--- title: "Query library" --- **209** queries across **8** categories. ### Best Practice | Name | Severity | Type | Query | |------|----------|------|-------| | Google Workspace Account Without MFA | Medium | users | `source:googleworkspace isEnforcedIn2Sv:f` | | Active Directory Account Expires Soon | Low | users | `has:accountExpiresTS AND accountExpiresTS:<30days` | | Authenticated Web Service Without Encryption | Low | services | `(_asset.protocol:http AND not _asset.protocol:tls) AND ( html.inputs:"password:" OR last.html.inputs:"password:" OR has:http.head.wwwAuthenticate OR has:last.http.head.wwwAuthenticate )` | | HTTP Directory Indexing Enabled | Low | services | `_asset.protocol:=http AND protocol:=http AND has:html.title AND (html.title:="Index of /%" OR html.title:="HFS /%" OR html.title:="Directory listing%")` | | Network Time Protocol Service With Skewed Clock | Low | services | `_asset.protocol:ntp and protocol:ntp and has:ntp.skew` | | Obsolete SSL Protocol | Low | services | `(_asset.protocol:=tls OR _asset.protocol:=ssl2) AND (protocol:="tls" OR protocol:="ssl2") AND tls.supportedVersionNames:"SSL"` | | Open Wireless Network | Low | wireless | `auth:open` | | SMB Signing Not Required | Low | services | `(_asset.protocol:=smb1 OR _asset.protocol:=smb2 OR _asset.protocol:=smb3) AND (protocol:=smb1 OR protocol:=smb2 OR protocol:=smb3) AND has:smb.signing AND NOT smb.signing:required` | | SMB Version 1 Enabled | Low | services | `_asset.protocol:=smb1 protocol:=smb1` | | SNMP Default Community | Low | services | `_asset.protocol:snmp AND protocol:snmp AND has:snmp.defaultCommunities` | | Services Supporting TLS 1.0 | Low | services | `_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.0` | | Services Supporting TLS 1.1 | Low | services | `_asset.protocol:=tls AND tls.supportedVersionNames:TLSv1.1` | | Services Without HSTS | Low | services | `_asset.protocol:=tls AND protocol:=http protocol:=tls NOT has:http.head.strictTransportSecurity` | | Wireless Network Using WEP Encryption | Low | wireless | `enc:wep` | | Active Directory Account Password Does Not Expire | Info | users | `passwordNeverExpires:true` | ### Certificates | Name | Severity | Type | Query | |------|----------|------|-------| | Private Key Is Widely Shared | Medium | vulnerabilities | `source:runzero AND (foreign_id:=rz-ioasm-pubkey-widely-shared OR foreign_id:=rz-ioasm-pubkey-known-private)` | | Certificate With Insecure Public Key | Low | certificates | `public_key_insecure:true` | | Certificate With Insecure Signature Algorithm | Low | certificates | `signature_algorithm_insecure:true is_ca:false` | | Expired Certificate On TLS Service | Low | services | `_asset.protocol:tls AND tls.notAfterTS:now` | ### Compliance | Name | Severity | Type | Query | |------|----------|------|-------| | CISA BOD 26-02 End-Of-Support Edge Devices | Critical | assets | `(os_eol_extended:>0 AND os_eol_extended:<=now) AND has_public:t AND NOT (type:Server OR type:Desktop OR type:Laptop)` | | Kaspersky Lab Security Software | Info | assets | `edr.name:Kaspersky` | | Kaspersky Lab Software | Info | software | `vendor:=Kaspersky` | | NDAA 2019 Section 889 Equipment | Info | assets | `((mac_vendor:="zte corporation" OR mac_vendor:huawei OR mac_vendor:CRRC OR mac_vendor:dahua OR mac_vendor:hikvision OR mac_vendor:hisilicon OR mac_vendor:panda OR mac_vendor:dawning OR mac_vendor:hangzhou OR mac_vendor:hytera OR mac_vendor:inspur OR mac_vendor:"Aero Engine Corporation of China" OR mac_vendor:"Aviation Industry Corporation of China" OR mac_vendor:"China Aerospace" OR mac_vendor:"China Electronics" OR mac_vendor:"China General Nuclear Power" OR mac_vendor:"China Mobile" OR mac_vendor:"China National Nuclear Power" OR mac_vendor:"China North Industries Group" OR mac_vendor:"China Railway" OR mac_vendor:"China Shipbuilding" OR mac_vendor:"China South Industries Group" OR mac_vendor:"China State Shipbuilding" OR mac_vendor:"China Telecommunications" OR mac_vendor:ztec OR mac_vendor:ztek OR mac_vendor:"z-tec" OR mac_vendor:5shanghai OR mac_vendor:"Hella Sonnen" OR mac_vendor:anhui OR mac_vendor:"technology sdn bhd" OR mac_vendor:azteq) OR (hw:="ZTE%" OR hw:huawei OR hw:CRRC OR hw:dahua OR hw:hikvision OR hw:hisilicon OR hw:panda OR hw:dawning OR hw:hangzhou OR hw:hytera OR hw:inspur OR hw:"Aero Engine Corporation of China" OR hw:"Aviation Industry Corporation of China" OR hw:"China Aerospace" OR hw:"China Electronics" OR hw:"China General Nuclear Power" OR hw:"China Mobile" OR hw:"China National Nuclear Power" OR hw:"China North Industries Group" OR hw:"China Railway" OR hw:"China Shipbuilding" OR hw:"China South Industries Group" OR hw:"China State Shipbuilding" OR hw:"China Telecommunications" OR hw:ztec OR hw:ztek OR hw:"z-tec" OR hw:5shanghai OR hw:"Hella Sonnen" OR hw:anhui OR hw:"technology sdn bhd" OR hw:azteq))` | | Secure Networks Act Section 2 Equipment | Info | assets | `(hw:huawei OR hw:="zte%" OR hw:hytera OR hw:hikvision OR hw:dahua OR hw:"china mobile" OR hw:"china telecom" OR hw:"china unicom" OR hw:"pacific networks corp" OR hw:"comnet (usa) llc" OR hw:zhejiang) OR (mac_vendor:huawei OR mac_vendor:="zte%" OR mac_vendor:hytera OR mac_vendor:hikvision OR mac_vendor:dahua OR mac_vendor:"china mobile" OR mac_vendor:"china telecom" OR mac_vendor:"china unicom" OR mac_vendor:"pacific networks corp" OR mac_vendor:"comnet (usa) llc" OR mac_vendor:"zhejiang")` | ### End-of-Life | Name | Severity | Type | Query | |------|----------|------|-------| | Sangoma FreePBX | Critical | software | `((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND ((version:>="2.0.0(%)" AND version:<"3.0.0(%)") OR (version:>="12.0.0(%)" AND version:<"15.0.0(%)"))` | | Accellion File Transfer Appliance | High | assets | `hw:"Accellion File Transfer Appliance"` | | AutomationDirect MB-GATEWAY | High | assets | `hw:="AutomationDirect Modbus Gateway" OR hw:="Automation Direct Modbus Gateway"` | | Cisco Small Business Routers | High | assets | `hw:"Cisco RV0" OR hw:"Cisco RV110W" OR hw:"Cisco RV130" OR hw:"Cisco RV132W" OR hw:"Cisco RV134W" OR hw:"Cisco RV160" OR hw:"Cisco RV215" OR hw:"Cisco RV260" OR hw:"Cisco RV320" OR hw:"Cisco RV325" OR hw:"Cisco RV340" OR hw:"Cisco RV345" ` | | Cisco Small Business Switches | High | assets | `hw:"Cisco" and type:"switch" and ( hw:"SRW224G4-K9-" OR hw:"SRW2016-K9-" OR hw:"SG500X-" OR hw:"SF300-" OR hw:"SRW208G-K9-" OR hw:"SG300-" OR hw:"SRW2048-K9-" OR hw:"SLM2048PT-" OR hw:"SRW208-K9-" OR hw:"SF302-" OR hw:"SLM2008PT-" OR hw:"SLM224PT-" OR hw:"SF500-" OR hw:"SLM2008T-" OR hw:"SG500-" OR hw:"SG200-" OR hw:"SF200-" OR hw:"SLM224GT-" OR hw:"SLM2016T-")` | | End-of-Life Operating System | High | assets | `(os_eol_extended:>0 AND os_eol_extended:0 AND version:>=2 AND version:<5.1)` | ### Internet Exposure | Name | Severity | Type | Query | |------|----------|------|-------| | Publicly Exposed Configuration Database Server | High | services | `service_has_public:t AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)` | | Potential External Access To Internal Asset | Medium | vulnerabilities | `source:runzero AND (foreign_id:=rz-query-rz-ioasm-internal-mac OR foreign_id:=rz-query-rz-ioasm-internal-pubkey)` | | Potential External Access To Remote Desktop Service | Medium | assets | `has_public:t AND service_has_public:f AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )` | | Publicly Exposed Baseboard Management Controller | Medium | assets | `haspublic:t AND (type:bmc OR protocol:ipmi)` | | Publicly Exposed Remote Desktop Gateway | Medium | services | `service_has_public:t AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )` | | Publicly Exposed Remote Desktop Service | Medium | assets | `service_has_public:t AND ( ( _asset.protocol:rdp AND protocol:rdp ) OR ( _asset.protocol:vnc AND protocol:vnc ) OR ( _asset.protocol:teamviewer AND protocol:teamviewer ) OR ( _asset.protocol:spice AND protocol:spice ) )` | | Publicly Exposed SSH Server With Password Authentication | Medium | services | `service_has_public:t AND ( _asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password )` | | Publicly Exposed Windows Management Service | Medium | assets | `service_has_public:t AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )` | | Potential External Access To Configuration Database Server | Low | services | `has_public:t AND service_has_public:f AND (_asset.protocols:zookeeper OR _asset.protocols:etcd2 OR _asset.protocols:consul) AND (protocol:zookeeper OR protocol:etcd2 OR protocol:consul)` | | Potential External Access To Key-Value Database Server | Low | services | `has_public:t AND service_has_public:f AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)` | | Potential External Access To NoSQL Database Server | Low | services | `has_public:t AND service_has_public:f AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)` | | Potential External Access To Operational Technology Service | Low | services | `has_public:t AND service_has_public:f AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)` | | Potential External Access To Relational Database Server | Low | services | `has_public:t AND service_has_public:f AND (_asset.protocol:=mysql OR _asset.protocol:=mysqlx OR _asset.protocol:=postgresql OR _asset.protocol:=mssql OR _asset.protocol:=oracledb) AND (protocol:=mysql OR protocol:=mysqlx OR protocol:=postgresql OR protocol:=mssql OR protocol:=oracledb)` | | Potential External Access To Remote Desktop Gateway | Low | services | `has_public:t AND service_has_public:f AND ( (_asset.protocol:dtls OR _asset.protocol:http) AND ((protocol:dtls OR protocol:http) AND has:rdg.transport) )` | | Potential External Access To SSH Server With Password Authentication | Low | services | `has_public:t AND service_has_public:f AND (_asset.protocol:ssh AND protocol:ssh AND ssh.authMethods:password)` | | Potential External Access To Windows Management Service | Low | assets | `has_public:t AND service_has_public:f AND ( ( _asset.protocol:smb AND protocol:smb ) OR ( _asset.protocol:epm AND protocol:epm ) OR ( _asset.protocol:wsman AND protocol:wsman ) )` | | Publicly Exposed Key-Value Database Server | Low | services | `service_has_public:t AND (_asset.protocols:memcache OR _asset.protocols:redis) AND (protocol:memcache OR protocol:redis)` | | Publicly Exposed NoSQL Database Server | Low | services | `service_has_public:t AND (_asset.protocols:mongodb OR _asset.protocols:couchdb OR _asset.protocols:cassandra OR _asset.protocols:elasticsearch OR _asset.protocols:riak OR _asset.protocols:influxdb) AND (protocol:mongodb OR protocol:couchdb OR protocol:cassandra protocol:elasticsearch OR protocol:riak OR protocol:influxdb)` | | Publicly Exposed Operational Technology Service | Low | services | `service_has_public:t AND (_asset.protocols:bacnet OR _asset.protocols:modbus OR _asset.protocols:dnp3 OR _asset.protocols:opcua OR _asset.protocols:cip OR _asset.protocols:ethernetip OR _asset.protocols:profinet OR _asset.protocols:prosoft OR _asset.protocols:s7comm OR _asset.protocols:fins OR _asset.protocols:comtrol OR _asset.protocols:atg) AND (protocol:bacnet OR protocol:modbus OR protocol:dnp3 OR protocol:opcua OR protocol:cip OR protocol:ethernetip OR protocol:profinet OR protocol:prosoft OR protocol:s7comm OR protocol:fins OR protocol:comtrol OR protocol:atg)` | | Publicly Exposed Relational Database Server | Low | services | `service_has_public:t AND ( _asset.protocol:=mysql OR _asset.protocol:=mysqlx OR _asset.protocol:=postgresql OR _asset.protocol:=mssql OR _asset.protocol:=oracledb) AND (protocol:=mysql OR protocol:=mysql OR protocol:=postgresql OR protocol:=mssql OR protocol:=oracledb)` | ### Open Access | Name | Severity | Type | Query | |------|----------|------|-------| | Cisco Smart Install Service | Critical | services | `_asset.protocol:ciscosmi protocol:ciscosmi` | | Sun Solaris sadmind RPC Service | Critical | services | `_asset.protocol:=rpcbind protocol:=rpcbind rpcbind.programs:"100232-v10-"` | | Unauthenticated Android Debug Bridge | Critical | services | `_asset.protocol:=adb AND protocol:=adb AND has:adb.access AND adb.access:="allowed"` | | Unauthenticated Apache ZooKeeper Database | Critical | services | `_asset.protocol:zookeeper AND protocol:zookeeper AND zk.access:allowed` | | Unauthenticated CNCF etcd Database | Critical | services | `_asset.protocol:etcd2 protocol:etcd2 etcd2.access:allowed` | | Unauthenticated Distributed Ruby Service | Critical | services | `_asset.protocol:=drbd AND protocol:=drbd` | | Unauthenticated MongoDB Database | Critical | services | `_asset.protocol:=mongodb AND protocol:=mongodb AND mongodb.auth:open` | | Zabbix Agent Without ACL | Critical | services | `_asset.protocol:=zabbix-agent AND protocol:=zabbix-agent AND NOT zabbix.isLocal:true` | | Unauthenticated Apache CouchDB Database | High | services | `_asset.protocol:=couchdb AND protocol:=couchdb` | | Unauthenticated Cassandra Database | High | services | `_asset.protocol:=cassandra AND protocol:=cassandra` | | Unauthenticated Elastic Search Database | High | services | `_asset.protocol:elasticsearch AND protocol:elasticsearch` | | Unauthenticated HashiCorp Consul Database | High | services | `_asset.protocol:consul protocol:consul has:consul.config.datacenter` | | Unauthenticated InfluxDB Database | High | services | `_asset.protocol:=influxdb AND protocol:=influxdb AND has:influxdb.databases` | | Unauthenticated Memcached Database | High | services | `_asset.protocol:memcache AND protocol:memcache` | | Unauthenticated Redis Database | High | services | `_asset.protocol:redis AND protocol:redis AND has:redis.redisVersion` | | Unauthenticated Riak Database | High | services | `(_asset.protocol:riak AND protocol:riak) OR (_asset.protocol:riak-http AND protocol:riak-http)` | | Click Modular Router Shell | Medium | services | `_asset.protocol:=click protocol:=click` | | Unauthenticated MongoDB Database (Limited) | Medium | services | `_asset.protocol:mongodb AND protocol:mongodb AND mongodb.auth:limited` | | World-Readable NFS Export | Medium | services | `_asset.protocol:=mountd AND protocol:="mountd" AND nfs.allowed:"%=*"` | ### Rapid Response | Name | Severity | Type | Query | |------|----------|------|-------| | Rapid Response: Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2026-20963) | Critical | software | `vendor:=Microsoft AND ( (product:="SharePoint Server 2016" AND (version:>=16.0.4107.1002 AND version:<16.0.5535.1001)) OR (product:="SharePoint Server 2019" AND (version:>=16.0.10711.37301 AND version:<16.0.10417.20083)) OR (product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19127.20442)) )` | | Rapid Response: Cisco Integrated Management Controller Multiple Vulnerabilities (2026-04) | Info | software | `vendor:=Cisco AND product:="Integrated Management Controller"` | | Rapid Response: Cisco Smart Software Manager On-Prem Multiple Vulnerabilities (2026-04) | Info | services | `_asset.protocol:http AND protocol:http AND html.title:="On-Prem License Workspace"` | | Rapid Response: Citrix Hypervisor Multiple Vulnerabilities (2026-04) | Info | assets | `os:="Citrix XenServer"` | | Rapid Response: CrowdStrike Falcon LogScale Unauthenticated Path Traversal (CVE-2026-40050) | Info | services | `_asset.protocol:http AND protocol:http AND (http.head.server:="Humio-%" OR last.http.head.server:="Humio-%")` | | Rapid Response: Fortinet FortiClient Endpoint Management Server API Auth Bypass (CVE-2026-35616) | Info | services | `_asset.protocol:http AND protocol:http AND favicon.ico.image.mmh3:=-800551065` | | Rapid Response: Fortinet FortiSandbox Multiple Vulnerabilities (2026-04) | Info | assets | `os:="Fortinet FortiSandbox%"` | | Rapid Response: LiteLLM Proxy Multiple Vulnerabilities (2026-04) | Info | services | `_asset.protocol:http AND protocol:http AND (html.title:="LiteLLM%" OR last.html.title:="LiteLLM%")` | | Rapid Response: Progress ShareFile Storage Zones Controller Multiple Vulnerabilities (2026-04) | Info | software | `(vendor:="Progress Software" OR vendor:=Citrix OR vendor:=ShareFile) AND (product:="ShareFile Storage Zones Controller" OR product:="ShareFile StorageZones Controller")` | ### Vulnerability | Name | Severity | Type | Query | |------|----------|------|-------| | Adobe Commerce & Magento Session Takeover With Unconfirmed RCE (CVE-2025-54236) | Critical | software | `vendor:=Adobe AND product:=Magento AND (version:>0 AND version:<="2.4.9-alpha2")` | | AirPlay Protocol Remote Code Execution (AirBorne) | Critical | assets | `hw:="apple%" AND protocol:airplay AND ( (os:="apple macos" AND ((osversion:>"13.0" AND osversion:<"13.7.5") OR (osversion:>"14.0" AND osversion:<"14.7.5") OR (osversion:>"15.0" AND osversion:<"15.4"))) OR (os:="apple ipados" AND ((osversion:>"17.0" AND osversion:<"17.7.6") OR (osversion:>"18.0" AND osversion:<"18.4"))) OR ((os:="apple tvos" OR os:="apple audioos") AND osversion:>0 AND osversion:<"18.4") OR (os:="apple ios" AND osversion:>0 AND osversion:<"18.4") OR (os:="apple visionos" AND osversion:>0 AND osversion:<"2.4") )` | | Apache 2.4.49 < 2.4.51 Information Disclosure | Critical | software | `_asset.protocol:=http product:HTTPD AND version:>=2.4.49 AND version:<2.4.51` | | Apache ActiveMQ Remote Code Execution (CVE-2023-46604) | Critical | software | `_asset.protocol:=activemq AND product:ActiveMQ AND ((version:>0 AND version:<5.15.16) OR (version:>=5.16.0 AND version:<5.16.7) OR (version:>=5.17.0 AND version:<5.17.6) OR (version:>=5.18.0 AND version:<5.18.3))` | | Apache Solr Log4Shell Remote Code Execution | Critical | software | `vendor:=Apache AND product:Solr AND ((version:>=7.4.0 AND version:<7.7.3) OR (version:>=8.0.0 AND version:<8.11.0))` | | Apache Tomcat 10.1.0-M1 < 10.1.34 Multiple Vulnerabilities | Critical | software | `product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.34)` | | Apache Tomcat 11.0.0-M1 < 11.0.2 Multiple Vulnerabilities | Critical | software | `product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.2)` | | Apache Tomcat 9.0.0-M1 < 9.0.98 Multiple Vulnerabilities | Critical | software | `product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.98)` | | Apple tvOS < 16.2 Multiple Vulnerabilities | Critical | assets | `os:"Apple tvOS" AND osversion:>0 AND osversion:<16.2` | | Apple tvOS < 18.6 Multiple Vulnerabilities | Critical | assets | `os:"Apple tvOS" AND osversion:>0 AND osversion:<18.6` | | Apple tvOS < 26 Multiple Vulnerabilities | Critical | assets | `os:"Apple tvOS" AND osversion:>0 AND osversion:<26` | | Atlassian Confluence 8.0 < 8.5.4 Remote Code Execution | Critical | software | `vendor:=Atlassian AND product:Confluence AND (version:>=8.0 AND version:<8.5.4)` | | Atlassian Confluence Cross-Site Scripting (CVE-2024-4367) | Critical | software | `vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<7.19.25) OR (version:>=7.20.0 AND version:<8.5.11) OR (version:>=8.6.0 AND version:<8.9.3)) ` | | Atlassian Confluence Path Traversal (CVE-2019-3396) | Critical | software | `vendor:=Atlassian AND product:Confluence AND NOT type:=Mobile AND ( (version:>0 AND version:<6.6.12) OR (version:>=6.7.0 AND version:<6.12.3) OR (version:>=6.13.0 AND version:<6.13.3) OR (version:>=6.14.0 AND version:<6.14.2))` | | Atlassian Confluence Privilege Escalation (CVE-2023-22515) | Critical | software | `vendor:=Atlassian AND product:Confluence AND ( (version:>=8.0 AND version:<8.3.3) OR (version:>=8.4.0 AND version:<8.4.3) OR (version:>=8.5.0 AND version:<8.5.2))` | | Atlassian Confluence Remote Code Execution (CVE-2021-26084) | Critical | software | `vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.13.23) OR (version:>=6.14.0 AND version:<7.4.11) OR (version:>=7.5.0 AND version:<7.11.6) OR (version:>=7.12.0 AND version:<7.12.5)) ` | | Atlassian Confluence Remote Code Execution (CVE-2022-26134) | Critical | software | `vendor:=Atlassian AND product:Confluence AND ( (version:>=1.3.0 AND version:<7.4.17) OR (version:>=7.13.0 AND version:<7.13.7) OR (version:>=7.14.0 AND version:<7.14.3) OR (version:>=7.15.0 AND version:<7.15.2) OR (version:>=7.16.0 AND version:<7.16.4) OR (version:>=7.17.0 AND version:<7.17.4) OR (version:>=7.18.0 AND version:<7.18.1) OR )` | | Atlassian Confluence Server-Side Request Forgery (CVE-2019-3395) | Critical | software | `vendor:=Atlassian AND product:Confluence AND ( (version:>0 AND version:<6.6.7) OR (version:>=6.7.0 AND version:<6.8.5) OR (version:>=6.9.0 AND version:<6.9.3))` | | Broadcom VMware ESXi Guest Escape | Critical | assets | `os:"vmware esxi" AND ((os_version:>0 AND os_version:<6) OR (os_version:>6 AND os_version:<"6.7.0 build-24514018") OR (os_version:>7 AND os_version:<"7.0.3 build-24585291") OR (os_version:>8 AND os_version:<"8.0.2") OR (os_version:>"8.0.2" AND os_version:<"8.0.2 build-24585300") OR (os_version:>"8.0.3" AND os_version:<"8.0.3 build-24585383"))` | | Broadcom VMware ESXi VM Escape | Critical | assets | `os:"vmware esxi" AND ((os_version:>7 AND os_version:<"7.0.3 build-24784741") OR (os_version:>8 AND (os_version:<"8.0.2 build-24789317" OR os_version:<"8.0.3 build-24784735")))` | | Cacti < 1.2.23 Remote Code Execution | Critical | software | `_asset.products:Cacti AND vendor:=Cacti AND product:Cacti AND (version:>0 AND version:<1.2.23)` | | Cisco Secure Firewall Management Center Multiple Vulnerabilities (2026-03) | Critical | assets | `os:="Cisco FMC%" AND os_version:>0 AND ((os_version:>="6.4.0.13" AND os_version:<="6.4.0.18") OR (os_version:>="7.0.0" AND os_version:<"7.0.9") OR (os_version:>="7.1.0" AND os_version:<"7.2.11") OR (os_version:>="7.3.0" AND os_version:<"7.4.6") OR (os_version:>="7.6.0" AND os_version:<"7.6.5") OR (os_version:>="7.7.0" AND os_version:<"7.7.12") OR (os_version:="10.0.0"))` | | Cisco Small Business RV Series Routers Stack-Based Buffer Overflow Vulnerability (CVE-2022-20700) | Critical | assets | `((hw:="Cisco RV160%" OR hw:="Cisco RV260%") AND (os_version:>0 AND os_version:<="1.0.01.05")) OR ((hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24"))` | | Cisco Small Business RV Series VPN Routers Remote Code Execution Vulnerability (CVE-2022-20699) | Critical | assets | `(hw:="Cisco RV340%" OR hw:="Cisco RV345%") AND (os_version:>0 AND os_version:<="1.0.03.24")` | | Cleo Harmony < 5.8.0.21 Unrestricted File Upload/Download | Critical | software | `vendor:=Cleo AND product:harmony AND (version:>0 AND version:<5.8.0.21)` | | Cleo Lexicom < 5.8.0.21 Unrestricted File Upload/Download | Critical | software | `vendor:=Cleo AND product:lexicom AND (version:>0 AND version:<5.8.0.21)` | | Cleo VLTrader < 5.8.0.21 Unrestricted File Upload/Download | Critical | software | `vendor:=Cleo AND product:vltrader AND (version:>0 AND version:<5.8.0.21)` | | ConnectWise ScreenConnect < 23.9.8 Remote Code Execution | Critical | software | `vendor:=ConnectWise AND product:ScreenConnect AND (version:>0 AND version:<23.9.8)` | | Elastic Kibana 8.15.0 < 8.17.3 Remote Code Execution | Critical | software | `vendor:=Elastic AND product:kibana AND (version:>8.14 AND version:<8.17.3)` | | Elasticsearch < 1.2 Remote Code Execution | Critical | software | `vendor:=Elastic AND (product:=Search OR product:=Elasticsearch) AND ( (version:>0 AND version:<1.2 AND NOT version:"0:%") OR (version:"0:%" AND version:>"0:0" AND version:<"0:1.2"))` | | F5 Big-IP Remote Code Execution (CVE-2021-22986) | Critical | assets | `os:="F5 Networks BIG-IP" AND ( (osversion:>"12.1" AND osversion:<"12.1.5.3") OR (osversion:>"13.1" AND osversion:<"13.1.3.6") OR (osversion:>"14.1" AND osversion:<"14.1.4") OR (osversion:>"15.1" AND osversion:<"15.1.2.1") OR (osversion:>"16.0" AND osversion:<"16.0.1.1") )` | | Fortinet FortiOS Out-Of-Bound Write Vulnerability (CVE-2024-21762) | Critical | assets | `os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.14") OR (os_version:>="2.0.0" AND os_version:<"2.0.14") OR (os_version:>="1.2.0" AND os_version:<"1.2.14") OR (os_version:>="1.1.0" AND os_version:<"1.1.7") OR (os_version:>="1.0.0" AND os_version:<"1.0.8"))` | | Fortinet Multiple Products Format String Vulnerability (CVE-2024-23113) | Critical | assets | `(os:="Fortinet FortiOS" AND ((os_version:>="7.4.0" AND os_version:<"7.4.3") OR (os_version:>="7.2.0" AND os_version:<"7.2.7") OR (os_version:>="7.0.0" AND os_version:<"7.0.15"))) OR (os:="Fortinet FortiPAM" AND ((os_version:>="1.0.0" AND os_version:<"1.0.4") OR (os_version:>="1.1.0" AND os_version:<"1.1.3") OR (os_version:="1.2.0")))` | | Fortra GoAnywhere MFT License Servlet Deserialization Vulnerability (CVE-2025-10035) | Critical | software | `vendor:=Fortra AND product:="GoAnywhere Managed File Transfer" AND (version:>0 AND version:<7.8.4 AND NOT version:=7.6.3)` | | GitLab Remote Code Execution (CVE-2021-22205) | Critical | software | `vendor:=GitLab AND product:gitlab AND ((version:>11.9 AND version:<13.8.7) OR (version:>13.9 AND version:<13.9.5) OR (version:>13.10 AND version:<13.10.2))` | | Grandstream GXP1600 Series VoIP Phone RCE (CVE-2026-2329) | Critical | assets | `hw:="Grandstream GXP16__" AND (os_version:>0 AND os_version:<"1.0.7.81")` | | HPE OneView Remote Code Execution (CVE-2025-37164) | Critical | software | `vendor:="HPE" AND product:="OneView" AND version:>0 AND version:<=10.20` | | HPE iLO 4 Authentication Bypass | Critical | assets | `os:"iLO 4" and os_version:>0 AND os_version:<2.53` | | HashiCorp Vault Multiple Vulnerabilities - HCSEC-2025-22 | Critical | software | `vendor:="HashiCorp" AND product:"Vault" AND ( (version:>=1.20.0 AND version:<1.20.2) OR (version:>=1.19.0 AND version:<1.19.8) OR (version:>=1.18.0 AND version:<1.18.13) OR (version:>0 AND version:<1.16.24))` | | IPMI 1.5 Legacy Null Authentication | Critical | services | `_asset.protocols:ipmi AND ipmi.passAuth:none` | | IPMI Cipher Zero Authentication Bypass (CVE-2013-4782) | Critical | services | `_asset.protocols:ipmi AND has:ipmi.cipherZero` | | IPMI RAKP+ Weak Or Default Passwords (CVE-2013-4786) | Critical | services | `_asset.protocols:ipmi AND has:ipmi.rakp.cracked` | | Langflow RCE (CVE-2026-33017) | Critical | software | `vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.8.2)` | | Microsoft OMI WSMAN Authentication Bypass | Critical | services | `_asset.protocol:wsman AND wsman.productVendor:="Open Management Infrastructure" AND (wsman.productVersion:=0.% or wsman.productVersion:=1.0.% or wsman.productVersion:=1.1.% or wsman.productVersion:1.2.% or wsman.productVersion:=1.3.% or wsman.productVersion:=1.4.% or wsman.productVersion:=1.5.% or wsman.productVersion:=1.6.0-% or wsman.productVersion:=1.6.1-% or wsman.productVersion:=1.6.2-% or wsman.productVersion:=1.6.3-% or wsman.productVersion:=1.6.4-% or wsman.productVersion:=1.6.5-% or wsman.productVersion:=1.6.6-% or wsman.productVersion:=1.6.7-% or wsman.productVersion:=1.6.8-0)` | | MikroTik Router OS Directory Traversal Vulnerability (CVE-2018-14847) | Critical | assets | `os:="MikroTik RouterOS" AND (os_version:>"0" AND os_version:<="6.42")` | | Monsta FTP RCE (CVE-2025-34299) | Critical | software | `vendor:="Monsta Limited" AND product:="Monsta FTP" AND version:>0 AND version:<2.11.3` | | Multiple Fortinet Products Authentication Bypass (CVE-2025-59718 and CVE-2025-59719) | Critical | assets | `os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17"))` | | Multiple Fortinet Products Buffer Overflow | Critical | assets | `hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:="7.2.0") OR (osversion:>"7.0.0" AND osversion:<"7.0.7") OR (osversion:>="6.4.0" AND osversion:<"6.4.11"))` | | Novi Survey Insecure Deserialization Vulnerability | Critical | software | `vendor:="3rd Millennium" AND product:="Novi Survey" AND (version:>"0" AND version:<"8.9.43676") ` | | PHP 8.1.0 < 8.1.29 Multiple Vulnerabilities | Critical | software | `os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.1 AND version:<8.1.29)` | | PHP 8.2.0 < 8.2.20 Multiple Vulnerabilities | Critical | software | `os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.2 AND version:<8.2.20)` | | PHP 8.3.0 < 8.3.8 Multiple Vulnerabilities | Critical | software | `os:"Windows" AND _asset.products:apache AND product:PHP AND (version:>8.3 AND version:<8.3.8)` | | Palo Alto Networks PAN-OS Authentication Bypass | Critical | assets | `os:="Palo Alto Networks PAN-OS" AND (osversion:>"11.1.6-h1" AND osversion:<11.2.4-h4) AND (osversion:>"10.2.13-h3" AND osversion:<11.1.6-h1) AND (osversion:>"10.1.14-h9" AND osversion:<"10.2.13-h3") AND (osversion:>"10.1.0" AND osversion:<"10.1.14-h9")` | | Plesk Panel 9.0.X < 9.2.3 Remote Code Execution | Critical | software | `not os:Windows AND vendor:=parallels AND product:=plesk AND (version:>9.0.0 AND version:<9.5.4)` | | Redis Multiple Vulnerabilities (2025-10) | Critical | software | `vendor:=Redis AND product:=Redis AND (version:>0 AND ( (version:>=6.2 AND version:<6.2.20) OR (version:>=7.2 AND version:<7.2.11) OR (version:>=7.4 AND version:<7.4.6) OR (version:>=8.0 AND version:<8.0.4) OR (version:>=8.2 AND version:<8.2.2)))` | | Rejetto HTTP File Server 2 Remote Code Execution | Critical | software | `vendor:=Rejetto AND product:"HTTP File Server" AND version:>0 AND version:<3` | | Rejetto HTTP File Server 2.0 < 2.3M Remote Code Execution | Critical | software | `os:Windows AND vendor:=Rejetto AND product:"HTTP File Server" AND version:>=2.0 AND version:<"2.3m" ` | | Rockwell Automation ControlLogix Ethernet RCE (CVE-2025-7353) | Critical | services | `((_asset.protocol:="cip" OR asset.protocol:="cip-udp") AND protocol:"cip" AND (cip.product:="1756-EN2T/D" OR cip.product:="1756-EN2F/C" OR cip.product:="1756-EN2TR/C" OR cip.product:="1756-EN3TR/B" OR cip.product:="1756-EN2TP/A") AND (cip.revision:>"0" AND (cip.revision:<"12" OR cip.revision:"12.0%"))) OR ((_asset.protocol:="ethernetip" OR asset.protocol:="ethernetip-udp") AND protocol:"ethernetip" AND (ethernetip.product:="1756-EN2T/D" OR ethernetip.product:="1756-EN2F/C" OR ethernetip.product:="1756-EN2TR/C" OR ethernetip.product:="1756-EN3TR/B" OR ethernetip.product:="1756-EN2TP/A") AND (ethernetip.revision:>"0" AND (ethernetip.revision:<"12" OR ethernetip.revision:"12.0%")))` | | Roundcube Webmail Remote Code Execution | Critical | software | `vendor:=Roundcube AND product:=Webmail AND ((version:>=1.5 AND version:<1.5.10) OR (version:>=1.6 AND version:<1.6.11))` | | SAP NetWeaver (RMI-P4) Insecure Deserialization (CVE-2025-42944) | Critical | software | `vendor:=SAP AND product:"NetWeaver" AND (version:>0 AND version:<=7.50)` | | Sangoma FreePBX RCE (CVE-2025-57819) | Critical | software | `((vendor:=FreePBX AND product:=PBX) OR (vendor:=Sangoma AND product:=FreePBX)) AND (version:>0 AND (version:<"15.0.66(%)" OR version:<"16.0.89(%)" OR version:<"17.0.3(%)"))` | | SolarWinds Web Help Desk Multiple Vulnerabilities (2026-01) | Critical | software | `vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.8.2585)` | | SolarWinds Web Help Desk RCE (CVE-2025-26399) | Critical | software | `vendor:=SolarWinds AND product:="Web Help Desk" AND (version:>0 AND version:<12.8.7.2174)` | | SonicWall SMA1000 < 12.4.3 Remote Code Execution | Critical | assets | `hw:="SonicWall SMA1000" AND (osversion:>0 AND osversion:<12.4.3)` | | SonicWall SSLVPN Authentication Bypass (CVE-2024-53704) | Critical | assets | `os:SonicOS AND ( (osversion:>"6.0" AND osversion:<"6.5.5.1-6n") OR (osversion:>"7.0" AND osversion:<"7.0.1-5165") OR (osversion:>"7.1" AND osversion:<"7.1.3-7015") OR (hw:TZ80 AND osversion:>"8.0" AND osversion:<"8.0.0-8037"))` | | SonicWall SonicOS Buffer Overflow Vulnerability (CVE-2020-5135) | Critical | assets | `os:="SonicWall SonicOS" AND (os_version:="7.0.0.0" OR os_version:="6.5.4.7" OR os_version:="6.5.1.12" OR os_version:="6.0.5.3" OR os_version:="6.5.4.v")` | | SonicWall SonicOS Improper Access Control Vulnerability (CVE-2024-40766) | Critical | assets | `hw:="SonicWall%" AND ((os_version:>0 AND os_version:<"5.9.2.14-13o") OR (os_version:>"6.0" AND os_version:<"6.5.4.15.116n") OR (os_version:>"7.0" AND os_version:<"7.0.1-5035") OR (os_version:>"6.0" AND os_version:<"6.5.2.8-2n" AND (hw:"SM9800" OR hw:"NSsp 12400" OR hw:"NSsp 12800")))` | | Squid Information Disclosure (CVE-2025-62168) | Critical | software | `vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<7.2)` | | Squid URN Handling Buffer Overflow (CVE-2025-54574) | Critical | software | `vendor:="Squid Cache" AND product:=Squid AND (version:>0 AND version:<6.4)` | | UniFi Network Application Multiple Vulnerabilities (2026-03) | Critical | software | `vendor:=Ubiquiti AND product:="UniFi Network" AND version:>0 AND (version:<9.0.118 OR (version:>=10.1.0 AND version:<10.1.89) OR (version:>=10.2.0 AND version:<10.2.97))` | | VMware vCenter Server 7.0 < 7.0 U3t / 8.0 < 8.0 U3d Multiple Vulnerabilities | Critical | software | `vendor:=VMware AND (product:"vcenter server" OR product:"cloud foundation") AND ((version:>7.0 AND version:<"7.0.3 build-24322018") OR (version:>8.0 AND version:<"8.0.3 build-24322831"))` | | Valkey Multiple Vulnerabilities (2025-10) | Critical | software | `(vendor:=valkey OR vendor:="Fedora Project") AND product:=valkey AND (version:>0 AND ( (version:>=7.2 AND version:<7.2.11) OR (version:>=8.0 AND version:<8.0.6) OR (version:>=8.1 AND version:<8.1.4)))` | | Veeam Backup & Replication Multiple Vulnerabilities (2026-03) | Critical | software | `vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND ((version:>=12.3 AND version:<12.3.2.4465) OR (version:>=13.0 AND version:<13.0.1.2067))` | | Veeam Backup & Replication RCE Multiple Vulnerabilities (2025-10) | Critical | software | `vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication") AND (version:>0 AND version:>=12 AND version:<12.3.2.4165)` | | Zyxel Multiple Firewalls Buffer Overflow Vulnerability (CVE-2023-33009) | Critical | assets | `((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel USG20W-VPN" OR os:="Zyxel USG20-VPN" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.36")) OR ((os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.60" AND os_version:<="4.73"))` | | Zyxel Multiple Firewalls Buffer Overflow Vulnerability (CVE-2023-33010) | Critical | assets | `(os:="Zyxel ATP%" AND (os_version:>="4.32" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="4.25" AND os_version:<="5.36")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="4.25" AND os_version:<="5.36")) OR ((os:="Zyxel USG20%" OR os:="Zyxel USG40%" OR os:="Zyxel USG60%") AND (os_version:>="4.50" AND os_version:<="5.36")) OR (os:="Zyxel USG Flex%" AND (os_version:>="4.25" AND os_version:<="4.73" AND not os:="Zyxel USG Flex 50W")) OR (os:="Zyxel VPN%" AND (os_version:>="4.30" AND os_version:<="5.36"))` | | Zyxel Multiple Firewalls OS Command Injection Vulnerability (CVE-2023-28771) | Critical | assets | `((os:="Zyxel ATP%" OR os:="Zyxel USG Flex%" OR os:="Zyxel VPN%") AND (os_version:>="4.60" AND os_version:<="5.35")) OR ((os:="Zyxel %USG100" OR os:="Zyxel %USG300") AND (os_version:>="4.60" AND os_version:<="4.73"))` | | Zyxel Multiple Firewalls Path Traversal Vulnerability (CVE-2024-11667) | Critical | assets | `(os:="Zyxel ATP%" AND (os_version:>="5.00" AND os_version:<"5.39")) OR (os:="Zyxel USG20W-VPN" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex 50W" AND (os_version:>="5.10" AND os_version:<"5.39")) OR (os:="Zyxel USG Flex%" AND (os_version:>="5.00" AND os_version:<"5.39"))` | | n8n Unauthenticated File Access (CVE-2026-21858) | Critical | software | `vendor:=n8n AND product:=n8n AND version:>0 AND (version:>=1.65.0 AND version:<1.121.0) ` | | Apache Tomcat 10.1.0-M1 < 10.1.43 Multiple Vulnerabilities | High | software | `product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.43)` | | Apache Tomcat 10.1.0-M1 < 10.1.44 HTTP/2 MadeYouReset DoS | High | software | `product:Tomcat AND (version:>10.1.0-M1 AND version:<10.1.44)` | | Apache Tomcat 11.0.0-M1 < 11.0.10 Multiple Vulnerabilities | High | software | `product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.10)` | | Apache Tomcat 11.0.0-M1 < 11.0.9 Multiple Vulnerabilities | High | software | `product:Tomcat AND (version:>11.0.0-M1 AND version:<11.0.9)` | | Apache Tomcat 9.0.0-M1 < 9.0.107 Multiple Vulnerabilities | High | software | `product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.107)` | | Apache Tomcat 9.0.0-M1 < 9.0.108 HTTP/2 MadeYouReset DoS | High | software | `product:Tomcat AND (version:>9.0.0-M1 AND version:<9.0.108)` | | Apache Tomcat Partial PUT Deserialization Vulnerability | High | software | `_asset.products:"Tomcat" AND product:"Tomcat" AND ((version:>=11.0.0 AND version:<11.0.3) OR (version:>=10.1.0 AND version:<10.1.35) OR (version:>=9.0.0 AND version:<9.0.99))` | | Apple Device Ecosystem Multiple Vulnerabilities (Coruna) | High | assets | `(os:="apple ios" OR os:="apple ipados" ) AND ((osversion:>="17.0" AND osversion:<"17.5") OR (osversion:>="16.0" AND osversion:<"16.7.8") OR (osversion:>="15.0" AND osversion:<"15.7.8") OR (osversion:>="13.0" AND osversion:<"14.7"))` | | Apple Device Ecosystem Multiple Vulnerabilities (DarkSword) | High | assets | `(os:="apple ios" OR os:="apple ipados" OR os:="apple tvos" OR os:="apple macos" OR os:="apple watchos" OR os:="apple visionos") AND osversion:>0 AND ( (osversion:>="26.0" AND osversion:<"26.3") OR (osversion:>="18.0" AND osversion:<"18.7.3") )` | | Apple tvOS < 11.4 Multiple Vulnerabilities | High | assets | `os:"Apple tvOS" AND osversion:>0 AND osversion:<11.4` | | Apple tvOS < 13.3.1 Multiple Vulnerabilities | High | assets | `os:"Apple tvOS" AND osversion:>0 AND osversion:<13.3.1` | | Apple tvOS < 15.2 Multiple Vulnerabilities | High | assets | `os:"Apple tvOS" AND osversion:>0 AND osversion:<15.2` | | Arcserve Unified Data Protection < 10.2 Heap Overflow Vulnerabilities | High | software | `vendor:=Arcserve AND product:=UDP AND version:>0 AND version:<10.2` | | Atlassian Confluence 5.2 < 7.19.22 Remote Code Execution | High | software | `vendor:=Atlassian AND product:Confluence AND (version:>=5.2 AND version:<7.19.22)` | | Cisco ConfD SSH Server Remote Code Execution | High | software | `vendor:="Cisco" AND product:="ConfD" AND ( (version:>"7.0.0.0" AND version:<"7.7.19.1") OR (version:>"8.0.0.0" AND version:<"8.0.17.1") OR (version:>"8.1.0.0" AND version:<"8.1.16.2") OR (version:>"8.2.0.0" AND version:<"8.2.11.1") OR (version:>"8.3.0.0" AND version:<"8.3.8.1") OR (version:>"8.4.0.0" AND version:<"8.4.4.1"))` | | Cisco IOS XE Arbitrary File Upload | High | assets | `os:="Cisco IOS XE" AND hw:"Catalyst" AND ( (osversion:>="17.7.0" AND osversion:<="17.7.1") OR (osversion:>="17.10.0" AND osversion:<="17.10.1") OR (osversion:>="17.8.0" AND osversion:<="17.8.1") OR (osversion:>="17.9.0" AND osversion:<="17.9.5") OR (osversion:>="17.11.0" AND osversion:<="17.11.1") OR (osversion:>="17.12.0" AND osversion:<="17.2.3") OR (osversion:>="17.13.0" AND osversion:<="17.13.1") OR (osversion:>="17.14.0" AND osversion:<="17.14.1") OR (osversion:>="17.11.0" AND osversion:<="17.11.99") )` | | Commvault Command Center Remote Code Execution | High | software | `vendor:="Commvault" AND product:="Command Center" AND version:>"11.38.0" AND version:<"11.38.20"` | | ConnectWise ScreenConnect < 25.2.4 ViewState Code Injection | High | software | `vendor:=ConnectWise AND product:=ScreenConnect AND (version:>0 AND version:<25.2.4)` | | Dell EMC Unity, UnityVSA, And Unity XT | High | assets | `os:"EMC Unity" AND osversion:>0 AND osversion:<5.5.0.0.0.5.259` | | DrayTek Vigor2960/Vigor300B Command Injection | High | assets | `(hw:"DrayTek Vigor2960" OR hw:"DrayTek Vigor300b" OR hw:"DrayTek Vigor 2960" OR hw:"DrayTek Vigor 300b") AND osversion:>0 AND osversion:<"1.5.1.5"` | | Eclipse Jetty 12.0 < 12.0.25 HTTP/2 MadeYouReset DoS | High | software | `(vendor:=Eclipse OR vendor:="Mort Bay") AND product:Jetty AND (version:>12 AND version:<12.0.25)` | | Erlang OTP SSH Server Remote Code Execution | High | software | `_asset.protocols:ssh AND vendor:="Erlang" AND product:="SSH" AND ((version:>=5.2.0 AND version:<5.2.10) OR (version:>4.0.0.0 AND version:<4.15.3.12) OR (version:>5.1.0.0 AND version:<5.1.4.7))` | | Fortinet FortiVoice SQL Injection (CVE-2025-58692) | High | assets | `hw:="Fortinet%" AND type:="SIP Gateway" AND ((osversion:>"7.2.0" AND osversion:<"7.2.3") OR (osversion:>"7.0.0" AND osversion:<"7.0.8"))` | | IPMI RAKP+ Password Hash Disclosure (CVE-2013-4786) | High | services | `_asset.protocols:ipmi AND has:ipmi.rakp.hashes` | | ISC BIND Multiple Vulnerabilities (2025-10) | High | software | `vendor:=ISC AND product:=BIND AND (version:>0 AND ( (version:>=9 AND version:<9.11.0) OR (version:>=9.11.0 AND version:<=9.16.50) OR (version:>=9.18.0 AND version:<=9.18.39) OR (version:>=9.20.0 AND version:<=9.20.13) OR (version:>=9.21.0 AND version:<=9.21.12) OR (version:>="9.11.3-S1" AND version:<="9.16.50-S1") OR (version:>="9.18.11-S1" AND version:<="9.18.39-S1") OR (version:>="9.20.9-S1" AND version:<="9.20.13-S1")))` | | Langflow Authentication Bypass | High | software | `_asset.protocol:=http AND vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.3.0)` | | Lantronix Xport Authentication Bypass | High | assets | `hw:lantronix AND ((os:="Lantronix XPort%" AND not os:="Lantronix XPort Edge%") OR (lantronix.type:="XE" OR lantronix.type:="SE" OR lantronix.type:="AR" OR lantronix.type:="EH"))` | | MongoDB Pre-Authentication Memory Leak (CVE-2025-14847) | High | software | `(vendor:=MongoDB AND (product:=MongoDB OR product:="MongoDB MongoDB")) AND (version:>0 AND ( (version:>=3.6.0 AND version:<3.7) OR (version:>=4.0.0 AND version:<4.1) OR (version:>=4.2.0 AND version:<4.3) OR (version:>=4.4.0 AND version:<4.4.30) OR (version:>=5.0.0 AND version:<5.0.32) OR (version:>=6.0.0 AND version:<6.0.27) OR (version:>=7.0.0 AND version:<7.0.28) OR (version:>=8.0.0 AND version:<8.0.17) OR (version:>=8.2.0 AND version:<8.2.3)))` | | Multiple Fortinet Products Unauthenticated RCE (CVE-2025-25249) | High | assets | `os:="Fortinet FortiOS" AND os_version:>0 AND ((os_version:>="7.6.0" AND os_version:<="7.6.3") OR (os_version:>="7.4.0" AND os_version:<="7.4.8") OR (os_version:>="7.2.0" AND os_version:<="7.2.11") OR (os_version:>="7.0.0" AND os_version:<="7.0.17") OR (os_version:>="6.4.0" AND os_version:<="6.4.16"))` | | Multiple Vulnerabilities In Microsoft SQL Server (2025-07) | High | software | `vendor:=Microsoft AND (product:="SQL Server" OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.6460.7 AND NOT version:="13.0.6460") OR (version:>=14.0.0 AND version:<14.0.3495.9 AND NOT version:="14.0.3495") OR (version:>=15.0.0 AND version:<15.0.4435.7 AND NOT version:="15.0.4435") OR (version:>=16.0.0 AND version:<16.0.4200.1 AND NOT version:="16.0.4200"))` | | PowerDNS Recursor Multiple Vulnerabilities (2025-10) | High | software | `vendor:=PowerDNS AND product:=Recursor AND (version:>0 AND ( (version:>=5.1 AND version:<5.1.8) OR (version:>=5.2 AND version:<5.2.6) OR (version:>=5.3 AND version:<5.3.1)))` | | SAP NetWeaver Visual Composer Metadata Uploader Arbitrary File Upload | High | software | `vendor:="SAP" AND product:"NetWeaver" AND (version:>7.0 AND version:<7.55)` | | Samsung MagicINFO Path Traversal Vulnerability | High | software | `vendor:="Samsung" AND product:"MagicINFO Server" AND version:>0 AND version:<"21.1052"` | | Solr 5.0.0 < 8.4.0 Remote Code Execution | High | software | `vendor:=Apache AND product:Solr AND (version:>=5.0.0 AND version:<8.4.0)` | | SysAid Help Desk XML Entity Remote Code Execution | High | software | `vendor:="SysAid" AND product:"Help Desk" AND version:>0 AND version:<24.4.60` | | Trimble Cityworks File Deserialization Vulnerability | High | software | `vendor:="Trimble" AND product:="Cityworks" AND version:>0 AND version:<"23.10"` | | VMware ESXi OpenSLP Heap Buffer Overflow | High | assets | `os:="VMware ESX%" and port:427 and ( os_version:="1.