--- title: Findings --- Findings are groups of significant exposures with the same root cause. **30** findings from **201** queries. | Finding | Risk | Queries | Finding Code | |---------|------|---------|--------------| | Best Practice | Low | 1 | `rz-finding-best-practice` | | Best Practice Admin Interface | Info | 0 | `rz-finding-best-practice-admin-interface` | | Best Practice Insecure Authentication | Low | 1 | `rz-finding-best-practice-insecure-authentication` | | Best Practice Obsolete Protocol | Info | 2 | `rz-finding-best-practice-obsolete-protocol` | | Best Practice Service Misconfiguration | Low | 3 | `rz-finding-best-practice-service-misconfiguration` | | Certificates Expiration | Info | 2 | `rz-finding-certificates-expiration` | | Certificates IOASM Private Key Shared | Medium | 1 | `rz-finding-certificates-ioasm-private-key-shared` | | Compliance CISA BOD 26 02 | Critical | 1 | `rz-finding-compliance-cisa-bod-26-02` | | Compliance NDAA Section 889 | Info | 1 | `rz-finding-compliance-ndaa-section-889` | | Compliance Prohibited Software | Info | 2 | `rz-finding-compliance-prohibited-software` | | Compliance Secure Networks Act Section 2 | Info | 1 | `rz-finding-compliance-secure-networks-act-section-2` | | EOL Asset | Critical | 9 | `rz-finding-eol-asset` | | EOL OS | High | 1 | `rz-finding-eol-os` | | Internet Exposed Database | High | 4 | `rz-finding-internet-exposed-database` | | Internet Exposed IOASM Public Internal Asset | Medium | 10 | `rz-finding-internet-exposed-ioasm-public-internal-asset` | | Internet Exposed OT | Low | 1 | `rz-finding-internet-exposed-ot` | | Internet Exposed Service | Medium | 5 | `rz-finding-internet-exposed-service` | | Open Access Default Credentials | Info | 0 | `rz-finding-open-access-default-credentials` | | Open Access Unauth Admin Service | Critical | 6 | `rz-finding-open-access-unauth-admin-service` | | Open Access Unauth Database | Critical | 12 | `rz-finding-open-access-unauth-database` | | Open Access Unauth Files | Medium | 1 | `rz-finding-open-access-unauth-files` | | Rapid Response Assets | Info | 1 | `rz-finding-rapid-response-assets` | | Rapid Response Services | Critical | 5 | `rz-finding-rapid-response-services` | | TLS Risk | Low | 5 | `rz-finding-tls-risk` | | Vulnerability Auth Bypass | Critical | 16 | `rz-finding-vulnerability-auth-bypass` | | Vulnerability DoS | High | 8 | `rz-finding-vulnerability-dos` | | Vulnerability Info Disclosure | Critical | 7 | `rz-finding-vulnerability-info-disclosure` | | Vulnerability KEV | Info | 0 | `rz-finding-vulnerability-kev` | | Vulnerability Privilege Escalation | Critical | 8 | `rz-finding-vulnerability-privilege-escalation` | | Vulnerability RCE | Critical | 87 | `rz-finding-vulnerability-rce` | ### Best Practice Finding code: `rz-finding-best-practice` | Query | Risk | Query String | |-------|------|--------------| | HTTP Directory Indexing Enabled | Low | `_asset.protocol:=http AND protocol:=http AND has:html.title AND (html.title:="Index of /%" OR html.title:="HFS /%" OR html.title:="Directory listing%")` | ### Best Practice Insecure Authentication Finding code: `rz-finding-best-practice-insecure-authentication` | Query | Risk | Query String | |-------|------|--------------| | Authenticated Web Service Without Encryption | Low | `(_asset.protocol:http AND not _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )` | ### Best Practice Obsolete Protocol Finding code: `rz-finding-best-practice-obsolete-protocol` | Query | Risk | Query String | |-------|------|--------------| | Obsolete SSL Protocol | Info | `(_asset.protocol:=tls OR _asset.protocol:=ssl2) AND (protocol:="tls" OR protocol:="ssl2") AND tls.supportedVersionNames:"SSL"` | | SMB Version 1 Enabled | Info | `_asset.protocol:=smb1 protocol:=smb1` | ### Best Practice Service Misconfiguration Finding code: `rz-finding-best-practice-service-misconfiguration` | Query | Risk | Query String | |-------|------|--------------| | SNMP Default Community | Low | `_asset.protocol:snmp AND protocol:snmp AND has:snmp.defaultCommunities` | | Network Time Protocol Service With Skewed Clock | Info | `_asset.protocol:ntp and protocol:ntp and has:ntp.skew` | | SMB Signing Not Required | Info | `(_asset.protocol:=smb1 OR _asset.protocol:=smb2 OR _asset.protocol:=smb3) AND (protocol:=smb1 OR protocol:=smb2 OR protocol:=smb3) AND has:smb.signing AND NOT smb.signing:required` | ### Certificates Expiration Finding code: `rz-finding-certificates-expiration` | Query | Risk | Query String | |-------|------|--------------| | Certificate On TLS Service Expires Soon | Info | `_asset.protocol:tls AND tls.notAfterTS:<6weeks AND tls.notAfterTS:>now` | | Expired Certificate On TLS Service | Info | `_asset.protocol:tls AND tls.notAfterTS:0 AND os_eol_extended:<=now) AND has_public:t AND NOT (type:Server OR type:Desktop OR type:Laptop)` | ### Compliance NDAA Section 889 Finding code: `rz-finding-compliance-ndaa-section-889` | Query | Risk | Query String | |-------|------|--------------| | NDAA 2019 Section 889 Equipment | Info | `((mac_vendor:="zte corporation" OR mac_vendor:huawei OR mac_vendor:CRRC OR mac_vendor:dahua OR mac_vendor:hikvision OR mac_vendor:hisilicon OR mac_vendor:panda OR mac_vendor:dawning OR mac_vendor:hangzhou OR mac_vendor:hytera OR mac_vendor:inspur OR mac_vendor:"Aero Engine Corporation of China" OR mac_vendor:"Aviation Industry Corporation of China" OR mac_vendor:"China Aerospace" OR mac_vendor:"China Electronics" OR mac_vendor:"China General Nuclear