Exploit Intelligence 101
Exploit Intel 101 - Active C2 Servers
Exploit Intel 101 - Common Vulnerability Scoring System (CVSS)
In November 2024, VulnCheck developed new Initial Access Intelligence (IAI) artifacts for 15 CVEs, covering 14 different vendors and products.
VulnCheck now provides automated, broader visibility into the differences between VulnCheck KEV and CISA KEV through a Jupyter Notebook publicly available on GitHub.
Exploit Intel 101 - Common Vulnerabilities and Exposures (CVE)
Exploit Intel 101 - Understanding Exploits
Exploit Intel 101 - Vulnerability Exchange Formats (CycloneDX, SPDX, VDR, and VEX)
Exploit Intel 101 - Vulnerability Prioritization
Exploit Intel 101 - Exploit Intelligence and the Role of Threat Actor Intelligence in Cybersecurity Products
VulnCheck discovers evidence that ProjectSend has been exploited in the wild and assigns CVE-2024-11680
In September, VulnCheck identified evidence of 78 CVEs that were publicly disclosed for the first time as exploited in the wild.
VulnCheck NVD++ provides CPE for 76.95% of CVEs published in 2024 while NIST NVD only provides CPE for 41.35% of CVEs
In October 2024, VulnCheck developed new Initial Access Intelligence (IAI) artifacts for 21 CVEs, covering 16 different vendors and products.
The latest feature to hit go-exploit is ShellTunnel. ShellTunnel captures reverse shell traffic and routes it through an intermediary attacker-controlled server before reaching the main command-and-control (C2) server.
We explore two key vulnerabilities in ABB's building automation and energy management software, ABB Cylon Aspect.
VulnCheck delivers intelligence to your Python and Go applications with our new SDKs
For Cybersecurity Product Teams
OEM Use Case Series: Reducing Attack Surface Risk - Know Who Your Adversaries Are and How Naming Conventions Matter in Vulnerability Management
VulnCheck delivers intelligence to the command line with VulnCheck’s new open source tool, VulnCheck CLI.
In September 2024, we developed new Initial Access Intelligence (IAI) artifacts for 16 CVEs, covering 14 different vendors and products.
A newly disclosed vulnerability, CVE-2024-9441, affects the Linear Emerge E3 series. The vulnerability has not yet been patched by the vendor, and exploits are already circulating, raising concerns of imminent exploitation.
A look into the real dangers of exploitation still lurking in the NVD Backlog
Last week, Five Eyes agencies issued a Joint Cybersecurity Advisory titled, “People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations” which we explore in this blog post.
Discover 5 ways VulnCheck enhances your security product offering with real-time intelligence, detection capabilities, and expanded vulnerability visibility.
Recorded Future was acquired by Mastercard today for $2.65B, which is an encouraging macro indicator for the threat intelligence market and adjacent markets.
During June, July, and August, we captured exploitation evidence for 158 vulnerabilities whose first public evidence of exploitation emerged within this period. The evidence was collected from over 35 different sources.
Adding support for external C2 channels and payloads in the go-exploit framework to enable flexible exploitation interaction and platform integration.
In August 2024, we developed new Initial Access Intelligence (IAI) artifacts for 20 CVEs, covering 17 different vendors and products.
To help security practitioners prioritize vulnerabilities using exploit evidence, we've outlined why weaponized vulnerabilities should be prioritized by mapping Metasploit modules and VulnCheck Known Exploited Vulnerabilities.
VulnCheck is partnering with ThreatConnect to deliver a new level of vulnerability prioritization to joint customers with VulnCheck exploit and vulnerability data integrated into ThreatConnect’s industry-leading TI Ops Platform.
A Look into the Last 6-months of Vulnerability Exploitation… January-June 2024
In July 2024, we developed new Initial Access Intelligence (IAI) artifacts for 14 CVEs, covering 13 different vendors and 10 different products.
