Exploitation

Exploitation v1.0.0

The present state of exploitation of the vulnerability.

Value: Definition

None: There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.

PoC: One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation.

Active: Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting.

{
  "namespace": "ssvc",
  "version": "1.0.0",
  "key": "E",
  "name": "Exploitation",
  "description": "The present state of exploitation of the vulnerability.",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
    },
    {
      "key": "P",
      "name": "PoC",
      "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
    },
    {
      "key": "A",
      "name": "Active",
      "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
    }
  ]
}

The intent of this measure is to capture the present state of exploitation of the vulnerability. The intent is not to predict future exploitation but only to acknowledge the current state of affairs. Predictive systems, such as EPSS, could be used to augment this decision or to notify stakeholders of likely changes [1].

Gathering Information About Exploitation

Householder et al. [2] present a method for searching the GitHub repositories of open-source exploit databases. This method could be employed to gather information about whether PoC is true. However, part (3) of PoC would not be represented in such a search, so more information gathering would be needed. For part (3), one approach is to construct a mapping of CWE-IDs which always represent vulnerabilities with well-known methods of exploitation. We provide a list of possible CWE-IDs for this purpose below.

Gathering information for active is a bit harder. If the vulnerability has a name or public identifier (such as a CVE-ID), a search of news websites, Twitter, the vendor's vulnerability description, and public vulnerability databases for mentions of exploitation is generally adequate. However, if the organization has the ability to detect exploitation attempts—for instance, through reliable and precise IDS signatures based on a public PoC—then detection of exploitation attempts also signals that active is the right choice. Determining which vulnerability a novel piece of malware uses may be time consuming, requiring reverse engineering and a lot of trial and error. Additionally, capable incident detection and analysis capabilities are required to make reverse engineering possible. Because most organizations do not conduct these processes fully for most incidents, information about which vulnerabilities are being actively exploited generally comes from public reporting by organizations that do conduct these processes. As long as those organizations also share detection methods and signatures, the results are usually quickly corroborated by the community. For these reasons, we assess public reporting by established security community members to be a good information source for active; however, one should not assume it is complete.

The description for none says that there is no evidence of active exploitation. This framing admits that an analyst may not be able to detect or know about every attack. An analyst should feel comfortable selecting none if they (or their search scripts) have performed searches in the appropriate places for public PoCs and active exploitation (as described above) and found none. Acknowledging that Exploitation values can change relatively quickly, we recommend conducting these searches frequently: if they can be automated to the organization's satisfaction, perhaps once a day (see also Guidance on Communicating Results).

CWE-IDs for PoC

The table below lists CWE-IDs that could be used to mark a vulnerability as PoC if the vulnerability is described by the CWE-ID.

CWE-295

For example, CWE-295, Improper Certificate Validation, and its child CWEs describe improper validation of TLS certificates. These CWE-IDs could always be marked as PoC since that meets condition (3) in the definition.

CWE-ID | CWE name | In NVD's CWE slice? | Possible PoC? | How could vulnerabilities containing this CWE be exploited? | Tools | Links to tools
20 | Improper Input Validation | yes | no | | |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | yes | yes | directory/path traversal ("../") | Panoptic; Burp Suite | https://github.com/lightos/Panoptic; https://portswigger.net/burp
59 | Improper Link Resolution Before File Access ('Link Following') | yes | yes | symlink attack | No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link. | https://capec.mitre.org/data/definitions/132.html
73 | External Control of File Name or Path | no | no | | |
74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | yes | no | | |
77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | yes | yes | command injection | Commix | https://github.com/commixproject/commix
78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | yes | yes | OS command injection | Commix; Burp Suite | https://github.com/commixproject/commix; https://portswigger.net/burp
79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | yes | yes | cross-site scripting attack | XSSER; Pybelt; XSStrike | https://github.com/epsylon/xsser; https://github.com/Ekultek/Pybelt; https://github.com/s0md3v/XSStrike
88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | yes | yes | argument/parameter injection | Argument Injection Hammer | https://github.com/nccgroup/argumentinjectionhammer
89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | yes | yes | malicious SQL command injection | SQLMap; BBQSQL; jSQL Injection; NoSQLMap | https://github.com/sqlmapproject/sqlmap; https://github.com/CiscoCXSecurity/bbqsql; https://github.com/ron190/jsql-injection; https://github.com/codingo/NoSQLMap
91 | XML Injection (aka Blind XPath Injection) | yes | yes | inject XML code into a web input, XML file or stream | XXExploiter | https://github.com/luisfontes19/xxexploiter
94 | Improper Control of Generation of Code ('Code Injection') | yes | no | | |
115 | Misinterpretation of Input | no | no | | |
116 | Improper Encoding or Escaping of Output | yes | no | | |
119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | yes | no | | |
120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | yes | no | | |
122 | Heap-based Buffer Overflow | no | no | | |
125 | Out-of-bounds Read | yes | no | | |
129 | Improper Validation of Array Index | yes | no | | |
131 | Incorrect Calculation of Buffer Size | yes | no | | |
134 | Use of Externally-Controlled Format String | yes | no | | |
178 | Improper Handling of Case Sensitivity | yes | no | | |
190 | Integer Overflow or Wraparound | yes | no | | |
191 | Integer Underflow (Wrap or Wraparound) | yes | no | | |
193 | Off-by-one Error | yes | no | | |
194 | Unexpected Sign Extension | no | no | | |
200 | Exposure of Sensitive Information to an Unauthorized Actor | yes | no | | |
201 | Insertion of Sensitive Information Into Sent Data | no | no | | |
203 | Observable Discrepancy | yes | no | | |
209 | Generation of Error Message Containing Sensitive Information | yes | yes | read/capture sensitive information contained in error message | OWASP ZAP; Burp Suite | https://www.zaproxy.org/; https://portswigger.net/burp
212 | Improper Removal of Sensitive Information Before Storage or Transfer | yes | no | | |
252 | Unchecked Return Value | yes | no | | |
257 | Storing Passwords in a Recoverable Format | no | no | | |
264 | Permissions, Privileges, and Access Controls | no | no | | |
269 | Improper Privilege Management | yes | no | | |
273 | Improper Check for Dropped Privileges | yes | no | | |
275 | Permission Issues | no | no | | |
276 | Incorrect Default Permissions | yes | yes | try to access data or privileges you normally should not have access to | No specialized resources are required to execute this type of attack. In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly. | https://capec.mitre.org/data/definitions/1.html
280 | Improper Handling of Insufficient Permissions or Privileges | no | no | | |
281 | Improper Preservation of Permissions | yes | no | | |
284 | Improper Access Control | no | no | | |
287 | Improper Authentication | yes | no | | |
290 | Authentication Bypass by Spoofing | yes | no | | |
294 | Authentication Bypass by Capture-replay | yes | yes | capture-replay attack | Wireshark; SmartSniff | https://www.wireshark.org/; https://www.nirsoft.net/utils/smsniff.html
295 | Improper Certificate Validation | yes | no | | |
305 | Authentication Bypass by Primary Weakness | no | no | | |
306 | Missing Authentication for Critical Function | yes | no | | |
307 | Improper Restriction of Excessive Authentication Attempts | yes | yes | brute force attack | THC Hydra; John the Ripper; L0phtCrack; Hashcat | https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/
311 | Missing Encryption of Sensitive Data | yes | no | | |
312 | Cleartext Storage of Sensitive Information | yes | yes | find sensitive data stored in system | OWASP ZAP; Burp Suite | https://www.zaproxy.org/; https://portswigger.net/burp
319 | Cleartext Transmission of Sensitive Information | yes | yes | capture traffic and extract sensitive information | Wireshark; SmartSniff | https://www.wireshark.org/; https://www.nirsoft.net/utils/smsniff.html
321 | Use of Hard-coded Cryptographic Key | no | no | | |
326 | Inadequate Encryption Strength | yes | no | | |
327 | Use of a Broken or Risky Cryptographic Algorithm | yes | no | | |
330 | Use of Insufficiently Random Values | yes | yes | brute force attack | THC Hydra; John the Ripper; L0phtCrack; Hashcat | https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/
331 | Insufficient Entropy | yes | yes | brute force attack/predictive programs | Hashcat; php_mt_seed | https://hashcat.net/hashcat/; https://github.com/openwall/php_mt_seed
335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | yes | no | | |
337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | no | no | | |
338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | yes | no | | |
345 | Insufficient Verification of Data Authenticity | yes | no | | |
346 | Origin Validation Error | yes | no | | |
347 | Improper Verification of Cryptographic Signature | yes | no | | |
352 | Cross-Site Request Forgery (CSRF) | yes | yes | CSRF | Burp Suite; XSRFProbe | https://portswigger.net/burp; https://github.com/0xInfection/XSRFProbe
354 | Improper Validation of Integrity Check Value | yes | no | | |
362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | yes | no | | |
367 | Time-of-check Time-of-use (TOCTOU) Race Condition | yes | no | | |
369 | Divide By Zero | yes | no | | |
384 | Session Fixation | yes | no | | |
388 | 7PK - Errors | no | no | | |
400 | Uncontrolled Resource Consumption | yes | no | | |
401 | Missing Release of Memory after Effective Lifetime | yes | no | | |
404 | Improper Resource Shutdown or Release | yes | no | | |
405 | Asymmetric Resource Consumption (Amplification) | no | no | | |
407 | Inefficient Algorithmic Complexity | yes | no | | |
415 | Double Free | yes | no | | |
416 | Use After Free | yes | no | | |
425 | Direct Request ('Forced Browsing') | yes | yes | forcibly navigate to URLs unintended by the system | DirBuster; Dirstalk | https://sourceforge.net/projects/dirbuster/; https://github.com/stefanoj3/dirstalk
426 | Untrusted Search Path | yes | yes | malicious DLL injection/loading | evildll; evildll-gen | https://github.com/CrackerCat/evildll; https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011
427 | Uncontrolled Search Path Element | yes | yes | malicious DLL injection/loading | evildll; evildll-gen | https://github.com/CrackerCat/evildll; https://gist.github.com/klezVirus/e24c94d7061f5736e2452eee022f4011
428 | Unquoted Search Path or Element | yes | yes | insert malicious input into unquoted search path | Metasploit | https://www.metasploit.com/
434 | Unrestricted Upload of File with Dangerous Type | yes | yes | upload of a malicious file (program lacks restrictions to prevent this from occurring) | No specialized resources are required to execute this type of attack. | https://capec.mitre.org/data/definitions/1.html
436 | Interpretation Conflict | yes | no | | |
441 | Unintended Proxy or Intermediary ('Confused Deputy') | no | no | | |
444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | yes | yes | HTTP request smuggling | Smuggler | https://github.com/defparam/smuggler
451 | User Interface (UI) Misrepresentation of Critical Information | no | no | | |
459 | Incomplete Cleanup | yes | no | | |
470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | yes | no | | |
476 | NULL Pointer Dereference | yes | no | | |
494 | Download of Code Without Integrity Check | yes | no | | |
502 | Deserialization of Untrusted Data | yes | no | | |
521 | Weak Password Requirements | yes | yes | brute force attack | THC Hydra; John the Ripper; L0phtCrack; Hashcat | https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/
522 | Insufficiently Protected Credentials | yes | yes | search for exposed credentials, capture traffic, or brute force (context-dependent) | Context-dependent; may utilize traffic sniffing tools, tools for discovering sensitive information, or brute forcing tools | https://www.wireshark.org/; https://www.nirsoft.net/utils/smsniff.html; https://www.zaproxy.org/; https://portswigger.net/burp; https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/
532 | Insertion of Sensitive Information into Log File | yes | yes | access log files and search them for sensitive information | OWASP ZAP; Burp Suite (along with the ability to access log files) | https://www.zaproxy.org/; https://portswigger.net/burp
552 | Files or Directories Accessible to External Parties | yes | no | | |
565 | Reliance on Cookies without Validation and Integrity Checking | yes | no | | |
592 | Authentication Bypass Issues | no | no | | |
601 | URL Redirection to Untrusted Site ('Open Redirect') | yes | no | | |
602 | Client-Side Enforcement of Server-Side Security | no | no | | |
610 | Externally Controlled Reference to a Resource in Another Sphere | yes | no | | |
611 | Improper Restriction of XML External Entity Reference | yes | yes | XML external entity injection | XXExploiter | https://github.com/luisfontes19/xxexploiter
613 | Insufficient Session Expiration | yes | no | | |
617 | Reachable Assertion | yes | no | | |
639 | Authorization Bypass Through User-Controlled Key | yes | yes | modify key values to change what data the attacker has access to (insecure direct object reference exploit) | AuthZ for Burp Suite | https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e
640 | Weak Password Recovery Mechanism for Forgotten Password | yes | no | | |
662 | Improper Synchronization | yes | no | | |
665 | Improper Initialization | yes | no | | |
667 | Improper Locking | yes | no | | |
668 | Exposure of Resource to Wrong Sphere | yes | no | | |
669 | Incorrect Resource Transfer Between Spheres | yes | no | | |
670 | Always-Incorrect Control Flow Implementation | yes | no | | |
672 | Operation on a Resource after Expiration or Release | yes | no | | |
674 | Uncontrolled Recursion | yes | no | | |
681 | Incorrect Conversion between Numeric Types | yes | no | | |
682 | Incorrect Calculation | yes | no | | |
697 | Incorrect Comparison | yes | no | | |
703 | Improper Check or Handling of Exceptional Conditions | no | no | | |
704 | Incorrect Type Conversion or Cast | yes | no | | |
706 | Use of Incorrectly-Resolved Name or Reference | yes | no | | |
732 | Incorrect Permission Assignment for Critical Resource | yes | no | | |
749 | Exposed Dangerous Method or Function | no | no | | |
754 | Improper Check for Unusual or Exceptional Conditions | yes | no | | |
755 | Improper Handling of Exceptional Conditions | yes | no | | |
759 | Use of a One-Way Hash without a Salt | no | no | | |
763 | Release of Invalid Pointer or Reference | yes | no | | |
770 | Allocation of Resources Without Limits or Throttling | yes | no | | |
772 | Missing Release of Resource after Effective Lifetime | yes | no | | |
776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | yes | yes | XML entity expansion | XXExploiter | https://github.com/luisfontes19/xxexploiter
787 | Out-of-bounds Write | yes | no | | |
789 | Memory Allocation with Excessive Size Value | no | no | | |
798 | Use of Hard-coded Credentials | yes | yes | discover and use hard-coded credentials | Context-dependent; may use password cracking tools, binary analysis tools, or may not require any tools (just knowledge of the default hard-coded credentials) | https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/; https://www.powergrep.com/
823 | Use of Out-of-range Pointer Offset | no | no | | |
824 | Access of Uninitialized Pointer | yes | no | | |
829 | Inclusion of Functionality from Untrusted Control Sphere | yes | no | | |
834 | Excessive Iteration | yes | no | | |
835 | Loop with Unreachable Exit Condition ('Infinite Loop') | yes | no | | |
838 | Inappropriate Encoding for Output Context | yes | no | | |
843 | Access of Resource Using Incompatible Type ('Type Confusion') | yes | no | | |
862 | Missing Authorization | yes | no | | |
863 | Incorrect Authorization | yes | no | | |
908 | Use of Uninitialized Resource | yes | no | | |
909 | Missing Initialization of Resource | yes | no | | |
913 | Improper Control of Dynamically-Managed Code Resources | yes | no | | |
916 | Use of Password Hash With Insufficient Computational Effort | yes | yes | brute force | THC Hydra; John the Ripper; L0phtCrack; Hashcat | https://github.com/vanhauser-thc/thc-hydra; https://github.com/openwall/john; https://gitlab.com/l0phtcrack/l0phtcrack; https://hashcat.net/hashcat/
917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression La | yes | no | | |
918 | Server-Side Request Forgery (SSRF) | yes | yes | SSRF | SSRFmap; Burp Suite | https://github.com/swisskyrepo/SSRFmap; https://portswigger.net/web-security/ssrf
920 | Improper Restriction of Power Consumption | yes | no | | |
922 | Insecure Storage of Sensitive Information | yes | no | | |
924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | yes | no | | |
1021 | Improper Restriction of Rendered UI Layers or Frames | yes | no | | |
1188 | Insecure Default Initialization of Resource | yes | yes | use default credentials | Context-dependent, but may not need any tools (for example, try to use default credentials or access resources that typically require permissions); knowledge of the system (and its defaults) helps |
1236 | Improper Neutralization of Formula Elements in a CSV File | yes | yes | CSV injection | No specialized resources are required to execute this type of attack; it is more based on payloads. | https://gitlab.com/pentest-tools/PayloadsAllTheThings/-/tree/master/CSV%20Injection; https://owasp.org/www-community/attacks/CSV_Injection
1284 | Improper Validation of Specified Quantity in Input | yes | no | | |
1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | yes | yes | prototype pollution | DOM Invader (Burp Suite) | https://portswigger.net/burp/documentation/desktop/tools/dom-invader
1333 | Inefficient Regular Expression Complexity | yes | yes | ReDoS or exponential backtracking | ReScue | https://2bdenny.github.io/ReScue/
NVD-noinfo | There is insufficient information about the issue to classify it; details are unknown or unspecified. | yes | no | | |
NVD-Other | NVD is only using a subset of CWE for mapping instead of the entire CWE, and the weakness type is not covered by that subset. | yes | no | | |
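The following is an added example (not code from the SSVC project) of how the evidence-gathering steps described above can be turned into a repeatable assignment of the Exploitation value. It encodes the decision point definition given at the top of the page, a small CWE-ID set constructed from a few "Possible PoC? yes" rows of the table (a real deployment would load the whole table), and a constructed evidence record whose fields mirror the PoC and Active conditions; the `Evidence` type, field names and `exploitation_value` function are assumptions of this example. Evidence for Active takes precedence over PoC evidence, and None is returned only when every search came back empty, which is the defensible reading of the definition above.

```python
"""Assign the SSVC Exploitation (E) decision point value from gathered evidence.

Added example; the data structures and function names are assumptions,
not the SSVC project's own API.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The decision point as the page defines it (namespace ssvc, key E, version 1.0.0).
EXPLOITATION = {
    "namespace": "ssvc",
    "version": "1.0.0",
    "key": "E",
    "name": "Exploitation",
    "values": [
        {"key": "N", "name": "None"},
        {"key": "P", "name": "PoC"},
        {"key": "A", "name": "Active"},
    ],
}

# CWE-IDs whose weakness class carries a well-known method of exploitation.
# Constructed from a handful of "Possible PoC? yes" rows of the table above;
# load the full table in practice.
WELL_KNOWN_EXPLOIT_CWES: frozenset[int] = frozenset({22, 78, 79, 89, 352, 611, 918})


@dataclass
class Evidence:
    """What the analyst (or their search scripts) found for one vulnerability."""
    cwe_ids: set[int] = field(default_factory=set)
    public_poc_found: bool = False        # hit in ExploitDB/Metasploit/GitHub exploit repos
    exploitation_attested: bool = False   # private attestation or widespread hearsay
    active_public_reporting: bool = False # credible public report of in-the-wild use
    exploitation_detected: bool = False   # own IDS hits on reliable, precise signatures


def exploitation_value(ev: Evidence) -> str:
    """Return the value key ('N', 'P' or 'A') for the given evidence.

    Active conditions dominate; any single PoC condition yields 'P';
    'N' means the searches were done and came back empty.
    """
    if ev.active_public_reporting or ev.exploitation_detected:
        return "A"
    if (
        ev.public_poc_found
        or ev.exploitation_attested
        or ev.cwe_ids & WELL_KNOWN_EXPLOIT_CWES
    ):
        return "P"
    return "N"


def explain(ev: Evidence) -> str:
    """Human-readable rationale for the chosen value, for the analyst's record."""
    reasons = []
    if ev.active_public_reporting:
        reasons.append("credible public reporting of active exploitation")
    if ev.exploitation_detected:
        reasons.append("exploitation attempts detected by own sensors")
    if ev.public_poc_found:
        reasons.append("public PoC found")
    if ev.exploitation_attested:
        reasons.append("exploitation attested privately or by widespread hearsay")
    known = sorted(ev.cwe_ids & WELL_KNOWN_EXPLOIT_CWES)
    if known:
        reasons.append("well-known exploitation method for CWE " + ", ".join(map(str, known)))
    if not reasons:
        reasons.append("searches for PoCs and active exploitation found nothing")
    return f"{value_name(exploitation_value(ev))}: " + "; ".join(reasons)


def value_name(key: str) -> str:
    """Map a value key from the definition to its display name."""
    for v in EXPLOITATION["values"]:
        if v["key"] == key:
            return v["name"]
    raise KeyError(key)


if __name__ == "__main__":
    # Constructed sample: a SQL injection (CWE-89) with no public PoC or reporting yet.
    print(explain(Evidence(cwe_ids={89})))
```

Because Exploitation values can change quickly, the intended use is to re-run `exploitation_value` on freshly gathered evidence on each scheduled search (daily, as the text suggests) and to keep the `explain` rationale alongside the assigned value so that a later reviewer can see which condition drove it.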


  1. Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Idris Adjerid, and Michael Roytman. Exploit Prediction Scoring System (EPSS). Digital Threats, July 2021. doi:10.1145/3436242, https://doi.org/10.1145/3436242

  2. Allen D. Householder, Jeff Chrabaszcz, Trent Novelly, David Warren, and Jonathan M. Spring. Historical analysis of exploit availability timelines. In Workshop on Cyber Security Experimentation and Test. Virtual conference, 2020. USENIX.