Power" OR mac_vendor:"China Mobile" OR mac_vendor:"China National Nuclear Power" OR mac_vendor:"China North Industries Group" OR mac_vendor:"China Railway" OR mac_vendor:"China Shipbuilding" OR mac_vendor:"China South Industries Group" OR mac_vendor:"China State Shipbuilding" OR mac_vendor:"China Telecommunications" OR mac_vendor:ztec OR mac_vendor:ztek OR mac_vendor:"z-tec" OR mac_vendor:5shanghai OR mac_vendor:"Hella Sonnen" OR mac_vendor:anhui OR mac_vendor:"technology sdn bhd" OR mac_vendor:azteq) OR (hw:="ZTE%" OR hw:huawei OR hw:CRRC OR hw:dahua OR hw:hikvision OR hw:hisilicon OR hw:panda OR hw:dawning OR hw:hangzhou OR hw:hytera OR hw:inspur OR hw:"Aero Engine Corporation of China" OR hw:"Aviation Industry Corporation of China" OR hw:"China Aerospace" OR hw:"China Electronics" OR hw:"China General Nuclear Power" OR hw:"China Mobile" OR hw:"China National Nuclear Power" OR hw:"China North Industries Group" OR hw:"China Railway" OR hw:"China Shipbuilding" OR hw:"China South Industries Group" OR hw:"China State Shipbuilding" OR hw:"China Telecommunications" OR hw:ztec OR hw:ztek OR hw:"z-tec" OR hw:5shanghai OR hw:"Hella Sonnen" OR hw:anhui OR hw:"technology sdn bhd" OR hw:azteq))` | ### Compliance Prohibited Software Finding code: `rz-finding-compliance-prohibited-software` | Query | Risk | Query String | |-------|------|--------------| | Kaspersky Lab Security Software | Info | `edr.name:Kaspersky` | | Kaspersky Lab Software | Info | `vendor:=Kaspersky` | ### Compliance Secure Networks Act Section 2 Finding code: `rz-finding-compliance-secure-networks-act-section-2` | Query | Risk | Query String | |-------|------|--------------| | Secure Networks Act Section 2 Equipment | Info | `(hw:huawei OR hw:="zte%" OR hw:hytera OR hw:hikvision OR hw:dahua OR hw:"china mobile" OR hw:"china telecom" OR hw:"china unicom" OR hw:"pacific networks corp" OR hw:"comnet (usa) llc" OR hw:zhejiang) OR (mac_vendor:huawei OR mac_vendor:="zte%" OR mac_vendor:hytera OR mac_vendor:hikvision OR mac_vendor:dahua OR mac_vendor:"china mobile" OR mac_vendor:"china telecom" OR mac_vendor:"china unicom" OR mac_vendor:"pacific networks corp" OR mac_vendor:"comnet (usa) llc" OR mac_vendor:"zhejiang")` | ### EOL Asset Finding code: `rz-finding-eol-asset` | Query | Risk | Query String | |-------|------|--------------| | Sangoma FreePBX | Critical | `((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND ((version:>="2.0.0(%)" AND version:<"3.0.0(%)") OR (version:>="12.0.0(%)" AND version:<"15.0.0(%)"))` | | Accellion File Transfer Appliance | High | `hw:"Accellion File Transfer Appliance"` | | AutomationDirect MB-GATEWAY | High | `hw:="AutomationDirect Modbus Gateway" OR hw:="Automation Direct Modbus Gateway"` | | Cisco Small Business Routers | High | `hw:"Cisco RV0" OR hw:"Cisco RV110W" OR hw:"Cisco RV130" OR hw:"Cisco RV132W" OR hw:"Cisco RV134W" OR hw:"Cisco RV160" OR hw:"Cisco RV215" OR hw:"Cisco RV260" OR hw:"Cisco RV320" OR hw:"Cisco RV325" OR hw:"Cisco RV340" OR hw:"Cisco RV345" ` | | Cisco Small Business Switches | High | `hw:"Cisco" and type:"switch" and ( hw:"SRW224G4-K9-" OR hw:"SRW2016-K9-" OR hw:"SG500X-" OR hw:"SF300-" OR hw:"SRW208G-K9-" OR hw:"SG300-" OR hw:"SRW2048-K9-" OR hw:"SLM2048PT-" OR hw:"SRW208-K9-" OR hw:"SF302-" OR hw:"SLM2008PT-" OR hw:"SLM224PT-" OR hw:"SF500-" OR hw:"SLM2008T-" OR hw:"SG500-" OR hw:"SG200-" OR hw:"SF200-" OR hw:"SLM224GT-" OR hw:"SLM2016T-")` | | D-Link DNS Family NAS | Info | `fp.hw.product:="DNS-320L" OR fp.hw.product:="DNS-325" OR fp.hw.product:="DNS-327L" OR fp.hw.product:="DNS-340L"` | | Edimax IC-7100 IP Camera | Info | `hw:"EDIMAX IC-71%Camera"` | | PowerDNS Recursor | Info | `vendor:=PowerDNS AND product:=Recursor AND (version:>0 AND version:>=2 AND version:<5.1)` | | Zyxel CPE Remote Command Execution | Info | `hw:"VMG1312-B10A" OR hw:"VMG1312-B10B" OR hw:"VMG1312-B10E" OR hw:"VMG3312-B10A" OR hw:"VMG3313-B10A" OR hw:"VMG3926-B10B" OR hw:"VMG4325-B10A" OR hw:"VMG4380-B10A" OR hw:"VMG8324-B10A" OR hw:"VMG8924-B10A" OR hw:"SBG3300" OR hw:"SBG3500"` | ### EOL OS Finding code: `rz-finding-eol-os` | Query | Risk | Query String | |-------|------|--------------| | End-of-Life Operating System | High | `(os_eol_extended:>0 AND os_eol_extended:=16.0.4107.1002 AND version:<16.0.5535.1001)) OR (product:="SharePoint Server 2019" AND (version:>=16.0.10711.37301 AND version:<16.0.10417.20083)) OR (product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19127.20442)) )` | | Rapid Response: Cisco Integrated Management Controller Multiple Vulnerabilities (2026-04) | Info | `vendor:=Cisco AND product:="Integrated Management Controller"` | | Rapid Response: Cisco Smart Software Manager On-Prem Multiple Vulnerabilities (2026-04) | Info | `_asset.protocol:http AND protocol:http AND html.title:="On-Prem License Workspace"` | | Rapid Response: Fortinet FortiClient Endpoint Management Server API Auth Bypass (CVE-2026-35616) | Info | `_asset.protocol:http AND protocol:http AND favicon.ico.image.mmh3:=-800551065` | | Rapid Response: Progress ShareFile Storage Zones Controller Multiple Vulnerabilities (2026-04) | Info | `(vendor:="Progress Software" OR vendor:=Citrix OR vendor:=ShareFile) AND (product:="ShareFile Storage Zones Controller" OR product:="ShareFile StorageZones Controller")` | ### TLS Risk Finding code: `rz-finding-tls-risk` | Query | Risk | Query String | |-------|------|--------------| | Certificate With Insecure Public Key | Low | `public_key_insecure:true` | | Certificate With