

1 1 1
CVE-2019-13608

StoreFront Server

1 1 1
CVE-2026-35273

PeopleSoft Enterprise PeopleTools

1 1 1
CVE-2026-34910

UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial

1 1 1
CVE-2026-3055

ADC, Gateway

1 1 1
CVE-2020-14883

WebLogic Server

1 1 1
CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard)

1 1 1
CVE-2021-31805

Apache Struts

1 1 1
CVE-2025-26319

Flowise

1 1 1
CVE-2024-36420

Flowise

1 1 1
CVE-2024-29972

NAS326 firmware, NAS542 firmware

1 1 1
CVE-2023-4966

NetScaler ADC, NetScaler Gateway

1 1 1
CVE-2023-6567

LearnPress – WordPress LMS Plugin

1 1 1