Sevco is a market leader. Through this collaboration, Sevco has integrated VulnCheck data to roll out a significant set of enhancements to its existing vulnerability prioritization and exposure management capabilities.
Demonstrating the new scanless feature in the go-exploit exploit framework.
In June 2024, we developed new Initial Access Intelligence (IAI) artifacts for 15 CVEs, covering 13 different vendors and 13 different products.
VulnCheck Community delivers timely and valuable vulnerability intelligence at machine speeds
To help security practitioners prioritize vulnerabilities using exploit evidence, we've outlined key considerations and strategies in this blog. Alongside exploit intelligence, it’s crucial to incorporate environmental and asset context using decision-based frameworks such as Stakeholder-Specific Vulnerability Categorization.
In May, VulnCheck identified evidence of 103 CVEs that were publicly disclosed for the first time as exploited in the wild, marking a 90.7% increase over April.
In May 2024, we developed new Initial Access Intelligence (IAI) artifacts for 20 CVEs, covering 16 different vendors and 18 different products.
A look into the real dangers of exploitation lurking in the NVD Backlog
Given the security community's ongoing concerns about the reliability and performance of NIST's National Vulnerability Database, we recognized a growing need to address these challenges with alternative sources.
A Look into the Last Decade of Vulnerability Exploitation… 2014 - 2023
Verizon's 2024 annual DBIR report incident classification patterns mapped to MITRE ATT&CK tactics and techniques.
Verizon's annual DBIR report incident classification patterns mapped to the Center for Internet Security's (CIS) Critical Security Controls.
To help close the enrichment gap for CVEs in the “Awaiting Analysis" status, VulnCheck generates CPEs from reliable sources and has made them available through our NVD++ service as “vcConfigurations”.
To help close the enrichment gap for CVEs in the “Awaiting Analysis” status, VulnCheck prioritized the generation of CPEs from reliable sources and has started adding them into the JSON available through our NVD++ service as “vcConfigurations”.
Given the security community's ongoing concerns about the reliability, rate limits, and performance of NIST's National Vulnerability Database (NVD) 2.0 API, we recognized a growing need to address these challenges.
Examining memory resident payloads landed with CVE-2023-22527.
Using VulnCheck KEV, we explore the anatomy of an exploited CVE. We map publicly available exploitation evidence to Atlassian Confluence CVE-2023-22527 to create a visual timeline of exploitation.
VulnCheck uncovers the truth behind the recently published Zyxel pre-auth remote code execution: limited to specific configurations, limitations on repeated exploitation, and no evidence of active exploitation.
Taking a data-driven approach to visualizing the profile of threat actors can provide meaningful information without the time-consuming process of sifting through lengthy reports of information.
VulnCheck faces a horde of honeypots while assessing the potential impact of Atlassian Confluence's CVE-2023-22527. This blog delves into Shodan queries to filter out honeypots and uncover the actual on-premise Confluence install base.
VulnCheck recently announced an IP Intelligence product that tracks attacker command & control (C2) infrastructure, as well as internet-facing potentially vulnerable systems. Using this data, we’ll explore the vulnerabilities that the 7777-Botnet is likely using to infect new hosts.
VulnCheck bypasses the Apache OFBiz Groovy sandbox to land a memory resident reverse shell.
In our last blog of 2023, we highlight the top 10 VulnCheck research blogs that explored new exploit techniques or exploitation in the wild.
Log4Shell was proclaimed one of the most critical vulnerabilities, but in this blog, VulnCheck challenges that perspective, revealing the limited number of vulnerable systems still present two years after the initial disclosure.
Managing vulnerabilities at scale is something the entire cybersecurity ecosystem has struggled with for a long time.
VulnCheck scans the Go module ecosystem for module repositories affected by repojacking and discovers hundreds of thousands of affected module-versions.
VulnCheck finds a new way to exploit ActiveMQ CVE-2023-46604 that allows the attacker to hide in memory and avoid process-based detections.
VulnCheck scanned the internet for implanted Cisco IOS XE systems and found thousands of results.
