Skip to main content

OSINT - Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions

Low
Published: Wed Nov 27 2024 (11/27/2024, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: type
Product: osint

Description

OSINT - Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions

AI-Powered Analysis

AILast updated: 07/07/2025, 19:40:00 UTC

Technical Analysis

The provided information pertains to an OSINT (Open Source Intelligence) report titled "Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions," associated with the threat actor group "Earth Estries." The report highlights a prolonged cyber intrusion campaign targeting multiple sectors including consulting, managed services providers, NGOs, and telecommunications. The affected countries span a wide geographic range, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, Philippines, South Africa, Taiwan, Thailand, the United States, and Vietnam. The nature of the threat is categorized as OSINT with a low severity rating and a 50% certainty level, indicating moderate confidence in the findings. No specific affected product versions or technical exploit details are provided, and no patches or known exploits in the wild have been identified. The campaign appears to involve network activity and external analysis, suggesting reconnaissance and possibly persistent intrusion techniques. The lack of CVEs beyond CVE-2023-46805 and absence of CWE identifiers imply that the threat is more related to espionage or intrusion activity rather than a specific software vulnerability. The technical details are minimal, with only a UUID and a timestamp, limiting deeper technical analysis. Overall, this represents a long-term cyber intrusion campaign by a known threat actor group with a broad international footprint and targeting critical sectors, but with limited technical specifics and low immediate severity.

Potential Impact

For European organizations, the direct impact appears limited based on the current data, as no European countries are explicitly listed among the affected regions. However, the targeted sectors—consulting, managed services providers, NGOs, and telecommunications—are critical to European infrastructure and economy, and these sectors often have global interconnections. If the Earth Estries group extends their operations or if European entities have partnerships or supply chain relationships with affected regions or sectors, there could be indirect risks such as data leakage, espionage, or supply chain compromise. The long-term nature of the intrusions suggests potential for persistent access and information gathering, which could eventually be leveraged for more disruptive or damaging attacks. The low severity rating and absence of known exploits indicate that immediate operational disruption or widespread compromise in Europe is unlikely at this stage. Nonetheless, vigilance is warranted given the evolving nature of threat actor campaigns and the strategic importance of the targeted sectors.

Mitigation Recommendations

Given the lack of specific technical exploit details, mitigation should focus on enhancing detection and response capabilities against advanced persistent threat (APT) behaviors consistent with long-term intrusions. European organizations, especially those in consulting, managed services, NGOs, and telecom sectors, should implement robust network monitoring to detect unusual or persistent network activity, including lateral movement and data exfiltration attempts. Employ threat intelligence sharing platforms to stay informed about Earth Estries tactics, techniques, and procedures (TTPs). Conduct regular security audits and penetration testing to identify and remediate potential entry points. Strengthen supply chain security by vetting third-party providers and ensuring they adhere to strong cybersecurity practices. Implement strict access controls and multi-factor authentication to limit unauthorized access. Finally, establish incident response plans tailored to espionage and intrusion scenarios to enable rapid containment and recovery.

Need more detailed analysis?Get Pro

Technical Details

Uuid
ffea72a3-7935-4078-b769-b872475c5eae
Original Timestamp
1732697965

Indicators of Compromise

Vulnerability

ValueDescriptionCopy
vulnerabilityCVE-2023-46805
vulnerabilityCVE-2024-21887
vulnerabilityCVE-2023-48788
vulnerabilityCVE-2022-3236
vulnerabilityCVE-2021-26855
vulnerabilityCVE-2021-26857
vulnerabilityCVE-2021-26858
vulnerabilityCVE-2021-27065
vulnerabilityCVE-2021-27065
vulnerabilityCVE-2021-26858
vulnerabilityCVE-2021-26857
vulnerabilityCVE-2021-26855
vulnerabilityCVE-2021-26857
vulnerabilityCVE-2021-26858
vulnerabilityCVE-2024-21887

