CVE-2021-22205
Published: 2021-04-23
Priority: P1 (100)
CVSS 3.1: 10.0 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: CISA KEV, exploited in the wild (ITW), public exploit, ransomware, initial access
CISA Known Exploited Vulnerability, remediation due 2021-11-17
EPSS: 99.73% (100.0th percentile)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 11.9.0 < 13.8.8 | 13.8.8 |
| gitlab | gitlab | >= 13.10.0 < 13.10.3 | 13.10.3 |
| gitlab | gitlab | >= 13.9.0 < 13.9.6 | 13.9.6 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)
- CVE-2021-22205 is exploited via unauthenticated file upload to GitLab; monitor for image file uploads that trigger ExifTool parsing, resulting in command execution as the 'git' user.
- GitLab servers exploited via CVE-2021-22205 have been observed being recruited into DDoS botnets capable of attacks over 1 TB/s; monitor for anomalous outbound traffic from GitLab hosts.
- CVE-2021-22205 has been chained with CVE-2021-22204 in Cerber ransomware attacks to upload and execute code remotely on GitLab servers; monitor for unauthorized code execution in the context of the 'git' account.
- CVE-2021-22205 exploitation involves passing malicious image files to a file parser (ExifTool); alert on GitLab processes spawning unexpected child processes from image/file upload handling code paths.
- Cloudflare observed a Mirai-type DDoS attack involving GitLab servers infected through CVE-2021-22205; correlate GitLab server compromise indicators with Mirai botnet C2 traffic patterns.
- The vulnerability affects all GitLab CE/EE versions starting from 11.9; only versions 13.10.3, 13.9.6, and 13.8.8 (and later) are patched. Ensure GitLab instances are upgraded to a patched version.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 10.0 | CRITICAL | — |
| vulncheck | — | 10.0 | CRITICAL | — |
| cisa | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
GHSA
GHSA-vgp2-3hxm-6x85
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-20
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
OSV
CVE-2021-22205
osv · 2021-04-23 · CVSS 10.0 · CRITICAL
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
VulnCheck
GitLab Community and Enterprise Editions Remote Code Execution Vulnerability
vulncheck · 2021 · CVSS 10.0 · CRITICAL · CWE-20
GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through ExifTool, which improperly validates the image files.
Affected: GitLab Community and Enterprise Editions
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/
- https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf
CISA
GitLab Community and Enterprise Editions Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 10.0 · CRITICAL · CWE-20
Affected: GitLab Community and Enterprise Editions
GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through ExifTool, which improperly validates the image files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-22205
Remediation Due Date: 2021-11-17
GitLab
CVE-2021-22205
vendor_gitlab · 2021-04-23 · CVSS 10.0 · CRITICAL · CWE-94
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
CISA KEV: GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through ExifTool, which improperly validates the image files.
Required Action: Apply updates per vendor instructions.
Known ransomware campaign use.
Debian
CVE-2021-22205: gitlab
vendor_debian · 2021 · CVSS 10.0 · CRITICAL
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
Suricata
ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205)
suricata · 2023-02-14 · CVSS 10.0 · CRITICAL
Rule:
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/uploads/user"; http.header_names; to_lowercase; content:"|0d 0a|x-csrf-token|0d 0a|"; http.request_body; content:"AT&TFORM"; fast_pattern; content:"DJV"; within:8; content:"ANT"; distance:0; content:"(metadata"; distance:0; content:"|5c 0a|"; distance:0; content:"|5c 0a|"; distance:0; reference:url,devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html,url,hackerone.com/reports/1154542; classtype:trojan-activity; sid:2044201; rev:5; metadata:attack_target Client_and_Server, created_at 2023_02_14, cve CVE_2021_2
```
Suricata
ET EXPLOIT Possible Gitlab CE/EE Image Parser RCE Inbound (CVE-2021-22205)
suricata · 2021-11-13 · CVSS 10.0 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Gitlab CE/EE Image Parser RCE Inbound (CVE-2021-22205)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploads/user"; http.request_body; content:"Content-Type|3a 20|image/jpeg"; content:"DJVMDIRM|00|"; content:"DJVIANT"; content:"|7b|"; content:"|7d|"; within:400; reference:cve,2021-22205; classtype:attempted-admin; sid:2034455; rev:3; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_22205, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, m
```
Exploit-DB
GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
exploitdb · 2021-11-17 · CVSS 6.8 · MEDIUM
Exploit header:
```
# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22
# Date: 11/01/2021
# Exploit Author: Jacob Baines
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/gitlab-org/gitlab
# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
# CVE : CVE-2021-22205
# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed
```
Metasploit
GitLab Unauthenticated Remote ExifTool Command Injection
metasploit
This module exploits an unauthenticated file upload and command injection vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The patched versions are 13.10.3, 13.9.6, and 13.8.8. Exploitation will result in command execution as the git user.
Nuclei
GitLab CE/EE - Remote Code Execution
nuclei · CVSS 10.0 · CRITICAL
GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
Template:
```yaml
id: CVE-2021-22205
info:
  name: GitLab CE/EE - Remote Code Execution
  author: GitLab Red Team
  severity: critical
  description: GitLab CE/EE starting from 11.9 does not properly validate image files tha
```
Nuclei
GitLab CE/EE Unauthenticated RCE Using ExifTool
nuclei · CVSS 10.0 · CRITICAL
GitLab CE/EE contains a vulnerability which allows a specially crafted image passed to a file parser to perform a command execution attack. Versions impacted are between 11.9-13.8.7, 13.9-13.9.5, and 13.10-13.10.2.
Template:
```yaml
id: gitlab-rce
info:
  name: GitLab CE/EE Unauthenticated RCE Using ExifTool
  author: pdteam
  severity: critical
  description: GitLab CE/EE contains a vulnerability which allows a specially crafted image passed to a file parser to perform a command execution attack. Versions impacted are between 11.9-13.8.7, 13.9-13.9.5, and 13.10-13.10.2.
  remediation: Upgrade to versions 13.10.3, 13.9.6, 13.8.8, or higher.
  reference:
    - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
    - https://hackerone.com/reports/
```
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Trendmicro
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
blogs_trendmicro·2025-05-27
APT & Targeted Attacks
By: Joseph C Chen, 2025/05/27
Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations.
Summary
- Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
- Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
- Earth Lamia has primarily targeted
Sentinelone
Prioritizing CVEs in the Cloud
blogs_sentinelone·2025-05-15
## Foreword & Guest Bio
As part of this ongoing series, SentinelOne is excited to present a series of guest blogs from cloud security experts covering their views on cloud security best practices. Following on from blogs by Teri Radichel, who focused on which AWS security gotchas to avoid and how to address the risk of faulty logic, we now have Rami McCarthy providing his view on cloud CVEs and his approach to vulnerability prioritization.
Rami is a self-proclaimed “security wonk”. Most recently, he helped build the Infrastructure Security program at Figma. Before that, he worked as a security consultant and helped scale security for a health-tech unicorn. He writes extensively about security over at ramimac.me and elsewhere.
## Introduction
Common Vulnerabilities and Exposures (CVEs) are
Trendmicro
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
blogs_trendmicro·2023-09-18
Malware
By: Joseph C Chen, 2023/09/18
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server — a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
In early 2021, we published a research paper discussing the operation of a China-linked threat actor we tracked as Earth Lusca. Since our initial research, the group has remained active and has even extended its operations, targeting countries around the world during the first half of 2023.
While monitoring the group, we managed to obtain an interestin
Wiz
Crying Out Cloud - August Newsletter | Wiz
blogs_wiz · 2023-08-30 · CVSS 6.5 · MEDIUM
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's delve in.
Editor’s note: some of you may have noticed that we accidentally resent last month’s edition (July) – this was due to a technical issue for which we apologize.
Moving on – here are our top picks of cloud security highlights!
