“The study uniquely bridges the gap between vulnerability management and identity security – two areas often treated separately in cybersecurity but are deeply interconnected.”
~ Jai Dargan, Hydden CEO
Introduction
Security practitioners rely heavily on annual reports published by leading incident response organizations like Mandiant, CrowdStrike, IBM, Palo Alto Networks, and Verizon to analyze cybersecurity threats and trends. These reports provide valuable insights into the threat landscape based on thousands of incident response engagements worldwide.
One of the key questions that any CISO will ask its security team after a breach is, “how did the attackers get in?” This is obviously important because it’s one of the key questions asked during an incident response process. But it also may determine where security teams may need to spend future budget to prevent similar attacks from reoccurring. When zooming out and looking at thousands of cyberattacks that occur within a single year, we observed discrepancies on what the #1 reported initial access vector is. In many annual threat reports, the #1 initial access vector reported is Exploited Vulnerabilities. In several other reports, the #1 initial access vector is identity-oriented vulnerabilities. We wanted to closely examine these discrepancies to answer the following questions:
- If the #1 initial access vector reported is Exploits, what direct and indirect identity impact categories exist for that access vector?
- Is there a measurable increased risk to identities when a threat actor exploits a vulnerability?
While each of the reports may categorize and present their findings differently, they consistently highlight key metrics around attack vectors, threat actor behaviors, and industry targeting that helps security teams understand and prepare for emerging threats. By examining these reports collectively, we can identify patterns and trends that shape our understanding of the current threat landscape.
Summary & Key Findings
Our research reveals that post-exploit activity often has one or more downstream impacts on identities. This is either direct (occurring from the exploited device itself), or indirect (occurring from another system after lateral movement/privilege escalation occurs). We associate post-exploit activity that impacts identities to one of these five categories:
- Performing identity reconnaissance directly from the exploited device
- Creating new accounts
- Abusing existing accounts
- Performing direct lateral movement or further privilege escalation
- Performing direct credential theft from the exploited device
To make it clear when one of these categories of activity typically occurs, the visual below outlines an example attack lifecycle through an identity centric lens.
Figure 1: Simplified attack lifecycle and identity impact categories
The identity specific implications often naturally widens as threat actors gain further access to victim organizations. We do not claim that these post-exploit actions occur 100% of the time from every exploited device – but these implications often become part of a full attack lifecycle.
This research paper focuses on exploring and analyzing the summarized incident data where exploits were the initial access vector, with the intention to prove that exploited vulnerabilities directly contribute to an increase in identity risks. These findings will help organizations understand that exploits and identity attacks often have an interrelationship and should be considered when comparing reported #1 initial access vectors. This will help identity security teams prove why it’s critical to have a full understanding of all systems and applications their organization manages and be mindful of vulnerabilities that may impact these systems. Additionally, for organizations who have separate vulnerability management and identity security teams, regular communication is necessary to evaluate these risks cooperatively. Let’s dig into the data.
Key Findings:
- Passwords are still not going away anytime soon. Vendors should continue implementing strong MFA types for local authentication accounts
- Malicious account creation events were found in many of the 2023 CVEs we examined, indicating creation and deletion events combined with examining other account event activity may help with early IOC formation
- Network and Edge equipment are the largest category impacted by exploited vulnerabilities
Examining the Findings of Third-Party Reports
The following major reports were utilized for their findings and analysis of the overall threat landscape:
- Mandiant’s M-Trends 2024 Report – Exploits marked as the #1 initial access vector.
Figure 2: Mandiant M-Trends 2024
Note the identity-related initial infection vectors and their total aggregate percentage in Figure 1. If we add up the known identity-oriented infection vectors (Phishing + Phishing Social Media, Stolen Credentials, and Brute Force) from the Mandiant image, we have a total percentage of 34%. That is quite close to the 38% figure we see reported for Exploits.
Figure 3: Alternative view Identity Threats vs Exploits vs Other. Note, we exclude prior compromise in the total % count because it is not clear from the Mandiant report if this figure relates to some RAT that provides access to a previously compromised client or use of valid credentials, for example - Palo Alto Networks Unit42 2024 Incident Response Report – indicated “In the past year, attackers’ initial access most often started with a software vulnerability. The largest attack campaigns began with successful exploitation of internet facing systems.”
- IBM X-Force Threat Intelligence Index 2024 Report – Phishing and Valid Accounts individually are individually tied for the top initial access vector, over Exploit public-facing application.
Figure 4: IBM X-Force Threat Intelligence Index 2024 - Verizon 2024 Data Breach Investigations Report – the “ways-in analysis” indicates credentials and phishing taking the top two places but exploit vuln nearly tying with phishing.
Figure 5: Verizon 2024 Data Breach Investigations Report – Select ways-in enumerations in non-Error, non-Misuse breaches (n=6963)
Datasets & Analysis
This report focuses exclusively on data from 2023 and 2024. For 2023 data, we looked at CISAs 2023 Top Routinely Exploited Vulnerabilities which includes the top 15 routinely exploited vulnerabilities and was published on November 12th, 2024. For 2024 data, we wanted to remain consistent by only analyzing Known Exploited Vulnerabilities (KEVs) and focusing primarily on KEVs that had a CVSS3.1 score of 9.8 or above. We did this with the free version of VulnCheck combined with CVE_Prioritizer. We understand that scoring is a widely debated topic in the industry and may not represent the KEVs that may be most frequently utilized by threat actors. If you’re interested in more information in the datasets and our selection criteria, you can view that in Appendix 1.
Our analysis process involved performing research from documented open-source intelligence and case studies on the respective CVEs from the datasets. Our research process involved capturing the following information:
- Authentication or authorization components
- CWEs associated with each CVE
- Documented actions we see threat actors performing on the exploited device
- Opportunities for identity specific detections
If you’re interested in more information about our analysis process, see Appendix 2.
Top 15 Exploited Vulnerabilities of 2023
Our research and analysis into the Top 15 Exploited Vulnerabilities from 2023 as reported by CISA revealed that 100% of these exploited vulnerabilities have one or more direct or indirect downstream impacts on identities. From our research we made the following observations:
- Patch recommendations are frequently paired with password reset recommendations due to post-exploit activity observed. In several instances this is written as outright guidance vs assumed as part of remediation efforts:
- CVE-2023-4966 – “Due to the lack of available log records or other artifacts of exploitation activity, as a precaution, organizations should consider rotating credentials for identities…”
- CVE-2023-34362 – “Reset service account credentials for affected systems and MOVEit Service Account
- CVE-2023-49103 – “ownCloud also recommends to change the following secrets: ownCloud admin password, Mail server credentials, database credentials, object-store/s3 access-key”
- In 66% of these CVEs, we observe direct credential theft occurring on the exploited device or the installation of additional tools to steal credentials
- In 46% of these CVEs, we observe threat actors leveraging built-in commands or installing third party tools to perform AD reconnaissance operations on victim networks
- In 40% of these CVEs, we found documented evidence of new accounts being created on the exploited device by threat actors
- The most interesting account creation event we found was related to CVE-2023-42793, where it was observed that North Korean nation-state threat actors created an account named ‘KRTBGT’ to impersonate the legitimate windows account name ‘KRBTGT’
- In addition to creation events, threat actors additionally may delete these accounts at a later point in time as a part of cleanup efforts
This research reveals to us that passwords are still not going away anytime soon. We hope that vendors continue moving in the direction of requiring MFA (and secure, strong MFA types) for local authentication accounts. We were also surprised by the fact that malicious account creation events were found in nearly half of the 15 CVEs examined. Additionally, account creation and deletion events combined with examining other account event activity may help with early IOC creation.
Top Common Weakness Enumeration (CWE) Analysis of 2023
From the dataset, CWE-20 appears most frequently, with all remaining CWEs related to each CVE only appearing once. See Appendix 3 for how this data was derived. Taken from a mayhem.security blog:
“CWE-20 Improper Input Validation in a web application can allow an attacker to supply malicious user input that is then executed by the vulnerable web application. Improper input validation can be used to bypass security mechanisms, such as authentication and authorization controls. It can also be used to inject malicious code into the web application, which can be executed by the server or client.”
Top Software Category: Network and Edge equipment represents the largest category of vendors impacted by exploited vulnerabilities from the 2023 data.
Other Observations: Threat actors are quick to target data stores of value. In many cases a vulnerable system itself may have sensitive data useful to exfiltrate. This is most prominent with CVE-2023-34362 and CVE-2023-22515 – we expect to see this consistency again in the 2024 data. Lastly, 60% of these CVEs have a known ransomware strain that can be associated with use of the CVE.
50 Exploited Vulnerabilities of 2024
When looking at this larger dataset, an interesting datapoint was uncovered when examining and categorizing the KEVs based on enabler ‘type’ information. See Appendix 1 for how this data was derived. While many researchers may categorize the CVE based on the Technical Weakness (CWE), a different approach is to analyze how CWEs of various types essentially enable ‘X’. We took our highest rated EPSS scored CVE with a CVSS score of 10 to illustrate our categorization process – CVE-2024-3400.
The description here indicates: “A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.”
Instead of only analyzing the CWE association, an interesting pivot was to leverage the description to determine what is enabled via the software vulnerability and then categorize that enabler. We leveraged a word analysis process to determine common enablers across the 50 KEVs we closely examined. Additionally, we were eager to see how many of these vulnerabilities we could directly connect to an authentication or authorization component.
- 48% of CVEs examined we categorized as having an unauthenticated remote code execution (RCEs) or Arbitrary Code Execution (ACE) element. These are critical security vulnerabilities where attackers can execute code on a system without the need to authenticate (log in) to the system without prior access or credentials
- 30% of CVEs examined we categorized as having a bypass authentication element. In this case, an attacker exploits a flaw in the authentication process to gain access to the system
- The remaining 22% made up a variety for the ‘type’ – with Forged SAML, Authentication Missing, and SQL Injection making up 54% of this remaining figure
This information indicates that software manufacturers must continue to incorporate rigorous security testing into their software development lifecycle – and especially in relation to authN/authZ requirements. When examining downstream identity impact categories for the 2024 data these two findings rose to the top:
- In 46% of the KEVs examined, visibility into anomalous account activity events or account creation/deletion events occurring on an exploited device could act as early IOCs for organizations
- In 30% of the KEVs examined, there is observed direct credential theft occurring from exploited devices. This mostly comprised of existing accounts or tokens associated with the exploited device which would then be leveraged for lateral movement/privilege escalation.
While not exclusively the case, in several instances we observe the existing account abuse category being an enabler for credential theft from exploited devices. Identity reconnaissance activity was not observed widely in the 50 KEVs we examined.
Top Common Weakness Enumeration (CWE) Analysis of 2024
The description for our top CWE for 2024 itself has a privilege escalation impact component. See Appendix 3 for how this data was derived.
CWE-78 – “Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.”
Top Software Category: Network and Edge equipment once again represents the largest category of vendors impacted by exploited vulnerabilities from the 2024 data examined.
Other Observations: CVEs are often chained together on applicable devices, whenever possible. We observed 4 instances of this within the dataset and expect there are likely more instances than what we found. We continue to see a theme of ‘data store’ related exploited vulnerabilities that quickly enables a threat actor to steal sensitive data from an organization directly without a need for conducting further operations (if they so choose). Lastly, only 24% of these CVEs have a known ransomware strain that can be associated with use of the CVE. From this we do not conclude that ransomware use is declining per-se, but that it is used selectively or opportunistically. Reflecting on the 2023 data from CISA – we wonder how much of an influence “known_ransomware = yes” has on the rankings for a calculated top 15.
Examples of Multi-Category Impact
In several cases, we identify CVEs in the 2023 data that can be associated with multiple identity impact categories. One example is CVE-2022-47966 where we observe the following post-exploit actions reported by CISA:
- “Actors achieved root level access on the web server and created a local user account named Azure with administrative privileges”
- “The Azure user successfully accessed and dumped credentials stored in the process memory of LSASS for the active directory domain
- “The legitimate ConnectWise ScreenConnect was utilized to connect to the ServiceDesk system, download mimikatz.exe, and execute malicious payloads to steal credentials”
- “Azure user account downloaded nmap.exe and npcap.exe to continue network and credential gathering efforts”
We find evidence of other account creation events connected to this CVE from Rapid7:
- “The attacker proceeded to add an account named guest to the local administrators group”
Another interesting example from 2024 data is CVE-2024-29973. This vulnerability is often chained together with other CVEs and together they can be associated with multiple identity impact categories:
- Creation of a ‘backdoor’ account named NsaRescueAngel
- Credential exposure for the ‘backdoor’ account
- Credential exposure (session tokens) for all authenticated users including administrators
- Escalation of local privileges to root
Detection and Mitigation Strategies
Based on our research findings, we recommend security teams take the following actions to improve their detection and mitigation approach for these risks:
- Develop a comprehensive “inventory” of identities across all systems
- Have a thorough understanding of all local, federated, and non-human identities that exist anywhere within the organization
- This must be inclusive of legacy systems and any COTS software
- Regularly communicate with those who are approving and implementing new software at your organization to ensure coverage stays up to date
- Implement continuous monitoring on critical systems
- Comprehensive logging of account creation, deletion, and modification events on all critical systems, especially network and edge devices
- Configure alerts for anomalous account activity on systems with known vulnerabilities
- Monitor for existing account abuse. This can include activity such as credential theft attempts and identity reconnaissance activities.
- Strengthen authentication requirements
- Require strong MFA for all local authentication accounts
- Implement strict password policies and regular rotation schedules for service accounts
- Implement passwordless authentication where possible to reduce credential theft risks
- Minimize the number of “backdoor” accounts that exist with local authentication
- Improve vulnerability and identity security collaboration
- Create shared dashboards that combine vulnerability insights with identity telemetry
- Develop joint incident response playbooks that address both vulnerability exploitation and identity compromise scenarios
- Update detection rules and IOCs
- Create detection rules for suspicious account creation patterns identified in this research (e.g., accounts with names similar to system accounts, abuse of existing account events)
- Ensure you consider leveraging both atomic and stateful detection logic for any manual identity oriented rule creation
- Consider incorporating behavioral detection mechanisms for high privileged built-in accounts
Conclusion
Annual incident response reports from major cybersecurity vendors often share conflicting information on what the #1 initial access vector is. This makes it challenging for organizations to decide what area might be a more critical investment area – vulnerability management or identity risk management.
Our research reveals that when the #1 initial access vector is reported as exploits – there is conclusive evidence organizations face an immediate increase in identity threats. These threats are often direct (occurring on the exploited device itself) and indirect (occurring later from downstream impacted systems). When closely examining KEVs and any associated public threat actor activity relating to these KEVs, organizations can determine and categorize identity impact areas. They can also measure how frequently they see identity-specific types of post-exploit activity occurring when looking at a specific dataset.
Many organizations may see these top initial access vectors as independent and unrelated. When security leaders examine these reports and see that the #1 initial access vector reported is exploits, organizations should understand that exploits contribute towards increased identity threats. This research proves that there is an interrelationship. From our analysis of the datasets, exploited vulnerabilities are often a launchpad for identity-oriented attacks. Simply put, vulnerable software often allows a threat actor to partially or fully compromise a system and leverage that device to conduct identity-oriented attacks. In many of the exploited vulnerabilities observed from the datasets, part of the execution of the exploit itself has a privilege escalation component. Once the vulnerability is exploited, the threat actor can immediately begin executing code in the context of a highly privileged user. The figure to the right outlines commonly observed post-exploit identity activity patterns from 2023 and 2024 datasets. In most cases, based on system/application types observed from the related CVEs examined, EDR solutions would be ineffective in detecting the earliest signs of compromise from an affected device. Once the device is compromised, we observe that threat actors are opportunistic about conducting further operations to reach their desired objectives.
Identity security teams must have a full understanding of all systems and applications their organization manages and be mindful of vulnerabilities that may impact these systems. For large organizations who have separate vulnerability management and identity security teams – they should regularly communicate and evaluate these risks cooperatively. That is why it has become critical for Attack Surface Management solutions to combine vulnerability insights with full visibility into the identities that exist in all systems or applications. By leveraging real-time continuous discovery of identities and their associated event telemetry, organizations can detect the earliest signs of identity compromise within an attack lifecycle. This can ultimately help prevent threat actors from further advancing their attacks and compromising organizations.
Background on Hydden Threat Research Team
At Hydden, the Threat Research Lab team spends time looking at all forms of identity related threats. We examine front-line public incident data that involve identities being compromised. We also review aggregated data from major annual incident response and threat reports from organizations that are typically the first responders to the largest cyberattacks that occur each year around the world.
Any identity related threats or case studies which have an identity component are tracked, and this information is then shared with our broader teams to help influence focus areas within our product. We also track year-over-year changes with these reports, which helps us with identifying any shifting patterns within the data.
Resources & Acknowledgments
Most of our CVE review process included review of case studies and detailed advisories connected to each respective CVE from a variety of sources. We would like to thank VulnCheck and the creators of CVE_Prioritizer, which were primary enablers for this research. We would also like to thank those organizations and researchers who provided detailed coverage for CVEs for us to evaluate. We found and leveraged coverage most frequently from Crowdstrike, Palo Alto Networks, Mandiant, Rapid7, CISA and Microsoft. Lastly, we acknowledge and thank any individual contributors who provided both discovery and disclosure information on any of the referenced vulnerabilities. We have included CVSS 3.1 scoring and EPSS scoring of all the vulnerabilities we examined to help organizations who review this research.
https://github.com/TURROKS/CVE_Prioritizer
For the benefit of defenders and makers of security products, it would be encouraging to see the security community embrace more frequent publishing of anonymized case studies of incidents, like those that we see from the dfir report.