Ip

ValueDescriptionCopy
ip139.59.108.43
Campaign Beta (GHOSTSPIDER)
ip185.105.1.243
Campaign Beta (GHOSTSPIDER)
ip143.198.92.175
Campaign Beta (GHOSTSPIDER)
ip139.99.114.108
Campaign Beta (GHOSTSPIDER)
ip139.59.236.31
Campaign Beta (GHOSTSPIDER)
ip104.194.153.65
Campaign Beta (GHOSTSPIDER)
ip45.125.67.144
Campaign Beta (DEMODEX)
ip43.226.126.164
Campaign Beta (DEMODEX)
ip172.93.165.10
Campaign Beta (DEMODEX)
ip193.239.86.168
Campaign Beta (DEMODEX)
ip146.70.79.18
Campaign Beta (DEMODEX)
ip146.70.79.105
Campaign Beta (DEMODEX)
ip205.189.160.3
Campaign Beta (DEMODEX)
ip96.9.211.27
Campaign Beta (DEMODEX)
ip43.226.126.165
Campaign Beta (DEMODEX)
ip103.75.190.73
Campaign Alpha (related C&C)
ip172.93.165.14
Campaign Alpha (related C&C)
ip91.245.253.27
Campaign Alpha (SNAPPYBEE)
ip158.247.222.165
Campaign Alpha (SNAPPYBEE)
ip23.81.41.166
Campaign Alpha (Open directory C&C)
ip165.154.227.192
Campaign Alpha (frpc)
ip103.91.64.214
Campaign Alpha (DEMODEX)
ip165.154.227.192

Link

ValueDescriptionCopy
linkhttps://www.trendmicro.com/en_us/research/24/k/earth-estries.html
linkhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065
linkhttp://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
linkhttp://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
linkhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858
linkhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857
linkhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
linkhttp://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html
linkhttp://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
linkhttp://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html
linkhttp://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
linkhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857
linkhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858
linkhttps://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
linkhttp://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html

Text

ValueDescriptionCopy
text- Earth Estries, a Chinese APT group, has primarily targeted critical sectors like telecommunications and government entities across the US, Asia-Pacific, Middle East, and South Africa since 2023. - The group employs advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian telecommunications companies and government entities. - Earth Estries exploits public-facing server vulnerabilities to establish initial access and uses living-off-the-land binaries for lateral movement within networks to deploy malware and conduct long-term espionage. - The group has compromised over 20 organizations, targeting various sectors including telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies and NGOs in numerous countries. - Earth Estries uses a complex C&C infrastructure managed by different teams, and their operations often overlap with TTPs of other known Chinese APT groups, indicating possible use of shared tools from malware-as-a-service providers
textGame of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
textBlog
textMicrosoft Exchange Server Remote Code Execution Vulnerability
textCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
textPublished
textImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
textStable
textBase
text76
textManipulating Web Input to File System Calls
textAn attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
textProgram must allow for user controlled variables to be applied directly to the filesystem
textDesign: Enforce principle of least privilege. Design: Ensure all input is validated, and does not contain file system commands Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication. Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
text78
textUsing Escaped Slashes in Alternate Encoding
textThis attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
textThe application accepts the backlash character as escape character. The application server does incomplete input data decoding, filtering and validation.
textVerify that the user-supplied data does not use backslash character to escape malicious characters. Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Be aware of the threat of alternative method of data encoding. Regular expressions can be used to filter out backslash. Make sure you decode before filtering and validating the untrusted input data. In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access. Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
text126
textPath Traversal
textAn adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.
textThe attacker must be able to control the path that is requested of the target. The target must fail to adequately sanitize incoming paths
textDesign: Configure the access control correctly. Design: Enforce principle of least privilege. Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution. Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement. Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host. Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin. Implementation: Perform input validation for all remote content, including remote and user-generated content. Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. Implementation: Use indirect references rather than actual file names. Implementation: Use possible permissions on file access when developing and deploying web applications. Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.
text64
textUsing Slashes and URL Encoding Combined to Bypass Validation Logic
textThis attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
textThe application accepts and decodes URL string request. The application performs insufficient filtering/canonicalization on the URLs.
textAssume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input. Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible. Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL. Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive. There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
text79
textUsing Slashes in Alternate Encoding
textThis attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
textThe application server accepts paths to locate resources. The application server does insufficient input data validation on the resource path requested by the user. The access right to resources are not set properly.
textAny security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL. When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible. There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx) Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section) Test your path decoding process against malicious input. In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access. Assume all input is malicious. Create an allowlist that defines all valid input to the application based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.
textMicrosoft Exchange Server Remote Code Execution Vulnerability
textCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
textPublished
textMicrosoft Exchange Server Remote Code Execution Vulnerability
textCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
textPublished
textDeserialization of Untrusted Data
textDraft
textBase
text586
textObject Injection
textAn adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
textThe target application must unserialize data before validation.
textImplementation: Validate object before deserialization process Design: Limit which types can be deserialized. Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes. Implementation: Keep session state on the server, when possible.
textMicrosoft Exchange Server Remote Code Execution Vulnerability
textCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
textPublished
textServer-Side Request Forgery (SSRF)
textIncomplete
textBase
textMicrosoft Exchange Server Remote Code Execution Vulnerability
textCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
textPublished
textMicrosoft Exchange Server Remote Code Execution Vulnerability
textCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
textPublished
textA command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
textCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
textPublished
textImproper Neutralization of Special Elements used in a Command ('Command Injection')
textDraft
textClass
text248
textCommand Injection
textAn adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.
textThe target application must accept input from the user and then use this input in the construction of commands to be executed. In virtually all cases, this is some form of string input that is concatenated to a constant string defined by the application to form the full command to be executed.
textAll user-controllable input should be validated and filtered for potentially unwanted characters. Using an allowlist for input is desired, but if use of a denylist approach is necessary, then focusing on command related terms and delimiters is necessary. Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter. Input should be parameterized, or restricted to data sections of a command, thus removing the chance that the input will be treated as part of the command itself.
text40
textManipulating Writeable Terminal Devices
textThis attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
textUser terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals.
textDesign: Ensure that terminals are only writeable by named owner user and/or administrator Design: Enforce principle of least privilege
text43
textExploiting Multiple Input Interpretation Layers
textAn attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
textUser input is used to construct a command to be executed on the target system or as part of the file name. Multiple parser passes are performed on the data supplied by the user.
textAn iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it. Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters. Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist would not be permitted to enter into the system.
text136
textLDAP Injection
textAn attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
textThe target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed.
textStrong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content. Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.
text15
textCommand Delimiters
textAn attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
textSoftware's input validation or filtering must not detect and block presence of additional malicious command.
textDesign: Perform allowlist validation against a positive specification for command length, type, and parameters. Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account Implementation: Perform input validation for all remote content. Implementation: Use type conversions such as JDBC prepared statements.
text183
textIMAP/SMTP Command Injection
textAn attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
textThe target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker. The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server. The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.
text75
textManipulating Writeable Configuration Files
textGenerally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
textConfiguration files must be modifiable by the attacker
textDesign: Enforce principle of least privilege Design: Backup copies of all configuration files Implementation: Integrity monitoring for configuration files Implementation: Enforce audit logging on code and configuration promotion procedures. Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD
textall
textBackdoor_GHOSTSPIDER_beacon_loader
textall
textBackdoor_GHOSTSPIDER_stager

Datetime

ValueDescriptionCopy
datetime2024-07-25T17:34:00+00:00
datetime2021-03-03T00:15:00+00:00
datetime2024-07-25T17:53:00+00:00
datetime2021-03-03T00:15:00+00:00
datetime2024-07-25T17:53:00+00:00
datetime2021-03-03T00:15:00+00:00
datetime2024-02-15T20:18:00+00:00
datetime2021-03-03T00:15:00+00:00
datetime2024-07-25T17:53:00+00:00
datetime2021-03-03T00:15:00+00:00
datetime2024-07-25T17:53:00+00:00
datetime2021-03-03T00:15:00+00:00
datetime2024-06-10T16:21:00+00:00
datetime2024-01-12T17:15:00+00:00

Float

ValueDescriptionCopy
float7.8
float7.8
float7.8
float9.1
float7.8
float7.8
float9.1

Cpe

ValueDescriptionCopy
cpecpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
cpecpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.1:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.2:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r16.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r15.2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.2:-:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.2:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.1:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r15:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r16:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.5:r2.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.4:r2.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.3:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.4:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.1:r6:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.6:-:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r13.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r8.2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r8.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r4.2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r4.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r3.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r3:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r4:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r5:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r6:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r7:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r8:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r9:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r10:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r11:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r12:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r13:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r14:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r17:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.3:r3:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.6:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.5:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.4:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.3:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.1:r18:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.1:r6:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.2:r3:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.4:r2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.4:r2.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:22.5:r2.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r12.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r13.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r17.1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.6:r2:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:22.6:r1:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
cpecpe:2.3:a:ivanti:policy_secure:9.0:*:*:*:*:*:*:*

