216.73.217.22

T1495: T1495

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 04/05/2026 16:30

Essential information

MITRE technique ID
T1495
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
04/05/2026 16:30
Author / Source
The MITRE Corporation

Aliases

Firmware Corruption

Platforms

windows macos linux Network Devices

Description

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485).

Kill chain phases

Kill chainPhase
mitre-attack impact

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (7)

  • Ke3chang uses APT15Mirage
    The MITRE Corporation Confidence 100

    [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • IRGC uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 22:06 · Modified 20/12/2025 22:06
  • Salt Typhoon uses
    The MITRE Corporation Confidence 100

    [Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS
    The MITRE Corporation Confidence 100

    [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 22/05/2026 04:12
  • Lazarus uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 21:17 · Modified 29/05/2026 12:20
  • Vect uses
    Ransomware.Live Confidence 100

    No description available

    First seen 01/01/1970 · Last seen 16/11/5138 Published 06/01/2026 21:23 · Modified 04/05/2026 16:30
  • Bigpanzi uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 02:47 · Modified 21/12/2025 02:47

Malware (29)

  • Cobalt Strike uses
    Family
    Published 16/12/2024 14:25 · Modified 16/12/2024 14:25
  • Vect uses
    Family
    Published 30/04/2026 23:40 · Modified 30/04/2026 23:40
  • Bad Rabbit
  • GREF
  • HorseShell
  • Uyghur Telegram uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:20 · Modified 21/12/2025 01:20
  • MyKings uses
    Family
    Published 14/04/2026 08:54 · Modified 14/04/2026 08:54
  • Ninja
  • Mirai uses
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • BotenaGo
  • Maui
  • OS X
  • FlyGram
  • MIPS32 MSB
  • CosmicStrand
  • Chalubo uses
    Family
    Published 04/06/2024 15:58 · Modified 04/06/2024 15:58
  • BigPanzi uses
    Family
    Published 28/02/2025 10:35 · Modified 28/02/2025 10:35
  • BadBazaar uses
    Family
    Published 28/01/2026 18:26 · Modified 28/01/2026 18:26
  • Devman uses
    Family
    Published 30/04/2026 23:40 · Modified 30/04/2026 23:40
  • Beastmode
  • Totbrick uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • V3G4
  • Gopuram
  • Samurai
  • Android
  • HiddenAds
  • TINYSHELL uses
    Family
    Published 17/04/2026 18:32 · Modified 17/04/2026 18:32
  • Moobot
  • Geacon

Reports (2)

Vulnerabilities (CVE) (41)

CVE-2019-5591 KEV

Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by …

Published
03/11/2021
Modified
20/12/2025
CVE-2021-44228 KEV
10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector
Network
Published
10/12/2021
Modified
27/05/2026
CVE-2023-46805 KEV
8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector
Network
Published
10/01/2024
Modified
27/05/2026
CVE-2021-34473 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published
03/11/2021
Modified
29/05/2026
CVE-2022-26134 KEV

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …

Published
02/06/2022
Modified
27/05/2026
CVE-2024-21887 KEV
9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector
Network
Published
10/01/2024
Modified
27/05/2026
CVE-2023-20198 KEV
10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector
Network
Published
16/10/2023
Modified
21/12/2025
CVE-2021-33766 KEV

Microsoft Exchange Server contains an information disclosure vulnerability which can allow an unauthenticated attacker to steal email traffic from target.

Published
18/01/2022
Modified
20/12/2025
CVE-2020-8515 KEV

DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution.

Published
03/11/2021
Modified
20/12/2025
CVE-2023-20273 KEV
7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector
Network
Published
23/10/2023
Modified
21/12/2025
CVE-2021-45105
5.9 Medium

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an …

Attack vector
Network
Complexity
High
Published
18/12/2021
Modified
29/05/2026
CVE-2021-31207 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published
03/11/2021
Modified
20/12/2025
CVE-2021-45046 KEV

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern …

Published
01/05/2023
Modified
20/12/2025
CVE-2018-13379 KEV

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …

Published
03/11/2021
Modified
20/12/2025
CVE-2019-0708 KEV

Microsoft Remote Desktop Services, formerly known as Terminal Service, contains an unspecified vulnerability that allows an unauthenticated attacker to connect to the …

Published
03/11/2021
Modified
29/05/2026
CVE-2021-34523 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published
03/11/2021
Modified
20/12/2025
CVE-2020-12812 KEV

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …

Published
03/11/2021
Modified
20/12/2025
CVE-2024-3400 KEV
10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector
Network
Published
12/04/2024
Modified
21/12/2025
CVE-2021-34470
8.0 High

Microsoft Exchange Server Elevation of Privilege Vulnerability

Attack vector
ADJACENT_NETWORK
Published
14/07/2021
Modified
20/12/2025
CVE-2021-31196 KEV

Microsoft Exchange Server contains an information disclosure vulnerability that allows for remote code execution.

Published
21/08/2024
Modified
20/12/2025
CVE-2015-2051 KEV
8.8 High

D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Attack vector
Adjacent
Complexity
LOW
Published
23/02/2015
Modified
22/04/2026
CVE-2021-33768
8.0 High

Microsoft Exchange Server Elevation of Privilege Vulnerability

Attack vector
ADJACENT_NETWORK
Published
14/07/2021
Modified
20/12/2025
CVE-2018-0171 KEV
9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector
NETWORK
Published
03/11/2021
Modified
14/01/2026
CVE-2021-31206
7.6 High

Microsoft Exchange Server Remote Code Execution Vulnerability

Attack vector
NETWORK
Published
14/07/2021
Modified
20/12/2025
CVE-2020-15415 KEV

DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell …

Published
30/09/2024
Modified
20/12/2025

Campaign (1)

  • 2025 Poland Wiper Attacks uses

Course Of Action (3)

  • Boot Integrity mitigates
  • Update Software mitigates
  • Privileged Account Management mitigates