## 🐞 High Profile Vulnerabilities
## High severity vulnerabilities in Kubernetes on Windows nodes
Three high severity Kubernetes vulnerabilities were published on August 23. All three are flaws related to insufficient sanitization that could lead to privilege escalation. Kubernetes clusters are only affected by these vulnerabilities if they include Windows nodes. The vulnerabilities were assigned CVE-2023-3676
Qualys
NSA Alert: Topmost CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
blogs_qualys · 2022-10-07 · CVSS 10.0 · CRITICAL
## Table of Contents
- Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0
- Identify Vulnerable Assets using Qualys Threat Protection
- Recommendations & Mitigations
- Contributors
On October 6, 2022, the United States National Security Agency (NSA) released a cybersecurity advisory on the Chinese government—officially known as the People’s Republic of China (PRC)—state-sponsored cyber actors’ activity to seek national interests. These malicious cyber activities attributed to the Chinese government targeted, and persist to target, a mixture of industries and organizations in the United States. They provide the top CVEs used since 2020 by the People’s Republic of China (PRC) state-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and I
Tenable
Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)
blogs_tenable·2022-10-07
Unit42
Network Security Trends: November 2021 to January 2022
blogs_unit42 · 2022-05-31 · CVSS 9.8 · CRITICAL
Yue Guan, published May 31, 2022 (Threat Research, Vulnerabilities)
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
Cross-site scripting stood out as a commonly used technique. Among around 6,443 newly published vulnerabilities, we found that a large portion (almost 10.6%) still involve this technique. However, by evaluating around 167 million attack sessions and focusing on the latest exploits in the wild, we conclude that remote code execution
Talos
Quarterly Report: Incident Response trends in Q1 2022
blogs_talos·2022-04-26
### Ransomware continues as the top threat, while a novel increase in APT activity emerges
Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide.
The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j.
Securelist
Kaspersky Q4 2021 DDoS attack report
blogs_securelist · 2022-02-10 · CVSS 9.8 · CRITICAL
Table of Contents
- News roundup
- Quarter and year trends
- DDoS attack statistics
- Conclusion
Authors
- Alexander Gutnikov
- Oleg Kupreev
- Yaroslav Shmelev
## News roundup
Q4 2021 saw the appearance of several new DDoS botnets. A zombie network, named Abcbot by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe cryptojacking group. This is further evidence that the same botnets are often used for mining and DDoS.
The EwDoor botnet, which first came to researchers’ attention in late October, turned out
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA's Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01 , “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Greynoiseio
Malicious Tag Roundup (October 2021)
blogs_greynoiseio·CVSS 10.0
arXiv
Towards Agentic Honeynet Configuration
arxiv_fulltext · 2026-03-14
Federico Mirra, Matteo Boffa, Danilo Giordano, Marco Mellia (Politecnico di Torino, first.last@polito.it)
Idilio Drago (Università di Torino)
## Abstract
Honeypots are deception systems that emulate vulnerable services to collect threat intelligence. While deploying many honeypots increases the opportunity to observe attacker behaviour, in practice network and computational resources limit the number of honeypots that can be exposed. Hence, practitioners must select the assets to deploy, a decision that is typically made statically despite attackers’ tactics evolving over time.
This work investigates an AI-driven agentic architecture that autonomously manages honeypot exposure in response to ongoing attacks. The proposed agent
CWE
CWE-20: Improper Input Validation
mitre_cwe
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of:
- raw data: strings, numbers, parameters, file contents, etc.
- metadata: information about the raw data, such as headers or size
Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data. Many properties of raw data or metadata may n
CWE
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
mitre_cwe
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Modes of Introduction:
- Phase: Implementation. Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
- Phase: Implementation. Note: This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.
Common Consequences:
- Scope: Confidentiality. Impact: Read Files or Directories, Read Application Data. The injected code could access restricted data / files.
- Scope: Access Control. Impact:
References:
- http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html
- http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/327121
- https://hackerone.com/reports/1154542
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22205
Timeline:
- 2021-04-23: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild