213 CISA Known Exploited Vulnerabilities from 2021
Metabase Metabase — Metabase GeoJSON API Local File Inclusion Vulnerability (CVSS 10)
QNAP Network Attached Storage (NAS) — QNAP NAS Improper Authorization Vulnerability (CVSS 10)
Apache Log4j2 'Log4Shell' — JNDI Injection via Logged Input Allows Unauthenticated Remote Code Execution (CVSS 10)
GitLab Community and Enterprise Editions — GitLab Community and Enterprise Editions Remote Code Execution Vulnerability (CVSS 10)
Ivanti Pulse Connect Secure — Ivanti Pulse Connect Secure Use-After-Free Vulnerability (CVSS 10)
Kaseya Virtual System/Server Administrator (VSA) — Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability (CVSS 10)
SAP NetWeaver — SAP NetWeaver Unrestricted File Upload Vulnerability (CVSS 9.9)
Rockwell Multiple Products — Rockwell Multiple Products Insufficient Protected Credentials Vulnerability (CVSS 9.8)
ASUS Routers — ASUS Routers Improper Authentication Vulnerability (CVSS 9.8)
Dahua IP Camera Firmware — Dahua IP Camera Authentication Bypass Vulnerability (CVSS 9.8)
Dahua IP Camera Firmware — Dahua IP Camera Authentication Bypass Vulnerability (CVSS 9.8)
Ivanti EPM CSA — Unauthenticated Remote Code Execution via Backdoored csrf-magic PHP Library (CVSS 9.8)
Sunhillo SureLine — Sunhillo SureLine OS Command Injection Vulnerability (CVSS 9.8)
Laravel Ignition — Laravel Ignition File Upload Vulnerability (CVSS 9.8)
Roundcube Roundcube Webmail — Roundcube Webmail SQL Injection Vulnerability (CVSS 9.8)
Oracle Fusion Middleware — Oracle Fusion Middleware Unspecified Vulnerability (CVSS 9.8)
Grafana Labs Grafana — Grafana Authentication Bypass Vulnerability (CVSS 9.8)
Checkbox Checkbox Survey — Checkbox Survey Deserialization of Untrusted Data Vulnerability (CVSS 9.8)
Microsoft HTTP Protocol Stack — Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability (CVSS 9.8)
D-Link Multiple Routers — D-Link Multiple Routers Remote Code Execution Vulnerability (CVSS 9.8)
SonicWall Secure Remote Access (SRA) — SonicWall Secure Remote Access (SRA) SQL Injection Vulnerability (CVSS 9.8)
Citrix ShareFile — Citrix ShareFile Improper Access Control Vulnerability (CVSS 9.8)
Sitecore XP — Sitecore XP Remote Command Execution Vulnerability (CVSS 9.8)
SonicWall SMA 100 Appliances — SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability (CVSS 9.8)
F5 BIG-IP Traffic Management Microkernel — F5 BIG-IP Traffic Management Microkernel Buffer Overflow (CVSS 9.8)
Aviatrix Aviatrix Controller — Aviatrix Controller Unrestricted Upload of File (CVSS 9.8)
FatPipe WARP, IPVPN, and MPVPN software — FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit (CVSS 9.8)
Hikvision Security cameras web server — Hikvision Improper Input Validation (CVSS 9.8)
Realtek Jungle Software Development Kit (SDK) — Realtek Jungle SDK Remote Code Execution Vulnerability (CVSS 9.8)
Zoho Desktop Central — Zoho Desktop Central Authentication Bypass Vulnerability (CVSS 9.8)
Zoho ManageEngine ServiceDesk Plus (SDP) — Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability (CVSS 9.8)
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus — Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVSS 9.8)
Cisco HyperFlex HX — Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability (CVSS 9.8)
Cisco HyperFlex HX — Cisco HyperFlex HX Data Platform Command Injection Vulnerability (CVSS 9.8)
Apple iOS, iPadOS, and macOS — Apple iOS, iPadOS, and macOS WebKit Remote Code Execution Vulnerability (CVSS 9.8)
Apple iOS, iPadOS, and macOS — Apple iOS, iPadOS, and macOS WebKit Remote Code Execution Vulnerability (CVSS 9.8)
SonicWall SSLVPN SMA100 — SonicWall SSLVPN SMA100 SQL Injection Vulnerability (CVSS 9.8)
SonicWall SonicWall Email Security — SonicWall Email Security Improper Privilege Management Vulnerability (CVSS 9.8)
Arcadyan Buffalo Firmware — Arcadyan Buffalo Firmware Path Traversal Vulnerability (CVSS 9.8)