%" or os_version:="2.%" or os_version:="3.%" or os_version:="4.%" or os_version:="5.%" or os_version:="6.0%" or os_version:="6.5.0 build-4564106" or os_version:="6.5.0 build-4887370" or os_version:="6.5.0 build-5146843" or os_version:="6.5.0 build-5146846" or os_version:="6.5.0 build-5224529" or os_version:="6.5.0 build-5310538" or os_version:="6.5.0 build-5969300" or os_version:="6.5.0 build-5969303" or os_version:="6.5.0 build-6765664" or os_version:="6.5.0 build-7273056" or os_version:="6.5.0 build-7388607" or os_version:="6.5.0 build-7967591" or os_version:="6.5.0 build-8285314" or os_version:="6.5.0 build-8294253" or os_version:="6.5.0 build-8935087" or os_version:="6.5.0 build-9298722" or os_version:="6.5.0 build-10175896" or os_version:="6.5.0 build-10390116" or os_version:="6.5.0 build-10719125" or os_version:="6.5.0 build-10868328" or os_version:="6.5.0 build-10884925" or os_version:="6.5.0 build-11925212" or os_version:="6.5.0 build-13004031" or os_version:="6.5.0 build-13635690" or os_version:="6.5.0 build-13873656" or os_version:="6.5.0 build-13932383" or os_version:="6.5.0 build-14320405" or os_version:="6.5.0 build-14874964" or os_version:="6.5.0 build-14990892" or os_version:="6.5.0 build-15256468" or os_version:="6.5.0 build-15177306" or os_version:="6.5.0 build-15256549" or os_version:="6.5.0 build-16207673" or os_version:="6.5.0 build-16389870" or os_version:="6.5.0 build-16576879" or os_version:="6.5.0 build-16576891" or os_version:="6.5.0 build-16901156" or os_version:="6.5.0 build-17097218" or os_version:="6.5.0 build-17167537" or os_version:="6.7.0 build-8169922" or os_version:="6.7.0 build-8941472" or os_version:="6.7.0 build-9214924" or os_version:="6.7.0 build-9484548" or os_version:="6.7.0 build-10176752" or os_version:="6.7.0 build-10176879" or os_version:="6.7.0 build-10302608" or os_version:="6.7.0 build-10764712" or os_version:="6.7.0 build-11675023" or os_version:="6.7.0 build-13004448" or os_version:="6.7.0 build-12986307" or os_version:="6.7.0 build-13006603" or os_version:="6.7.0 build-13473784" or os_version:="6.7.0 build-13644319" or os_version:="6.7.0 build-13981272" or os_version:="6.7.0 build-14141615" or os_version:="6.7.0 build-14320388" or os_version:="6.7.0 build-15018017" or os_version:="6.7.0 build-15160134" or os_version:="6.7.0 build-15160138" or os_version:="6.7.0 build-15999342" or os_version:="6.7.0 build-15820472" or os_version:="6.7.0 build-16075168" or os_version:="6.7.0 build-16316930" or os_version:="6.7.0 build-16701467" or os_version:="6.7.0 build-16713306" or os_version:="6.7.0 build-16773714" or os_version:="6.7.0 build-17167699" or os_version:="6.7.0 build-17098360" or os_version:="6.7.0 build-17167734" or os_version:="7.0.0%" or os_version:="7.0.1 build-16850804" or os_version:="7.0.1 build-17119627" or os_version:="7.0.1 build-17168206" or os_version:="7.0.1 build-17325020")` | | AirPlay SDK Remote Code Execution (AirBorne) | Medium | software | `vendor:=Apple AND product:="AirPlay SDK" AND ((version:>2.0 AND version:<2.7.1) OR (version:>3.0 AND version:<3.6.0.126))` | | Cisco IOS XR Open Port Vulnerability (CVE-2022-20821) | Medium | assets | `((hw:="Cisco NCS%" OR hw:="Cisco 8201" OR hw:="Cisco 8202" OR hw:="Cisco 8208" OR hw:="Cisco 8212" OR hw:="Cisco 8218") AND tcp_port:=6379)` | | GitLab SAML Authentication Bypass | Medium | software | `vendor:=GitLab AND product:gitlab AND ((version:>17.9 AND version:<17.9.2) OR (version:>17.8 AND version:<17.8.5) OR (version:>17.7 AND version:<17.7.7))` | | Juniper Junos OS EX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36847) | Medium | assets | `hw:="Juniper EX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S4") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S1") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))` | | Juniper Junos OS SRX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36846) | Medium | assets | `hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>"0" AND os_version:<"20.4R3-S8") OR (os_version:>="21.1R1" AND os_version:<"21.2R3-S6") OR (os_version:>="21.3" AND os_version:<"21.3R3-S5") OR (os_version:>="21.4" AND os_version:<"21.4R3-S5") OR (os_version:>="22.1" AND os_version:<"22.1R3-S3") OR (os_version:>="22.2" AND os_version:<"22.2R3-S2") OR (os_version:>="22.3" AND os_version:<"22.3R2-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S1"))` | | Juniper Junos OS SRX Series Missing Authentication For Critical Function Vulnerability (CVE-2023-36851) | Medium | assets | `hw:="Juniper SRX%" AND os:="Juniper Junos OS" AND ((os_version:>="21.2" AND os_version:<"21.2R3-S8") OR (os_version:>="21.4" AND os_version:<"21.4R3-S6") OR (os_version:>="22.1" AND os_version:<"22.1R3-S5") OR (os_version:>="22.2" AND os_version:<"22.2R3-S3") OR (os_version:>="22.3" AND os_version:<"22.3R3-S2") OR (os_version:>="22.4" AND os_version:<"22.4R2-S2") OR (os_version:>="23.2" AND os_version:<"23.2R1-S2"))` | | Microsoft SharePoint Improper Authentication Vulnerability (CVE-2025-49705) | Medium | software | `vendor:=Microsoft AND product:="SharePoint Server%" AND ((version:>=16.0.4366.1000 AND version:<16.0.5508.1000) OR (version:>=16.0.10338.12107 AND version:<16.0.10417.20059) OR (version:>=16.0.14326.20620 AND version:<16.0.18526.20424))` | | OpenSSH 9.1p1 Double-Free | Medium | services | `_asset.protocol:=ssh AND protocol:=ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")` | | Plex Media Server 1.41.7.X To 1.42.0.X < 1.42.1 Undisclosed Vulnerability (CVE-2025-34158) | Medium | software | `vendor:=Plex AND product:"Media Server" AND (version:>0 AND version:<"1.42.1")` | | lighttpd Web Server Out-of-Bounds Memory Read | Medium | services | `product:lighttpd (_service.product:=lighttpd:lighttpd:1.4.0% OR _service.product:=lighttpd:lighttpd:1.4.1% OR _service.product:=lighttpd:lighttpd:1.4.2% OR _service.product:=lighttpd:lighttpd:1.4.3% OR _service.product:=lighttpd:lighttpd:1.4.4%)` | runZero includes a substantial library of pre-built queries. These queries can be used to detect vulnerabilities, trigger alerts, and apply changes to assets, such as tags and ownership. These queries are categorized by use case and risk level. Custom queries can also be configured to report vulnerabilities on matching assets and services.