Query library

runZero includes a substantial library of pre-built queries. These queries can be used to detect vulnerabilities, trigger alerts, and apply changes to assets, such as tags and ownership. These queries are categorized by use case and risk level. Custom queries can also be configured to report vulnerabilities on matching assets and services.

Best Practice #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Google Workspace Account Without MFA	users	Medium	`source:googleworkspace isEnforcedIn2Sv:f`	Link	Link
Active Directory Account Expires Soon	users	Low	`has:accountExpiresTS AND accountExpiresTS:<30days`	Link	Link
Authenticated Web Service Without Encryption	services	Low	`(_asset.protocol:http AND not _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )`	Link	Link
HTTP Directory Indexing Enabled	services	Low	`_asset.protocol:http AND protocol:http AND has:html.title AND (html.title:="Index of /%" OR html.title:="HFS /%" OR html.title:="Directory listing%")`	Link	Link
Network Time Protocol Service With Skewed Clock	services	Low	`_asset.protocol:ntp and protocol:ntp and has:ntp.skew`	Link	Link
Obsolete SSL Protocol	services	Low	`_asset.protocol:tls AND protocol:"tls" AND tls.supportedVersionNames:"SSL"`	Link	Link
Open Wireless Network	wireless	Low	`auth:open`	Link	Link
SMB Signing Not Required	services	Low	`_asset.protocol:smb AND protocol:smb AND has:smb.signing AND NOT smb.signing:required`	Link	Link
SMB Version 1 Enabled	services	Low	`_asset.protocol:smb1 protocol:smb1`	Link	Link
SNMP Default Community	services	Low	`_asset.protocol:snmp AND protocol:snmp AND has:snmp.defaultCommunities`	Link	Link
Wireless Network Using WEP Encryption	wireless	Low	`enc:wep`	Link	Link
Active Directory Account Password Does Not Expire	users	Info	`passwordNeverExpires:true`	Link	Link

Certificates #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Private Key Is Widely Shared	vulnerabilities	Medium	`source:runzero AND (foreign_id:=rz-ioasm-pubkey-widely-shared OR foreign_id:=rz-ioasm-pubkey-known-private)`	Link	Link
Expired Certificate On TLS Service	services	Low	`_asset.protocol:tls AND tls.notAfterTS:`	Link	Link
Certificate On TLS Service Expires Soon	services	Info	`_asset.protocol:tls AND tls.notAfterTS:<6weeks AND tls.notAfterTS:>now`	Link	Link

Compliance #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Kaspersky Lab Security Software	assets	Info	`edr.name:Kaspersky`	Link	Link
Kaspersky Lab Software	software	Info	`vendor:Kaspersky`	Link	Link
NDAA 2019 Section 889 Equipment	assets	Info	((mac_vendor:zte OR mac_vendor:huawei OR mac_vendor:CRRC OR mac_vendor:dahua OR mac_vendor:hikvision OR mac_vendor:hisilicon OR mac_vendor:panda OR mac_vendor:dawning OR mac_vendor:hangzhou OR mac_vendor:hytera OR mac_vendor:inspur OR mac_vendor:"Aero Engine Corporation of China" OR mac_vendor:"Aviation Industry Corporation of China" OR mac_vendor:"China Aerospace" OR mac_vendor:"China Electronics" OR mac_vendor:"China General Nuclear Power" OR mac_vendor:"China Mobile" OR mac_vendor:"China National Nuclear Power" OR mac_vendor:"China North Industries Group" OR mac_vendor:"China Railway" OR mac_vendor:"China Shipbuilding" OR mac_vendor:"China South Industries Group" OR mac_vendor:"China State Shipbuilding" OR mac_vendor:"China Telecommunications" OR mac_vendor:ztec OR mac_vendor:ztek OR mac_vendor:"z-tec" OR mac_vendor:5shanghai OR mac_vendor:"Hella Sonnen" OR mac_vendor:anhui OR mac_vendor:"technology sdn bhd" OR mac_vendor:azteq) OR (hw:zte OR hw:huawei OR hw:CRRC OR hw:dahua OR hw:hikvision OR hw:hisilicon OR hw:panda OR hw:dawning OR hw:hangzhou OR hw:hytera OR hw:inspur OR hw:"Aero Engine Corporation of China" OR hw:"Aviation Industry Corporation of China" OR hw:"China Aerospace" OR hw:"China Electronics" OR hw:"China General Nuclear Power" OR hw:"China Mobile" OR hw:"China National Nuclear Power" OR hw:"China North Industries Group" OR hw:"China Railway" OR hw:"China Shipbuilding" OR hw:"China South Industries Group" OR hw:"China State Shipbuilding" OR hw:"China Telecommunications" OR hw:ztec OR hw:ztek OR hw:"z-tec" OR hw:5shanghai OR hw:"Hella Sonnen" OR hw:anhui OR hw:"technology sdn bhd" OR hw:azteq))	Link	Link
