May 19, 2022 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • 7 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2021-34111 Thecus N4800eco Firmware Command Injection

  • CVSS 9.8

New critical Thecus N4800eco Firmware Command Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2021-37413 GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface.

  • CVSS 9.8

New critical Grandcom Dynweb SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2022-22978 Netapp Active Iq Unified Manager privilege escalation

  • CVSS 9.8
  • Potential privilege escalation to admin/root

New critical Netapp Active Iq Unified Manager privilege escalation (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.


Exploit & PoC activity

Nothing flagged in this category for this digest.


Exploitation dynamics

Nothing flagged in this category for this digest.


New critical disclosures

CVE-2020-16209 CVSS 9.8

A malicious attacker could exploit the interface of the Fieldcomm Group HART-IP (release 1.0.0.0) by constructing messages with sufficien...

CVE-2021-32934 CVSS 9.1

The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey fo...

CVE-2021-34111 CVSS 9.8

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

CVE-2021-37413 CVSS 9.8

GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface.

CVE-2022-22978 CVSS 9.8

In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfig...

CVE-2022-28927 CVSS 9.8

A remote code execution (RCE) vulnerability in Subconverter v0.7.2 allows attackers to execute arbitrary code via crafted config and url...

CVE-2022-28962 CVSS 9.8

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.


cvelogic Threat Intelligence