T1595.002: T1595.002

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 02/10/2020 18:55 · Modified 21/05/2026 02:35

Essential information

MITRE technique ID: T1595.002
Confidence: 100/100
Revoked: No
Published: 02/10/2020 18:55
Modified: 21/05/2026 02:35
Author / Source: The MITRE Corporation

Aliases

Vulnerability Scanning

Platforms

PRE

Description

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

Kill chain phases

Kill chain	Phase
mitre-attack	reconnaissance

Marking (TLP)

External references

OWASP Vuln Scanning
mitre-attack (T1595.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (26)

TeamTNT uses

The MITRE Corporation Confidence 100

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dragonfly uses TEMP.IsotopeDYMALLOY

The MITRE Corporation Confidence 100

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ResumeLooters uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear uses UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5174 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volatile Cedar uses Lebanese Cedar

The MITRE Corporation Confidence 100

[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 26

Slippery Snakelet uses

Family
ShellBot uses

Family
Kinsing - S0599 uses

Family
Tsunami uses

Family
VELETRIX uses

Family
Flog uses

Family
RondoDox uses

Family
Fodcha uses
Laret uses

Family
AryStinger uses

Family
FeedLoad uses
RDAT - S0495 uses

Family

← Previous

Page / 3

1–12 of 34

Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Invisible Sting: Over 4000 Outdated Routers Compromised by … related

AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 related

AlienVault Confidence 100 1 CVE 10 MITREs 9 IOCs 9 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
9 Year-Old PHP Vulnerability Keeps Swinging As One … related

AlienVault Confidence 100 4 CVEs 19 MITREs 5 Malwares 5 IOCs 5 Observables
Suspected Cyber Espionage Campaign Targeting Global Organizations related

1 CVE 6 MITREs 2 Malwares 25 Observables 1 APT
Discovers Multiyear Sophisticated Chinese DNS Operation related

14 MITREs 10 Observables 1 APT

Vulnerabilities (CVE) (35)

CVE-2021-41773 KEV targets

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2025-11837 targets

8.1 High

An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the …

Attack vector: NETWORK
EPSS: 0.0013 (P33.0%)
Published: 02/01/2026
Modified: 17/06/2026

Awaiting Analysis

CVE-2020-14882 KEV targets

Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2026-0257 KEV targets

4.7 Medium

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …

Attack vector: NETWORK
Complexity: LOW
Published: 13/05/2026
Modified: 10/06/2026

CWE-565 Awaiting Analysis

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-9047 targets

9.8 Critical

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. …

Attack vector: NETWORK
Published: 12/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-34362 KEV targets

9.8 Critical

Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. …

Attack vector: Network
Published: 02/06/2023
Modified: 21/12/2025

CVE-2022-47945 targets

9.8 Critical

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated …

Attack vector: NETWORK
Published: 23/12/2022
Modified: 19/01/2026

CVE-2024-27198 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

← Previous

Page / 3

13–24 of 35

T1595 subtechnique-of

Active Scanning MITRE

Course Of Action (1)

Pre-compromise mitigates

Campaign (3)

SharePoint ToolShell Exploitation uses
Anthropic AI-orchestrated Campaign uses
Cutting Edge uses

Contact About Legal notice Privacy policy Terms of use