Secure Networks Act Section 2 Equipment	assets	Info	`(hw:huawei OR hw:="zte%" OR hw:hytera OR hw:hikvision OR hw:dahua OR hw:"china mobile" OR hw:"china telecom" OR hw:"china unicom" OR hw:"pacific networks corp" OR hw:"comnet (usa) llc" OR hw:zhejiang) OR (mac_vendor:huawei OR mac_vendor:="zte%" OR mac_vendor:hytera OR mac_vendor:hikvision OR mac_vendor:dahua OR mac_vendor:"china mobile" OR mac_vendor:"china telecom" OR mac_vendor:"china unicom" OR mac_vendor:"pacific networks corp" OR mac_vendor:"comnet (usa) llc" OR mac_vendor:"zhejiang")`	Link	Link

End-of-Life #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Sangoma FreePBX	software	Critical	`((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND ((version:>="2.0.0(%)" AND version:<"3.0.0(%)") OR (version:>="12.0.0(%)" AND version:<"15.0.0(%)"))`	Link	Link
Accellion File Transfer Appliance	assets	High	`hw:"Accellion File Transfer Appliance"`	Link	Link
AutomationDirect MB-GATEWAY	assets	High	`hw:="AutomationDirect Modbus Gateway" OR hw:="Automation Direct Modbus Gateway"`	Link	Link
Cisco Small Business Routers	assets	High	`hw:"Cisco RV0" OR hw:"Cisco RV110W" OR hw:"Cisco RV130" OR hw:"Cisco RV132W" OR hw:"Cisco RV134W" OR hw:"Cisco RV160" OR hw:"Cisco RV215" OR hw:"Cisco RV260" OR hw:"Cisco RV320" OR hw:"Cisco RV325" OR hw:"Cisco RV340" OR hw:"Cisco RV345"`	Link	Link
Cisco Small Business Switches	assets	High	`hw:"Cisco" and type:"switch" and ( hw:"SRW224G4-K9-" OR hw:"SRW2016-K9-" OR hw:"SG500X-" OR hw:"SF300-" OR hw:"SRW208G-K9-" OR hw:"SG300-" OR hw:"SRW2048-K9-" OR hw:"SLM2048PT-" OR hw:"SRW208-K9-" OR hw:"SF302-" OR hw:"SLM2008PT-" OR hw:"SLM224PT-" OR hw:"SF500-" OR hw:"SLM2008T-" OR hw:"SG500-" OR hw:"SG200-" OR hw:"SF200-" OR hw:"SLM224GT-" OR hw:"SLM2016T-")`	Link	Link
End-of-Life Operating System	assets	High	`(os_eol_extended:>0 AND os_eol_extended:`	Link	Link
Zyxel CPE Remote Command Execution	assets	High	`hw:"VMG1312-B10A" OR hw:"VMG1312-B10B" OR hw:"VMG1312-B10E" OR hw:"VMG3312-B10A" OR hw:"VMG3313-B10A" OR hw:"VMG3926-B10B" OR hw:"VMG4325-B10A" OR hw:"VMG4380-B10A" OR hw:"VMG8324-B10A" OR hw:"VMG8924-B10A" OR hw:"SBG3300" OR hw:"SBG3500"`	Link	Link
D-Link DNS Family NAS	assets	Info	`fp.hw.product:="DNS-320L" OR fp.hw.product:="DNS-325" OR fp.hw.product:="DNS-327L" OR fp.hw.product:="DNS-340L"`	Link	Link
Edimax IC-7100 IP Camera	assets	Info	`hw:"EDIMAX IC-71%Camera"`	Link	Link

Internet Exposure #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Publicly Exposed Configuration Database Server	services	High	`service_has_public:t AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)`	Link	Link
Potential External Access To Internal Asset	vulnerabilities	Medium	`source:runzero AND (foreign_id:=rz-query-rz-ioasm-internal-mac OR foreign_id:=rz-query-rz-ioasm-internal-pubkey)`	Link	Link
Potential External Access To Remote Desktop Service	assets	Medium	`has_public:t AND service_has_public:f AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )`	Link	Link
Publicly Exposed Baseboard Management Controller	assets	Medium	`haspublic:t AND (type:bmc OR protocol:ipmi)`	Link	Link
Publicly Exposed Remote Desktop Gateway	services	Medium	`service_has_public:t AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )`	Link	Link
Publicly Exposed Remote Desktop Service	assets	Medium	`service_has_public:t AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )`	Link	Link
Publicly Exposed SSH Server With Password Authentication	services	Medium	`service_has_public:t AND ( _asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password )`	Link	Link
Publicly Exposed Windows Management Service	assets	Medium	`service_has_public:t AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )`	Link	Link
Potential External Access To Configuration Database Server	services	Low	`has_public:t AND service_has_public:f AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)`	Link	Link
Potential External Access To Key-Value Database Server	services	Low	`has_public:t AND service_has_public:f AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)`	Link	Link
Potential External Access To NoSQL Database Server	services	Low	`has_public:t AND service_has_public:f AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)`	Link	Link
Potential External Access To Operational Technology Service	services	Low	has_public:t AND service_has_public:f AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)	Link	Link
Potential External Access To Relational Database Server	services	Low	`has_public:t AND service_has_public:f AND (_asset.protocols:mysql OR _asset.protocols:postgres OR _asset.protocols:mssql OR _asset.protocols:oracledb) AND (protocol:mysql OR protocol:postgres OR protocol:mssql OR protocol:oracledb)`	Link	Link
