Keys to the kingdom
One foothold becomes domain, cloud-tenant, or administrative control. The blast radius is everything you own. These are the known-exploited flaws that an attacker turns from a single compromised asset into the whole environment — and the named crews that do it.
Headline story
— the highest-newsworthiness path reaching this outcomeMore records reaching keys to the kingdom
— ranked by newsworthiness, click through to the full recordRecords where 2 ∈ _narr_stages(r), ordered by _heat(r); the lead is shown above. Counts recomputed deterministically per build.
What this outcome targets
— records reaching keys to the kingdom, by attack surfaceFrom build_insights().outcome_surface — the surface×outcome heat-grid, sliced to outcome 2 (reach-to-2). Counts recomputed deterministically per build; basis labeled per the corpus, never per edge.
Who drives this outcome
— named, advisory-backed actors reaching keys to the kingdomThe CISA-led joint advisory AA24-190A names APT40 (tracked in ATT&CK as Leviathan) as a PRC Ministry of State Security group that rapidly weaponizes newly public vulnerabilities, naming the ProxyShell Exchange chain, Log4Shell, and Atlassian Confluence CVEs alongside the group.
Reaches this outcome on 5 records · full dossier →
CISA's AA21-062A and the Microsoft Threat Intelligence Center attribute the ProxyLogon Exchange exploitation chain to HAFNIUM (now tracked as Silk Typhoon), a state-sponsored group assessed to operate out of the PRC, naming both the group and the Exchange CVEs.
Reaches this outcome on 4 records · full dossier →
The #StopRansomware joint advisory AA24-109A reports that Akira ransomware affiliates gain initial access through Cisco VPN appliances lacking MFA, naming the group and the Cisco ASA/FTD CVEs they exploit to do so.
Reaches this outcome on 2 records · full dossier →
CISA, NSA and FBI's AA24-038A attributes pre-positioning on US critical-infrastructure IT networks to Volt Typhoon, naming the group's exploitation of public-facing appliance vulnerabilities including the Ivanti Connect Secure (CVE-2024-21887) and Fortinet FortiOS (CVE-2022-42475) CVEs.
Reaches this outcome on 2 records · full dossier →
CISA, FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware — naming it in a dedicated #StopRansomware advisory.4
Reaches this outcome on 1 record
tier == "confirmed" (advisory-backed) actors appear above; reported/inferred links never headline an outcome.When this outcome got exploited
— KEV additions per year that reach keys to the kingdomViolet = records added to CISA KEV that year reaching outcome 2; red overlay = the share that carried on to data-at-risk or lights-out. From build_insights().outcome_timeline, sliced to this outcome.