If you have commentary, suggested modifications, or would like to contribute towards collaborative research on this topic or topics like this, please reach out to us at [email protected]
Appendix 1
Datasets
For the 2023 data, it includes three CVEs IDs that were not issued in 2023. It is quite common to see a handful (or more) exploited vulnerabilities from prior years be used in the following years when threat actors have found success and determine that there is continued opportunity to use them. 66% of these CVEs had a CVSS3.1 score of 9.8 or above.
For the 2024 data, we leveraged VulnCheck and their API sandbox to download a complete copy of the entire VulnCheck KEV. Since these files are JSON formatted, we leveraged a python script to convert the data to a CSV file and then filtered the data based on date_added to only include data from 2024. Unlike our 2023 dataset, we wanted to focus exclusively on CVEs that were issued in 2024 and known to be exploited by threat actors. This resulted in a list of over 300+ CVEs for 2024 alone.
To narrow the dataset further to a total of 50 for analysis, we leveraged the tool CVE_Prioritizer combined with our VulnCheck API key to gather some additional information on each of the CVEs in 2024 that are known to be exploited, such as the CVSS score and EPSS score. We then filtered the data by the CVSS and EPSS scores. This allowed us to include in scope all 2024 KEVs that were scored 9.9 or above and around 1/3rd of the highest EPSS scored 9.8 CVEs. The full list of CVEs we examined can be found in Appendix 3.
Figure 6: Use of CVE_Prioritizer against Top 15 for 2023 Data – A tool we’d highly recommend organizations utilize. All credit to Mario Rojas, Bader Alrowaiei, and Zeva.
Appendix 2
Data Analysis Approach
Our initial approach to analysis was to take the Top 15 KEVs from 2023 and the 300+ KEVs for the 2024 data and leverage an LLM for analysis. We provided the LLMs with comprehensive examples of identity risks and then instructed the LLM to categorize any of these that could be found based on CVE description details found on NVD.NIST.GOV and other public websites referencing these CVEs. Overall, our attempts to leverage both ChatGPT and Claude seemed to produce some promising results in small datasets but resulted in problems when trying to do a larger analysis. We also observed instances of misinformation when trying to use these tools to do proper CWE association. This overall made us distrust the use of LLMs for important aspects of this research
Figure 7: Attempted large scale analysis of 2024 data in Claude (using Sonnet 3.5). A continual need to say “yes” to proceed with analysis of the next set of CVEs. The same thing occurred with ChatGPT.
Figure 8: Inaccuracies in CVE lookups via ChatGPT and their associated CWEs
For these reasons, we did not trust any results provided by the LLM without manual verification. For this research, we only leveraged ChatGPT/Claude to:
- Create an appropriate software category for each affected vendor
- Help research additional documented case studies of specific CVEs
- Help create some of the visuals
We considered factoring in other elements from VulnCheck as a part of our filtering when choosing 50 KEVs from 2024 to analyze – such as number of reported exploitation links and number of XDB entries. We believe that in the future we could incorporate the existing scoring combined with KEVs that have the widest public coverage.
One other thing we would like to incorporate that could affect the KEVs we examine would be the known total number of known affected devices at the time of CVE publishing or known POC exploit. While many affected systems may not be discoverable or publicly accessible, we believe this figure could still influence the KEVs we examine. We will consider incorporating these factors, when possible, for our future analysis.