Potential External Access To Remote Desktop Gateway	services	Low	`has_public:t AND service_has_public:f AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )`	Link	Link
Potential External Access To SSH Server With Password Authentication	services	Low	`has_public:t AND service_has_public:f AND (_asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password)`	Link	Link
Potential External Access To Windows Management Service	assets	Low	`has_public:t AND service_has_public:f AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )`	Link	Link
Publicly Exposed Key-Value Database Server	services	Low	`service_has_public:t AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)`	Link	Link
Publicly Exposed NoSQL Database Server	services	Low	`service_has_public:t AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)`	Link	Link
Publicly Exposed Operational Technology Service	services	Low	service_has_public:t AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)	Link	Link
Publicly Exposed Relational Database Server	services	Low	`service_has_public:t AND (_asset.protocols:mysql OR _asset.protocols:postgres OR _asset.protocols:mssql OR _asset.protocols:oracledb) AND (protocol:mysql OR protocol:postgres OR protocol:mssql OR protocol:oracledb)`	Link	Link

Open Access #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Cisco Smart Install Service	services	Critical	`_asset.protocol:ciscosmi protocol:ciscosmi`	Link	Link
Sun Solaris sadmind RPC Service	services	Critical	`_asset.protocol:rpcbind protocol:rpcbind rpcbind.programs:"100232-v10-"`	Link	Link
Unauthenticated Android Debug Bridge	services	Critical	`_asset.protocol:adb AND protocol:adb AND has:adb.access AND adb.access:="allowed"`	Link	Link
Unauthenticated Apache ZooKeeper Database	services	Critical	`_asset.protocol:zookeeper AND protocol:zookeeper AND zk.access:allowed`	Link	Link
Unauthenticated CNCF etcd Database	services	Critical	`_asset.protocol:etcd2 protocol:etcd2 etcd2.access:allowed`	Link	Link
Unauthenticated Distributed Ruby Service	services	Critical	`_asset.protocol:drbd AND protocol:drbd`	Link	Link
Unauthenticated MongoDB Database	services	Critical	`_asset.protocol:mongodb AND protocol:mongodb AND mongodb.auth:open`	Link	Link
Zabbix Agent Without ACL	services	Critical	`_asset.protocol:zabbix-agent AND protocol:zabbix-agent AND NOT zabbix.isLocal:true`	Link	Link
Unauthenticated Apache CouchDB Database	services	High	`_asset.protocol:couchdb AND protocol:couchdb`	Link	Link
Unauthenticated Cassandra Database	services	High	`_asset.protocol:cassandra AND protocol:cassandra`	Link	Link
Unauthenticated Elastic Search Database	services	High	`_asset.protocol:elasticsearch AND protocol:elasticsearch`	Link	Link
Unauthenticated HashiCorp Consul Database	services	High	`_asset.protocol:consul protocol:consul has:consul.config.datacenter`	Link	Link
Unauthenticated InfluxDB Database	services	High	`_asset.protocol:influxdb AND protocol:influxdb`	Link	Link
Unauthenticated Memcached Database	services	High	`_asset.protocol:memcache AND protocol:memcache`	Link	Link
Unauthenticated Redis Database	services	High	`_asset.protocol:redis AND protocol:redis AND has:redis.redisVersion`	Link	Link
Unauthenticated Riak Database	services	High	`(_asset.protocol:riak AND protocol:riak) OR (_asset.protocol:riak-http AND protocol:riak-http)`	Link	Link
Click Modular Router Shell	services	Medium	`_asset.protocol:click protocol:click`	Link	Link
Unauthenticated MongoDB Database (Limited)	services	Medium	`_asset.protocol:mongodb AND protocol:mongodb AND mongodb.auth:limited`	Link	Link
World-Readable NFS Export	services	Medium	`_asset.protocol:mountd AND protocol:="mountd" AND nfs.allowed:"%=*"`	Link	Link

Rapid Response #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Rapid Response: Redis Multiple Vulnerabilities (October 2025)	software	Critical	`vendor:=Redis AND product:=Redis AND (version:>0 AND ( (version:>=6.2 AND version:<6.2.20) OR (version:>=7.2 AND version:<7.2.11) OR (version:>=7.4 AND version:<7.4.6) OR (version:>=8.0 AND version:<8.0.4) OR (version:>=8.2 AND version:<8.2.2)))`	Link	Link
Rapid Response: Squid Information Disclosure (CVE-2025-62168)	software	Critical	`vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<7.2)`	Link	Link
Rapid Response: Valkey Multiple Vulnerabilities (October 2025)	software	Critical	`(vendor:=valkey OR vendor:="Fedora Project") AND product:=valkey AND (version:>0 AND ( (version:>=7.2 AND version:<7.2.11) OR (version:>=8.0 AND version:<8.0.6) OR (version:>=8.1 AND version:<8.1.4)))`	Link	Link
