
713 IOCs Tied to Actively-Exploited CVEs in Our Index. Patch These First.

  • Writer: Patrick Duggan
  • 23 minutes ago
  • 7 min read

We just closed an attribution gap in our threat-intel index. Until today, only one of the 1.14 million IOCs in our iocs index had a CVE attached. Tonight, 1,431 do — extracted from existing source descriptions and cross-referenced against the CISA Known Exploited Vulnerabilities catalog. 713 of those IOCs are tied to CVEs that CISA confirms are actively exploited in the wild right now. Twenty of the 366 adversary profiles we track are attributed to exploitation of those KEV-listed vulnerabilities.


This post is the customer-facing version: the top exploited CVEs across our index, who exploits them, what they target, and exactly what to do about each.


If you operate any of the affected products and you have not patched, patch tonight. Not Monday. Tonight.


How to read this list



Each entry below carries:


  • CVE — the vulnerability identifier

  • Product / vendor — what's vulnerable, with the weakness class as CISA names it

  • IOC count — how many indicators in our index are tagged to that CVE

  • Action — exactly what to do, in the order to do it


Threat-actor attribution (who has been observed exploiting each CVE in the wild, per our adversary index) is not repeated per entry; it is one query away in the adversaries search described under "Verifying any claim" below.


These come from our enriched IOC + adversary data, cross-referenced against the CISA KEV catalog (1,590 entries as of today). Cross-references are not theoretical; they are present in our index. You can verify each by querying our public search API with q=<CVE-ID>.


The top exploited CVEs in our index right now



These are the fifteen KEV-listed CVEs with the most associated indicators in our database, ranked by IOC count. Total: 78 unique KEV CVEs across 715 IOC occurrences in our enriched data (occurrences, not unique indicators: an IOC tagged to more than one KEV CVE is counted once per CVE, which is why this runs slightly above the 713 unique KEV-tied IOCs). These represent active campaigns where our threat-intel feeds have indicators tied to specific exploitation infrastructure for these CVEs.


1. CVE-2026-31431 — Linux Kernel (271 IOCs). Linux Kernel Incorrect Resource Transfer Between Spheres. Privilege-escalation class vulnerability. Action: update Linux kernel to the patched version on every internet-exposed VM and container host. Audit container escape paths if you operate Kubernetes.


2. CVE-2026-41940 — WebPros cPanel & WHM (110 IOCs). Missing Authentication for Critical Function across cPanel, WHM, and WP2 (WordPress Squared). Action: emergency patch. cPanel deployments running on shared-hosting providers expose every customer site at once when this is unpatched. Run /usr/local/cpanel/cpanel -V (or read /usr/local/cpanel/version) and confirm the build against the patched release immediately.


3. CVE-2025-55182 — Meta React Server Components (44 IOCs). Remote Code Execution through unsafe deserialization of React Server Components request payloads (the Flight protocol); fixed in React 19.0.1, 19.1.2 and 19.2.1. Action: upgrade react, react-dom and the react-server-dom-* packages in any production app using RSC, then take the matching framework release. Audit Next.js App Router deployments and any other RSC-capable stack. Until patched, restricting RSC endpoints to authenticated users cuts off unauthenticated exploitation but is not a fix; only the upgrade is.


4. CVE-2026-33017 — Langflow (36 IOCs). Code Injection in Langflow LLM workflow builder. Action: never run Langflow on a public IP. Move it behind a VPN or private network. Patch to the latest release. Audit any Langflow workspace that has public-facing API endpoints.


5. CVE-2026-34197 — Apache ActiveMQ (24 IOCs). Improper Input Validation. Action: patch ActiveMQ to the latest. Close port 61616 (OpenWire) and the 8161 web console to the public internet — message brokers should never be internet-exposed. Search Shodan: port:61616 country:US (substitute your own country code or netblock) to find your own exposed brokers.


6. CVE-2026-35616 — Fortinet FortiClient EMS (16 IOCs). Improper Access Control. Action: emergency Fortinet patch. FortiClient EMS is the central management server — compromise here gives attacker control over every endpoint enrolled. Pair with CVE-2026-21643 below (same product, also active).


7. CVE-2026-39987 — Marimo (16 IOCs). Remote Code Execution in Marimo notebook server (a Jupyter alternative). Action: patch immediately. If you run notebook servers internet-exposed for your data team, that practice should change anyway. Behind VPN at minimum.


8. CVE-2025-8110 — Gogs (16 IOCs). Path Traversal in self-hosted Git server. Action: upgrade Gogs. Audit who has admin tokens. If your Gogs has been internet-exposed and unpatched for any length of time, treat as compromised — rotate every SSH key and personal access token issued from that instance.


9. CVE-2025-32463 — Sudo (12 IOCs). Inclusion of Functionality from Untrusted Control Sphere: the chroot option (-R) lets a local user make sudo load an attacker-controlled NSS module as root. Affects sudo 1.9.14 through 1.9.17; fixed in 1.9.17p1. Action: patch sudo on every Linux host. This is local privilege escalation, but it is trivially weaponizable once an attacker has any foothold. The patch is distro-package-level: apt install --only-upgrade sudo, dnf upgrade sudo, or equivalent. No reboot required. Confirm with sudo --version, but note that distributions backport the fix without bumping the upstream version, so on a distro package check the package changelog rather than the version string alone.


10. CVE-2026-42208 — BerriAI LiteLLM (9 IOCs). SQL Injection in the LiteLLM AI gateway. Action: upgrade LiteLLM. If you run LiteLLM as an internal AI proxy with API key storage, this CVE puts those keys at risk. Rotate all proxied API keys (OpenAI, Anthropic, etc) after patching.


11. CVE-2024-4577 — PHP-CGI (9 IOCs). OS Command Injection: an argument injection in php-cgi on Windows, caused by the Best-Fit character conversion in certain code pages (Chinese and Japanese locales are the confirmed ones), which lets a request smuggle php-cgi command-line options such as -d allow_url_include. Disclosed June 2024 and still landing IOCs. Action: stop running PHP-CGI on Windows specifically — it is the unsafe configuration. Migrate to PHP-FPM or the Apache module. If you cannot, upgrade to PHP 8.1.29, 8.2.20 or 8.3.8 or later (PHP 8.0 and earlier are end-of-life and received no fix), and as a stop-gap add a rewrite rule that rejects query strings beginning with the %AD (soft hyphen) byte.


12. CVE-2026-0300 — Palo Alto Networks PAN-OS (9 IOCs). Out-of-bounds Write. Action: emergency PAN-OS update. PAN-OS bugs are critical because the device sits at the edge — compromise of the firewall is compromise of everything behind it. Subscribe to Palo Alto's security advisories if you don't already.


13. CVE-2026-20131 — Cisco Secure Firewall Management Center (7 IOCs). Same architectural pattern as #12 — management plane for the firewall itself. Action: Cisco FMC patch. Audit who has admin access. Restrict the FMC management interface to a jump host, never directly internet-exposed.


14. CVE-2026-21643 — Fortinet FortiClient EMS (7 IOCs). SQL Injection. Same product as #6, different bug. Action: same emergency patch. Multiple vulnerabilities in the same product within a short window are the signal that attackers are researching this product heavily right now.


15. CVE-2025-24813 — Apache Tomcat (7 IOCs). Path Equivalence Vulnerability in the DefaultServlet's partial PUT handling; fixed in 9.0.99, 10.1.35 and 11.0.3. Action: upgrade Tomcat. If you run Tomcat for legacy Java apps, this is the CVE that gets you. It is not a default-config RCE: the write path needs the DefaultServlet's readonly init parameter set to false (the default is true), and the remote-code-execution variant additionally needs file-based session persistence and a deserialization gadget on the classpath. Check conf/web.xml for readonly=false and context.xml for a PersistentManager; if both are present on an unpatched, exposed instance, assume compromise.


The shape: the top three CVEs alone account for 425 of 715 IOC occurrences in our enriched data — about 59 percent. The vendors most-represented in the top fifteen are Apache (2), Fortinet (2), and the rest are single-product hits. Patch priority order: cPanel and Linux Kernel first, then Fortinet, then Cisco/Palo Alto edge devices, then everything else.
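Several of the actions above come down to "confirm you are on the patched build". The script below is an added example, not code from this post or from any vendor: it compares installed version strings against the first fixed release in each supported branch, using the fixed versions published in the vendor advisories for the sudo, Tomcat, PHP and React entries, and it handles the two cases a naive string compare gets wrong, sudo's p1 patch suffix and an install on a branch that received no fix at all. The host inventory is constructed. One caveat it cannot paper over: distribution packages backport fixes without changing the upstream version, so for Debian, RHEL and friends the version string is not the check, the package changelog is.

```python
"""Patched-build check for the fixed releases behind several entries above.

Added example; not code from the post or from any vendor. Fixed releases are
taken from the vendors' advisories for each CVE. The inventory is constructed.
Caveat: this compares upstream version strings, which is right for self-built
or vendor-tarball installs; distribution packages backport fixes without
changing the upstream version, so consult the package changelog for those.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed: tuple[str, ...]            # first fixed release in each supported branch
    affected_from: str | None = None  # oldest affected release, when the bug was introduced late


# Fixed releases per CVE (from the vendor advisories); a branch is major.minor.
ADVISORIES: dict[str, Advisory] = {
    # sudo -R/chroot bug exists only from 1.9.14, when the option was added
    "CVE-2025-32463": Advisory("sudo", ("1.9.17p1",), affected_from="1.9.14"),
    "CVE-2025-24813": Advisory("tomcat", ("9.0.99", "10.1.35", "11.0.3")),
    # php-cgi argument injection: only exploitable on Windows, which this cannot see
    "CVE-2024-4577": Advisory("php", ("8.1.29", "8.2.20", "8.3.8")),
    "CVE-2025-55182": Advisory("react", ("19.0.1", "19.1.2", "19.2.1"), affected_from="19.0.0"),
}

# major.minor[.patch][pN]; anything else (e.g. Tomcat milestones 9.0.0.M1) is rejected
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_version(text: str) -> tuple[int, ...]:
    """'1.9.17p1' -> (1, 9, 17, 1); '9.0.99' -> (9, 0, 99, 0).

    sudo appends a 'pN' patch level; a missing one counts as p0, so that
    1.9.17 sorts below 1.9.17p1 instead of comparing equal to it.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def status(cve: str, installed: str) -> str:
    """Classify one install: patched / vulnerable / not-affected / unsupported-branch."""
    adv = ADVISORIES[cve]
    inst = parse_version(installed)
    if adv.affected_from and inst < parse_version(adv.affected_from):
        return "not-affected"
    for fixed in adv.fixed:
        f = parse_version(fixed)
        if f[:2] == inst[:2]:
            return "patched" if inst >= f else "vulnerable"
    # No fixed release exists for this branch: as far as the advisory is
    # concerned it is end-of-life, so the only remediation is a branch upgrade.
    return "unsupported-branch"


# Constructed inventory: (host, cve, installed version)
SAMPLE_INVENTORY = [
    ("bastion-1", "CVE-2025-32463", "1.9.17"),
    ("build-2", "CVE-2025-32463", "1.9.17p1"),
    ("legacy-3", "CVE-2025-32463", "1.8.32"),
    ("app-4", "CVE-2025-24813", "9.0.98"),
    ("app-5", "CVE-2025-24813", "10.1.35"),
    ("app-6", "CVE-2025-24813", "8.5.100"),
    ("web-7", "CVE-2024-4577", "8.2.19"),
    ("front-8", "CVE-2025-55182", "19.2.0"),
]


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[tuple[str, str, str]]]:
    """Bucket hosts by status; 'vulnerable' and 'unsupported-branch' both need action tonight."""
    buckets: dict[str, list[tuple[str, str, str]]] = {}
    for host, cve, version in inventory:
        buckets.setdefault(status(cve, version), []).append((host, cve, version))
    return buckets


if __name__ == "__main__":
    for bucket, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket:20} {len(hosts)}")
        for host, cve, version in hosts:
            print(f"  {host:12} {cve:16} {version}")
```

Feed it your own (host, cve, version) rows from your CMDB export; the "unsupported-branch" bucket is the one people miss, because an EOL branch never shows up as "below the fixed version" in a plain comparison.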


What every defender should do tonight



Independent of the specific CVE list above, three actions apply to most environments:


1. Inventory your internet-exposed devices. Most of the actively-exploited CVEs in our index target equipment that should never have been internet-exposed in the first place: Hikvision and Dahua surveillance NVRs, Rockwell Automation Allen-Bradley PLCs, Unitronics PLCs, MOVEit Transfer servers, Citrix NetScaler appliances, and similar. Use Shodan, Censys, or your perimeter scanner to enumerate what your organization has on a public IP. The first action against most of these vulnerabilities is removing the device from direct internet exposure entirely. Patching is the second action.


2. Pull the CISA KEV catalog and bulk-prioritize. CISA publishes the KEV catalog as a single CSV at https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv and as a JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. Under BOD 22-01, federal agencies are required to remediate KEV entries by the due date specified per CVE. Your private organization is not legally bound by those deadlines, but they are the right operational target. If you are not currently tracking your CVE remediation status against KEV, that is the first dashboard to build.


3. Pull our STIX feed. The IOCs we just enriched are publicly available in our STIX 2.1 feed at https://analytics.dugganusa.com/api/v1/stix-feed. STIX is the standard format that SIEMs, EDR platforms, and threat-intel platforms ingest. Our feed currently has 275 organizational consumers in 46 countries. Microsoft and AT&T are top consumers. There is no per-seat pricing. If your security team consumes external threat intel and is not on our feed, that is a same-day fix.


What our customers can do specifically



If you are a current DugganUSA STIX feed consumer, the new cves_exploited and kev_listed fields are now filterable on the IOCs we publish. Your ingestion code can filter to KEV-only indicators with a single filter expression. Your alert rules can elevate priority when an indicator carries kev_listed: true.
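Both the KEV bulk-prioritization step above and the kev_listed filtering described here reduce to the same logic: index the catalog by CVE, keep the indicators whose CVEs appear in it, and rank them by due date. The script below is an added example, not the DugganUSA feed client and not CISA tooling. The KEV records are a constructed sample in the shape of CISA's JSON feed (its real field names; the dates and text are illustrative), the STIX bundle is constructed, and the property names x_cves_exploited and x_kev_listed are an assumption about how the feed's cves_exploited and kev_listed fields appear on a STIX 2.1 indicator, since custom properties there carry an x_ prefix. It deliberately does not trust the kev_listed flag by itself: an indicator is KEV-backed only when one of its CVEs is in the catalog you loaded, and a flagged indicator with no catalog hit is reported as a mismatch.

```python
"""KEV cross-reference for a STIX 2.1 indicator feed.

Added example; not the DugganUSA feed client or CISA tooling. KEV_JSON is a
constructed sample in the shape of CISA's JSON feed (real field names, with
illustrative dates and text). STIX_JSON is a constructed bundle; the
x_cves_exploited / x_kev_listed properties are an assumption about how the
post's cves_exploited / kev_listed fields appear on an indicator object.
"""
from __future__ import annotations

import json
from datetime import date

AS_OF = date(2026, 1, 15)  # fixed reference date so the demo output is reproducible

KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2024-4577", "vendorProject": "PHP Group", "product": "PHP",
         "vulnerabilityName": "PHP-CGI OS Command Injection Vulnerability",
         "dateAdded": "2024-06-12", "dueDate": "2024-07-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-32463", "vendorProject": "Sudo", "product": "Sudo",
         "vulnerabilityName": "Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability",
         "dateAdded": "2025-09-29", "dueDate": "2025-10-20",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def _indicator(n: int, pattern: str, **extra) -> dict:
    """Build a minimal STIX 2.1 indicator for the constructed bundle."""
    ts = "2026-01-10T00:00:00.000Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--0b4c7e1a-5d2f-4a9b-8c3e-{n:012d}",
            "created": ts, "modified": ts, "valid_from": ts,
            "pattern_type": "stix", "pattern": pattern, **extra}


STIX_JSON = json.dumps({
    "type": "bundle", "id": "bundle--0b4c7e1a-5d2f-4a9b-8c3e-000000000000",
    "objects": [
        _indicator(1, "[ipv4-addr:value = '203.0.113.10']",
                   x_cves_exploited=["CVE-2025-32463"], x_kev_listed=True),
        _indicator(2, "[url:value = 'http://198.51.100.7/cgi-bin/php-cgi']",
                   x_cves_exploited=["CVE-2024-4577"], x_kev_listed=True),
        # tagged to a CVE absent from this (partial) catalog -> not KEV-backed
        _indicator(3, "[domain-name:value = 'git.example.net']",
                   x_cves_exploited=["CVE-2025-8110"], x_kev_listed=False),
        # flag says KEV but no CVE to back it: surface as a feed mismatch
        _indicator(4, "[ipv4-addr:value = '192.0.2.44']",
                   x_cves_exploited=[], x_kev_listed=True),
        # plain indicator with no CVE enrichment at all: ignored by the filter
        _indicator(5, "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"),
    ],
})


def load_kev(text: str) -> dict[str, dict]:
    """Index the KEV feed by CVE ID (the feed is a list under 'vulnerabilities')."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def split_indicators(bundle_text: str, kev: dict[str, dict]) -> tuple[list[dict], list[dict]]:
    """Return (kev_backed, mismatched) indicators from a STIX bundle.

    KEV-backed means at least one CVE on the indicator is in the loaded
    catalog; the feed's own kev_listed flag is not trusted on its own. A
    flagged indicator with no catalog hit is returned separately so the
    disagreement is visible instead of silently inflating priorities.
    """
    backed, mismatched = [], []
    for obj in json.loads(bundle_text)["objects"]:
        if obj.get("type") != "indicator":
            continue
        hits = [c for c in obj.get("x_cves_exploited", []) if c in kev]
        if hits:
            backed.append({**obj, "kev_hits": hits})
        elif obj.get("x_kev_listed"):
            mismatched.append(obj)
    return backed, mismatched


def prioritize(backed: list[dict], kev: dict[str, dict], today: date) -> list[tuple[int, str, str]]:
    """Rank KEV-backed indicators as (days_past_due, cve, pattern), most overdue first.

    At equal age, CVEs with known ransomware use sort ahead. The federal due
    dates are not binding on private operators, but they are the target.
    """
    rows = []
    for ind in backed:
        for cve in ind["kev_hits"]:
            rec = kev[cve]
            overdue = (today - date.fromisoformat(rec["dueDate"])).days
            ransomware = rec.get("knownRansomwareCampaignUse") == "Known"
            rows.append((overdue, ransomware, cve, ind["pattern"]))
    rows.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [(overdue, cve, pattern) for overdue, _, cve, pattern in rows]


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    kev_backed, flagged = split_indicators(STIX_JSON, catalog)
    for days, cve, pattern in prioritize(kev_backed, catalog, AS_OF):
        print(f"{days:5d} days past due  {cve:16} {pattern}")
    for obj in flagged:
        print(f"mismatch: {obj['id']} flagged kev_listed but no CVE in catalog")
```

Swap KEV_JSON for the live feed and STIX_JSON for a bundle pulled from the feed URL above and the same three functions run unchanged; the mismatch list is your data-quality signal on the feed, the ranked list is what goes to the on-call queue.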


If you operate Hikvision NVRs, Dahua cameras, Rockwell PLCs, Citrix NetScaler, Ivanti VPN appliances, Fortinet FortiOS, MOVEit Transfer, Cisco IOS, Microsoft Exchange, or similar — the actively-exploited list is what needs your attention this week.


If you are not yet a customer: the data we used to write this post is in our public index. A search at https://analytics.dugganusa.com/api/v1/search/iocs?q=<CVE-ID> returns every IOC in our database tagged to that CVE. The search is rate-limited to 500 queries per day on the free tier, which is enough to validate everything in this post yourself.


Why we wrote this



The CVE attribution gap is the kind of data-quality problem that does not show up in a dashboard until you go look for it. Today, we ran a clinical sweep across our threat-intel platform to surface defects, and the CVE coverage gap was the largest one. Closing it took a single-pass enrichment script and under five minutes of compute, but the result is that 713 indicators in our index are now correctly flagged as tied to actively-exploited vulnerabilities, when this morning they were untagged.


Our position is that threat intelligence should be a public good for defenders, with the depth-of-attribution and cross-referencing that paid platforms charge five-figure sums for, available free at the API level. The enrichment that landed today is part of that bet. The customers who pay us are paying for the productized layers above the data — managed onboarding, alert tuning, custom feeds, the AI Presence Management product — not gatekeeping the data itself.


Verifying any claim in this post



Each CVE listed above has a corresponding query you can run. Examples:


  • https://analytics.dugganusa.com/api/v1/search/iocs?q=CVE-2021-36260 — returns every IOC in our index tied to the Hikvision RCE

  • https://analytics.dugganusa.com/api/v1/search/adversaries?q=CVE-2021-22681 — returns adversaries observed exploiting the Logix Controllers authentication bypass

  • https://analytics.dugganusa.com/api/v1/search?q=KEV-listed — surfaces records flagged as KEV-listed across all indexes


If a query returns zero results, our index does not have that data. If it returns hits, you can verify each one independently against the original source — every IOC has a source field that names where the indicator came from. We do not aggregate anonymously; the trail to primary attribution is preserved.


Patch tonight, not Monday



The advisory you ignored two months ago is the one being exploited tonight, and so is the one you ignored five years ago. CVE-2021-22681 — the Logix Controllers authentication bypass — is five years old and still working because a non-trivial number of utilities run their water plants on PLCs that have a public IP and a default login. CVE-2017-7921, the Hikvision authentication bypass, dates from 2017. Tonight is when those operators get their PLCs taken offline, not next quarter.


If you are a defender at a US critical-infrastructure operator and you patched a KEV entry between today and Monday because of this post, please tell us. We collect that telemetry as outcome data for future enrichment. The platform exists to help you, but we cannot measure success unless you tell us when something landed.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
