CVE-2017-0143
Published 2017-03-17
Priority P1 · 98 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2022-05-03
Exploited in the wild
EPSS: 93.31% (99.8th percentile)
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Affected
31 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | server_message_block | — | — |
| microsoft_corporation | windows_smb | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
| philips | intellispace_portal | — | — |
| philips | intellispace_portal | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_sc2000_firmware | — | — |
| siemens | acuson_sc2000_firmware | >= 4.0 < 4.0e | 4.0e |
Detection & IOCs (extracted from sources)
Snort SIDs: 42329-42332, 42340, 41978, 42256
- Monitor network traffic for excessive SMB requests to TCP port 445; anomalous processes initiating SMB connections are a key behavioral indicator of CVE-2017-0143 exploitation via ETERNALBLUE.
- Network-based detection (NGIPS/NGFW) is effective against ETERNALBLUE/DOUBLEPULSAR exploitation regardless of final payload, as the exploit and delivery mechanism are consistent across campaigns.
- EternalRocks introduces a 24-hour sleep/delay before downloading its final payload; sandbox detections with short timeouts will miss this malware, so extend sandbox dwell time beyond 24 hours.
- Look for manually crafted SMB packets with hardcoded, seemingly arbitrary field values (e.g., hardcoded UIDs in a specific numeric range) in network traffic; this is a fingerprint of the APT3 Bemstour/UPSynergy tool.
- Detect SMB packets that are constructed over plain TCP sockets rather than via standard SMB libraries, a characteristic of the APT3 Bemstour tool exploiting the EternalRomance/UPSynergy variant of this vulnerability.
- NGIPS/NGFW coverage for ETERNALBLUE/DOUBLEPULSAR exploitation of CVE-2017-0143 was available from mid-March 2017; ensure signatures are not older than that baseline.
- Chinese actors claimed that the MS17-010 patches for CVE-2017-0143 through -0148 were insufficient because they did not address the underlying base code weaknesses; patching alone may not fully eliminate risk.
- APT3's UPSynergy exploit variant targets a broader range of Windows versions than the original EternalRomance by incorporating an additional 0-day kernel information leak, meaning standard EternalRomance detections may not cover this variant.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.1 | HIGH | — |
CISA (cisa) · 2021-11-03 · CVSS 8.8 (HIGH) · CWE-20 · CVE-2017-0143
Microsoft Windows Server Message Block (SMBv1) Remote Code Execution Vulnerability
Affected: Microsoft Windows
Microsoft Windows Server Message Block 1.0 (SMBv1) contains an unspecified vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0143
Remediation Due Date: 2022-05-03
Microsoft (vendor_msrc) · 2017-03-14 · CVSS 8.1 (HIGH) · CVE-2017-0143
Windows SMB Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.
Affected product: Windows SMB Server (Microsoft)
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likel
GHSA (ghsa_unreviewed) · 2022-05-14 · CVSS 8.8 (HIGH) · CWE-20 · CVE-2017-0143
GHSA-fqgw-29m3-pwh5
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
GHSA (ghsa_unreviewed) · 2022-05-14 · CVSS 8.8 (HIGH) · CWE-20 · CVE-2017-0146
GHSA-3c3r-82gp-wc94
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0148.
GHSA (ghsa_unreviewed) · 2022-05-14 · CVSS 8.8 (HIGH) · CWE-20 · CVE-2017-0144
GHSA-8w56-gqrj-2wfg
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
GHSA (ghsa_unreviewed) · 2022-05-14 · CVSS 8.8 (HIGH) · CWE-20 · CVE-2017-0145
GHSA-jxmr-j43h-4x9p
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
GHSA (ghsa_unreviewed) · 2022-05-14 · CVSS 8.8 (HIGH) · CWE-20 · CVE-2017-0148
GHSA-mfj7-24mx-p6qj
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.
VulnCheck (vulncheck) · 2017 · CVSS 8.8 (HIGH) · CWE-20 · CVE-2017-0143
Microsoft Windows Server Message Block (SMBv1) Remote Code Execution Vulnerability
Microsoft Windows Server Message Block 1.0 (SMBv1) contains an unspecified vulnerability that allows for remote code execution.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://digital.nhs.uk/cyber-alerts/2017/cc-1353; https://www.f5.com/labs/articles/threat-intelligence/from-nsa-exploit-to-widespread-ransomware-wannacry-is-on-the-loose-26847; https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf; https://community.broadcom.com/symantecenterprise/communities/
Suricata (suricata) · 2017-05-16 · CVSS 8.8 (HIGH) · CVE-2017-0143
ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010
Rule:

```
alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;)
```
Exploit-DB (exploitdb) · 2019-10-02 · CVE-2017-0148
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'DOUBLEPULSAR Payload Execution and Neutralization',
'Description' => %q{
This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.