Rapid Response: F5 CISA Emergency Directive (ED 26-01)	assets	Info	`os:="F5%"`	Link	Link
Rapid Response: Fortinet FortiPAM (CVE-2025-49201)	assets	Info	`os:="Fortinet FortiPAM%"`	Link	Link
Rapid Response: Fortinet FortiSwitch Manager (CVE-2025-49201)	software	Info	`vendor:=Fortinet product:="FortiSwitchManager"`	Link	Link
Rapid Response: Ivanti Endpoint Manager Multiple Vulnerabilities (October 2025)	software	Info	`vendor:=Ivanti product:="Endpoint Manager"`	Link	Link
Rapid Response: Oracle E-Business Suite RCE (CVE-2025-61882)	software	Info	`vendor:=Oracle product:="E-Business Suite"`	Link	Link
Rapid Response: Smartbedded Meteobridge Command Injection (CVE-2025-4008)	services	Info	`_asset.protocol:http AND protocol:http AND http.head.wwwAuthenticate:="Basic realm=%MeteoBridge%"`	Link	Link

Vulnerability #

Name	Type	Severity	Query	US SaaS Link	EU SaaS Link
Adobe Commerce & Magento Session Takeover With Unconfirmed RCE (CVE-2025-54236)	software	Critical	`vendor:=Adobe AND product:=Magento AND (version:>0 AND version:<="2.4.9-alpha2")`	Link	Link
AirPlay Protocol Remote Code Execution (AirBorne)	assets	Critical	hw:="apple%" AND protocol:airplay AND ( (os:="apple macos" AND ((osversion:>"13.0" AND osversion:<"13.7.5") OR (osversion:>"14.0" AND osversion:<"14.7.5") OR (osversion:>"15.0" AND osversion:<"15.4"))) OR (os:="apple ipados" AND ((osversion:>"17.0" AND osversion:<"17.7.6") OR (osversion:>"18.0" AND osversion:<"18.4"))) OR ((os:="apple tvos" OR os:="apple audioos") AND osversion:>0 AND osversion:<"18.4") OR (os:="apple ios" AND osversion:>0 AND osversion:<"18.4") OR (os:="apple visionos" AND osversion:>0 AND osversion:<"2.4") )	Link	Link
Apache 2.4.49 < 2.4.51 Information Disclosure	software	Critical	`_asset.protocol:http product:HTTPD AND version:>=2.4.49 AND version:<2.4.51`	Link	Link
Apache ActiveMQ Remote Code Execution (CVE-2023-46604)	software	Critical	`_asset.protocol:activemq AND product:ActiveMQ AND ((version:>0 AND version:<5.15.16) OR (version:>=5.16.0 AND version:<5.16.7) OR (version:>=5.17.0 AND version:<5.17.6) OR (version:>=5.18.0 AND version:<5.18.3))`	Link	Link
Apache Solr Log4Shell Remote Code Execution	software	Critical	`vendor:=Apache AND product:Solr AND ((version:>=7.4.0 AND version:<7.7.3) OR (version:>=8.0.0 AND version:<8.11.0))`	Link	Link
Apache Tomcat 10.1.0-M1 < 10.1.34 Multiple Vulnerabilities	software	Critical	`product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.34)`	Link	Link
Apache Tomcat 11.0.0-M1 < 11.0.2 Multiple Vulnerabilities	software	Critical	`product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.2)`	Link	Link
Apache Tomcat 9.0.0-M1 < 9.0.98 Multiple Vulnerabilities	software	Critical	`product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.98)`	Link	Link
Apple tvOS < 16.2 Multiple Vulnerabilities	assets	Critical	`os:"Apple tvOS" AND osversion:>0 AND osversion:<16.2`	Link	Link
Atlassian Confluence 8.0 < 8.5.4 Remote Code Execution	software	Critical	`vendor:=Atlassian AND product:Confluence AND (version:>=8.0 AND version:<8.5.4)`	Link	Link
Atlassian Confluence Cross-Site Scripting (CVE-2024-4367)	software	Critical	`vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<7.19.25) OR (version:>=7.20.0 AND version:<8.5.11) OR (version:>=8.6.0 AND version:<8.9.3))`	Link	Link
Atlassian Confluence Path Traversal (CVE-2019-3396)	software	Critical	`vendor:=Atlassian AND product:Confluence AND NOT type:=Mobile AND ( (version:>0 AND version:<6.6.12) OR (version:>=6.7.0 AND version:<6.12.3) OR (version:>=6.13.0 AND version:<6.13.3) OR (version:>=6.14.0 AND version:<6.14.2))`	Link	Link
Atlassian Confluence Privilege Escalation (CVE-2023-22515)	software	Critical	`vendor:=Atlassian AND product:Confluence AND ( (version:>=8.0 AND version:<8.3.3) OR (version:>=8.4.0 AND version:<8.4.3) OR (version:>=8.5.0 AND version:<8.5.2))`	Link	Link
Atlassian Confluence Remote Code Execution (CVE-2021-26084)	software	Critical	`vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.13.23) OR (version:>=6.14.0 AND version:<7.4.11) OR (version:>=7.5.0 AND version:<7.11.6) OR (version:>=7.12.0 AND version:<7.12.5))`	Link	Link
