CVE & Exploit Intelligence Database

Updated 1h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,123 CVEs tracked | 53,223 with exploits | 4,686 exploited in wild | 1,539 CISA KEV | 3,912 Nuclei templates | 37,757 vendors | 42,429 researchers
563 results
CVE-2026-1731 9.8 CRITICAL KEV RANSOMWARE 8 PoCs Analysis NUCLEI EPSS 0.65
BeyondTrust RS/PRA - RCE
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
CWE-78 Feb 06, 2026
CVE-2026-24423 9.8 CRITICAL KEV RANSOMWARE 1 PoC Analysis EPSS 0.29
SmarterTools SmarterMail <9511 - RCE
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point the SmarterMail instance to a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes.
CWE-306 Jan 23, 2026
CVE-2026-23760 9.8 CRITICAL KEV RANSOMWARE 2 PoCs Analysis NUCLEI EPSS 0.65
SmarterTools SmarterMail <9511 - Auth Bypass
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
CWE-288 Jan 22, 2026
CVE-2025-68947 4.7 MEDIUM EXPLOITED RANSOMWARE 1 Writeup EPSS 0.00
NSecsoft 'NSecKrnl' - Privilege Escalation
NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver.
CWE-862 Jan 13, 2026
CVE-2025-40602 6.6 MEDIUM KEV RANSOMWARE 2 PoCs Analysis EPSS 0.00
Sonicwall Sma6200 Firmware < 12.4.3-03245 - Privilege Escalation
A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
CWE-862 Dec 18, 2025
CVE-2025-55182 10.0 CRITICAL KEV RANSOMWARE 473 PoCs Analysis NUCLEI EPSS 0.70
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CWE-502 Dec 03, 2025
CVE-2025-64446 9.8 CRITICAL KEV RANSOMWARE 17 PoCs Analysis NUCLEI EPSS 0.89
Fortinet FortiWeb unauthenticated RCE
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
CWE-23 Nov 14, 2025
CVE-2025-61155 5.5 MEDIUM EXPLOITED RANSOMWARE 1 PoC Analysis EPSS 0.00
GameDriverX64.sys <7.23.4.7 - Privilege Escalation
The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process can open a handle to the driver device and send specially crafted IOCTL requests. These requests are executed in kernel-mode context without proper authentication or access validation, allowing the attacker to terminate arbitrary processes, including critical system and security services, without requiring administrative privileges.
CWE-400 Oct 28, 2025
CVE-2025-59287 9.8 CRITICAL KEV RANSOMWARE 25 PoCs Analysis NUCLEI EPSS 0.76
Microsoft Windows Server 2012 - Insecure Deserialization
Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
CWE-502 Oct 14, 2025
CVE-2025-61884 7.5 HIGH KEV RANSOMWARE 4 PoCs Analysis NUCLEI EPSS 0.30
Oracle Configurator < 12.2.14 - SSRF
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CWE-93 Oct 12, 2025
CVE-2025-61882 9.8 CRITICAL KEV RANSOMWARE 17 PoCs Analysis NUCLEI EPSS 0.87
Oracle E-Business Suite CVE-2025-61882 RCE
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CWE-287 Oct 05, 2025
CVE-2025-49844 9.9 CRITICAL EXPLOITED RANSOMWARE 19 PoCs Analysis NUCLEI EPSS 0.12
Redis < 6.2.20 - Use After Free
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround that does not require patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACLs to restrict the EVAL and EVALSHA commands.
CWE-416 Oct 03, 2025
CVE-2025-10035 10.0 CRITICAL KEV RANSOMWARE 4 PoCs Analysis NUCLEI EPSS 0.52
Fortra Goanywhere Managed File Transfer < 7.6.3 - Command Injection
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
CWE-502 Sep 18, 2025
CVE-2025-8088 8.8 HIGH KEV RANSOMWARE 39 PoCs Analysis EPSS 0.07
Rarlab Winrar < 7.13 - Path Traversal
A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
CWE-35 Aug 08, 2025
CVE-2025-7771 EXPLOITED RANSOMWARE 11 PoCs Analysis EPSS 0.00
ThrottleStop.sys - Privilege Escalation
ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This insecure implementation can be exploited by a malicious user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. The vulnerability enables local attackers to execute arbitrary code in kernel context, resulting in privilege escalation and potential follow-on attacks, such as disabling security software or bypassing kernel-level protections. ThrottleStop.sys version 3.0.0.0 and possibly others are affected. Apply updates per vendor instructions.
CWE-782 Aug 06, 2025
CVE-2025-53771 6.5 MEDIUM EXPLOITED RANSOMWARE NUCLEI EPSS 0.40
Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CWE-287 Jul 20, 2025
CVE-2025-53770 9.8 CRITICAL KEV RANSOMWARE 49 PoCs Analysis NUCLEI EPSS 0.90
Microsoft SharePoint Server - Code Injection
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
CWE-502 Jul 20, 2025
CVE-2025-49706 6.5 MEDIUM KEV RANSOMWARE 3 PoCs Analysis NUCLEI EPSS 0.63
Microsoft Sharepoint Enterprise Server - Authentication Bypass
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CWE-287 Jul 08, 2025
CVE-2025-49704 8.8 HIGH KEV RANSOMWARE EPSS 0.66
Microsoft Sharepoint Server - Code Injection
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CWE-94 Jul 08, 2025
CVE-2025-6264 5.5 MEDIUM EXPLOITED RANSOMWARE EPSS 0.00
Velociraptor - Code Injection
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifacts, Velociraptor allows those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability, the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT permission, typically given by the "Investigator" role).
CWE-276 Jun 20, 2025