VulnCheck was excited to breach ICS networks when CVE-2023-43261 was first disclosed. However, there is more to this than the CVE description would lead you to believe. Follow VulnCheck’s journey from CVE description to exploitation in the wild.
VulnCheck is excited to announce four new leadership team additions!
Learn about VulnCheck's development of an exploit for CVE-2023-36845, leading to stealthy code execution on Juniper firewalls, while also assessing the prevalence of unpatched systems in the wild.
VulnCheck demonstrates the use of the RocketMQ remoting protocol to retrieve the broker configuration file, and shares attacker payloads used in the wild for exploitation with CVE-2023-33246.
CVE-2023-32315 was first exploited in the wild in June 2023. However, VulnCheck has discovered a new approach to exploiting this vulnerability that streamlines the attack and avoids generating log entries. In addition, VulnCheck analyzes the remaining indicators of compromise and shares network detections.
VulnCheck provides additional insight into CISA's 2022 Top Routinely Exploited Vulnerabilities by looking at the availability of exploits and examining which threat actors, botnets, and ransomware crews used the vulnerabilities.
VulnCheck develops an exploit that gets a root shell on MikroTik RouterOS.
VulnCheck analyzes four CVEs that impact SolarView, a solar power monitoring system. We discover the number of internet-facing systems and the likelihood of exploitation in the wild.
VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.
VulnCheck is excited to announce the open-source release of our in-house exploit framework, go-exploit. Designed with simplicity and portability in mind, go-exploit empowers exploit developers to create compact, self-contained, and consistent exploits.
Public exploits and detections for CVE-2023-27350 focus on code execution using the PaperCut print scripting interface. In this blog, VulnCheck shares a new code execution vector and demonstrates how existing detections aren't robust enough to flag the new activity.
CVE-2023-1671 is a pre-authenticated command injection in Sophos Web Appliance. In this blog post, VulnCheck researchers analyze the vulnerability and develop a proof of concept (PoC) for it.
In search of an interesting new detail about CVE-2022-1388, VulnCheck researchers pore over open source intelligence. The researchers detail exploit variants, find signature bypasses, and publish a novel exploit variant.
Following reader suggestions, we take a deeper look at the types of vulnerabilities in the Exploit-DB and 0day.today exploit databases. We also examine exploit attack vectors and find out how many of the exploits have been used in the wild.
Exploit-DB and 0day.today are two of the largest public exploit databases. In this blog, we compare the databases to determine which one is the most relevant today.
CVE-2023-23752 is an information leak affecting Joomla! 4.0 - 4.7. How can an attacker use this vulnerability to achieve code execution? How many internet-facing systems are at risk?
A review of the vulnerabilities that should have been added to the CISA KEV Catalog in 2022, but weren't.
A review of the vulnerabilities added to the CISA KEV Catalog in 2022. VulnCheck examines which vulnerabilities were added in 2022, who exploited them, and how long it took to add them to the Catalog.
Examining previous exploits for Grafana's CVE-2021-43798 and looking for a path to establish initial access.
Exploring a memory resident payload for CVE-2022-47966.
The National Vulnerability Database contains thousands of CVSS vectors. How accurate are those vectors and does accuracy matter?
Sophos Firewalls were exploited using CVE-2022-3236 in September 2022. Few details have been published about this vulnerability. In this blog, we look at the log entries the exploit creates and determine how many vulnerable internet-facing firewalls still exist.
Taking a look at the timeline leading up to exploitation of CVE-2022-35914 and the current state of attacks in the wild.
An investigation into CVE-2022-28958 finds the vulnerability doesn't actually exist.
An examination of vulnerabilities affecting Xiongmai IoT devices, including exploit development and an analysis of exploitation in the wild.
The CISA Known Exploited Vulnerabilities (KEV) Catalog tracks vulnerabilities that have been exploited in the wild, and it currently has more than 800 entries.
We've been around, supporting our customers since 2021, but only recently launched our website.