While this module primarily performs code execution against the implant,
the "Neutralize implant" target allows you to disable the implant.
},
'Author' => [
'Equation Group', # DOUBLEPULSAR implant
'Shadow Brokers', # Equation Group dump
'zerosum0x0', # DOPU analysis and detection
'Luke Jennings', # DOPU analysis and detection
'wvu', # Metasploit modul
```
Exploit-DB (exploitdb) · 2018-02-05 · CVE-2017-0147
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts
class MetasploitModule 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',
'Description' => %q{
This module will exploit
```
Exploit-DB (exploitdb) · 2017-05-10 · CVE-2017-0148
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
```text
# Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com
# Date and time of release: May, 9 2017 - 13:00PM
# Found this and more exploits on my open source security project: http://www.exploitpack.com
#
# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard
#
# Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input. Srv.sys process SrvOs2FeaListSizeToNt
# and when the logic is not correct it leads to a cross-border copy. The vulnerability trigger point is as follows:
#
# Vu
```
Exploit-DB (exploitdb) · 2017-04-17 · CVE-2017-0147
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# auxiliary/scanner/smb/smb_ms_17_010
require 'msf/core'
class MetasploitModule 'MS17-010 SMB RCE Detection',
'Description' => %q{
Uses information disclosure to determine if MS17-010 has been patched or not.
Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.
If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does
not have the MS17-010 patch.
This module does not require valid SMB credentials in default server
configurations. It can log on as the user "\" and connect to IPC$.
},
'Author' => [ 'Sean Dillon ' ],
'Referenc
```
Metasploit (metasploit)
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous logi
Metasploit (metasploit)
MS17-010 SMB RCE Detection
Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.
Metasploit (metasploit)
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information as an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Metasploit (metasploit)
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information as an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Metasploit (metasploit)
SMB DOUBLEPULSAR Remote Code Execution
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.
Tenable (blogs_tenable) · 2026-05-27 · tagged CVE-2023-4966
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Qualys (blogs_qualys) · 2023-09-04 · CVSS 7.8 (HIGH)
Qualys Top 20 Most Exploited Vulnerabilities
## Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Qualys (blogs_qualys) · 2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys (blogs_qualys) · 2021-10-05
The Rise of Ransomware
## Table of Contents
- Ransomware Infection Vectors
- Ransomware Attacks and Exact CVEs To Prioritize for Monitoring
- Unified View of Critical Ransomware Risk Exposures
- Qualys Ransomware Risk Assessment & Remediation Service
- Continuous detection & prioritization for Ransomware-specific vulnerabilities with VMDR
- Discover and Prioritize Ransomware Vulnerabilities
- Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP
- Automated Proactive & Reactive Patching for Ransomware vulnerabilities
- Ready to Learn more and see for yourself?
- Resources
- References
With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI’s 2020 Internet Crime Report 2400+ ransomware-related
Trend Micro (blogs_trendmicro) · 2020-09-29 · Malware
Cross-Platform / Modular Glupteba Malware Uses ManageX
This entry features the analysis of a variant of Glupteba, emphasizing the modularity and the cross-platform features of the malware as seen through the examination of its code. Notable in this variant is the use of ManageX.
By: Juan Carlos David Paglinawan
2020/09/29
We recently encountered a variant of Glupteba (detected by Trend Micro as Trojan.Win32.GLUPTEBA.WLDR). Glupteba is a trojan type that has been involved with Operation Windigo in the past. We also reported its attacks on MikroTik routers and updates on its command and control (C&C) servers.
With regard to its behavior, the variant shares many similarities with other Glupteba variants. Notable in this newly uncovered strain
Unit 42 (blogs_unit42) · 2020-08-26
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
Jay Chen · Published: August 26, 2020 · Threat Research · Vulnerabilities · Exploit
## Executive Summary
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it’s also important to know quantitatively how a delay could increase risk. What is the chance that attackers breach my organization using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, Unit 42 researchers analyzed 45,450 publicly available exploits in Exploit Database at the time of this writing. The research correlated the exploit data with vulnerability and patch information to study exploit development in multiple facets.
