T1595.002: T1595.002

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 21/05/2026 02:35

Essential information

MITRE technique ID: T1595.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 21/05/2026 02:35
Author / Source: The MITRE Corporation

Aliases

Vulnerability Scanning

Platforms

PRE

Description

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

Kill chain phases

Kill chain	Phase
mitre-attack	reconnaissance

Marking (TLP)

External references

OWASP Vuln Scanning
mitre-attack (T1595.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (26)

TeamTNT uses

The MITRE Corporation Confidence 100

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dragonfly uses TEMP.IsotopeDYMALLOY

The MITRE Corporation Confidence 100

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ResumeLooters uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear uses UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5174 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volatile Cedar uses Lebanese Cedar

The MITRE Corporation Confidence 100

[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 26

Slippery Snakelet uses

Family
ShellBot uses

Family
Kinsing - S0599 uses

Family
Tsunami uses

Family
VELETRIX uses

Family
Flog uses

Family
RondoDox uses

Family
Fodcha uses
Laret uses

Family
FeedLoad uses
RDAT - S0495 uses

Family
ForestTiger uses

← Previous

Page / 3

1–12 of 33

Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Invisible Sting: Over 4000 Outdated Routers Compromised by … related

AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 related

AlienVault Confidence 100 1 CVE 10 MITREs 9 IOCs 9 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
9 Year-Old PHP Vulnerability Keeps Swinging As One … related

AlienVault Confidence 100 4 CVEs 19 MITREs 5 Malwares 5 IOCs 5 Observables
Suspected Cyber Espionage Campaign Targeting Global Organizations related

1 CVE 6 MITREs 2 Malwares 25 Observables 1 APT
Discovers Multiyear Sophisticated Chinese DNS Operation related

14 MITREs 10 Observables 1 APT

Vulnerabilities (CVE) (32)

CVE-2021-22986 KEV targets

F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-56145 KEV targets

9.8 Critical

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected …

Attack vector: Network
Published: 02/06/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-27199 KEV targets

7.3 High

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Attack vector: NETWORK
Complexity: LOW
Published: 04/03/2024
Modified: 22/04/2026

CWE-23 CWE-22

CVE-2024-51567 KEV targets

10.0 Critical

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus …

Attack vector: Network
Published: 07/11/2024
Modified: 21/12/2025

Analyzed

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2018-6530

targets

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-22205 KEV targets

GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2017-11317

targets

CVE-2021-41773 KEV targets

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

← Previous

Page / 3

1–12 of 32

T1595 subtechnique-of

Active Scanning MITRE

Course Of Action (1)

Pre-compromise mitigates

Campaign (3)

SharePoint ToolShell Exploitation uses
Anthropic AI-orchestrated Campaign uses
Cutting Edge uses

Contact About Legal notice Privacy policy Terms of use