Insecure Signature Algorithm | Low | `signature_algorithm_insecure:true is_ca:false` | | Services Supporting TLS 1.0 | Low | `_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.0` | | Services Supporting TLS 1.1 | Low | `_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.1` | | Services Without HSTS | Low | `_asset.protocol:=tls AND protocol:=http protocol:=tls NOT has:http.head.strictTransportSecurity` | ### Vulnerability Auth Bypass Finding code: `rz-finding-vulnerability-auth-bypass` | Query | Risk | Query String | |-------|------|--------------| | Atlassian Confluence Cross-Site Scripting (CVE-2024-4367) | Critical | `vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<7.19.25) OR (version:>=7.20.0 AND version:<8.5.11) OR (version:>=8.6.0 AND version:<8.9.3)) ` | | Atlassian Confluence Server-Side Request Forgery (CVE-2019-3395) | Critical | `vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.6.7) OR (version:>=6.7.0 AND version:<6.8.5) OR (version:>=6.9.0 AND version:<6.9.3))` | | HPE iLO 4 Authentication Bypass | Critical | `os:"iLO 4" and os_version:>0 AND os_version:<2.53` | | IPMI 1.5 Legacy Null Authentication | Critical | `_asset.protocols:ipmi AND ipmi.passAuth:none` | | IPMI Cipher Zero Authentication Bypass (CVE-2013-4782) | Critical | `_asset.protocols:ipmi AND has:ipmi.cipherZero` | | IPMI RAKP+ Weak Or Default Passwords (CVE-2013-4786) | Critical | `_asset.protocols:ipmi AND has:ipmi.rakp.cracked` | | Microsoft OMI WSMAN Authentication Bypass | Critical | `_asset.protocol:wsman AND wsman.productVendor:="Open Management Infrastructure" AND (wsman.productVersion:=0.% or wsman.productVersion:=1.0.% or wsman.productVersion:=1.1.% or wsman.productVersion:1.2.% or wsman.productVersion:=1.3.% or wsman.productVersion:=1.4.% or wsman.productVersion:=1.5.% or wsman.productVersion:=1.6.0-% or wsman.productVersion:=1.6.1-% or wsman.productVersion:=1.6.2-% or wsman.productVersion:=1.6.3-% or wsman.productVersion:=1.6.4-% or wsman.productVersion:=1.6.5-% or wsman.productVersion:=1.6.6-% or wsman.productVersion:=1.6.7-% or wsman.productVersion:=1.6.8-0)` | | Palo Alto Networks PAN-OS Authentication Bypass | Critical | `os:="Palo Alto Networks PAN-OS" AND (osversion:>"11.1.6-h1" AND osversion:<11.2.4-h4) AND (osversion:>"10.2.13-h3" AND osversion:<11.1.6-h1) AND (osversion:>"10.1.14-h9" AND osversion:<"10.2.13-h3") AND (osversion:>"10.1.0" AND osversion:<"10.1.14-h9")` | | SonicWall SSLVPN Authentication Bypass (CVE-2024-53704) | Critical | `os:SonicOS AND ( (osversion:>"6.0" AND osversion:<"6.5.5.1-6n") OR (osversion:>"7.0" AND osversion:<"7.0.1-5165") OR (osversion:>"7.1" AND osversion:<"7.1.3-7015") OR (hw:TZ80 AND osversion:>"8.0" AND osversion:<"8.0.0-8037"))` | | SonicWall SonicOS Improper Access Control Vulnerability (CVE-2024-40766) | Critical | `hw:="SonicWall%" AND ((os_version:>0 AND os_version:<"5.9.2.14-13o") OR (os_version:>"6.0" AND os_version:<"6.5.4.15.116n") OR (os_version:>"7.0" AND os_version:<"7.0.1-5035") OR (os_version:>"6.0" AND os_version:<"6.5.2.8-2n" AND (hw:"SM9800" OR hw:"NSsp 12400" OR hw:"NSsp 12800")))` | | Multiple Fortinet Products Authentication Bypass (CVE-2025-59718 and CVE-2025-59719) | High | `os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17"))` | | PowerDNS Recursor Multiple Vulnerabilities (2025-10) | High | `vendor:=PowerDNS AND product:=Recursor AND (version:>0 AND ( (version:>=5.1 AND version:<5.1.8) OR (version:>=5.2 AND version:<5.2.6) OR (version:>=5.3 AND version:<5.3.1)))` | | Juniper Junos OS EX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36847) | Medium | `hw:="Juniper EX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S4") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S1") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))` | | Juniper Junos OS SRX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36846) | Medium | `hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1R1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S5") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S2") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))` | | Juniper Junos OS SRX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36851) | Medium | `hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>="21.2" AND os_version:<"21.2R3-S8") OR (os_version:>="21.4" AND os_version:<"21.4R3-S6") OR (os_version:>="22.1" AND os_version:<"22.1R3-S5") OR (os_version:>="22.2" AND os_version:<"22.2R3-S3") OR (os_version:>="22.3" AND os_version:<"22.3R3-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S2") OR (os_version:>="23.2" AND os_version:<"23.2R1-S2"))` | | Microsoft SharePoint Improper Authentication Vulnerability (CVE-2025-49705) | Medium | `vendor:=Microsoft AND product:="SharePoint Server%" AND ((version:>=16.0.4366.1000 AND version:<16.0.5508.1000) OR (version:>=16.0.10338.12107 AND version:<16.0.10417.20059) OR (version:>=16.0.14326.20620 AND version:<16.0.18526.20424))` | ### Vulnerability DoS Finding code: `rz-finding-vulnerability-dos` | Query | Risk | Query String | |-------|------|--------------| | Apache Tomcat 10.1.0-M1 < 10.1.43 Multiple Vulnerabilities | High | `product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.43)` | | Apache Tomcat 10.1.0-M1 < 10.1.44 HTTP/2 MadeYouReset DoS | High | `product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.44)` | | Apache Tomcat 11.0.0-M1 < 11.0.10 Multiple Vulnerabilities | High | `product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.10)` | | Apache