The same handful of mechanisms account for most of the catalog
After the marquee bugs, Tier 1's remaining entries (DotNetNuke, ForgeRock, BQE, Sophos, Tomcat, Citrix ShareFile, SAP, Quest, Atlassian Crowd, Exim, Cisco ASA, Office) don't introduce new lessons. They confirm the few recurring mechanisms behind nearly every exploited vulnerability.
Work through enough of the Known Exploited Vulnerabilities catalog and the bugs stop looking like a thousand unique problems and start looking like a small set of recurring mechanisms applied to a thousand products. A cluster of remaining entries makes the point cleanly: none introduces a new lesson, each is another instance of a pattern this series has already covered. Grouping them by mechanism is more useful than treating each as a one-off, because the defense is per-mechanism, not per-CVE.
Insecure deserialization
- DotNetNuke (DNN) CVE-2017-9822 is a .NET deserialization RCE through a cookie the application unmarshalled without restriction. ForgeRock Access Management CVE-2021-35464 is a pre-authentication Java deserialization RCE (via an outdated Jato/ParameterParser path) in an identity-management product. Same footgun as Mirth, Sitecore, and Aspera: untrusted data handed to a type-permissive deserializer. Fix: don’t deserialize untrusted input with object-instantiating serializers; allowlist types.
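The "allowlist types" fix, shown in Python's pickle since it is the most compact type-permissive deserializer to demonstrate with. This is an added example, not code from DNN, ForgeRock, or any product in the catalog; the Session class, the cookie helpers, and the allowlist contents are all hypothetical. The hostile cookie is constructed to name an inert callable (builtins.len) so the run is harmless, but the allowlist refuses it for exactly the reason it would refuse a dangerous one: the type is not one the application expects.

```python
import base64
import io
import pickle


# Constructed stand-in for the kind of object an application legitimately
# round-trips through a cookie (hypothetical type, not from any product).
class Session:
    def __init__(self, user, role):
        self.user = user
        self.role = role

    def __eq__(self, other):
        return isinstance(other, Session) and (self.user, self.role) == (other.user, other.role)


# The allowlist: the only (module, class) pairs the unpickler may resolve.
# Anything else, including builtins and stdlib callables, is refused.
ALLOWED_TYPES = {(__name__, "Session")}


class AllowlistUnpickler(pickle.Unpickler):
    """pickle.Unpickler that resolves only allowlisted globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name} from untrusted data")


def encode_cookie(obj):
    """Serialize an object the way the vulnerable pattern does: a pickle in a cookie."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


def load_cookie_unsafe(cookie):
    """The DNN/ForgeRock mistake: a type-permissive deserializer on untrusted bytes.
    Whatever global the byte stream names gets resolved and called."""
    return pickle.loads(base64.b64decode(cookie))


def load_cookie_safe(cookie):
    """Same bytes, but only allowlisted types can be instantiated."""
    return AllowlistUnpickler(io.BytesIO(base64.b64decode(cookie))).load()


def cookie_accepted(cookie):
    """True if the allowlist unpickler accepts the cookie, False if it refuses it."""
    try:
        load_cookie_safe(cookie)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed hostile cookie: a pickle whose reduce step names a callable that is
# not on the allowlist. builtins.len is used so the demonstration is inert; the
# deserializer neither knows nor cares that it happens to be harmless.
class _ForeignCallable:
    def __reduce__(self):
        return (len, ("not a session",))


if __name__ == "__main__":
    good = encode_cookie(Session("alice", "user"))
    bad = encode_cookie(_ForeignCallable())
    print("legitimate cookie, safe loader:", vars(load_cookie_safe(good)))
    print("hostile cookie, unsafe loader returned:", load_cookie_unsafe(bad))
    print("hostile cookie accepted by allowlist loader:", cookie_accepted(bad))
```

The same shape applies to .NET and Java: a SerializationBinder that returns null for unexpected types, or an ObjectInputStream with a resolveClass override (or a JEP 290 filter), is the allowlist; the vulnerable products had none.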
SQL injection
- BQE BillQuick Web Suite CVE-2021-42258 is a SQL injection that was used to deploy ransomware. Sophos SFOS CVE-2020-12271 is the SQL injection behind the “Asnarök” zero-day campaign against Sophos XG firewalls, used to steal credentials and attempt malware deployment. As with WhatsUp Gold and FortiClient EMS, SQLi on a product backed by a database, especially a security appliance, is frequently a path to data theft or OS command execution. Fix: parameterized queries, and remember a SQLi on a SQL Server-backed product can mean RCE.
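The parameterized-query fix as an added example (not code from BillQuick, Sophos, or any product here), using an in-memory SQLite table constructed for the demo. It contrasts string-built SQL with bound parameters, and goes one step beyond the paragraph: placeholders bind values, not identifiers, so a client-chosen column name still needs an allowlist even in a codebase that "parameterized everything".

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for a product's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 0), ("root", "hash-r", 1)],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """The bug class: the client's string becomes part of the SQL grammar."""
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized: the driver binds the value; it cannot alter the query's structure."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


# Placeholders bind values, not identifiers. A client-chosen sort column is
# a common blind spot and needs an allowlist (hypothetical policy for this demo).
ALLOWED_SORT_COLUMNS = {"username", "is_admin"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT username, is_admin FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    conn = build_db()
    tautology = "' OR '1'='1"
    print("unsafe, tautology input:", lookup_user_unsafe(conn, tautology))
    print("safe, same input:", lookup_user_safe(conn, tautology))
    print("sorted by allowlisted column:", list_users_sorted(conn, "username"))
```

On SQLite the worst outcome of the unsafe query is data disclosure; on a SQL Server-backed product the same missing bind can reach stored procedures that run OS commands, which is the RCE the paragraph warns about.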
File upload, HTTP PUT, and path traversal
- Apache Tomcat CVE-2017-12615 lets an attacker upload a JSP web shell when HTTP PUT is enabled, a configuration mistake more than a code bug. Citrix ShareFile CVE-2021-22941 is an improper-access-control flaw in the storage-zones controller enabling unauthenticated upload and code execution. SAP CRM CVE-2018-2380 is a path traversal, and Quest KACE System Management Appliance CVE-2018-11138 is reachable through an installer-download script. The recurring theme from dotCMS and Oracle EBS: never trust a path or filename from the client, validate the destination, and store uploads where they can’t execute. For Tomcat specifically: don’t enable HTTP PUT on a public server.
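The upload and path rules from this section, as an added example that is not from Tomcat, ShareFile, SAP, or Quest: reduce the client's filename to one path component, check the extension against a policy, and assert that the final destination lies inside the upload root. The extension set and the upload root are hypothetical; the non-executable storage requirement is assumed to be enforced by the web server configuration, which this code cannot check.

```python
import os
import pathlib

# Hypothetical policy for this example: what the application will store.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}


def validated_filename(client_filename):
    """Reduce a client-supplied filename to a single safe path component."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Strip any directory part, whether written with / or \ separators.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("filename has no usable component")
    # Hidden files like .htaccess have no suffix and are rejected here too.
    if pathlib.PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not permitted: {name!r}")
    return name


def is_within(root, candidate):
    """True if candidate resolves to somewhere strictly inside root."""
    root = pathlib.Path(root).resolve()
    candidate = pathlib.Path(candidate).resolve()
    return root in candidate.parents


def upload_destination(upload_root, client_filename):
    """Compute where an upload may be written, or raise ValueError.

    upload_root is assumed to be a directory the web server will not execute
    from (no script handler, no execute bit): even a file that slips the
    extension check is inert there, which is the second half of the defense.
    """
    name = validated_filename(client_filename)
    dest = pathlib.Path(upload_root) / name
    # Defense in depth: the basename step should make this redundant, but
    # containment inside the root is the invariant that actually matters.
    if not is_within(upload_root, dest):
        raise ValueError("destination escapes upload root")
    return dest


if __name__ == "__main__":
    for name in ["report.pdf", "../../etc/passwd", "..\\..\\notes.txt", "shell.jsp"]:
        try:
            print(f"{name!r} -> {upload_destination('/srv/uploads', name)}")
        except ValueError as exc:
            print(f"{name!r} -> rejected: {exc}")
```

The Tomcat case is the configuration side of the same rule: the DefaultServlet's readonly setting must stay at its default of true on anything reachable from the internet, otherwise PUT writes straight into the webapp, where files do execute.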
Plugin and feature abuse, memory bugs, and the rest
- Atlassian Crowd CVE-2019-11580 abused the pdkinstall development plugin, left enabled, to install a malicious plugin and get RCE, a “debug/dev feature in production” mistake like Laravel’s debug mode. Exim CVE-2018-6789 is a buffer overflow in the base64d function reachable pre-authentication over SMTP, the mail server as exposed attack surface. Cisco ASA/FTD CVE-2020-3580 is a cross-site scripting flaw in the WebVPN interface, lower-impact but exploited, a reminder that even XSS on a perimeter device gets used. Microsoft Office CVE-2021-38646 is an RCE in the Access Connectivity Engine, triggered by opening a crafted file, a document-attack-surface case.
The point
These dozen span a CMS, an identity server, a billing app, two firewalls, a web server, a file-sharing controller, an ERP, a management appliance, a mail server, and Office. They have nothing in common as products and almost everything in common as bugs: deserialization, SQL injection, unvalidated uploads and paths, a left-on dev feature, a memory overflow on exposed input. That’s the catalog in miniature. The practical implication is that you don’t defend against a thousand unique vulnerabilities; you defend against a handful of mechanisms (secure deserialization, parameterized queries, validated uploads, disabled dev/debug features, patched memory-unsafe parsers) plus the constants that apply to all of them: keep internet-facing software patched and exposure minimal. Master the mechanisms and the per-product CVEs mostly take care of themselves.
That’s also the through-line of this whole series. The marquee bugs get the names; the long tail confirms that the same few mistakes keep getting made, in product after product, year after year. We track every catalog addition, but we read them as instances of patterns, because that’s how you actually get ahead of them.