VMware vCenter Server — VMware vCenter Server Remote Code Execution Vulnerability (CVSS 9.8)
VMware vCenter Server — VMware vCenter Server Improper Input Validation Vulnerability (CVSS 9.8)
VMware vCenter Server — VMware vCenter Server File Upload Vulnerability (CVSS 9.8)
Micro Focus Operation Bridge Reporter (OBR) — Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution Vulnerability (CVSS 9.8)
F5 BIG-IP and BIG-IQ Centralized Management — F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability (CVSS 9.8)
Atlassian Confluence Server and Data Center — Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability (CVSS 9.8)
Accellion FTA — Accellion FTA SQL Injection Vulnerability (CVSS 9.8)
Accellion FTA — Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability (CVSS 9.8)
Accellion FTA — Accellion FTA OS Command Injection Vulnerability (CVSS 9.8)
Yealink Device Management — Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability (CVSS 9.8)
Tenda AC11 Router — Tenda AC11 Router Stack Buffer Overflow Vulnerability (CVSS 9.8)
Realtek AP-Router SDK — Realtek AP-Router SDK Buffer Overflow Vulnerability (CVSS 9.8)
ForgeRock Access Management (AM) — ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability (CVSS 9.8)
Microsoft Open Management Infrastructure (OMI) — Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability (CVSS 9.8)
Zoho ManageEngine — Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability (CVSS 9.8)
Apache HTTP Server — Apache HTTP Server Path Traversal Vulnerability (CVSS 9.8)
Apache HTTP Server — Apache HTTP Server Path Traversal Vulnerability (CVSS 9.8)
BQE BillQuick Web Suite — BQE BillQuick Web Suite SQL Injection Vulnerability (CVSS 9.8)
Google Chromium Indexed DB API — Google Chromium Indexed DB API Use-After-Free Vulnerability (CVSS 9.6)
Google Chromium Portals — Google Chromium Portals Use-After-Free Vulnerability (CVSS 9.6)
Microsoft Exchange Server 'ProxyLogon' — SSRF Authentication Bypass Enables Pre-Auth RCE; Exploited as Zero-Day by HAFNIUM (CVSS 9.1)
Microsoft Exchange Server — Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS 9.1)
Apache Log4j2 — Apache Log4j2 Deserialization of Untrusted Data Vulnerability (CVSS 9)
Apache Apache — Apache HTTP Server-Side Request Forgery (SSRF) (CVSS 9)
Microsoft Exchange Server — Microsoft Exchange Server Privilege Escalation Vulnerability (CVSS 9)
SolarWinds Serv-U — SolarWinds Serv-U Remote Code Execution Vulnerability (CVSS 9)
OpenPLC ScadaBR — OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability (CVSS 8.8)
Arm Mali Graphics Processing Unit (GPU) — Arm Mali GPU Kernel Driver Use-After-Free Vulnerability (CVSS 8.8)
Veritas Backup Exec Agent — Veritas Backup Exec Agent Command Execution Vulnerability (CVSS 8.8)
Ubuntu Linux Kernel — overlayfs File Capabilities Bypass in User Namespaces for Local Privilege Escalation (CVSS 8.8)
Apple Multiple Products — Apple Multiple Products Type Confusion Vulnerability (CVSS 8.8)
Dell dbutil Driver — Dell dbutil Driver Insufficient Access Control Vulnerability (CVSS 8.8)
Nagios Nagios XI — Nagios XI OS Command Injection (CVSS 8.8)
Nagios Nagios XI — Nagios XI OS Command Injection (CVSS 8.8)
Nagios Nagios XI — Nagios XI OS Command Injection (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Use-After-Free Vulnerability (CVSS 8.8)
Microsoft Exchange — Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS 8.8)
Adobe Acrobat and Reader — Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Heap Buffer Overflow Vulnerability (CVSS 8.8)
Google Chromium — Google Chromium Race Condition Vulnerability (CVSS 8.8)
Google Chromium Blink — Google Chromium Blink Use-After-Free Vulnerability (CVSS 8.8)
Google Chromium Blink — Google Chromium Blink Use-After-Free Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Improper Input Validation Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability (CVSS 8.8)
Ivanti Pulse Connect Secure — Ivanti Pulse Connect Secure Collaboration Suite Buffer Overflow Vulnerability (CVSS 8.8)
Ivanti Pulse Connect Secure — Ivanti Pulse Connect Secure Command Injection Vulnerability (CVSS 8.8)
Microsoft Internet Explorer — Microsoft Internet Explorer Memory Corruption Vulnerability (CVSS 8.8)
Microsoft Internet Explorer — Microsoft Internet Explorer Remote Code Execution Vulnerability (CVSS 8.8)
Adobe Acrobat and Reader — Adobe Acrobat and Reader Use-After-Free Vulnerability (CVSS 8.8)
Arm Mali Graphics Processing Unit (GPU) — Arm Mali Graphics Processing Unit (GPU) Use-After-Free Vulnerability (CVSS 8.8)
Arm Mali Graphics Processing Unit (GPU) — Arm Mali Graphics Processing Unit (GPU) Unspecified Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability (CVSS 8.8)
Google Chromium WebGL — Google Chromium WebGL Use-After-Free Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Type Confusion Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Out-of-Bounds Write Vulnerability (CVSS 8.8)
Apple Multiple Products — Apple Multiple Products WebKit Storage Use-After-Free Vulnerability (CVSS 8.8)
Apple Multiple Products — Apple Multiple Products WebKit Integer Overflow Vulnerability (CVSS 8.8)
Apple Multiple Products — Apple Multiple Products WebKit Memory Corruption Vulnerability (CVSS 8.8)
Apple iOS — Apple iOS WebKit Buffer Overflow Vulnerability (CVSS 8.8)
Apple iOS — Apple iOS WebKit Memory Corruption Vulnerability (CVSS 8.8)
Apple iOS — Apple iOS WebKit Use-After-Free Vulnerability (CVSS 8.8)
Apple iOS, iPadOS, and macOS — Apple iOS, iPadOS, macOS Use-After-Free Vulnerability (CVSS 8.8)
Microsoft Windows 'PrintNightmare' — Print Spooler Driver Installation Allows Authenticated Remote Code Execution as SYSTEM (CVSS 8.8)
Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security — Trend Micro Multiple Products Improper Input Validation Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Use-After-Free Vulnerability (CVSS 8.8)
Google Chromium V8 — Google Chromium V8 Memory Corruption Vulnerability (CVSS 8.8)
Microsoft MSHTML — Microsoft MSHTML Remote Code Execution Vulnerability (CVSS 8.8)
XStream XStream — XStream Remote Code Execution Vulnerability (CVSS 8.5)
Qualcomm Multiple Chipsets — Qualcomm Multiple Chipsets Use-After-Free Vulnerability (CVSS 8.4)
Microsoft Windows — Microsoft Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability (CVSS 8.4)
Linux Kernel — Linux Kernel Heap Out-of-Bounds Write Vulnerability (CVSS 8.3)
Veritas Backup Exec Agent — Veritas Backup Exec Agent Improper Authentication Vulnerability (CVSS 8.2)
October CMS October CMS — October CMS Improper Authentication (CVSS 8.2)
McAfee McAfee Total Protection (MTP) — McAfee Total Protection (MTP) Improper Privilege Management Vulnerability (CVSS 8.2)
Acclaim Systems USAHERDS — Acclaim Systems USAHERDS Use of Hard-Coded Credentials Vulnerability (CVSS 8.1)
Veritas Backup Exec Agent — Veritas Backup Exec Agent File Access Vulnerability (CVSS 8.1)
Apple Multiple Products — Apple Multiple Products Integer Overflow or Wraparound Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Privilege Escalation Vulnerability (CVSS 7.8)
Red Hat Polkit — Red Hat Polkit Incorrect Authorization Vulnerability (CVSS 7.8)
Apple iOS, iPadOS, and macOS — Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability (CVSS 7.8)
Delta Electronics DOPSoft 2 — Delta Electronics DOPSoft 2 Improper Input Validation Vulnerability (CVSS 7.8)
Apple iOS and iPadOS — Apple iOS and iPadOS Buffer Overflow Vulnerability (CVSS 7.8)
Polkit pkexec 'PwnKit' — Out-of-Bounds Write in Argument Handling Permits Root Escalation on Every Major Linux Distribution (CVSS 7.8)
Android Kernel — Android Kernel Use-After-Free Vulnerability (CVSS 7.8)
Apple Multiple Products — Apple Multiple Products Memory Corruption Vulnerability (CVSS 7.8)
Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability (CVSS 7.8)
Google Pixel — Google Pixel Out-of-Bounds Write Vulnerability (CVSS 7.8)