Appendix 3
Referenced CVE Dataset
| cve_id | priority | epss | cvss |
| CVE-2023-3519 | Priority 1+ | 0.96277 | 9.8 |
| CVE-2023-4966 | Priority 1+ | 0.9529 | 9.4 |
| CVE-2023-20198 | Priority 1+ | 0.88344 | 10 |
| CVE-2023-20273 | Priority 1+ | 0.07472 | 7.2 |
| CVE-2023-27997 | Priority 1+ | 0.10651 | 9.8 |
| CVE-2023-34362 | Priority 1+ | 0.97131 | 9.8 |
| CVE-2023-22515 | Priority 1+ | 0.96973 | 9.8 |
| CVE-2021-4428 | Priority 4 | 0.00138 | 2.7 |
| CVE-2023-2868 | Priority 1+ | 0.07893 | 9.4 |
| CVE-2022-47966 | Priority 1+ | 0.97524 | 9.8 |
| CVE-2023-27350 | Priority 1+ | 0.9687 | 9.8 |
| CVE-2020-1472 | Priority 1+ | 0.96963 | 5.5 |
| CVE-2023-42793 | Priority 1+ | 0.97485 | 9.8 |
| CVE-2023-23397 | Priority 1+ | 0.8836 | 9.8 |
| CVE-2023-49103 | Priority 1+ | 0.95284 | 10 |
| CVE-2024-3400 | Priority 1+ | 0.96476 | 10 |
| CVE-2024-1709 | Priority 1+ | 0.94971 | 10 |
| CVE-2024-1212 | Priority 1+ | 0.94095 | 10 |
| CVE-2024-45519 | Priority 1+ | 0.76384 | 10 |
| CVE-2024-51567 | Priority 1+ | 0.4013 | 10 |
| CVE-2024-45409 | Priority 1+ | 0.16407 | 10 |
| CVE-2024-8522 | Priority 1+ | 0.02759 | 10 |
| CVE-2024-2389 | Priority 1+ | 0.00447 | 10 |
| CVE-2024-51378 | Priority 1+ | 0.00211 | 10 |
| CVE-2024-25600 | Priority 1+ | 0.00154 | 10 |
| CVE-2024-1597 | Priority 1+ | 0.00124 | 10 |
| CVE-2024-8529 | Priority 1+ | 0.00087 | 10 |
| CVE-2024-29895 | Priority 1+ | 0.00066 | 10 |
| CVE-2024-10081 | Priority 1+ | 0.00053 | 10 |
| CVE-2024-51568 | Priority 1+ | 0.00046 | 10 |
| CVE-2024-25925 | Priority 1+ | 0.00043 | 10 |
| CVE-2024-37099 | Priority 1+ | 0.00043 | 10 |
| CVE-2024-9014 | Priority 1+ | 0.00896 | 9.9 |
| CVE-2024-27956 | Priority 1+ | 0.0022 | 9.9 |
| CVE-2024-34102 | Priority 1+ | 0.9733 | 9.8 |
| CVE-2024-7593 | Priority 1+ | 0.97247 | 9.8 |
| CVE-2024-27198 | Priority 1+ | 0.97238 | 9.8 |
| CVE-2024-0012 | Priority 1+ | 0.97192 | 9.8 |
| CVE-2024-5910 | Priority 1+ | 0.97 | 9.8 |
| CVE-2024-23897 | Priority 1+ | 0.96767 | 9.8 |
| CVE-2024-40711 | Priority 1+ | 0.96736 | 9.8 |
| CVE-2024-4040 | Priority 1+ | 0.96631 | 9.8 |
| CVE-2024-27348 | Priority 1+ | 0.96337 | 9.8 |
| CVE-2024-4577 | Priority 1+ | 0.9632 | 9.8 |
| CVE-2024-4879 | Priority 1+ | 0.96288 | 9.8 |
| CVE-2024-23692 | Priority 1+ | 0.95687 | 9.8 |
| CVE-2024-5217 | Priority 1+ | 0.95575 | 9.8 |
| CVE-2024-36401 | Priority 1+ | 0.95173 | 9.8 |
| CVE-2024-4358 | Priority 1+ | 0.92624 | 9.8 |
| CVE-2024-29973 | Priority 1+ | 0.92324 | 9.8 |
| CVE-2024-38856 | Priority 1+ | 0.91853 | 9.8 |
| CVE-2024-6670 | Priority 1+ | 0.9039 | 9.8 |
| CVE-2024-32113 | Priority 1+ | 0.89266 | 9.8 |
| CVE-2024-55956 | Priority 1+ | 0.89127 | 9.8 |
| CVE-2024-47575 | Priority 1+ | 0.88627 | 9.8 |
| CVE-2024-45507 | Priority 1+ | 0.5798 | 9.8 |
| CVE-2024-22320 | Priority 1+ | 0.46072 | 9.8 |
| CVE-2024-0204 | Priority 1+ | 0.39552 | 9.8 |
| CVE-2024-10924 | Priority 1+ | 0.23017 | 9.8 |
| CVE-2024-21410 | Priority 1+ | 0.10687 | 9.8 |
| CVE-2024-3272 | Priority 1+ | 0.06985 | 9.8 |
| CVE-2024-8877 | Priority 1+ | 0.04253 | 9.8 |
| CVE-2024-4885 | Priority 1+ | 0.04097 | 9.8 |
| CVE-2024-9537 | Priority 1+ | 0.03641 | 9.8 |
| CVE-2024-28986 | Priority 1+ | 0.02618 | 9.8 |
