Exploitation Signals

Observed exploitation attempts against internet-facing services, mapped to CVEs and reviewed for confidence.

58

KEVs Observed

17,139

Exploitation Events

1,479

Unique Attacker IPs

25

Sensors Reporting

Exploitation Attempts Over Time (30d)

Loading...

Top Observed KEVs

Most active exploited vulnerabilities in the selected window, ranked by observed exploitation attempts.

CVE-2026-10520 6,096 attempts

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to...

ivanti · Sentry

Unique Attacker IPs
152
Sensors
5

First seen 2026-06-10 09:03 UTC · Last seen 2026-07-19 02:12 UTC

CVE-2022-47945 1,974 attempts

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled...

ThinkPHP · ThinkPHP Framework

Unique Attacker IPs
344
Sensors
23

First seen 2026-06-08 22:26 UTC · Last seen 2026-07-19 08:48 UTC

CVE-2021-41773 1,013 attempts

Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

Apache Software Foundation · Apache HTTP Server

Unique Attacker IPs
299
Sensors
23

First seen 2026-07-09 15:16 UTC · Last seen 2026-07-19 09:48 UTC

CVE-2026-46817 1,004 attempts

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are...

Oracle Corporation · Oracle Payments

Unique Attacker IPs
6
Sensors
1

First seen 2026-07-01 01:33 UTC · Last seen 2026-07-17 23:03 UTC

CVE-2025-55182 955 attempts

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including...

Meta · react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel

Unique Attacker IPs
114
Sensors
23

First seen 2026-06-09 14:41 UTC · Last seen 2026-07-19 08:29 UTC

CVE-2026-20253 913 attempts

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Splunk · Splunk Enterprise

Unique Attacker IPs
57
Sensors
2

First seen 2026-06-12 21:36 UTC · Last seen 2026-07-17 05:42 UTC

Telemetry-Backed Exploitation Intelligence

KEVIntel honeypots and sensors observe exploitation attempts targeting internet-facing services. Activity is mapped to CVEs where possible and reviewed for confidence. Per-CVE telemetry is available on individual CVE pages when observations exist.

Observed Exploitation Attempts

Telemetry mapped to KEV catalog CVEs in the selected window.

2026-06-19 10:06 UTC – 2026-07-19 10:06 UTC

CVE Attempts Unique Attacker IPs Sensors
CVE-2026-10520

Sentry

6,096 152 5
CVE-2022-47945

ThinkPHP Framework

1,974 344 23
CVE-2021-41773

Apache HTTP Server

1,013 299 23
CVE-2026-46817

Oracle Payments

1,004 6 1
CVE-2025-55182

react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel

955 114 23
CVE-2026-20253

Splunk Enterprise

913 57 2
CVE-2026-20230

Cisco Unified Communications Manager

807 24 1
CVE-2026-8037

LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF

730 57 2
CVE-2026-35273

PeopleSoft Enterprise PeopleTools

633 84 4
CVE-2025-61882

Oracle Concurrent Processing

276 1 1
CVE-2026-39808

FortiSandbox, FortiSandbox PaaS

272 47 4
CVE-2026-4020

Gravity SMTP

209 122 18
CVE-2026-52813

gogs

172 24 16
CVE-2017-18368

P660HN-T1A v1 TCLinux Fw

172 56 1
CVE-2018-10562

GPON home routers

148 103 22
CVE-2024-12847

DGN1000

145 104 23
CVE-2020-5902

BIG-IP

118 28 9
CVE-2020-14882

WebLogic Server

117 16 4
CVE-2017-10271

WebLogic Server

116 26 4
CVE-2026-48282

ColdFusion

106 13 2
CVE-2023-1389

TP-Link Archer AX21 (AX1800)

99 11 14
CVE-2023-26801

BL-AC1900_2.0, BL-WR9000, BL-X26, BL-LTE300

87 1 1
CVE-2020-17518

Apache Flink

84 28 3
CVE-2021-24212

WooCommerce Help Scout

67 23 4
CVE-2023-20198

Cisco IOS XE Software

56 10 14
CVE-2026-39813

FortiSandbox, FortiSandbox Cloud

54 12 1
CVE-2026-8451

ADC, Gateway

52 1 1
CVE-2026-55255

langflow

44 5 1
CVE-2020-14883

WebLogic Server

43 22 4
CVE-2024-8181

Flowise

42 11 4
CVE-2018-2894

WebLogic Server

41 18 4
CVE-2026-3055

ADC, Gateway

41 18 3
CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard)

40 20 3
CVE-2021-31805

Apache Struts

38 19 3
CVE-2019-12989

SD-WAN

38 18 3
CVE-2026-46442

Flowise

36 17 1
CVE-2021-30128

Apache OFBiz

33 6 3
CVE-2024-20767

ColdFusion

32 20 10
CVE-2026-9082

Drupal core

28 8 3
CVE-2017-12637

NetWeaver Application Server Java

22 6 4
CVE-2024-36420

Flowise

20 11 4
CVE-2026-1207

Django

20 6 3
CVE-2025-26319

Flowise

18 10 4
CVE-2023-6567

LearnPress – WordPress LMS Plugin

16 9 4
CVE-2024-29972

NAS326 firmware, NAS542 firmware

14 7 3
CVE-2014-8361

SDK

14 12 1
CVE-2026-15409

SMA1000

13 5 1
CVE-2019-13608

StoreFront Server

12 6 3
CVE-2026-34910

UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial

12 5 4
CVE-2026-8054

dotCMS Core

11 6 4