Sudo 'Baron Samedit' — Heap-Based Buffer Overflow via Off-by-One Permits Root Escalation Without Any sudoers Entry (CVSS 7.8)
Microsoft Windows — Microsoft Windows User Profile Service Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Event Tracing Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Office — Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows SAM Local Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Win32k Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Office — Microsoft Excel Security Feature Bypass (CVSS 7.8)
Microsoft Defender — Microsoft Defender Remote Code Execution Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Print Spooler Remote Code Execution Vulnerability (CVSS 7.8)
Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Exchange Server — Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS 7.8)
Microsoft Exchange Server — Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS 7.8)
Microsoft Exchange Server — Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS 7.8)
Accellion FTA — Accellion FTA OS Command Injection Vulnerability (CVSS 7.8)
Microsoft Win32k — Microsoft Win32k Privilege Escalation Vulnerability (CVSS 7.8)
Apple macOS — Apple macOS Unspecified Vulnerability (CVSS 7.8)
Apple Multiple Products — Apple Multiple Products Memory Corruption Vulnerability (CVSS 7.8)
Apple Multiple Products — Apple Multiple Products Integer Overflow Vulnerability (CVSS 7.8)
Apple iOS, iPadOS, and macOS — Apple iOS, iPadOS, and macOS Type Confusion Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows NTFS Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Kernel Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Kernel Privilege Escalation Vulnerability (CVSS 7.8)
Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security — Trend Micro Multiple Products Improper Input Validation Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Update Medic Service Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Windows — Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Open Management Infrastructure (OMI) — Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Open Management Infrastructure (OMI) — Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft Office — Microsoft Office Remote Code Execution Vulnerability (CVSS 7.6)
Omnissa Workspace One UEM — Omnissa Workspace ONE Server-Side Request Forgery (CVSS 7.5)
Grafana Labs Grafana — Grafana Path Traversal Vulnerability (CVSS 7.5)
DrayTek VigorConnect — DrayTek VigorConnect Path Traversal Vulnerability (CVSS 7.5)
DrayTek VigorConnect — DrayTek VigorConnect Path Traversal Vulnerability (CVSS 7.5)
D-Link DIR-605 Router — D-Link DIR-605 Router Information Disclosure Vulnerability (CVSS 7.5)
Apple iOS, macOS, watchOS — Apple iOS, macOS, watchOS Sandbox Bypass Vulnerability (CVSS 7.5)
Microsoft Active Directory — Microsoft Active Directory Domain Services Privilege Escalation Vulnerability (CVSS 7.5)
Microsoft Active Directory — Microsoft Active Directory Domain Services Privilege Escalation Vulnerability (CVSS 7.5)
VMware vRealize Operations Manager API — VMware Server Side Request Forgery in vRealize Operations Manager API (CVSS 7.5)
Micro Focus Micro Focus Access Manager — Micro Focus Access Manager Information Leakage Vulnerability (CVSS 7.5)
Microsoft Windows — Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVSS 7.5)
Microsoft Windows — Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability (CVSS 7.5)
Samsung Mobile Devices — Samsung Mobile Devices Out-of-Bounds Read Vulnerability (CVSS 7.3)
Microsoft Exchange Server — Microsoft Exchange Server Information Disclosure (CVSS 7.3)
Adminer Adminer — Adminer Server-Side Request Forgery Vulnerability (CVSS 7.2)
Reolink RLC-410W IP Camera — Reolink RLC-410W IP Camera OS Command Injection Vulnerability (CVSS 7.2)
Microsoft Exchange Server — Microsoft Exchange Server Information Disclosure Vulnerability (CVSS 7.2)