Tomcat 11.0.0-M1 < 11.0.9 Multiple Vulnerabilities | High | `product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.9)` | | Apache Tomcat 9.0.0-M1 < 9.0.107 Multiple Vulnerabilities | High | `product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.107)` | | Apache Tomcat 9.0.0-M1 < 9.0.108 HTTP/2 MadeYouReset DoS | High | `product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.108)` | | Eclipse Jetty 12.0 < 12.0.25 HTTP/2 MadeYouReset DoS | High | `(vendor:=Eclipse OR vendor:="Mort Bay") AND product:Jetty AND (version:>12 AND version:<12.0.25)` | | OpenSSH 9.1p1 Double-Free | Medium | `_asset.protocol:=ssh AND protocol:=ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")` | ### Vulnerability Info Disclosure Finding code: `rz-finding-vulnerability-info-disclosure` | Query | Risk | Query String | |-------|------|--------------| | Apache 2.4.49 < 2.4.51 Information Disclosure | Critical | `_asset.protocol:=http product:HTTPD AND version:>=2.4.49 AND version:<2.4.51` | | Atlassian Confluence Path Traversal (CVE-2019-3396) | Critical | `vendor:=Atlassian AND product:Confluence AND NOT type:=Mobile AND ( (version:>0 AND version:<6.6.12) OR (version:>=6.7.0 AND version:<6.12.3) OR (version:>=6.13.0 AND version:<6.13.3) OR (version:>=6.14.0 AND version:<6.14.2))` | | Zyxel Multiple Firewalls Path Traversal Vulnerability (CVE-2024-11667) | Critical | `(os:="Zyxel ATP%" AND (os_version:>="5.00" AND os_version:<"5.39")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex%" AND (os_version:>="5.00" AND os_version:<"5.39"))` | | IPMI RAKP+ Password Hash Disclosure (CVE-2013-4786) | High | `_asset.protocols:ipmi AND has:ipmi.rakp.hashes` | | Cisco IOS XR Open Port Vulnerability (CVE-2022-20821) | Medium | `((hw:="Cisco NCS%" OR hw:="Cisco 8201" OR hw:="Cisco 8202" OR hw:="Cisco 8208" OR hw:="Cisco 8212" OR hw:="Cisco 8218") AND tcp_port:=6379)` | | MongoDB Pre-Authentication Memory Leak (CVE-2025-14847) | Medium | `(vendor:=MongoDB AND (product:=MongoDB OR product:="MongoDB MongoDB")) AND (version:>0 AND ( (version:>=3.6.0 AND version:<3.7) OR (version:>=4.0.0 AND version:<4.1) OR (version:>=4.2.0 AND version:<4.3) OR (version:>=4.4.0 AND version:<4.4.30) OR (version:>=5.0.0 AND version:<5.0.32) OR (version:>=6.0.0 AND version:<6.0.27) OR (version:>=7.0.0 AND version:<7.0.28) OR (version:>=8.0.0 AND version:<8.0.17) OR (version:>=8.2.0 AND version:<8.2.3)))` | | Squid Information Disclosure (CVE-2025-62168) | Medium | `vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<7.2)` | ### Vulnerability Privilege Escalation Finding code: `rz-finding-vulnerability-privilege-escalation` | Query | Risk | Query String | |-------|------|--------------| | Adobe Commerce & Magento Session Takeover With Unconfirmed RCE (CVE-2025-54236) | Critical | `vendor:=Adobe AND product:=Magento AND (version:>0 AND version:<="2.4.9-alpha2")` | | Atlassian Confluence Privilege Escalation (CVE-2023-22515) | Critical | `vendor:=Atlassian AND product:Confluence AND ( (version:>=8.0 AND version:<8.3.3) OR (version:>=8.4.0 AND version:<8.4.3) OR (version:>=8.5.0 AND version:<8.5.2))` | | Broadcom VMware ESXi Guest Escape | Critical | `os:"vmware esxi" AND ((os_version:>0 AND os_version:<6) OR (os_version:>6 AND os_version:<"6.7.0 build-24514018") OR (os_version:>7 AND os_version:<"7.0.3 build-24585291") OR (os_version:>8 AND os_version:<"8.0.2") OR (os_version:>"8.0.2" AND os_version:<"8.0.2 build-24585300") OR (os_version:>"8.0.3" AND os_version:<"8.0.3 build-24585383"))` | | Cisco Small Business RV Series Routers Stack-Based Buffer Overflow Vulnerability (CVE-2022-20700) | Critical | `((hw:="Cisco RV160%" OR hw:="Cisco RV260%") AND (os_version:>0 AND os_version:<="1.0.01.05")) OR ((hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24"))` | | UniFi Network Application Multiple Vulnerabilities (2026-03) | Critical | `vendor:=Ubiquiti AND product:="UniFi Network" AND version:>0 AND (version:<9.0.118 OR (version:>=10.1.0 AND version:<10.1.89) OR (version:>=10.2.0 AND version:<10.2.97))` | | ISC BIND Multiple Vulnerabilities (2025-10) | High | `vendor:=ISC AND product:=BIND AND (version:>0 AND ( (version:>=9 AND version:<9.11.0) OR (version:>=9.11.0 AND version:<=9.16.50) OR (version:>=9.18.0 AND version:<=9.18.39) OR (version:>=9.20.0 AND version:<=9.20.13) OR (version:>=9.21.0 AND version:<=9.21.12) OR (version:>="9.11.3-S1" AND version:<="9.16.50-S1") OR (version:>="9.18.11-S1" AND version:<="9.18.39-S1") OR (version:>="9.20.9-S1" AND version:<="9.20.13-S1")))` | | GitLab SAML Authentication Bypass | Medium | `vendor:=GitLab AND product:gitlab AND ((version:>17.9 AND version:<17.9.2) OR (version:>17.8 AND version:<17.8.5) OR (version:>17.7 AND version:<17.7.7))` | | Plex Media Server 1.41.7.X To 1.42.0.X < 1.42.1 Undisclosed Vulnerability (CVE-2025-34158) | Medium | `vendor:=Plex AND product:"Media Server" AND (version:>0 AND version:<"1.42.1")` | ### Vulnerability RCE Finding code: `rz-finding-vulnerability-rce` | Query | Risk | Query String | |-------|------|--------------| | AirPlay Protocol Remote Code Execution (AirBorne) | Critical | `hw:="apple%" AND protocol:airplay AND ( (os:="apple macos" AND ((osversion:>"13.0" AND osversion:<"13.7.5") OR (osversion:>"14.0" AND osversion:<"14.7.5") OR (osversion:>"15.0" AND osversion:<"15.4"))) OR (os:="apple ipados" AND ((osversion:>"17.0" AND osversion:<"17.7.6") OR (osversion:>"18.0" AND osversion:<"18.4"))) OR ((os:="apple tvos" OR os:="apple audioos") AND osversion:>0 AND osversion:<"18.4") OR (os:="apple ios" AND osversion:>0 AND osversion:<"18.4") OR (os:="apple visionos" AND osversion:>0 AND osversion:<"2.4") )` | | Apache ActiveMQ Remote Code Execution (CVE-2023-46604) | Critical | `_asset.protocol:=activemq AND product:ActiveMQ AND ((version:>0 AND version:<5.15.16) OR (version:>=5.16.0 AND version:<5.16.7) OR (version:>=5.17.0 AND version:<5.17.6) OR (version:>=5.18.0 AND version:<5.18.3))` | | Apache Solr Log4Shell Remote Code Execution | Critical | `vendor:=Apache AND product:Solr AND ((version:>=7.4.0 AND version:<7.7.3) OR (version:>=8.0.0 AND version:<8.11.0))` | | Apache Tomcat 10.1.0-M1 < 10.1.34 Multiple Vulnerabilities | Critical | `product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.34)` | | Apache Tomcat 11.0.0-M1 < 11.0.2 Multiple Vulnerabilities | Critical | `product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.2)` | | Apache Tomcat 9.0.0-M1 < 9.0.98 Multiple Vulnerabilities | Critical | `product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.98)` | | Apple tvOS < 16.2 Multiple Vulnerabilities | Critical | `os:"Apple tvOS" AND osversion:>0 AND osversion:<16.2` | | Apple tvOS < 18.6 Multiple Vulnerabilities | Critical | `os:"Apple tvOS" AND osversion:>0 AND osversion:<18.6` | | Apple tvOS < 26 Multiple Vulnerabilities | Critical | `os:"Apple tvOS" AND osversion:>0 AND osversion:<26` | | Atlassian Confluence 8.0 < 8.5.4 Remote Code Execution | Critical | `vendor:=Atlassian AND product:Confluence AND (version:>=8.0 AND version:<8.5.4)` | | Atlassian Confluence Remote Code Execution (CVE-2021-26084) | Critical | `vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.13.23) OR (version:>=6.14.0 AND version:<7.4.11) OR (version:>=7.5.0 AND version:<7.11.6) OR (version:>=7.12.0 AND version:<7.12.5)) ` | | Atlassian Confluence Remote Code Execution (CVE-2022-26134) | Critical | `vendor:=Atlassian AND product:Confluence AND ( (version:>=1.3.0 AND version:<7.4.17) OR (version:>=7.13.0 AND version:<7.13.7) OR (version:>=7.14.0 AND version:<7.14.3) OR (version:>=7.15.0 AND version:<7.15.2) OR (version:>=7.16.0 AND version:<7.16.4) OR (version:>=7.17.0 AND version:<7.17.4) OR (version:>=7.18.0 AND version:<7.18.1) OR )` | | Broadcom VMware ESXi VM Escape | Critical | `os:"vmware esxi" AND ((os_version:>7 AND os_version:<"7.0.3 build-24784741") OR (os_version:>8 AND (os_version:<"8.0.2 build-24789317" OR os_version:<"8.0.3 build-24784735")))` | | Cacti < 1.2.23 Remote Code Execution | Critical | `_asset.products:Cacti AND vendor:=Cacti AND product:Cacti AND (version:>0 AND version:<1.2.23)` | | Cisco Secure Firewall Management Center Multiple Vulnerabilities (2026-03) | Critical | `os:="Cisco FMC%" AND os_version:>0 AND ((os_version:>="6.4.0.13" AND os_version:<="6.4.0.18") OR (os_version:>="7.0.0" AND os_version:<"7.0.9") OR (os_version:>="7.1.0" AND os_version:<"7.2.11") OR (os_version:>="7.3.0" AND os_version:<"7.4.6") OR (os_version:>="7.6.0" AND os_version:<"7.6.5") OR (os_version:>="7.7.0" AND os_version:<"7.7.12") OR (os_version:="10.0.0"))` | | Cisco Small Business RV Series VPN Routers Remote Code Execution Vulnerability (CVE-2022-20699) | Critical | `(hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24")` | | Cleo Harmony < 5.8.0.21 Unrestricted File Upload/Download | Critical | `vendor:=Cleo AND product:harmony AND (version:>0 AND version:<5.8.0.21)` | | Cleo Lexicom < 5.8.0.21 Unrestricted File Upload/Download | Critical | `vendor:=Cleo AND product:lexicom AND (version:>0 AND version:<5.8.0.21)` | | Cleo VLTrader < 5.8.0.21 Unrestricted File Upload/Download | Critical | `vendor:=Cleo AND product:vltrader AND (version:>0 AND version:<5.8.0.21)` | | ConnectWise ScreenConnect < 23.9.8 Remote Code Execution | Critical | `vendor:=ConnectWise AND product:ScreenConnect AND (version:>0 AND version:<23.9.8)` | | Elastic Kibana 8.15.0 < 8.17.3 Remote Code Execution | Critical | `vendor:=Elastic AND product:kibana AND (version:>8.14 AND version:<8.17.3)` | | Elasticsearch < 1.2 Remote Code Execution | Critical | `vendor:=Elastic AND (product:=Search OR product:=Elasticsearch) AND ( (version:>0 AND version:<1.2 AND NOT version:"0:%") OR (version:"0:%" AND version:>"0:0" AND version:<"0:1.2"))` | | F5 Big-IP Remote Code Execution (CVE-2021-22986) | Critical | `os:="F5 Networks BIG-IP" AND ( (osversion:>"12.1" AND osversion:<"12.1.5.3") OR (osversion:>"13.1" AND osversion:<"13.1.3.6") OR (osversion:>"14.1" AND osversion:<"14.1.4") OR (osversion:>"15.1" AND osversion:<"15.1.2.1") OR (osversion:>"16.0" AND osversion:<"16.0.1.1") )` | | Fortinet FortiOS Out-Of-Bound Write Vulnerability (CVE-2024-21762) | Critical | `os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.14") OR (os_version:>="2.0.0" AND os_version:<"2.0.14") OR (os_version:>="1.2.0" AND os_version:<"1.2.14") OR (os_version:>="1.1.0" AND os_version:<"1.1.7") OR (os_version:>="1.0.0" AND os_version:<"1.0.8"))` | | Fortinet Multiple Products Format String Vulnerability (CVE-2024-23113) | Critical | `(os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.15"))) OR (os:="Fortinet FortiPAM" AND ((os_version:>="1.0.0" AND os_version:<"1.0.4") OR (os_version:>="1.1.0" AND os_version:<"1.1.3") OR (os_version:="1.2.0")))` | | GitLab Remote Code Execution (CVE-2021-22205) | Critical | `vendor:=GitLab AND product:gitlab AND ((version:>11.9 AND version:<13.8.7) OR (version:>13.9 AND version:<13.9.5) OR (version:>13.10 AND version:<13.10.2))` | | Grandstream GXP1600 Series VoIP