Atlassian Confluence Remote Code Execution (CVE-2022-26134)	software	Critical	`vendor:=Atlassian AND product:Confluence AND ( (version:>=1.3.0 AND version:<7.4.17) OR (version:>=7.13.0 AND version:<7.13.7) OR (version:>=7.14.0 AND version:<7.14.3) OR (version:>=7.15.0 AND version:<7.15.2) OR (version:>=7.16.0 AND version:<7.16.4) OR (version:>=7.17.0 AND version:<7.17.4) OR (version:>=7.18.0 AND version:<7.18.1) OR )`	Link	Link
Atlassian Confluence Server-Side Request Forgery (CVE-2019-3395)	software	Critical	`vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.6.7) OR (version:>=6.7.0 AND version:<6.8.5) OR (version:>=6.9.0 AND version:<6.9.3))`	Link	Link
Broadcom VMware ESXi Guest Escape	assets	Critical	`os:"vmware esxi" AND ((os_version:>0 AND os_version:<6) OR (os_version:>6 AND os_version:<"6.7.0 build-24514018") OR (os_version:>7 AND os_version:<"7.0.3 build-24585291") OR (os_version:>8 AND os_version:<"8.0.2") OR (os_version:>"8.0.2" AND os_version:<"8.0.2 build-24585300") OR (os_version:>"8.0.3" AND os_version:<"8.0.3 build-24585383"))`	Link	Link
Broadcom VMware ESXi VM Escape	assets	Critical	`os:"vmware esxi" AND ((os_version:>7 AND os_version:<"7.0.3 build-24784741") OR (os_version:>8 AND (os_version:<"8.0.2 build-24789317" OR os_version:<"8.0.3 build-24784735")))`	Link	Link
Cacti < 1.2.23 Remote Code Execution	software	Critical	`_asset.products:Cacti AND vendor:Cacti AND product:Cacti AND (version:>0 AND version:<1.2.23)`	Link	Link
Cleo Harmony < 5.8.0.21 Unrestricted File Upload/Download	software	Critical	`vendor:=Cleo AND product:harmony AND (version:>0 AND version:<5.8.0.21)`	Link	Link
Cleo Lexicom < 5.8.0.21 Unrestricted File Upload/Download	software	Critical	`vendor:=Cleo AND product:lexicom AND (version:>0 AND version:<5.8.0.21)`	Link	Link
Cleo VLTrader < 5.8.0.21 Unrestricted File Upload/Download	software	Critical	`vendor:=Cleo AND product:vltrader AND (version:>0 AND version:<5.8.0.21)`	Link	Link
ConnectWise ScreenConnect < 23.9.8 Remote Code Execution	software	Critical	`vendor:ConnectWise AND product:ScreenConnect AND (version:>0 AND version:<23.9.8)`	Link	Link
Elastic Kibana 8.15.0 < 8.17.3 Remote Code Execution	software	Critical	`vendor:Elastic AND product:kibana AND (version:>8.14 AND version:<8.17.3)`	Link	Link
Elasticsearch < 1.2 Remote Code Execution	software	Critical	`vendor:elastic AND product:search AND ( (version:>0 AND version:<1.2 AND NOT version:"0:%") OR (version:"0:%" AND version:>"0:0" AND version:<"0:1.2"))`	Link	Link
F5 Big-IP Remote Code Execution (CVE-2021-22986)	assets	Critical	`os:="F5 Networks BIG-IP" AND ( (osversion:>"12.1" AND osversion:<"12.1.5.3") OR (osversion:>"13.1" AND osversion:<"13.1.3.6") OR (osversion:>"14.1" AND osversion:<"14.1.4") OR (osversion:>"15.1" AND osversion:<"15.1.2.1") OR (osversion:>"16.0" AND osversion:<"16.0.1.1") )`	Link	Link
Fortra GoAnywhere MFT License Servlet Deserialization Vulnerability (CVE-2025-10035)	software	Critical	`vendor:=Fortra AND (product:="Goanywhere Managed File Transfer" OR product:="GoAnywhere MFT%") AND (version:>0 AND version:<7.8.4 AND NOT version:=7.6.3)`	Link	Link
GitLab Remote Code Execution (CVE-2021-22205)	software	Critical	`vendor:=GitLab AND product:gitlab AND ((version:>11.9 AND version:<13.8.7) OR (version:>13.9 AND version:<13.9.5) OR (version:>13.10 AND version:<13.10.2))`	Link	Link
HPE iLO 4 Authentication Bypass	assets	Critical	`os:"iLO 4" and os_version:>0 AND os_version:<=2.53`	Link	Link
HashiCorp Vault Multiple Vulnerabilities - HCSEC-2025-22	software	Critical	`vendor:="HashiCorp" AND product:"Vault" AND ( (version:>=1.20.0 AND version:<1.20.2) OR (version:>=1.19.0 AND version:<1.19.8) OR (version:>=1.18.0 AND version:<1.18.13) OR (version:>0 AND version:<1.16.24))`	Link	Link
Microsoft OMI WSMAN Authentication Bypass	services	Critical	_asset.protocol:wsman AND wsman.productVendor:="Open Management Infrastructure" AND (wsman.productVersion:=0.% or wsman.productVersion:=1.0.% or wsman.productVersion:=1.1.% or wsman.productVersion:1.2.% or wsman.productVersion:=1.3.% or wsman.productVersion:=1.4.% or wsman.productVersion:=1.5.% or wsman.productVersion:=1.6.0-% or wsman.productVersion:=1.6.1-% or wsman.productVersion:=1.6.2-% or wsman.productVersion:=1.6.3-% or wsman.productVersion:=1.6.4-% or wsman.productVersion:=1.6.5-% or wsman.productVersion:=1.6.6-% or wsman.productVersion:=1.6.7-% or wsman.productVersion:=1.6.8-0)	Link	Link
Multiple Fortinet Products Buffer Overflow	assets	Critical	`hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:="7.2.0") OR (osversion:>"7.0.0" AND osversion:<"7.0.7") OR (osversion:>="6.4.0" AND osversion:<"6.4.11"))`	Link	Link