SonicWall SonicWall Email Security — SonicWall Email Security Unrestricted Upload of File Vulnerability (CVSS 7.2)
Ivanti Pulse Connect Secure — Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability (CVSS 7.2)
Npm package System Information Library for Node.JS — System Information Library for Node.JS Command Injection (CVSS 7.1)
Microsoft Windows — Microsoft Windows AppX Installer Spoofing Vulnerability (CVSS 7.1)
Apple Multiple Products — Apple Multiple Products Race Condition Vulnerability (CVSS 7)
Microsoft Open Management Infrastructure (OMI) — Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability (CVSS 7)
GitLab GitLab — GitLab Server-Side Request Forgery (SSRF) Vulnerability (CVSS 6.8)
GitLab Community and Enterprise Editions — GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability (CVSS 6.8)
Perl Exiftool — ExifTool Remote Code Execution Vulnerability (CVSS 6.8)
Microsoft Windows — Microsoft Windows Scripting Engine Memory Corruption Vulnerability (CVSS 6.8)
Linux Kernel — Linux Kernel Privilege Escalation Vulnerability (CVSS 6.6)
Microsoft Exchange Server — Microsoft Exchange Server Security Feature Bypass Vulnerability (CVSS 6.6)
SonicWall SMA100 Appliances — SonicWall SMA100 Appliances OS Command Injection Vulnerability (CVSS 6.5)
Google Chromium PopupBlocker — Google Chromium PopupBlocker Security Bypass Vulnerability (CVSS 6.5)
Google Chromium — Google Chromium Information Disclosure Vulnerability (CVSS 6.5)
Samsung Mobile Devices — Samsung Mobile Devices Race Condition Vulnerability (CVSS 6.4)
Samsung Mobile Devices — Samsung Mobile Devices Race Condition Vulnerability (CVSS 6.4)
Android Kernel — Android Kernel Race Condition Vulnerability (CVSS 6.4)
Samsung Mobile Devices — Samsung Mobile Devices Improper Access Control Vulnerability (CVSS 6.2)
Qualcomm Multiple Chipsets — Qualcomm Multiple Chipsets Detection of Error Condition Without Action Vulnerability (CVSS 6.2)
Samsung Mobile Devices — Samsung Mobile Devices Unspecified Vulnerability (CVSS 6.1)
Samsung Mobile Devices — Samsung Mobile Devices Improper Boundary Check Vulnerability (CVSS 6.1)
Samsung Mobile Devices — Samsung Mobile Devices Memory Corruption Vulnerability (CVSS 6.1)
Apple iOS, iPadOS, and watchOS — Apple iOS, iPadOS, and watchOS WebKit Cross-Site Scripting (XSS) Vulnerability (CVSS 6.1)
Google Chromium Intents — Google Chromium Intents Improper Input Validation Vulnerability (CVSS 6.1)
Microsoft Windows — Microsoft Windows Installer Privilege Escalation Vulnerability (CVSS 5.5)
Arm Trusted Firmware — Arm Trusted Firmware Out-of-Bounds Write Vulnerability (CVSS 5.5)
Apple macOS — Apple macOS Unspecified Vulnerability (CVSS 5.5)
Microsoft Windows — Microsoft Windows Kernel Information Disclosure Vulnerability (CVSS 5.5)
OpenPLC ScadaBR — OpenPLC ScadaBR Cross-site Scripting Vulnerability (CVSS 5.4)
Atlassian Jira Server and Data Center — Atlassian Jira Server and Data Center Path Traversal Vulnerability (CVSS 5.3)
Atlassian Confluence Server — Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability (CVSS 5.3)
VMware vCenter Server and Cloud Foundation — VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability (CVSS 5.3)
VMware vCenter Server — VMware vCenter Server Improper Access Control (CVSS 5.3)
Microsoft Enhanced Cryptographic Provider — Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability (CVSS 5.2)
Microsoft Enhanced Cryptographic Provider — Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability (CVSS 5.2)
SonicWall SonicWall Email Security — SonicWall Email Security Path Traversal Vulnerability (CVSS 4.9)
Samsung Mobile Devices — Samsung Mobile Devices Improper Access Control Vulnerability (CVSS 4.4)
SolarWinds Serv-U — SolarWinds Serv-U Improper Input Validation Vulnerability (CVSS 4.3)
Samsung Mobile Devices — Samsung Mobile Devices Improper Input Validation Vulnerability (CVSS 3.3)
Fortinet FortiOS — Fortinet FortiOS Arbitrary File Download (CVSS 3.3)