Weakness

ValueDescriptionCopy
weaknessCWE-22
weaknessCWE-15
weaknessCWE-22
weaknessCWE-23
weaknessCWE-264
weaknessCWE-272
weaknessCWE-285
weaknessCWE-346
weaknessCWE-348
weaknessCWE-59
weaknessCWE-715
weaknessCWE-73
weaknessCWE-74
weaknessCWE-77
weaknessCWE-171
weaknessCWE-172
weaknessCWE-173
weaknessCWE-180
weaknessCWE-181
weaknessCWE-20
weaknessCWE-21
weaknessCWE-22
weaknessCWE-697
weaknessCWE-707
weaknessCWE-73
weaknessCWE-74
weaknessCWE-22
weaknessCWE-171
weaknessCWE-172
weaknessCWE-173
weaknessCWE-177
weaknessCWE-20
weaknessCWE-21
weaknessCWE-22
weaknessCWE-697
weaknessCWE-707
weaknessCWE-73
weaknessCWE-74
weaknessCWE-171
weaknessCWE-173
weaknessCWE-180
weaknessCWE-181
weaknessCWE-185
weaknessCWE-20
weaknessCWE-200
weaknessCWE-21
weaknessCWE-22
weaknessCWE-697
weaknessCWE-707
weaknessCWE-73
weaknessCWE-74
weaknessCWE-502
weaknessCWE-502
weaknessCWE-918
weaknessCWE-77
weaknessCWE-77
weaknessCWE-77
weaknessCWE-171
weaknessCWE-179
weaknessCWE-181
weaknessCWE-183
weaknessCWE-184
weaknessCWE-20
weaknessCWE-697
weaknessCWE-707
weaknessCWE-74
weaknessCWE-77
weaknessCWE-78
weaknessCWE-20
weaknessCWE-77
weaknessCWE-90
weaknessCWE-138
weaknessCWE-140
weaknessCWE-146
weaknessCWE-154
weaknessCWE-157
weaknessCWE-184
weaknessCWE-185
weaknessCWE-697
weaknessCWE-713
weaknessCWE-77
weaknessCWE-78
weaknessCWE-93
weaknessCWE-77
weaknessCWE-346
weaknessCWE-349
weaknessCWE-353
weaknessCWE-354
weaknessCWE-713
weaknessCWE-77
weaknessCWE-99

Yara

ValueDescriptionCopy
yararule Backdoor_GHOSTSPIDER_beacon_loader { meta: author = "Trend Micro Research" strings: $clr = { C7 45 ?? 43 4C 52 43 C7 45 ?? 72 65 61 74 C7 45 ?? 65 49 6E 73 C7 45 ?? 74 61 6E 63 } $chunk1 = { C1 EA ?? 0F B6 D2 8B 34 95 ?? ?? ?? ?? 8B 55 ?? C1 EA ?? 8B 14 95 ?? ?? ?? ?? C1 E9 ?? 0F B6 F9 33 34 BD ?? ?? ?? ?? 8B 7D ?? 89 75 ?? 31 55 ?? 0F B6 55 ?? 8B 75 ?? 33 34 95 ?? ?? ?? ?? 8B D3 33 B0 ?? ?? ?? ?? } $chunk2 = { 41 0F B6 1B 41 8B C2 99 41 F7 F9 48 63 C2 0F B6 4C 05 ?? 44 03 C1 44 03 C3 } condition: uint16(0) == 0x5a4d and filesize < 300KB and ( $clr and any of ($chunk*) ) }
yararule Backdoor_GHOSTSPIDER_stager { meta: author = "Trend Micro Research" strings: $s1 = "new_comp" ascii wide $s2 = "del_comp" ascii wide $s3 = "new_client" ascii wide $s4 = "del_client" ascii wide $s5 = "new_base" ascii wide $s6 = "del_base" ascii wide $cookie = "phpsessid=%s; b=%d; path=/; expires=%s" ascii wide condition: uint16(0) == 0x5a4d and filesize < 300KB and ( $cookie and 2 of ($s*) ) }

Hash

ValueDescriptionCopy
hash1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296
hash05840de7fa648c41c60844c4e5d53dbb3bc2a5250dcb158a95b77bc0f68fa870
hashb2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac
hash6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc
hash25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b
hash9ba31dc1e701ce8039a9a272ef3d55aa6df66984a322e0d309614a5655e7a85c
hash16c8afd3b35c76a476851f4994be180f0cd72c7b250e493d3eb8c58619587266
hash2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec
DEMODEX PowerShell dropper
hashfba149eb5ef063bc6a2b15bd67132ea798919ed36c5acda46ee9b1118b823098
SNAPPYBEE payload
hashfc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5
SNAPPYBEE loader

File

ValueDescriptionCopy
filedbindex.dat
fileimfsbDLL.dll
fileDgApi.dll
fileimfsbDLL.dll
fileDgApi.dll
file%WINDIR%\System32\SstpCfs.dll
file%WINDIR%\System32\drivers\dumpfiskfss.sys
fileonedrived.ps1
DEMODEX PowerShell dropper
fileNortonLog.txt
SNAPPYBEE payload
fileWINMM.dll
SNAPPYBEE loader

X509 fingerprint-sha256

ValueDescriptionCopy
x509-fingerprint-sha2562b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31

Threat ID: 6842e9ce71f4d251b5c75966

Added to database: 6/6/2025, 1:14:54 PM

Last enriched: 7/7/2025, 7:40:00 PM

Last updated: 8/11/2025, 12:36:43 PM

Views: 13

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats