Not Simon 🐐

Software vendors make it extremely difficult (by design) to understand when a vulnerability affecting their product is either publicly known (proof of concept) or exploited in the wild (possibly as a zero-day). Everyone's language is different from each other. I have compiled a list of messages (sorted by vendor name) from official security advisories that either imply or explicitly state proof of concept or evidence of exploitation. I have included a link and date for reference, in case these vendors change their verbiage in the future.

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

A

Adobe:

• Proof of Concept: “Adobe is aware that CVE-2024-53961 has a known proof-of-concept...” Link (December 23, 2024)
• Exploited in the Wild:
  • “Adobe is aware that CVE-2023-29298 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.” Link (July 19, 2023)
  • “As of September 28, Adobe is aware of a report that CVE-2018-15961 is being actively exploited in the wild.” Link (September 28, 2018)
  • “Adobe is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.” (Link: June 26, 2024)

Apple:

• Exploited in the wild:
  • “Apple is aware of a report that this issue may have been exploited.” (Link: January 22, 2024)
  • “Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.” (Link: November 19, 2024)

Arm:

• Exploited in the Wild:
  • “Arm is aware of reports of this vulnerability being exploited in the wild.” (Link: June 07, 2024)
  • “There is evidence that this vulnerability may be under limited, targeted exploitation.” (Link: October 02, 2023)

Atlassian:

• Exploited in the Wild:
  • “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.” “UPDATE: We have evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515 and continue to work closely with our partners and customers to investigate.” (Link: October 05, 2023)
  • “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware.” (Link: November 06, 2023)
  • “Atlassian is aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server.” (Link: June 03, 2022)

B

Barracuda:

• Exploited in the Wild:
  • “Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances.” (Link: May 23, 2023)
  • “Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” (Link: May 30, 2023)
  • ”...including that exploitation occurred on a subset of compromised Barracuda Email Security Gateway (ESG) appliances by an aggressive and highly skilled actor conducting targeted activity...” (Link: June 15, 2023)

C

Check Point:

• Exploited in the Wild:
  • “Following our security update on May 27, 2024, Check Point's dedicated task force continues investigating attempts to gain unauthorized access to VPN products used by our customers. On May 28, 2024 we discovered a vulnerability in Security Gateways with IPsec VPN in Remote Access VPN community and the Mobile Access software blade (CVE-2024-24919). Exploiting this vulnerability can result in accessing sensitive information on the Security Gateway.” (Link: May 29, 2024)
  • “Yesterday (May 27, 2024) we delivered a solution that addresses attempts we saw on a small number of customers’ VPN remote access networks as referenced below. Today, we found the root cause for these and are now releasing a fix.” (Link: May 28, 2024)

Cisco:

• Proof of Concept: “The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.” (Link: September 04, 2024)
• Exploited in the Wild:
  • “Cisco is aware of active exploitation of these vulnerabilities.” (Link: October 16, 2023)
  • “The Cisco Product Security Incident Response Team (PSIRT) is aware of malicious use of the vulnerability that is described in this advisory.” (Link: October 23, 2024)
  • “In November 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild.” (Link: December 02, 2024)

Citrix:

• Exploited in the Wild:
  • “Exploits of these CVEs on unmitigated appliances have been observed.” (Link: January 16, 2024)
  • “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.” (Link: July 18, 2023)
  • “We are aware of a small number of targeted attacks in the wild using this vulnerability” (Link: June 07, 2023)

D

D-Link:

• Proof of Concept:
  • “0-day Vulnerability” (Link: September 06, 2022)
  • “On May 15th, 2024, a 3rd party security researcher, publically 0-day disclosed the D-Link Router DIR-X4860 (firmware ver. 1.04b03) with potential vulnerabilities.” (Link: May 16, 2024)

E

F

F5:

• Exploited in the Wild:
  • “F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748.” (Link: October 30, 2023)
  • “This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators.” (Link: October 30, 2023)

Fortinet:

• Exploited in the Wild:
  • “Reports have shown this vulnerability to be exploited in the wild.” (Link: November 27, 2024)
  • “Note: This is potentially being exploited in the wild.” (Link: February 08, 2024)
  • “A third-party report is indicating this may be exploited in the wild.” (Link: October 11, 2024)

G

Google (Android):

• Exploited in the Wild:
  • “Note: There are indications that the following may be under limited, targeted exploitation.” (Link: November 04, 2024)
  • “Note: There are indications that CVE-2024-36971 may be under limited, targeted exploitation.” (Link: August 05, 2024)

Google (Chrome):

• Exploited in the Wild:
  • “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.” (Link: January 16, 2024)
  • “Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release.” (Link: August 26, 2024)

H

I

Ivanti:

• Proof of Concept: “However, a Proof of Concept is publicly available...” (Link: August 12, 2024)
• Exploited in the Wild:
  • ”...at time of disclosure we were aware of a limited number of customers impacted by CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.” “We are aware of less than 20 customers impacted by the vulnerabilities prior to public disclosure.” (Link: January 10, 2024)
  • “We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963” (Link: October 08, 2024)

J

JetBrains:

• Exploited in the Wild:
  • “On October 17, 2023, the Microsoft Threat Intelligence Center team reached out to JetBrains to inform us they have observed multiple North Korean nation-state threat actors actively exploiting the CVE-2023-42793 vulnerability since early October 2023.” (Link: October 18, 2023)
  • “On December 13, 2023 the Cybersecurity & Infrastructure Security Agency of the U.S. Department of Homeland Security (CISA) released a public advisory, in which they shared new ways in which this vulnerability (CVE-2023-42793) has been exploited by Russian nation-state threat actors as of September 2023.” (Link: December 14, 2023)
  • “Customer A ... Believed they were impacted by the CVE-2024-27198 vulnerability.” “They noticed several unauthorized admin accounts created on the server.” “Their TeamCity environment had been compromised through the recent vulnerabilities.” “Several unknown user accounts had been created on their TeamCity server.” (Link: March 11, 2024)

Juniper:

• Proof of Concept: “However, a proof-of-concept exploit does exist in the wild.” (Link: June 28, 2021)
• Exploited in the Wild: “Juniper SIRT is aware of successful malicious exploitation of these vulnerabilities.” (Link: November 08, 2023)

K

L

M

Microsoft:

• Proof of Concept: “Publicly disclosed: Yes” (Link: December 10, 2024)
• Exploited in the Wild: “Exploited: Yes” ; “Exploitability assessment: Exploitation Detected” (Link: December 10, 2024)

Mozilla Foundation:

• Exploited in the Wild:
  • “We have had reports of this vulnerability being exploited in the wild.” (Link: October 09, 2024)
  • “An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.” (Link: November 30, 2016)

N

O

Oracle:

• Exploited in the Wild: “It was reported as being actively exploited “in the wild” by CrowdStrike.” (Link: November 18, 2024)

P

Palo Alto Networks:

• Proof of Concept:
  • “We are aware of a publicly available conference talk and blog posts discussing this issue. A proof of concept for this issue is also publicly available.” (Link: November 25, 2024)
  • “However, a proof of concept for this issue is publicly available.” (Link: October 09, 2024)
  • “Proof of concepts for this vulnerability have been publicly disclosed by third parties.” (Link: April 29, 2024)
• Exploited in the Wild:
  • “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability.” (Link: November 18, 2024)
  • “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability.” (Link: April 29, 2024)
  • “Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks.” (Link: August 10, 2022)

PaperCut:

• Exploited in the Wild: “We have evidence to suggest that unpatched servers are being exploited in the wild.” “PaperCut received our first report from a customer of suspicious activity on their PaperCut server on the 18th April at 03:30 AEST / 17th April 17:30 UTC.” (Link: April 18, 2023)

Progress Software (MOVEit):

• Exploited in the Wild: “NOTE: this is exploited in the wild in May and June 2023” (Link: June 16, 2023)

Q

Qlik:

• Exploited in the Wild: “Qlik has received reports that this vulnerability may be being used by malicious actors.” (Link: May 15, 2024)

QNAP:

• Exploited in the Wild: “QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with internet exposure.” (Link: September 03, 2022)

Qualcomm:

• Exploited in the Wild: “There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation.” (Link: October 07, 2024)

R

S

SolarWinds:

• Exploited in the Wild: “This is being exploited in the wild.” (Link: June 06, 2024)

SonicWall:

• Proof of Concept: “SonicWall PSIRT is aware that a proof of concept (PoC) exploit for this vulnerabilities is publicly available” (Link: September 27, 2024)
• Exploited in the Wild: “This vulnerability is potentially being exploited in the wild.” (Link: September 06, 2024)

Sophos:

• Exploited in the Wild:
  • “Sophos has observed this vulnerability being used in the wild.” (Link: October 20, 2022)
  • “In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall.” (Link: December 11, 2023)

SysAid:

• Exploited in the Wild: “The investigation determined that there was a zero-day vulnerability in the SysAid on-premises software.”“The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest), as identified by the Microsoft Threat Intelligence team.” (Link: November 08, 2023)

T

TP-Link:

• Exploited in the Wild: “TP-Link is aware of reports that the Remote Code Execution (REC) vulnerability detailed in CVE-2023-1389 in AX21 has been added to the Mirai botnet Arsenal.” (Link: April 27, 2023)

Trend Micro:

• Exploited in the Wild: “ITW Alert: Trend Micro has observed at least one active attempt of potential exploitation of this vulnerability in the wild.” (Link: September 13, 2022)

U

V

Veritas:

• Exploited in the Wild: “March 2023: A known exploit is available in the wild for the vulnerabilities below and could be used as part of a ransomware attack.” (Link: March ?? 2023)

Versa:

• Proof of Concept: “A proof of concept exists in the lab environment.” (Link: September 20, 2024)
• Exploited in the Wild: “This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor.” (Link: August 26, 2024)

VMware (Broadcom):

• Proof of Concept: “VMware has confirmed that exploit code leveraging CVE-2021-39144 against impacted products has been published.” (Link: October 27, 2022)
• Exploited in the Wild:
  • “VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812.” (Link: November 18, 2024) (Link: August 26, 2024)
  • “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.” (Link: June 20, 2023)

W

X

Y

Z

Zimbra:

• Exploited in the Wild: “Important: This vulnerability has been actively exploited, making it imperative to take immediate action.” (Link: July 13, 2023)

Zoho (ManageEngine):

• Proof of Concept: “The exploit POC for the above vulnerability is available in public.” (Link: July 19, 2022)

Zyxel:

• Exploited in the Wild: “Zyxel is aware of recent attempts by threat actors to target Zyxel firewalls through previously disclosed vulnerabilities” (Link: November 27, 2024)