basicsecurity.net
Proof, not just disclosure.
Threats / Outcomes / Keys to the kingdom
2 Outcome 2 of 5 · privilege & identity takeover

Keys to the kingdom

One foothold becomes domain, cloud-tenant, or administrative control. The blast radius is everything you own. These are the known-exploited flaws that an attacker turns from a single compromised asset into the whole environment — and the named crews that do it.

1,609records reach this outcomenarrative_reach · KEV corpus
14carry a named actornarrative_coverage (confirmed)
326ransomware-associatedCISA KEV flag
Application / othermost common surfaceoutcome_surface
1 Front door2 Keys to the kingdom3 Lateral reach4 Data at risk5 Lights out
14
of 1,609 records here carry advisory-named attribution
When this outcome is tied to a named crew already using it against peer organizations, the business story stops being hypothetical and becomes a forecast.
Basis · narrative_coverage (confirmed actor)
326
are flagged for ransomware use
CISA’s known-ransomware-campaign flag, on the records that reach identity takeover — the pivot ransomware crews need on their way to the payload.
Basis · CISA KEV ransomware flag
13%
reach data-at-risk or lights-out from here
The share of records that achieve this outcome and carry an attacker on to exfiltration or disruption — the fund-this tail, where “patch this” becomes “fund this.”
Basis · narrative_furthest (stages 4+5)
Story of the weekA leak in the front door: how Citrix Bleed became a ransomware crew’s favorite way inAn unauthenticated attacker reads valid session tokens straight out of a NetScaler appliance’s memory — then logs in as your users, MFA and all. A named ransomware group industrialized it. Here is the whole path, with a source for every claim.Read the cited story → Human-authored · cited
01

Headline story

— the highest-newsworthiness path reaching this outcome
Headline story · newsworthiness 12.0 · Edge / remote-access infra
Citrix NetScaler session-token disclosure CVE-2023-4966
An unauthenticated attacker reads valid session tokens straight out of NetScaler ADC/Gateway memory — then logs in as your users, MFA and all.
CISA KEVRansomware-confirmedLockBit 3.0 affiliatesPath 1 → 2 → 4 → 5
02

More records reaching keys to the kingdom

— ranked by newsworthiness, click through to the full record
CVE-2021-34473 · Microsoft · Server / web platform
Microsoft Exchange Server vulnerability
Microsoft Exchange Server remote code execution vulnerability exploited in ransomware campaigns. SSRF vector enables unauthenticated attackers to execute arbitrary code with system privileges.
CISA KEVRansomwareAPT40Reaches stage 4
CVE-2026-41940 · WebPros · Server / web platform
WebPros cPanel & WHM and WP2 (WordPress Squared) vulnerability
WebPros cPanel & WHM and WP2 contain an authentication bypass vulnerability allowing unauthenticated remote attackers to gain unauthorized access to hosting control panels.
CISA KEVRansomwareReaches stage 3
CVE-2024-27199 · JetBrains · Application / other
JetBrains TeamCity vulnerability
JetBrains TeamCity contains a relative path traversal vulnerability enabling limited admin actions. Actively exploited in ransomware campaigns.
CISA KEVRansomwareReaches stage 3
CVE-2024-1708 · ConnectWise · Application / other
ConnectWise ScreenConnect vulnerability
ConnectWise ScreenConnect contains a path traversal vulnerability (CWE-22) enabling remote code execution and unauthorized access to sensitive data. Active exploitation and ransomware campaigns documented.
CISA KEVRansomwareReaches stage 3
CVE-2026-1731 · BeyondTrust · Application / other
BeyondTrust Remote Support (RS) and Privileged Access (PRA) vulnerability
BeyondTrust Remote Support and Privileged Remote Access contain an unauthenticated OS command injection vulnerability allowing remote attackers to execute arbitrary system commands and compromise affected systems.
CISA KEVRansomwareReaches stage 4
CVE-2021-26084 · Atlassian · Server / web platform
Atlassian Confluence Server and Data Center vulnerability
Atlassian Confluence Server and Data Center are vulnerable to unauthenticated OGNL injection, allowing remote code execution. This vulnerability has been actively exploited in ransomware campaigns.
CISA KEVRansomwareAPT40Reaches stage 3

Records where 2 ∈ _narr_stages(r), ordered by _heat(r); the lead is shown above. Counts recomputed deterministically per build.

03

What this outcome targets

— records reaching keys to the kingdom, by attack surface
Application / other
768
Operating system / kernel
330
Edge / remote-access infra
233
Browser
123
Server / web platform
122
Hypervisor / virtualization
33

From build_insights().outcome_surface — the surface×outcome heat-grid, sliced to outcome 2 (reach-to-2). Counts recomputed deterministically per build; basis labeled per the corpus, never per edge.

04

Who drives this outcome

— named, advisory-backed actors reaching keys to the kingdom
APT40 State-sponsored (PRC)

The CISA-led joint advisory AA24-190A names APT40 (tracked in ATT&CK as Leviathan) as a PRC Ministry of State Security group that rapidly weaponizes newly public vulnerabilities, naming the ProxyShell Exchange chain, Log4Shell, and Atlassian Confluence CVEs alongside the group.

Reaches this outcome on 5 records · full dossier →

HAFNIUM State-sponsored (PRC)

CISA's AA21-062A and the Microsoft Threat Intelligence Center attribute the ProxyLogon Exchange exploitation chain to HAFNIUM (now tracked as Silk Typhoon), a state-sponsored group assessed to operate out of the PRC, naming both the group and the Exchange CVEs.

Reaches this outcome on 4 records · full dossier →

Akira Ransomware

The #StopRansomware joint advisory AA24-109A reports that Akira ransomware affiliates gain initial access through Cisco VPN appliances lacking MFA, naming the group and the Cisco ASA/FTD CVEs they exploit to do so.

Reaches this outcome on 2 records · full dossier →

Volt Typhoon State-sponsored (PRC)

CISA, NSA and FBI's AA24-038A attributes pre-positioning on US critical-infrastructure IT networks to Volt Typhoon, naming the group's exploitation of public-facing appliance vulnerabilities including the Ivanti Connect Secure (CVE-2024-21887) and Fortinet FortiOS (CVE-2022-42475) CVEs.

Reaches this outcome on 2 records · full dossier →

LockBit 3.0 affiliates Ransomware

CISA, FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware — naming it in a dedicated #StopRansomware advisory.4

Reaches this outcome on 1 record

Coverage finding  Named-actor attribution is established for 14 of 1,609 records reaching this outcome. The other 1,595 are facts-only (KEV / EPSS / ransomware cited) with attribution pending triage — absence of a named crew is not absence of risk, only absence of attribution. Only tier == "confirmed" (advisory-backed) actors appear above; reported/inferred links never headline an outcome.
05

When this outcome got exploited

— KEV additions per year that reach keys to the kingdom
2021
311 · 41 deep
2022
552 · 63 deep
2023
187 · 20 deep
2024
186 · 31 deep
2025
245 · 33 deep
2026
128 · 20 deep

Violet = records added to CISA KEV that year reaching outcome 2; red overlay = the share that carried on to data-at-risk or lights-out. From build_insights().outcome_timeline, sliced to this outcome.