The research reveals that:
Qualys (blogs_qualys) · 2019-12-27 · CVSS 8.8 (HIGH)
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
A recent report identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.

| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | Examples of Threat Actors |
|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) |
| 2 | CVE-2018- | | | |
Check Point (blogs_checkpoint) · 2019-09-05 · tagged CVE-2019-0703
UPSynergy: Chinese-American Spy vs. Spy Story
Research by: Mark Lechtik & Nadav Grossman
Introduction
Earlier this year, our colleagues at Symantec uncovered an interesting story about
SentinelOne (blogs_sentinelone) · 2019-05-27 · CVSS 8.8 (HIGH) · CVE-2017-0143
EternalBlue Exploit: What It Is And How It Works
You will undoubtedly recall the names Shadow Brokers, who back in 2017 were dumping software exploits widely believed to be stolen from the US National Security Agency, and WannaCry, the notorious ransomware attack that struck only a month later.
Two years is a long time in cybersecurity, but `Eternalblue` (aka “EternalBlue”, “Eternal Blue”), the critical exploit leaked by the Shadow Brokers and deployed in the WannaCry and NotPetya attacks, is still making the headlines. Although a recent claim by the New York Times that Eternalblue was involved in the Baltimore attack seems wide of the mark, there’s no doubt that the exploit is set to be a potent weapon for many years to come. In this post, we explain why and take a closer look at Eternalblue.
## What is Eternalblue?
CVE-2017-0143 to CVE-2017-0148 are a family of critical vulnerabilities in Microsoft SMBv1 server used in Windows 7, Windows Server 2008, Windows XP and even Windows 10 running on port 445. Hardcoded strings in the original Eternalblue executable reveal the targeted Windows versions:
The vulnerability doesn’t just apply to Microsoft Windows, though; in fact, anything that uses the Microsoft SMBv1 server protocol, such as Siemens ultrasound medical equipment, is potentially vulnerable.
Check Point (blogs_checkpoint) · 2017-07-24 · CVE-2017-0143
2017-7-24 Global Cyber Attack Reports
TOP ATTACKS AND BREACHES
A vulnerability in Parity’s Ethereum wallet software has led to the theft of $30M worth of Ethereum cryptocurrency coins. Parity’s wallet software provides Ethereum coins holders the ability to access their wallet comfortably via a web-browser. The vulnerability that was exploited in the attack allowed threat actors to hijack victims’ wallets and conduct fraudulent transactions using them. In a different event, a threat actor has managed to steal $7M
Checkpoint
BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
blogs_checkpoint·2017-05-25
CVE-2017-0144 BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
## BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
Background
Rarely does the release of an exploit have such a large impact across the
Talos
Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks
blogs_talos·2017-05-22
Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks
When the WannaCry attack was launched a little over a week ago, it was one of the first large scale attacks leveraging the data that was leaked by the Shadow Brokers. At the time the real concern was how quickly we would begin to see other threats leverage the same vulnerabilities. Over the past couple of weeks, Talos has observed other malware variants that are using the ETERNALBLUE and DOUBLEPULSAR exploits from the Shadow Brokers release as part of their campaigns. Among them were Adylkuzz, Uiwix, and EternalRocks.
Adylkuzz is a piece of malware that uses ETERNALBLUE and DOUBLEPULSAR to install cryptocurrency mining software on the infected system. This attack actually pre-dates the WannaCry attack and has continued to deliver the cryptocurrency miner.
Uiwix uses a similar technique t
Checkpoint
Global Outbreak of WannaCry
blogs_checkpoint·2017-05-12·CVSS 8.8
CVE-2017-0143 [HIGH] Global Outbreak of WannaCry
## Global Outbreak of WannaCry
[Updated May 17, 2017]
On May 12, 2017, the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCryp ransomware. We have rep
Recorded Future
What Is WannaCry? Analyzing the Global Ransomware Attack
blogs_recorded_future
What Is WannaCry? Analyzing the Global Ransomware Attack
# What Is WannaCry? Analyzing the Global Ransomware Attack
### Key Takeaways
- WannaCry ransomware is a new variant of WanaCypt0r, which uses the ETERNALBLUE SMBv1 exploit to infect connected systems.
