Prism Platform continuously scans a user’s estate for any issues that are being actively exploited by threat actors in the wild. If any of these vulnerabilities are detected, users are alerted immediately by the platform.

Prism is already monitoring the most common active exploits listed in the joint report by the FBI, NSA and CISA, as well as CVE-2022-41040 and CVE-2022-41082 from this month’s Microsoft Patch Tuesday, which used exploits associated with Microsoft Exchange in the ProxyNotShell attacks.

In this article, we have rounded up the top active exploits that are currently being monitored by Prism.

CVE-2022-40684 – Fortinet

The security flaw (tracked as CVE-2022-40684) is an authentication bypass on the administrative interface that could allow remote threat actors to log into unpatched devices.

CVE-2022-35405 – Zoho ManageEngine PAM360

The critical vulnerability, tracked as CVE-2022-35405, is rated 9.8 out of 10 for severity on the CVSS scoring system, and was patched by Zoho as part of updates released on June 24, 2022. Although the exact nature of the flaw remains unknown, the India-based enterprise solutions company said it addressed the issue by removing the vulnerable components that could lead to the remote execution of arbitrary code.

Zoho has also warned of the public availability of a proof-of-concept (PoC) exploit for the vulnerability, making it imperative that customers move quickly to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus as soon as possible.

CVE-2019-11510 – Pulse Connect Secure

CVE-2019-11510 is a critical arbitrary file disclosure vulnerability in Pulse Connect Secure, the SSL VPN solution from Pulse Secure. Exploitation of the vulnerability is simple, which is why it received a 10.0 rating using the Common Vulnerability Scoring System (CVSS). The flaw could allow a remote, unauthenticated attacker to obtain usernames and plaintext passwords from vulnerable endpoints. This is being actively used by Threat Actors.

CVE-2022-26258 – D-Link 820L

D-Link DIR-820L contains an unspecified vulnerability in Device Name parameter in /lan.asp which allows for remote code execution.

CVE-2021-22205 – GitLab CE/EE

CVE-2021-22205 was initially assigned a CVSSv3 score of 9.9. However, on September 21, 2021 GitLab revised the CVSSv3 score to 10.0. The increase in score was the result of changing the vulnerability from an authenticated issue to an unauthenticated issue. Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders. There are multiple exploits for this vulnerability and it is being used by Threat Actors.

CVE-2022-24112 – Apache

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX’s data panel.

There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. Threat actors are actively using this exploit. Rootshell recommend checking the version and configuration of the Apache server in use.

CVE-2022-3236 – Sophos firewall RCE bug

Tracked as CVE-2022-3236, the flaw was found in the User Portal and Webadmin of Sophos Firewall, allowing attackers to code execution (RCE). The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default. “No action is required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled on remediated versions (see Remediation section below). Enabled is the default setting,” Sophos explained.

CVE-2022-36804 – Atlassian

The flaw, which was discovered via Atlassian’s bug bounty program, was introduced in version 7.0.0 of both, impacting all versions released running that version through 8.3.0. It’s a command-injection vulnerability in a number of API endpoints that attackers could abuse through specially crafted HTTP requests to execute arbitrary code on vulnerable installations.

CVE-2022-28199 – Cisco DPDK

CVE-2022-28199 (CVSS score: 8.6), the vulnerability stems from a lack of proper error handling in DPDK’s network stack, enabling a remote adversary to trigger a denial-of-service (DoS) condition and cause an impact on data integrity and confidentiality. “If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial-of-service (DoS) condition.

CVE-2019-16098 – Micro-Star MSI Afterburner

The driver in Micro-Star MSI Afterburner (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code. Rootshell Redforce have seen reports that this vulnerability is being exploited by Threat Actors to disable security products and attempt to deploy Randsomeware.

CVE-2022-27593 – QNAP Photo Station

Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.

CVE-2022-31474 – Backup Buddy WordPress

This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information

CVE-2022-1388 – F5 Big-IP

On F5 BIG-IP 16.1.x versions prior to, 15.1.x versions prior to, 14.1.x versions prior to, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Threat actors are actively using this exploit.

CVE-2021-22005 – VMware vCenter Server

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. Threat actors are actively using this exploit.

CVE-2018-2628 – Oracle WebLogic Server

Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server.

CVE-2019-19781 – Citrix ADC

A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX or Citrix ADC SDX. Threat actors are actively using this exploit.

CVE-2022-36067 – Sandbreak

A critical remote code execution vulnerability in the popular sandbox library vm2. The vulnerability was disclosed to the project owners and was rapidly patched in version 3.9.11. GitHub has issued CVE-2022-36067 for this critical vulnerability and the maximum CVSS score of 10.0.

vm2 is a widely used JavaScript sandbox – according to the NPM package manager, it has more than 16 million monthly downloads and offers an isolated environment where applications can run untrusted code. A threat actor who exploits this vulnerability will be able to bypass the vm2 sandbox environment and run shell commands on the machine hosting the sandbox.

Sandboxes serve different purposes in modern applications, such as examining attached files in email servers, providing an additional security layer in web browsers, or isolating running applications in certain operating systems. Given the nature of the use cases for sandboxes, it’s clear that the vm2 vulnerability can have dire consequences for applications that use it.


Security appliance vendor Fortinet has become the subject of a bug report by its own FortiGuard Labs after the discovery of a critical-rated flaw in three of its products. CVE-2022-40684 is rated 9.6/10 on the Common Vulnerability Scoring System (CVSS), meaning it is considered a critical flaw worthy of immediate attention. FortiGuard’s advisory explains why the flaw scored so highly, revealing it’s an authentication bypass present in FortiOS, FortiProxy, and FortiSwitchManager. The flaw could allow “an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.”