T1190 — Exploit Public-Facing Application

Technique

T1190

Tactics

Initial Access

MISP citations

0

KEV CVEs mapped

157

Community rules

146

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1190

MITRE description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-5777
• CVE-2025-53770
• CVE-2025-49706
• CVE-2025-49704
• CVE-2025-4428
• CVE-2025-4427
• CVE-2025-42999
• CVE-2025-42599
• CVE-2025-35939
• CVE-2025-34028
• CVE-2025-25257
• CVE-2025-23006
• CVE-2025-22457
• CVE-2025-1316
• CVE-2025-0282
• CVE-2025-0108
• CVE-2024-57727
• CVE-2024-55550
• CVE-2024-4879
• CVE-2024-48248
• CVE-2024-4577
• CVE-2024-4358
• CVE-2024-38475
• CVE-2024-34102
• CVE-2024-27198
• CVE-2024-21893
• CVE-2024-21887
• CVE-2024-21762
• CVE-2024-20953
• CVE-2024-20353
• CVE-2024-13161
• CVE-2024-13160
• CVE-2024-13159
• CVE-2024-0769
• CVE-2023-7101
• CVE-2023-49103
• CVE-2023-48788
• CVE-2023-48365
• CVE-2023-46805
• CVE-2023-46604
• CVE-2023-44487
• CVE-2023-42793
• CVE-2023-38950
• CVE-2023-38205
• CVE-2023-38203
• CVE-2023-38035
• CVE-2023-36851
• CVE-2023-36847
• CVE-2023-36846
• CVE-2023-36845
• CVE-2023-36844
• CVE-2023-3519
• CVE-2023-35081
• CVE-2023-35078
• CVE-2023-34362
• CVE-2023-33246
• CVE-2023-29492
• CVE-2023-29300
• CVE-2023-29298
• CVE-2023-27997
• CVE-2023-27524
• CVE-2023-27350
• CVE-2023-26360
• CVE-2023-26359
• CVE-2023-22952
• CVE-2023-22518
• CVE-2023-22515
• CVE-2023-20887
• CVE-2023-20198
• CVE-2023-0669
• CVE-2022-47966
• CVE-2022-43939
• CVE-2022-42948
• CVE-2022-42475
• CVE-2022-40684
• CVE-2022-39197
• CVE-2022-36804
• CVE-2022-35914
• CVE-2022-29464
• CVE-2022-28810
• CVE-2022-26501
• CVE-2022-26500
• CVE-2022-26258
• CVE-2022-26134
• CVE-2022-24086
• CVE-2022-23131
• CVE-2022-22965
• CVE-2022-22963
• CVE-2022-22947
• CVE-2022-20821
• CVE-2022-20708
• CVE-2022-20700
• CVE-2022-1040
• CVE-2022-0028
• CVE-2021-45382
• CVE-2021-44529
• CVE-2021-44515
• CVE-2021-44228
• CVE-2021-44077
• CVE-2021-40655
• CVE-2021-40539
• CVE-2021-39226
• CVE-2021-39144
• CVE-2021-37415
• CVE-2021-36380
• CVE-2021-35464
• CVE-2021-35394
• CVE-2021-34523
• CVE-2021-34473
• CVE-2021-3129
• CVE-2021-31166
• CVE-2021-27860
• CVE-2021-27104
• CVE-2021-27103
• CVE-2021-27102
• CVE-2021-27065
• CVE-2021-26858
• CVE-2021-26085
• CVE-2021-22986
• CVE-2021-22893
• CVE-2021-22205
• CVE-2021-22204
• CVE-2021-22017
• CVE-2021-22005
• CVE-2021-21975
• CVE-2021-21973
• CVE-2021-21972
• CVE-2020-5902
• CVE-2020-29557
• CVE-2020-17530
• CVE-2020-15505
• CVE-2020-0688
• CVE-2019-18935
• CVE-2019-17558
• CVE-2019-1653
• CVE-2019-11634
• CVE-2019-0604
• CVE-2018-7600
• CVE-2018-6789
• CVE-2018-4939
• CVE-2018-15961
• CVE-2018-13379
• CVE-2018-11776
• CVE-2017-9822
• CVE-2017-9805
• CVE-2017-5638
• CVE-2017-12637
• CVE-2016-4437
• CVE-2016-10033
• CVE-2014-7169
• CVE-2014-6271
• CVE-2013-0632
• CVE-2013-0631
• CVE-2013-0629
• CVE-2013-0625
• CVE-2010-2861
• CVE-2009-3960

Detection coverage

SigmaHQ community rules

• CVE-2010-5278 Exploitation Attempt (emerging-threats)
• Rejetto HTTP File Server RCE (emerging-threats)
• Fortinet CVE-2018-13379 Exploitation (emerging-threats)
• Oracle WebLogic Exploit (emerging-threats)
• Pulse Secure Attack CVE-2019-11510 (emerging-threats)
• Citrix Netscaler Attack CVE-2019-19781 (emerging-threats)
• Confluence Exploitation CVE-2019-3398 (emerging-threats)
• CVE-2020-0688 Exploitation Attempt (emerging-threats)
• CVE-2020-0688 Exchange Exploitation via Web Log (emerging-threats)
• CVE-2020-0688 Exploitation via Eventlog (emerging-threats)
• CVE-2020-10148 SolarWinds Orion API Auth Bypass (emerging-threats)
• Exploited CVE-2020-10189 Zoho ManageEngine (emerging-threats)
• DNS RCE CVE-2020-1350 (emerging-threats)
• Oracle WebLogic Exploit CVE-2020-14882 (emerging-threats)
• TerraMaster TOS CVE-2020-28188 (emerging-threats)
• Cisco ASA FTD Exploit CVE-2020-3452 (emerging-threats)
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt (emerging-threats)
• Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 (emerging-threats)
• Arcadyan Router Exploitations (emerging-threats)
• Oracle WebLogic Exploit CVE-2021-2109 (emerging-threats)
• CVE-2021-21972 VSphere Exploitation (emerging-threats)
• CVE-2021-21978 Exploitation Attempt (emerging-threats)
• VMware vCenter Server File Upload CVE-2021-22005 (emerging-threats)
• Fortinet CVE-2021-22123 Exploitation (emerging-threats)
• Pulse Connect Secure RCE Attack CVE-2021-22893 (emerging-threats)

Showing 25 of 146 community rules — the full set is tagged attack.t1190 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.