- Over 100 countries were affected by the ransomware.
- Three Bitcoin wallets are associated with the WannaCry 2.0 ransomware, which have received almost $26,000 in transfers since the beginning of the latest infection, a small sum considering the scope of damage.
- As of this posting, no money appears to have been moved from the Bitcoin wallets.
- Criminals behind WannaCry piggybacked on publicly dumped Equation Group exploits in an attempt to abuse free tools for easy money.
- We believe the criminals behind WannaCry didn’t intend for such a widespread attack, nor did they possess the exp
Recorded Future
Chinese and Russian Communities Analyze Shadow Brokers Malware Release
blogs_recorded_future·CVSS 8.8
[HIGH] Chinese and Russian Communities Analyze Shadow Brokers Malware Release
# Chinese and Russian Cyber Communities Dig Into Malware From April Shadow Brokers Release
As of April 15, the Chinese cyber community had begun to investigate the most recent release of malware from the Shadow Brokers group. Security researchers and cyber actors reversed several of the tools and were particularly interested in the exploit framework (named FUZZBUNCH), the SMB malware (ETERNALBLUE), and the privilege escalation tool (ETERNALROMANCE).
Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses.
Mentions of one of the tools, ETERNALBLUE, on the Chinese language web over time.
Mentions of Shadow Brokers-released malw
Huntress
CVE-2017-0143 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 8.8
CVE-2017-0143 [HIGH] CVE-2017-0143 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2017-0143 Vulnerability
Published: 12/05/2025
Written by: Lizzie Danielson
## What is CVE-2017-0143 vulnerability?
CVE-2017-0143 is a Remote Code Execution (RCE) vulnerability within the Server Message Block (SMBv1) protocol, part of the infamous “EternalBlue” exploit. This vulnerability allows attackers to corrupt memory and execute arbitrary code, targeting Microsoft Windows systems. Discovered as part of the Shadow Brokers leak, it was pivotal in the spread of ransomware campaigns like WannaCry.
## When was it discovered?
CVE-2017-0143 was publicly disclosed on March 14, 2017, through Microsoft’s MS17-010 security bulletin. It was initially identified by the U.S. National Security Agency (NSA) and later exposed in the Shadow Brokers leak. Systems remained vulnerable until p
arXiv
RapidPen: Fully Automated IP-to-Shell Penetration Testing with LLM-based Agents
arxiv_fulltext·2026-02-14
RapidPen: Fully Automated IP-to-Shell Penetration Testing with LLM-based Agents
RapidPen: Fully Automated IP-to-Shell Penetration Testing with LLM-based Agents
Sho Nakatani
SecDevLab Inc.
## Abstract
We present RapidPen, a fully automated penetration testing (pentesting) framework that addresses the challenge of achieving an initial foothold (IP-to-Shell) without human intervention. Unlike prior approaches that focus primarily on post-exploitation or require a human-in-the-loop, RapidPen leverages large language models (LLMs) to autonomously discover and exploit vulnerabilities, starting from a single IP address. By integrating advanced ReAct-style task planning (Re) with retrieval-augmented knowledge bases of successful exploits, along with a command-generation and direct execution feedback loop (Act), RapidPen systematically scans services, identifies viable att
arXiv
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
arxiv_fulltext·2025-02-16
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs
Yuning Jiang
[email protected]
0000-0003-4791-8452
National University of Singapore
Singapore
Nay Oo
[email protected]
NCS Cyber Special Ops R&D
Singapore
Qiaoran Meng
[email protected]
National University of Singapore
Singapore
Hoon Wei Lim
[email protected]
NCS Cyber Special Ops R&D
Singapore
Biplab Sikdar
[email protected]
National University of Singapore
Singapore
Jiang et al.
## Abstract
As interconnected systems proliferate, safeguarding complex infrastructures against an escalating array of cyber threats has become an urgent challenge. The growing number of vulnerabilities, coupled with resource constraints, makes addressing every vulnerability impractical, thereby rende
arXiv
Dynamic Vulnerability Criticality Calculator for Industrial Control Systems
arxiv_fulltext·2024-03-20
Dynamic Vulnerability Criticality Calculator for Industrial Control Systems
Dynamic Vulnerability Criticality Calculator for Industrial Control Systems
Pavlos Cheimonidis, Konstantinos Rantos
Department of Computer Science, International Hellenic University, 654 04 Kavala, Greece
e-mail: [email protected], [email protected]
## Abstract
The convergence of information and communication technologies has introduced new and advanced capabilities to Industrial Control Systems. However, concurrently, it has heightened their vulnerability to cyber attacks. Consequently, the imperative for new security methods has emerged as a critical need for these organizations to effectively identify and mitigate potential threats. This paper introduces an innovative approach by proposing a dynamic vulnerability critical
arXiv
Cybersecurity as a Service
arxiv_fulltext·2024-02-21
Cybersecurity as a Service
Cybersecurity as a Service
John Morris^* Stefan Tatschner^* Michael P. Heinl Patrizia Heinl Thomas Newe Sven Plaga
*These authors contributed equally to this work.
Authors:
- John Morris^*; Department of Electronic and Computer Engineering, University of Limerick, Ireland; [email protected]; ORCID: https://orcid.org/0000-0003-2811-1055
- Stefan Tatschner^*; Fraunhofer AISEC, Department Product Protection and Industrial Security, Germany; Department of Electronic and Computer Engineering, University of Limerick, Ireland; Confirm, the SFI Centre for Smart Manufacturing, Ireland; [email protected]; ORCID: https://orcid.org/0000-0002-2288-9010
- Michael P. Heinl; Fraunhofer AISEC, Department Product Protection and Industrial Security, Germany; [email protected]
arXiv
Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
arxiv_fulltext·2021-02-10·CVSS 8.8
CVE-2017-11882 [HIGH] Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
Top 10 Most Exploited Vulnerabilities 2016-2019 (https://us-cert.cisa.gov/ncas/alerts/aa20-133a)
| CVE | CVSS Score | Number of Tactics | Number of Techniques | Number of CAPECs | Number of CWEs | Number of CPEs |
|---|---|---|---|---|---|---|
| CVE-2017-11882 | 8.55 | 0 | 0 | 12 | 1 | 4 |
| CVE-2017-0199 | 8.55 | 0 | 0 | 0 | 0 | 9 |
| CVE-2017-5638 | 10.0 | 1 | 3 | 51 | 1 | 53 |
| CVE-2012-0158 | 9.3 | 0 | 0 | 3 | 1 | 29 |
| CVE-2019-0604 | 8.65 | 1 | 3 | 51 | 1 | 4 |
| CVE-2017-0143 | 0.0 (not listed in BRON but NVD says high severity) | 0 | 0 | 0 | 0 | 0 |
| CVE-2018-4878 | 8.65 | 0 | 0 | 0 | 1 | 3 |
| CVE-2017-8759 | 8.55 | 1 | 3 | 51 | 1 | 8 |
| CVE-2015-1641 | 9.3 | 0 | 0 | 0 | 1 | 11 |
| CVE-2018-7600 | 8.65 | 1 | 3 | 51 | 1 | 4 |
4 out of Top 10 Vulnerabilities share the follow
arXiv
Evaluating the Performance of Twitter-based Exploit Detectors
arxiv_fulltext·2020-11-05
Evaluating the Performance of Twitter-based Exploit Detectors
## Abstract
Patch prioritization is a crucial aspect of information systems security, and knowledge of which vulnerabilities were exploited in the wild is a powerful tool to help systems administrators accomplish this task. The analysis of social media for this specific application can enhance the results and bring more agility by collecting data from online discussions and applying machine learning techniques to detect real-world exploits. In this paper, we use a technique that combines Twitter data with public database information to classify vulnerabilities as exploited or not-exploited. We analyze the behavior of different classifying algorithms, investigate the influence of different antivirus data as ground truth, and experiment with various time window
arXiv
On the Effectiveness of Type-based Control Flow Integrity
arxiv_fulltext·2020-02-14
On the Effectiveness of Type-based Control Flow Integrity
2018 Annual Computer Security Applications Conference (ACSAC '18), December 3–7, 2018, San Juan, PR, USA
DOI: 10.1145/3274694.3274739
ISBN: 978-1-4503-6569-7/18/12
On the Effectiveness of Type-based Control Flow Integrity
Reza Mirzazade Farkhani
Northeastern University
[email protected]
Saman Jafari
Northeastern University
[email protected]
Sajjad Arshad
Northeastern University
[email protected]
William Robertson
Northeastern University
[email protected]
Engin Kirda
Northeastern University
[email protected]
Hamed Okhravi
MIT Lincoln Laboratory
[email protected]
## Abstract
Control flow integrity (CFI) has received significant attention in the community
arXiv
Security of Medical Cyber-physical Systems: An Empirical Study on Imaging Devices
arxiv_fulltext·2020-01-05
Security of Medical Cyber-physical Systems: An Empirical Study on Imaging Devices
The authors would like to thank the vendors and developers for their help in the research. This research was financially supported by the National Key Research and Development Plan (2018YFB1004101), Key Lab of Information Network Security, Ministry of Public Security (C19614), Special fund on education and teaching reform of Besti (jy201805), the Fundamental Research Funds for the Central Universities(328201910), China Postdoctoral Science Foundation funded project, 2019 Beijing Common Construction Project-Teaching Reform and Innovation Project for Universities in Beijing, Key Laboratory of Network Assessment Technology of Institute of Information Engineering, Chinese Academy of Sciences.
Zhiqiang Wang^1,*,
arXiv
Cognitive Techniques for Early Detection of Cybersecurity Events
arxiv_fulltext·2018-08-01
Cognitive Techniques for Early Detection of Cybersecurity Events
Sandeep Narayanan, Ashwinkumar Ganesan, Karuna Joshi, Tim Oates, Anupam Joshi and Tim Finin
Department of Computer Science & Electrical Engineering
University of Maryland, Baltimore County, Baltimore, MD, USA
{sand7, gashwin1, kjoshi1, oates, joshi, finin}@umbc.edu
## Abstract
The early detection of cybersecurity events such as attacks is challenging given the constantly evolving threat landscape. Even with advanced monitoring, sophisticated attackers can spend as many as 146 days (https://thebestvpn.com/cybersecurity-statistics-2018/) in a system before being detected. This paper describes a novel, cognitive framework that assists a security analyst by exploiting the power of semantically rich knowledge representation and
CTF
Legacy / README
ctf_writeups
Legacy / README
# Legacy
> Write-up author: jon-brandy
## STEPS:
> PORT SCANNING
```
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sVC 10.10.10.4 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-07 19:02 PDT
Nmap scan report for 10.10.10.4
Host is up (0.025s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 5d00h27m38s, deviation: 2h07m16s, median: 4d22h57m38s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: LEGACY, NetBIOS user: , NetBIOS MAC: 00505
```
CTF
README
ctf_writeups·CVSS 9.8
[CRITICAL] README
# Boot to root CTFs
Walkthroughs and notes of 'boot to root' CTFs mostly from VulnHub that I did for fun. I like to use vulnerable VMs from VulnHub (in addition to the ones I create) to organize hands-on penetration testing training sessions for junior security auditors/consultants :-)
### >> Classic pentest methodology to do a Boot2root CTF
… upload a Webshell)
➤ Clear-text passwords stored in 'public' website pages, configuration files, log files
➤ ...
2. Exploiting unpatched known vulnerabilities
➤ Web server (e.g. Apache Struts RCE: CVE-2017-12611/CVE-2017-9805/CVE-2017-9791, JBoss Java Deserialization RCE)
➤ Bash & web server CGI (e.g. Shellshock RCE CVE-2014-6271/CVE-2014-7169)
➤ Web CMS (e.g. Drupalgeddon2 RCE CVE-2018-7600)
➤ Web framework (e.g. PHP CGI RCE CVE-2012-1823)
➤ FTP s
CTF
17. Using the Metasploit-Framework / Using the Metasploit-Framework
ctf_writeups
17. Using the Metasploit-Framework / Using the Metasploit-Framework
# Using the Metasploit-Framework
Tags: #🧑🎓
Related to: [[metasploit framework]]
See also:
Previous: [[HTB Academy]]
![[logo_using_the_metasploit_framework.png]]
The Metasploit Framework is an open-source set of tools used for network enumeration, attacks, testing security vulnerabilities, evading detection, performing privilege escalation attacks, and performing post-exploitation.
### Cheatsheet
#### MSFconsole Commands
| **Command** | **Description** |
| :--------------- | :----------------------------------------------------------- |
| `show exploits` | Show all exploits within the Framework. |
| `show payloads` | Show all payloads within the Framework. |
| `show auxiliary` | Show all auxiliary modules within the Framework. |
| `search ` | Search for exploits or modules within the
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96703
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/43970/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0143
2017-03-17
Published
2021-11-03
Added to CISA KEV
Exploited in the wild