Phone RCE (CVE-2026-2329) | Critical | `hw:="Grandstream GXP16__" AND (os_version:>0 AND os_version:<"1.0.7.81")` | | HashiCorp Vault Multiple Vulnerabilities - HCSEC-2025-22 | Critical | `vendor:="HashiCorp" AND product:"Vault" AND ( (version:>=1.20.0 AND version:<1.20.2) OR (version:>=1.19.0 AND version:<1.19.8) OR (version:>=1.18.0 AND version:<1.18.13) OR (version:>0 AND version:<1.16.24))` | | Langflow RCE (CVE-2026-33017) | Critical | `vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.8.2)` | | MikroTik Router OS Directory Traversal Vulnerability (CVE-2018-14847) | Critical | `os:="MikroTik RouterOS" AND (os_version:>"0" AND os_version:<="6.42")` | | Multiple Fortinet Products Buffer Overflow | Critical | `hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:="7.2.0") OR (osversion:>"7.0.0" AND osversion:<"7.0.7") OR (osversion:>="6.4.0" AND osversion:<"6.4.11"))` | | Novi Survey Insecure Deserialization Vulnerability | Critical | `vendor:="3rd Millennium" AND product:="Novi Survey" AND (version:>"0" AND version:<"8.9.43676") ` | | PHP 8.1.0 < 8.1.29 Multiple Vulnerabilities | Critical | `os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.1 AND version:<8.1.29)` | | PHP 8.2.0 < 8.2.20 Multiple Vulnerabilities | Critical | `os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.2 AND version:<8.2.20)` | | PHP 8.3.0 < 8.3.8 Multiple Vulnerabilities | Critical | `os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.3 AND version:<8.3.8)` | | Plesk Panel 9.0.X < 9.2.3 Remote Code Execution | Critical | `not os:Windows AND vendor:=parallels AND product:=plesk AND (version:>9.0.0 AND version:<9.5.4)` | | Rejetto HTTP File Server 2 Remote Code Execution | Critical | `vendor:=Rejetto AND product:"HTTP File Server" AND version:>0 AND version:<3` | | Rejetto HTTP File Server 2.0 < 2.3M Remote Code Execution | Critical | `os:Windows AND vendor:=Rejetto AND product:"HTTP File Server" AND version:>=2.0 AND version:<"2.3m" ` | | Rockwell Automation ControlLogix Ethernet RCE (CVE-2025-7353) | Critical | `((_asset.protocol:="cip" OR asset.protocol:="cip-udp") AND protocol:"cip" AND (cip.product:="1756-EN2T/D" OR cip.product:="1756-EN2F/C" OR cip.product:="1756-EN2TR/C" OR cip.product:="1756-EN3TR/B" OR cip.product:="1756-EN2TP/A") AND (cip.revision:>"0" AND (cip.revision:<"12" OR cip.revision:"12.0%"))) OR ((_asset.protocol:="ethernetip" OR asset.protocol:="ethernetip-udp") AND protocol:"ethernetip" AND (ethernetip.product:="1756-EN2T/D" OR ethernetip.product:="1756-EN2F/C" OR ethernetip.product:="1756-EN2TR/C" OR ethernetip.product:="1756-EN3TR/B" OR ethernetip.product:="1756-EN2TP/A") AND (ethernetip.revision:>"0" AND (ethernetip.revision:<"12" OR ethernetip.revision:"12.0%")))` | | SAP NetWeaver (RMI-P4) Insecure Deserialization (CVE-2025-42944) | Critical | `vendor:=SAP AND product:"NetWeaver" AND (version:>0 AND version:<=7.50)` | | Sangoma FreePBX RCE (CVE-2025-57819) | Critical | `((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND (version:>0 AND (version:<"15.0.66(%)" OR version:<"16.0.89(%)" OR version:<"17.0.3(%)"))` | | SolarWinds Web Help Desk Multiple Vulnerabilities (2026-01) | Critical | `vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.8.2585)` | | SolarWinds Web Help Desk RCE (CVE-2025-26399) | Critical | `vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.7.2174)` | | SonicWall SMA1000 < 12.4.3 Remote Code Execution | Critical | `hw:="SonicWall SMA1000" AND (osversion:>0 AND osversion:<12.4.3)` | | SonicWall SonicOS Buffer Overflow Vulnerability (CVE-2020-5135) | Critical | `os:="SonicWall SonicOS" AND (os_version:="7.0.0.0" OR os_version:="6.5.4.7" OR os_version:="6.5.1.12" OR os_version:="6.0.5.3" OR os_version:="6.5.4.v")` | | VMware vCenter Server 7.0 < 7.0 U3t / 8.0 < 8.0 U3d Multiple Vulnerabilities | Critical | `vendor:=VMware AND (product:"vcenter server" OR product:"cloud foundation") AND ((version:>7.0 AND version:<"7.0.3 build-24322018") OR (version:>8.0 AND version:<"8.0.3 build-24322831"))` | | Zyxel Multiple Firewalls Buffer Overflow Vulnerability (CVE-2023-33009) | Critical | `((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel USG20W-VPN" OR os:="Zyxel USG20-VPN" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.36")) OR ((os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.60" AND os_version:<="4.73"))` | | Zyxel Multiple Firewalls Buffer Overflow Vulnerability (CVE-2023-33010) | Critical | `(os:="Zyxel ATP%" AND (os_version:>="4.32" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="4.25" AND os_version:<="5.36")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="4.25" AND os_version:<="5.36")) OR ((os:="Zyxel USG20%" OR os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.50" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex%" AND (os_version:>="4.25" AND os_version:<="4.73" AND not os:="Zyxel USG Flex 50W")) OR (os:="Zyxel VPN%" AND (os_version:>="4.30" AND os_version:<="5.36"))` | | Zyxel Multiple Firewalls OS Command Injection Vulnerability (CVE-2023-28771) | Critical | `((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.35")) OR ((os:="Zyxel %USG100" OR os:="Zyxel %USG300") AND (os_version:>="4.60" AND os_version:<="4.73"))` | | n8n Unauthenticated File Access (CVE-2026-21858) | Critical | `vendor:=n8n AND product:=n8n AND version:>0 AND (version:>=1.65.0 AND version:<1.121.0) ` | | Apple Device Ecosystem Multiple Vulnerabilities (Coruna) | High | `(os:="apple ios" OR os:="apple ipados" ) AND ((osversion:>="17.0" AND