T1190: Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
postfix: PT-CR-2715: Postfix_Shellshock_On_Patched_Version: Possible exploitation of the CVE-2014-6271 (Shellshock) vulnerability in Postfix versions where this vulnerability is fixed
pt_nad: PT-CR-730: NAD_CVE_On_Vulnerable_Host: PT NAD detected an attempt to exploit a vulnerability
network_devices_abnormal_activity: PT-CR-475: Smart_Install_Usage: Possible vulnerability exploitation in Cisco Smart Install
process_chains_and_logons: PT-CR-953: Suspicious_Webserver_Process_Chain: Suspicious process start chain for web server utilities
unix_mitre_attck_initial_access: PT-CR-288: Unix_Suspicious_Activity_By_Web_User: Suspicious commands were executed on behalf of a web service: commands for local reconnaissance, commands related to security analysis tools, or other commands with the current working directory matching the web server directory
vulnerabilities: PT-CR-2065: CVE_2023_46604_ActiveMQ_RCE: Possible exploitation of vulnerability CVE-2023-46604 in Apache ActiveMQ for remote code execution
vulnerabilities: PT-CR-2486: Sharepoint_Remote_Code_Execution: Exploitation of vulnerability CVE-2024-38023, CVE-2024-38024, or CVE-2024-38094 in Microsoft SharePoint Server. These vulnerabilities allow an authenticated user with site owner permissions to upload a malicious file to a target SharePoint server and execute API requests that trigger deserialization of the file parameters. By doing so, an attacker can remotely execute arbitrary code.
vulnerabilities: PT-CR-2836: CVE_2024_9474_PaloAlto_Command_Injection: Exploitation of vulnerability CVE-2024-9474 that allows users authenticated in Palo Alto Networks PAN-OS to execute commands as root. The vulnerability is often exploited in conjunction with CVE-2024-0012 that allows bypassing Palo Alto Networks authentication.
vulnerabilities: PT-CR-2776: CVE_2024_49040_Exchange_Sender_Address_Spoffing: Mismatch of SMTP headers "From" and "Return-Path" in MS Exchange Server transport system events. This may indicate the exploitation of vulnerability CVE-2024-49040 (increasing user trust in a phishing message by replacing the displayed sender address with a legitimate one).
vulnerabilities: PT-CR-1994: CVE_2023_22515_Confluence: Exploitation of vulnerability CVE-2023-22515 in Confluence that allows creating administrator accounts without authentication on the server
vulnerabilities: PT-CR-2433: CVE_2024_21683_Confluence_RCE: Exploitation of vulnerability CVE-2024-21683 in Confluence. The vulnerability allows an authenticated user to download and execute arbitrary malicious code through the "Add a new language" function in the "Code" macro settings section.
vulnerabilities: PT-CR-2281: CVE_2024_23897_Jenkins_Arbitrary_File_Read: Exploitation of the CVE-2024-23897 vulnerability in Jenkins. An attacker can read an arbitrary file via the Jenkins command-line interface by adding the "@" character to the file path.
vulnerabilities: PT-CR-2064: Subrule_ActiveMQ_Connect: Connection to the Apache ActiveMQ service
vulnerabilities: PT-CR-2943: CVE_2025_24813_Tomcat_RCE: Attempt to exploit the CVE-2025-24813 vulnerability in Apache Tomcat that allows remote arbitrary code execution. Using HTTP PUT, attackers upload a serialized session file to the server and, using a GET request with the name of this file as the value of the JSESSIONID parameter, start the process of deserialization and payload execution.
vulnerabilities: PT-CR-2405: CVE_2024_24919_CheckPoint_Information_Disclosure: Exploitation of the CVE-2024-24919 vulnerability that allows attackers to read any files on Check Point firewall devices without authorization. The vulnerability is in Check Point software with the IPSec VPN, Remote Access VPN, and Mobile Access blades enabled.
vulnerabilities: PT-CR-2091: CVE_2022_26134_Confluence_RCE: Exploitation of the CVE-2022-26134 vulnerability in Confluence. This allows attackers to inject OGNL code and then remotely execute arbitrary code without authenticating to the server.
vulnerabilities: PT-CR-1983: Possible_CVE_2023_20198_Cisco_IOS_XE: Possible exploitation of vulnerability CVE-2023-20198 in Cisco IOS XE associated with privilege escalation by creating a new administrator account
vulnerabilities: PT-CR-2942: Subrule_CVE_2025_24813_Tomcat_RCE: Exploitation of the CVE-2025-24813 vulnerability in Apache Tomcat that allows remote arbitrary code execution. Using HTTP PUT, attackers upload a serialized session file to the server and, using a GET request with the name of this file as the value of the JSESSIONID parameter, start the process of deserialization and payload execution.
vulnerabilities: PT-CR-2431: Subrule_CVE_2024_21683_Confluence_RCE: Successful POST request to the Confluence function "Add a new language" in the "Code" macro settings section from an authenticated user. This may indicate the exploitation of vulnerability CVE-2024-21683, which allows arbitrary code to be executed on the Confluence server host.
vulnerabilities: PT-CR-2455: CVE_2024_4577_PHP_CGI_RCE: Exploitation of vulnerability CVE-2024-4577 in PHP for Windows where PHP is used in CGI mode. The vulnerability allows an unauthorized attacker to remotely execute arbitrary code on a web server. At the time of developing this rule, the attack can be reproduced only in Windows operating systems with Chinese (both simplified and traditional) or Japanese languages installed. The vulnerability is due to incorrect handling of Unicode character 0xAD (soft hyphen) that is interpreted as a regular hyphen by the CGI engine. This allows attackers to specify additional command line arguments starting with a hyphen for PHP.
vulnerabilities: PT-CR-1917: CMS_1C_Bitrix_Race_Landing_Exploit: Possible exploitation of a vulnerability in the landing module of the site content management system (CMS) 1C-Bitrix: Site Management
vulnerabilities: PT-CR-2873: CVE_2024_47575_FortiJump_FortiManager_RCE: An unregistered device was added to the FortiManager centralized management system. This may indicate the exploitation of the CVE-2024-47575 vulnerability, which allows remote code execution on the FortiManager server. An attacker can use crafted requests to execute unauthorized code via FGFM with system privileges.
vulnerabilities: PT-CR-2293: CVE_2024_27198_TeamCity_Authentication_Bypass: Exploitation of vulnerability CVE-2024-27198 in TeamCity. The vulnerability allows an attacker to bypass authentication to create a new TeamCity user with administrator permissions or an access token for a user. This can be used to remotely execute commands.
vulnerabilities: PT-CR-2247: CVE_2023_27350_PaperCut_Authentication_Bypass: Suspicious process start chain for the PaperCut NG/MF application. This may indicate exploitation of the CVE-2023-27350 vulnerability and malicious code execution using the built-in PaperCut NG/MF functionality: printing scripts and integration with third-party tools for authorization
network_devices_compromise: PT-CR-575: Smart_Install_Exploitation_Tool_Usage: Use of Smart Install Exploitation Tool is detected
network_devices_compromise: PT-CR-571: Cisco_IOS_Change_Config_By_SNMP: A configuration file was modified from an untrusted host on a device
network_devices_compromise: PT-CR-576: CheckPoint_SmartConsole_Connection: A connection with the CheckPoint SmartConsole utility from an untrusted host is detected
mitre_attck_execution: PT-CR-649: Suspicious_Child_From_Webserver_Process: A user started a process from a parent web server process
mitre_attck_execution: PT-CR-645: Recon_Via_Webserver_Process: A user started a process from a parent process
microsoft_exchange: PT-CR-1476: Exchange_ProxyNotShell: The ProxyNotShell vulnerability from the Metasploit package was exploited
pt_application_firewall: PT-CR-1896: PTAF_Path_Traversal_Detected: PT AF detected an attempted Path Traversal attack
pt_application_firewall: PT-CR-1882: PTAF_XSS_Attack_Detected: PT AF detected an attempted cross-site scripting (XSS) attack
pt_application_firewall: PT-CR-639: PTAF_Alert_Detected: A PT AF rule was triggered
pt_application_firewall: PT-CR-1897: PTAF_LFI_Detected: PT AF detected an attempted exploitation of the LFI vulnerability (Local File Inclusion)
pt_application_firewall: PT-CR-637: PTAF_Reflected_File_Download_Detected: PT AF detected a reflected file download (RFD) attack
pt_application_firewall: PT-CR-1907: PTAF_CVE_Detected: PT AF detected a vulnerability exploitation attempt
pt_application_firewall: PT-CR-1884: PTAF_SQL_Injection_Detected: PT AF detected an attempted SQL injection attack
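The web-server process-chain rules listed above (PT-CR-953, PT-CR-649, PT-CR-645, PT-CR-288) state what they look for but not how the match is made. The following is an added example and not Positive Technologies' rule code or a MaxPatrol SIEM rule: a small Python classifier that applies the same kind of heuristics (shell or reconnaissance binary started by a web server process, or run by the web service account from the web root) to constructed process-creation events. The image names, service-account names and web-root paths are assumed defaults chosen for illustration.

```python
import re
from dataclasses import dataclass

# Heuristic name lists. These are assumed defaults for illustration; tune
# them to the web stack and service accounts actually deployed.
WEB_SERVER_IMAGES = {"nginx", "httpd", "apache2", "w3wp.exe", "php-fpm"}
SHELL_IMAGES = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh"}
RECON_IMAGES = {"whoami", "whoami.exe", "id", "uname", "hostname",
                "ifconfig", "ipconfig.exe", "netstat", "net.exe"}
WEB_SERVICE_USERS = {"www-data", "apache", "nginx", "IIS APPPOOL\\DefaultAppPool"}
WEB_ROOTS = ("/var/www", "/usr/share/nginx", "C:\\inetpub")
# Children a web server legitimately spawns; suppressed to keep noise down.
ALLOWED_CHILDREN = {"php-fpm", "php-cgi", "php"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields an EDR/Sysmon-style event carries)."""
    parent_image: str
    image: str
    command_line: str
    user: str
    cwd: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev: ProcessEvent) -> list:
    """Return the names of the heuristics the event triggers (empty if none)."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if child in ALLOWED_CHILDREN:
        return []
    hits = []
    parent_is_web = parent in WEB_SERVER_IMAGES
    web_user = ev.user in WEB_SERVICE_USERS
    in_web_root = ev.cwd.startswith(WEB_ROOTS)
    if parent_is_web and child in SHELL_IMAGES:
        hits.append("shell_spawned_by_webserver")      # cf. PT-CR-649 / PT-CR-953
    if parent_is_web and child in RECON_IMAGES:
        hits.append("recon_spawned_by_webserver")      # cf. PT-CR-645
    if web_user and child in RECON_IMAGES:
        hits.append("recon_by_web_service_account")    # cf. PT-CR-288
    if web_user and child in SHELL_IMAGES and in_web_root:
        hits.append("shell_by_web_user_in_webroot")    # cf. PT-CR-288
    return hits


def detect(events):
    """Return (index, hits) for every event that triggers at least one heuristic."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/nginx", "/usr/sbin/php-fpm", "php-fpm: pool www", "www-data", "/"),
    ProcessEvent("/usr/sbin/apache2", "/bin/sh", "sh -c id", "www-data", "/var/www/html"),
    ProcessEvent("/bin/sh", "/usr/bin/id", "id", "www-data", "/var/www/html"),
    ProcessEvent("C:\\Windows\\System32\\inetsrv\\w3wp.exe", "C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe /c whoami", "IIS APPPOOL\\DefaultAppPool", "C:\\inetpub\\wwwroot"),
    ProcessEvent("/bin/bash", "/usr/bin/whoami", "whoami", "alice", "/home/alice"),
]

if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {basename(ev.parent_image)} -> {basename(ev.image)} "
              f"as {ev.user}: {', '.join(hits)}")
```

Run as-is it flags events 1, 2 and 3 and leaves the benign php-fpm worker and the interactive user's shell alone. The allow-list of expected children is the part that needs the most care in production: a web stack that legitimately shells out (image conversion, mail delivery) will need its own entries, and the web-root and service-account lists must mirror the real deployment or the PT-CR-288-style checks never fire.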
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Traffic Content | Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access.
DS0015 | Application Log: Application Log Content | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.
Mitigation
ID | Name | Description
---|---|---
M1016 | Vulnerability Scanning | Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.
M1026 | Privileged Account Management | Using least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.
M1030 | Network Segmentation | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.
M1048 | Application Isolation and Sandboxing | Application isolation will limit what other processes and system features the exploited target can access.
M1050 | Exploit Protection | Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.
M1051 | Update Software | Update software regularly by employing patch management for externally exposed applications.