PHP 8.1.0 < 8.1.29 Multiple Vulnerabilities	software	Critical	`os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.1 AND version:<8.1.29)`	Link	Link
PHP 8.2.0 < 8.2.20 Multiple Vulnerabilities	software	Critical	`os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.2 AND version:<8.2.20)`	Link	Link
PHP 8.3.0 < 8.3.8 Multiple Vulnerabilities	software	Critical	`os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.3 AND version:<8.3.8)`	Link	Link
Palo Alto Networks PAN-OS Authentication Bypass	assets	Critical	`os:="Palo Alto Networks PAN-OS" AND (osversion:>"11.1.6-h1" AND osversion:<11.2.4-h4) AND (osversion:>"10.2.13-h3" AND osversion:<11.1.6-h1) AND (osversion:>"10.1.14-h9" AND osversion:<"10.2.13-h3") AND (osversion:>"10.1.0" AND osversion:<"10.1.14-h9")`	Link	Link
Plesk Panel 9.0.X < 9.2.3 Remote Code Execution	software	Critical	`not os:Windows AND vendor:=parallels AND product:=plesk AND (version:>9.0.0 AND version:<9.5.4)`	Link	Link
Rejetto HTTP File Server 2 Remote Code Execution	software	Critical	`vendor:Rejetto AND product:"HTTP File Server" AND version:>0 AND version:<3`	Link	Link
Rejetto HTTP File Server 2.0 < 2.3M Remote Code Execution	software	Critical	`os:Windows AND vendor:Rejetto AND product:"HTTP File Server" AND version:>=2.0 AND version:<"2.3m"`	Link	Link
Rockwell Automation ControlLogix Ethernet RCE (CVE-2025-7353)	services	Critical	`(_asset.protocol:="ethernetip" OR asset.protocol:="ethernetip-udp") AND protocol:"ethernetip" AND (ethernetip.product:="1756-EN2T/D" OR ethernetip.product:="1756-EN2F/C" OR ethernetip.product:="1756-EN2TR/C" OR ethernetip.product:="1756-EN3TR/B" OR ethernetip.product:="1756-EN2TP/A") AND ethernetip.revision:>"0" AND (ethernetip.revision:<"12" OR ethernetip.revision:"12.0%")`	Link	Link
Roundcube Webmail Remote Code Execution	software	Critical	`vendor:=Roundcube AND product:=Webmail AND ((version:>=1.5 AND version:<1.5.10) OR (version:>=1.6 AND version:<1.6.11))`	Link	Link
SAP NetWeaver (RMI-P4) Insecure Deserialization (CVE-2025-42944)	software	Critical	`vendor:=SAP AND product:"NetWeaver" AND (version:>0 AND version:<=7.50)`	Link	Link
Sangoma FreePBX RCE (CVE-2025-57819)	software	Critical	`((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND (version:>0 AND (version:<"15.0.66(%)" OR version:<"16.0.89(%)" OR version:<"17.0.3(%)"))`	Link	Link
SolarWinds Web Help Desk RCE (CVE-2025-26399)	software	Critical	`vendor:=SolarWinds AND (product:="Web Help Desk" OR product:="webhelpdesk") AND (version:>0 AND version:<12.8.7.2174)`	Link	Link
SonicWall SMA1000 < 12.4.3 Remote Code Execution	assets	Critical	`hw:="SonicWall SMA1000" AND (osversion:>0 AND osversion:<12.4.3)`	Link	Link
SonicWall SSLVPN Authentication Bypass (CVE-2024-53704)	assets	Critical	`os:SonicOS AND ( (osversion:>"6.0" AND osversion:<"6.5.5.1-6n") OR (osversion:>"7.0" AND osversion:<"7.0.1-5165") OR (osversion:>"7.1" AND osversion:<"7.1.3-7015") OR (hw:TZ80 AND osversion:>"8.0" AND osversion:<"8.0.0-8037"))`	Link	Link
Squid URN Handling Buffer Overflow (CVE-2025-54574)	software	Critical	`vendor:"Squid Cache" and product:"Squid" and version:>0 AND version:<6.4`	Link	Link
VMware vCenter Server 7.0 < 7.0 U3t / 8.0 < 8.0 U3d Multiple Vulnerabilities	software	Critical	`vendor:vmware AND (product:"vcenter server" OR product:"cloud foundation") AND ((version:>7.0 AND version:<"7.0.3 build-24322018") OR (version:>8.0 AND version:<"8.0.3 build-24322831"))`	Link	Link
Apache Tomcat 10.1.0-M1 < 10.1.43 Multiple Vulnerabilities	software	High	`product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.43)`	Link	Link
Apache Tomcat 10.1.0-M1 < 10.1.44 HTTP/2 MadeYouReset DoS	software	High	`product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.44)`	Link	Link
Apache Tomcat 11.0.0-M1 < 11.0.10 Multiple Vulnerabilities	software	High	`product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.10)`	Link	Link
Apache Tomcat 11.0.0-M1 < 11.0.9 Multiple Vulnerabilities	software	High	`product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.9)`	Link	Link
Apache Tomcat 9.0.0-M1 < 9.0.107 Multiple Vulnerabilities	software	High	`product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.107)`	Link	Link
Apache Tomcat 9.0.0-M1 < 9.0.108 HTTP/2 MadeYouReset DoS	software	High	`product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.108)`	Link	Link
Apache Tomcat Partial PUT Deserialization Vulnerability	software	High	`_asset.products:"Tomcat" AND product:"Tomcat" AND ((version:>=11.0.0 AND version:<11.0.3) OR (version:>=10.1.0 AND version:<10.1.35) OR (version:>=9.0.0 AND version:<9.0.99))`	Link	Link
Apple tvOS < 11.4 Multiple Vulnerabilities	assets	High	`os:"Apple tvOS" AND osversion:>0 AND osversion:<11.4`	Link	Link
Apple tvOS < 13.3.1 Multiple Vulnerabilities	assets	High	`os:"Apple tvOS" AND osversion:>0 AND osversion:<13.3.1`	Link	Link
Apple tvOS < 15.2 Multiple Vulnerabilities	assets	High	`os:"Apple tvOS" AND osversion:>0 AND osversion:<15.2`	Link	Link
Arcserve Unified Data Protection < 10.2 Heap Overflow Vulnerabilities	software	High	`(vendor:=Arcserve OR vendor:="Arcserve (USA)") AND (product:=UDP OR product:="Arcserve Unified Data Protection") AND version:>0 AND version:<10.2`	Link	Link
Atlassian Confluence 5.2 < 7.19.22 Remote Code Execution	software	High	`vendor:=Atlassian AND product:Confluence AND (version:>=5.2 AND version:<7.19.22)`	Link	Link
Cisco ConfD SSH Server Remote Code Execution	software	High	`vendor:="Cisco" AND product:="ConfD" AND ( (version:>"7.0.0.0" AND version:<"7.7.19.1") OR (version:>"8.0.0.0" AND version:<"8.0.17.1") OR (version:>"8.1.0.0" AND version:<"8.1.16.2") OR (version:>"8.2.0.0" AND version:<"8.2.11.1") OR (version:>"8.3.0.0" AND version:<"8.3.8.1") OR (version:>"8.4.0.0" AND version:<"8.4.4.1"))`	Link	Link
Cisco IOS XE Arbitrary File Upload	assets	High	os:="Cisco IOS XE" AND hw:"Catalyst" AND ( (osversion:>="17.7.0" AND osversion:<="17.7.1") OR (osversion:>="17.10.0" AND osversion:<="17.10.1") OR (osversion:>="17.8.0" AND osversion:<="17.8.1") OR (osversion:>="17.9.0" AND osversion:<="17.9.5") OR (osversion:>="17.11.0" AND osversion:<="17.11.1") OR (osversion:>="17.12.0" AND osversion:<="17.2.3") OR (osversion:>="17.13.0" AND osversion:<="17.13.1") OR (osversion:>="17.14.0" AND osversion:<="17.14.1") OR (osversion:>="17.11.0" AND osversion:<="17.11.99") )	Link	Link
Commvault Command Center Remote Code Execution	software	High	`vendor:="Commvault" AND product:="Command Center" AND version:>"11.38.0" AND version:<"11.38.20"`	Link	Link
ConnectWise ScreenConnect < 25.2.4 ViewState Code Injection	software	High	`vendor:=ConnectWise AND product:=ScreenConnect AND (version:>0 AND version:<25.2.4)`	Link	Link
Dell EMC Unity, UnityVSA, And Unity XT	assets	High	`os:"EMC Unity" AND osversion:>0 AND osversion:<5.5.0.0.0.5.259`	Link	Link
DrayTek Vigor2960/Vigor300B Command Injection	assets	High	`(hw:"DrayTek Vigor2960" OR hw:"DrayTek Vigor300b" OR hw:"DrayTek Vigor 2960" OR hw:"DrayTek Vigor 300b") AND osversion:>0 AND osversion:<"1.5.1.5"`	Link	Link
Eclipse Jetty 12.0 < 12.0.25 HTTP/2 MadeYouReset DoS	software	High	`(vendor:=Eclipse OR vendor:="Mort Bay") AND product:Jetty AND (version:>12 AND version:<12.0.25)`	Link	Link
Erlang OTP SSH Server Remote Code Execution	software	High	`_asset.protocols:ssh AND vendor:="Erlang" AND product:="SSH" AND ((version:>=5.2.0 AND version:<5.2.10) OR (version:>4.0.0.0 AND version:<4.15.3.12) OR (version:>5.1.0.0 AND version:<5.1.4.7))`	Link	Link
Langflow Authentication Bypass	software	High	`_asset.protocol:http AND vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.3.0)`	Link	Link
Lantronix Xport Authentication Bypass	assets	High	`hw:lantronix AND ((os:="Lantronix XPort%" AND not os:="Lantronix XPort Edge%") OR (lantronix.type:="XE" OR lantronix.type:="SE" OR lantronix.type:="AR" OR lantronix.type:="EH"))`	Link	Link
Multiple Vulnerabilities In Microsoft SQL Server	software	High	`vendor:=Microsoft AND (product:="SQL Server" OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.7055.9) OR (version:>=14.0.0 AND version:<14.0.3495.9) OR (version:>=15.0.0 AND version:<15.0.4435.7) OR (version:>=16.0.0 AND version:<16.0.4200.1))`	Link	Link
SAP NetWeaver Visual Composer Metadata Uploader Arbitrary File Upload	software	High	`vendor:="SAP" AND product:"NetWeaver" AND (version:>7.0 AND version:<7.55)`	Link	Link
Samsung MagicINFO Path Traversal Vulnerability	software	High	`vendor:="Samsung" AND product:"MagicINFO Server" AND version:>0 AND version:<"21.1052"`	Link	Link
Solr 5.0.0 < 8.4.0 Remote Code Execution	software	High	`vendor:=Apache AND product:Solr AND (version:>=5.0.0 AND version:<8.4.0)`	Link	Link
SysAid Help Desk XML Entity Remote Code Execution	software	High	`vendor:="SysAid" AND product:"Help Desk" AND version:>0 AND version:<24.4.60`	Link	Link
Trimble Cityworks File Deserialization Vulnerability	software	High	`vendor:="Trimble" AND product:="Cityworks" AND version:>0 AND version:<"23.10"`	Link	Link
VMware ESXi OpenSLP Heap Buffer Overflow	assets	High	fp.os.product:"ESX" and port:427 and ( fp.os.version:="1.%" or fp.os.version:="2.%" or fp.os.version:="3.%" or fp.os.version:="4.%" or fp.os.version:="5.%" or fp.os.version:="6.0%" or fp.os.version:="6.5.0 build-4564106" or fp.os.version:="6.5.0 build-4887370" or fp.os.version:="6.5.0 build-5146843" or fp.os.version:="6.5.0 build-5146846" or fp.os.version:="6.5.0 build-5224529" or fp.os.version:="6.5.0 build-5310538" or fp.os.version:="6.5.0 build-5969300" or fp.os.version:="6.5.0 build-5969303" or fp.os.version:="6.5.0 build-6765664" or fp.os.version:="6.5.0 build-7273056" or fp.os.version:="6.5.0 build-7388607" or fp.os.version:="6.5.0 build-7967591" or fp.os.version:="6.5.0 build-8285314" or fp.os.version:="6.5.0 build-8294253" or fp.os.version:="6.5.0 build-8935087" or fp.os.version:="6.5.0 build-9298722" or fp.os.version:="6.5.0 build-10175896" or fp.os.version:="6.5.0 build-10390116" or fp.os.version:="6.5.0 build-10719125" or fp.os.version:="6.5.0 build-10868328" or fp.os.version:="6.5.0 build-10884925" or fp.os.version:="6.5.0 build-11925212" or fp.os.version:="6.5.0 build-13004031" or fp.os.version:="6.5.0 build-13635690" or fp.os.version:="6.5.0 build-13873656" or fp.os.version:="6.5.0 build-13932383" or fp.os.version:="6.5.0 build-14320405" or fp.os.version:="6.5.0 build-14874964" or fp.os.version:="6.5.0 build-14990892" or fp.os.version:="6.5.0 build-15256468" or fp.os.version:="6.5.0 build-15177306" or fp.os.version:="6.5.0 build-15256549" or fp.os.version:="6.5.0 build-16207673" or fp.os.version:="6.5.0 build-16389870" or fp.os.version:="6.5.0 build-16576879" or fp.os.version:="6.5.0 build-16576891" or fp.os.version:="6.5.0 build-16901156" or fp.os.version:="6.5.0 build-17097218" or fp.os.version:="6.5.0 build-17167537" or fp.os.version:="6.7.0 build-8169922" or fp.os.version:="6.7.0 build-8941472" or fp.os.version:="6.7.0 build-9214924" or fp.os.version:="6.7.0 build-9484548" or fp.os.version:="6.7.0 build-10176752" or fp.os.version:="6.7.0 build-10176879" or fp.os.version:="6.7.0 build-10302608" or fp.os.version:="6.7.0 build-10764712" or fp.os.version:="6.7.0 build-11675023" or fp.os.version:="6.7.0 build-13004448" or fp.os.version:="6.7.0 build-12986307" or fp.os.version:="6.7.0 build-13006603" or fp.os.version:="6.7.0 build-13473784" or fp.os.version:="6.7.0 build-13644319" or fp.os.version:="6.7.0 build-13981272" or fp.os.version:="6.7.0 build-14141615" or fp.os.version:="6.7.0 build-14320388" or fp.os.version:="6.7.0 build-15018017" or fp.os.version:="6.7.0 build-15160134" or fp.os.version:="6.7.0 build-15160138" or fp.os.version:="6.7.0 build-15999342" or fp.os.version:="6.7.0 build-15820472" or fp.os.version:="6.7.0 build-16075168" or fp.os.version:="6.7.0 build-16316930" or fp.os.version:="6.7.0 build-16701467" or fp.os.version:="6.7.0 build-16713306" or fp.os.version:="6.7.0 build-16773714" or fp.os.version:="6.7.0 build-17167699" or fp.os.version:="6.7.0 build-17098360" or fp.os.version:="6.7.0 build-17167734" or fp.os.version:="7.0.0%" or fp.os.version:="7.0.1 build-16850804" or fp.os.version:="7.0.1 build-17119627" or fp.os.version:="7.0.1 build-17168206" or fp.os.version:="7.0.1 build-17325020")	Link	Link
AirPlay SDK Remote Code Execution (AirBorne)	software	Medium	`vendor:=Apple AND product:="airplay sdk%" AND ((version:>2.0 AND version:<2.7.1) OR (version:>3.0 AND version:<3.6.0.126))`	Link	Link
GitLab SAML Authentication Bypass	software	Medium	`vendor:=GitLab AND product:gitlab AND ((version:>17.9 AND version:<17.9.2) OR (version:>17.8 AND version:<17.8.5) OR (version:>17.7 AND version:<17.7.7))`	Link	Link
OpenSSH 9.1p1 Double-Free	services	Medium	`_asset.protocol:ssh AND protocol:ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")`	Link	Link
Plex Media Server 1.41.7.X To 1.42.0.X < 1.42.1 Undisclosed Vulnerability (CVE-2025-34158)	software	Medium	`vendor:=Plex AND product:"Media Server" AND (version:>0 AND version:<"1.42.1")`	Link	Link
lighttpd Web Server Out-of-Bounds Memory Read	services	Medium	`product:lighttpd (_service.product:=lighttpd:lighttpd:1.4.0% OR _service.product:=lighttpd:lighttpd:1.4.1% OR _service.product:=lighttpd:lighttpd:1.4.2% OR _service.product:=lighttpd:lighttpd:1.4.3% OR _service.product:=lighttpd:lighttpd:1.4.4%)`	Link	Link

Updated August 20, 2025

Previous: Rapid responses Next: Vulnerability templates