osversion:<"17.5") OR (osversion:>="16.0" AND osversion:<"16.7.8") OR (osversion:>="15.0" AND osversion:<"15.7.8") OR (osversion:>="13.0" AND osversion:<"14.7"))` | | Apple Device Ecosystem Multiple Vulnerabilities (DarkSword) | High | `(os:="apple ios" OR os:="apple ipados" OR os:="apple tvos" OR os:="apple macos" OR os:="apple watchos" OR os:="apple visionos") AND osversion:>0 AND ( (osversion:>="26.0" AND osversion:<"26.3") OR (osversion:>="18.0" AND osversion:<"18.7.3") )` | | Apple tvOS < 11.4 Multiple Vulnerabilities | High | `os:"Apple tvOS" AND osversion:>0 AND osversion:<11.4` | | Apple tvOS < 13.3.1 Multiple Vulnerabilities | High | `os:"Apple tvOS" AND osversion:>0 AND osversion:<13.3.1` | | Apple tvOS < 15.2 Multiple Vulnerabilities | High | `os:"Apple tvOS" AND osversion:>0 AND osversion:<15.2` | | Arcserve Unified Data Protection < 10.2 Heap Overflow Vulnerabilities | High | `vendor:=Arcserve AND product:=UDP AND version:>0 AND version:<10.2` | | Atlassian Confluence 5.2 < 7.19.22 Remote Code Execution | High | `vendor:=Atlassian AND product:Confluence AND (version:>=5.2 AND version:<7.19.22)` | | Cisco ConfD SSH Server Remote Code Execution | High | `vendor:="Cisco" AND product:="ConfD" AND ( (version:>"7.0.0.0" AND version:<"7.7.19.1") OR (version:>"8.0.0.0" AND version:<"8.0.17.1") OR (version:>"8.1.0.0" AND version:<"8.1.16.2") OR (version:>"8.2.0.0" AND version:<"8.2.11.1") OR (version:>"8.3.0.0" AND version:<"8.3.8.1") OR (version:>"8.4.0.0" AND version:<"8.4.4.1"))` | | Cisco IOS XE Arbitrary File Upload | High | `os:="Cisco IOS XE" AND hw:"Catalyst" AND ( (osversion:>="17.7.0" AND osversion:<="17.7.1") OR (osversion:>="17.10.0" AND osversion:<="17.10.1") OR (osversion:>="17.8.0" AND osversion:<="17.8.1") OR (osversion:>="17.9.0" AND osversion:<="17.9.5") OR (osversion:>="17.11.0" AND osversion:<="17.11.1") OR (osversion:>="17.12.0" AND osversion:<="17.2.3") OR (osversion:>="17.13.0" AND osversion:<="17.13.1") OR (osversion:>="17.14.0" AND osversion:<="17.14.1") OR (osversion:>="17.11.0" AND osversion:<="17.11.99") )` | | Commvault Command Center Remote Code Execution | High | `vendor:="Commvault" AND product:="Command Center" AND version:>"11.38.0" AND version:<"11.38.20"` | | DrayTek Vigor2960/Vigor300B Command Injection | High | `(hw:"DrayTek Vigor2960" OR hw:"DrayTek Vigor300b" OR hw:"DrayTek Vigor 2960" OR hw:"DrayTek Vigor 300b") AND osversion:>0 AND osversion:<"1.5.1.5"` | | Erlang OTP SSH Server Remote Code Execution | High | `_asset.protocols:ssh AND vendor:="Erlang" AND product:="SSH" AND ((version:>=5.2.0 AND version:<5.2.10) OR (version:>4.0.0.0 AND version:<4.15.3.12) OR (version:>5.1.0.0 AND version:<5.1.4.7))` | | Fortra GoAnywhere MFT License Servlet Deserialization Vulnerability (CVE-2025-10035) | High | `vendor:=Fortra AND product:="GoAnywhere Managed File Transfer" AND (version:>0 AND version:<7.8.4 AND NOT version:=7.6.3)` | | HPE OneView Remote Code Execution (CVE-2025-37164) | High | `((vendor:="HP" AND product:="Oneview") OR (vendor:="HPE" AND product:="OneView")) AND version:>0 AND version:<10.20` | | Langflow Authentication Bypass | High | `_asset.protocol:=http AND vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.3.0)` | | Monsta FTP RCE (CVE-2025-34299) | High | `vendor:="Monsta Limited" AND product:="Monsta FTP" AND version:>0 AND version:<2.11.3` | | Roundcube Webmail Remote Code Execution | High | `vendor:=Roundcube AND product:=Webmail AND ((version:>=1.5 AND version:<1.5.10) OR (version:>=1.6 AND version:<1.6.11))` | | SAP NetWeaver Visual Composer Metadata Uploader Arbitrary File Upload | High | `vendor:="SAP" AND product:"NetWeaver" AND (version:>7.0 AND version:<7.55)` | | Samsung MagicINFO Path Traversal Vulnerability | High | `vendor:="Samsung" AND product:"MagicINFO Server" AND version:>0 AND version:<"21.1052"` | | Solr 5.0.0 < 8.4.0 Remote Code Execution | High | `vendor:=Apache AND product:Solr AND (version:>=5.0.0 AND version:<8.4.0)` | | SysAid Help Desk XML Entity Remote Code Execution | High | `vendor:="SysAid" AND product:"Help Desk" AND version:>0 AND version:<24.4.60` | | Trimble Cityworks File Deserialization Vulnerability | High | `vendor:="Trimble" AND product:="Cityworks" AND version:>0 AND version:<"23.10"` | | VMware ESXi OpenSLP Heap Buffer Overflow | High | `os:="VMware ESX%" and port:427 and ( os_version:="1.%" or os_version:="2.%" or os_version:="3.%" or os_version:="4.%" or os_version:="5.%" or os_version:="6.0%" or os_version:="6.5.0 build-4564106" or os_version:="6.5.0 build-4887370" or os_version:="6.5.0 build-5146843" or os_version:="6.5.0 build-5146846" or os_version:="6.5.0 build-5224529" or os_version:="6.5.0 build-5310538" or os_version:="6.5.0 build-5969300" or os_version:="6.5.0 build-5969303" or os_version:="6.5.0 build-6765664" or os_version:="6.5.0 build-7273056" or os_version:="6.5.0 build-7388607" or os_version:="6.5.0 build-7967591" or os_version:="6.5.0 build-8285314" or os_version:="6.5.0 build-8294253" or os_version:="6.5.0 build-8935087" or os_version:="6.5.0 build-9298722" or os_version:="6.5.0 build-10175896" or os_version:="6.5.0 build-10390116" or os_version:="6.5.0 build-10719125" or os_version:="6.5.0 build-10868328" or os_version:="6.5.0 build-10884925" or os_version:="6.5.0 build-11925212" or os_version:="6.5.0 build-13004031" or os_version:="6.5.0 build-13635690" or os_version:="6.5.0 build-13873656" or os_version:="6.5.0 build-13932383" or os_version:="6.5.0 build-14320405" or os_version:="6.5.0 build-14874964" or os_version:="6.5.0 build-14990892" or os_version:="6.5.0 build-15256468" or os_version:="6.5.0 build-15177306" or os_version:="6.5.0 build-15256549" or os_version:="6.5.0 build-16207673" or os_version:="6.5.0 build-16389870" or os_version:="6.5.0 build-16576879" or os_version:="6.5.0 build-16576891" or os_version:="6.5.0 build-16901156" or os_version:="6.5.0 build-17097218" or os_version:="6.5.0 build-17167537" or os_version:="6.7.0 build-8169922" or os_version:="6.7.0 build-8941472" or os_version:="6.7.0 build-9214924" or os_version:="6.7.0 build-9484548" or os_version:="6.7.0 build-10176752" or os_version:="6.7.0 build-10176879" or os_version:="6.7.0 build-10302608" or os_version:="6.7.0 build-10764712" or os_version:="6.7.0 build-11675023" or os_version:="6.7.0 build-13004448" or os_version:="6.7.0 build-12986307" or os_version:="6.7.0 build-13006603" or os_version:="6.7.0 build-13473784" or os_version:="6.7.0 build-13644319" or os_version:="6.7.0 build-13981272" or os_version:="6.7.0 build-14141615" or os_version:="6.7.0 build-14320388" or os_version:="6.7.0 build-15018017" or os_version:="6.7.0 build-15160134" or os_version:="6.7.0 build-15160138" or os_version:="6.7.0 build-15999342" or os_version:="6.7.0 build-15820472" or os_version:="6.7.0 build-16075168" or os_version:="6.7.0 build-16316930" or os_version:="6.7.0 build-16701467" or os_version:="6.7.0 build-16713306" or os_version:="6.7.0 build-16773714" or os_version:="6.7.0 build-17167699" or os_version:="6.7.0 build-17098360" or os_version:="6.7.0 build-17167734" or os_version:="7.0.0%" or os_version:="7.0.1 build-16850804" or os_version:="7.0.1 build-17119627" or os_version:="7.0.1 build-17168206" or os_version:="7.0.1 build-17325020")` | | Veeam Backup & Replication Multiple Vulnerabilities (2026-03) | High | `vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND ((version:>=12.3 AND version:<12.3.2.4465) OR (version:>=13.0 AND version:<13.0.1.2067))` | | Veeam Backup & Replication RCE Multiple Vulnerabilities (2025-10) | High | `vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND (version:>0 AND version:>=12 AND version:<12.3.2.4165)` | | AirPlay SDK Remote Code Execution (AirBorne) | Medium | `vendor:=Apple AND product:="AirPlay SDK" AND ((version:>2.0 AND version:<2.7.1) OR (version:>3.0 AND version:<3.6.0.126))` | | Apache Tomcat Partial PUT Deserialization Vulnerability | Medium | `_asset.products:"Tomcat" AND product:"Tomcat" AND ((version:>=11.0.0 AND version:<11.0.3) OR (version:>=10.1.0 AND version:<10.1.35) OR (version:>=9.0.0 AND version:<9.0.99))` | | Dell EMC Unity, UnityVSA, And Unity XT | Medium | `os:"EMC Unity" AND osversion:>0 AND osversion:<5.5.0.0.0.5.259` | | Fortinet FortiVoice SQL Injection (CVE-2025-58692) | Medium | `hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:>"7.2.0" AND osversion:<"7.2.3") OR (osversion:>"7.0.0" AND osversion:<"7.0.8"))` | | Lantronix Xport Authentication Bypass | Medium | `hw:lantronix AND ((os:="Lantronix XPort%" AND not os:="Lantronix XPort Edge%") OR (lantronix.type:="XE" OR lantronix.type:="SE" OR lantronix.type:="AR" OR lantronix.type:="EH"))` | | Multiple Fortinet Products Unauthenticated RCE (CVE-2025-25249) | Medium | `os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17") OR (os_version:>="6.4.0" AND os_version:<="6.4.16"))` | | Multiple Vulnerabilities In Microsoft SQL Server (2025-07) | Medium | `vendor:=Microsoft AND (product:="SQL Server" OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.6460.7 AND NOT version:="13.0.6460") OR (version:>=14.0.0 AND version:<14.0.3495.9 AND NOT version:="14.0.3495") OR (version:>=15.0.0 AND version:<15.0.4435.7 AND NOT version:="15.0.4435") OR (version:>=16.0.0 AND version:<16.0.4200.1 AND NOT version:="16.0.4200"))` | | Redis Multiple Vulnerabilities (2025-10) | Medium | `vendor:=Redis AND product:=Redis AND (version:>0 AND ( (version:>=6.2 AND version:<6.2.20) OR (version:>=7.2 AND version:<7.2.11) OR (version:>=7.4 AND version:<7.4.6) OR (version:>=8.0 AND version:<8.0.4) OR (version:>=8.2 AND version:<8.2.2)))` | | Valkey Multiple Vulnerabilities (2025-10) | Medium | `(vendor:=valkey OR vendor:="Fedora Project") AND product:=valkey AND (version:>0 AND ( (version:>=7.2 AND version:<7.2.11) OR (version:>=8.0 AND version:<8.0.6) OR (version:>=8.1 AND version:<8.1.4)))` | | lighttpd Web Server Out-of-Bounds Memory Read | Medium | `product:lighttpd (_service.product:=lighttpd:lighttpd:1.4.0% OR _service.product:=lighttpd:lighttpd:1.4.1% OR _service.product:=lighttpd:lighttpd:1.4.2% OR _service.product:=lighttpd:lighttpd:1.4.3% OR _service.product:=lighttpd:lighttpd:1.4.4%)` | | ConnectWise ScreenConnect < 25.2.4 ViewState Code Injection | Low | `vendor:=ConnectWise AND product:=ScreenConnect AND (version:>0 AND version:<25.2.4)` | | Squid URN Handling Buffer Overflow (CVE-2025-54574) | Low | `vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<6.4)` | Findings are created through three sources: 1. **Query-based**: These findings are identified through specific queries defined within the system (see list below). 2. **Nuclei-generated**: These findings result from scans where default credentials and vulnerability checks are enabled, leveraging Nuclei templates (see [templates](em-templates.md)). 3. **KEV (Known Exploited Vulnerabilities)**: These findings are triggered when a discovered vulnerability is present on the CISA Known Exploited Vulnerabilities (KEV) catalog or VulnCheck KEV.