basicsecurity.net
Proof, not just disclosure.
Threats / Outcomes / Lateral reach
3 Outcome 3 of 5 · past your segmentation

Lateral reach

The trust boundaries and network segmentation you’ve been relying on don’t hold. These are the known-exploited flaws that let an attacker pivot from a forgotten edge device or low-value host into the systems that actually matter — and the named crews that make the jump.

1,455records reach this outcomenarrative_reach · KEV corpus
13carry a named actornarrative_coverage (confirmed)
319ransomware-associatedCISA KEV flag
Application / othermost common surfaceoutcome_surface
1 Front door2 Keys to the kingdom3 Lateral reach4 Data at risk5 Lights out
13
of 1,455 records here carry advisory-named attribution
When this outcome is tied to a named crew already using it against peer organizations, the business story stops being hypothetical and becomes a forecast.
Basis · narrative_coverage (confirmed actor)
319
are flagged for ransomware use
CISA’s known-ransomware-campaign flag, on the records that reach lateral movement — the pivot ransomware crews need on their way to the payload.
Basis · CISA KEV ransomware flag
14%
reach data-at-risk or lights-out from here
The share of records that achieve this outcome and carry an attacker on to exfiltration or disruption — the fund-this tail, where “patch this” becomes “fund this.”
Basis · narrative_furthest (stages 4+5)
01

Headline story

— the highest-newsworthiness path reaching this outcome
Headline story · newsworthiness 9.4 · Server / web platform
Microsoft Exchange Server vulnerability
Microsoft Exchange Server remote code execution vulnerability exploited in ransomware campaigns. SSRF vector enables unauthenticated attackers to execute arbitrary code with system privileges.
CISA KEVRansomware-confirmedAPT40Path 1 → 2 → 3 → 4
02

More records reaching lateral reach

— ranked by newsworthiness, click through to the full record
CVE-2026-41940 · WebPros · Server / web platform
WebPros cPanel & WHM and WP2 (WordPress Squared) vulnerability
WebPros cPanel & WHM and WP2 contain an authentication bypass vulnerability allowing unauthenticated remote attackers to gain unauthorized access to hosting control panels.
CISA KEVRansomwareReaches stage 3
CVE-2024-27199 · JetBrains · Application / other
JetBrains TeamCity vulnerability
JetBrains TeamCity contains a relative path traversal vulnerability enabling limited admin actions. Actively exploited in ransomware campaigns.
CISA KEVRansomwareReaches stage 3
CVE-2024-1708 · ConnectWise · Application / other
ConnectWise ScreenConnect vulnerability
ConnectWise ScreenConnect contains a path traversal vulnerability (CWE-22) enabling remote code execution and unauthorized access to sensitive data. Active exploitation and ransomware campaigns documented.
CISA KEVRansomwareReaches stage 3
CVE-2026-1731 · BeyondTrust · Application / other
BeyondTrust Remote Support (RS) and Privileged Access (PRA) vulnerability
BeyondTrust Remote Support and Privileged Remote Access contain an unauthenticated OS command injection vulnerability allowing remote attackers to execute arbitrary system commands and compromise affected systems.
CISA KEVRansomwareReaches stage 4
CVE-2021-26084 · Atlassian · Server / web platform
Atlassian Confluence Server and Data Center vulnerability
Atlassian Confluence Server and Data Center are vulnerable to unauthenticated OGNL injection, allowing remote code execution. This vulnerability has been actively exploited in ransomware campaigns.
CISA KEVRansomwareAPT40Reaches stage 3
CVE-2021-26855 · Microsoft · Server / web platform
Microsoft Exchange Server vulnerability
Microsoft Exchange Server remote code execution vulnerability enabling unauthenticated attackers to execute arbitrary code through the ProxyLogon exploit chain.
CISA KEVRansomwareHAFNIUMReaches stage 3

Records where 3 ∈ _narr_stages(r), ordered by _heat(r); the lead is shown above. Counts recomputed deterministically per build.

03

What this outcome targets

— records reaching lateral reach, by attack surface
Application / other
705
Operating system / kernel
270
Edge / remote-access infra
221
Server / web platform
117
Browser
109
Hypervisor / virtualization
33

From build_insights().outcome_surface — the surface×outcome heat-grid, sliced to outcome 3 (reach-to-3). Counts recomputed deterministically per build; basis labeled per the corpus, never per edge.

04

Who drives this outcome

— named, advisory-backed actors reaching lateral reach
APT40 State-sponsored (PRC)

The CISA-led joint advisory AA24-190A names APT40 (tracked in ATT&CK as Leviathan) as a PRC Ministry of State Security group that rapidly weaponizes newly public vulnerabilities, naming the ProxyShell Exchange chain, Log4Shell, and Atlassian Confluence CVEs alongside the group.

Reaches this outcome on 5 records · full dossier →

HAFNIUM State-sponsored (PRC)

CISA's AA21-062A and the Microsoft Threat Intelligence Center attribute the ProxyLogon Exchange exploitation chain to HAFNIUM (now tracked as Silk Typhoon), a state-sponsored group assessed to operate out of the PRC, naming both the group and the Exchange CVEs.

Reaches this outcome on 4 records · full dossier →

Akira Ransomware

The #StopRansomware joint advisory AA24-109A reports that Akira ransomware affiliates gain initial access through Cisco VPN appliances lacking MFA, naming the group and the Cisco ASA/FTD CVEs they exploit to do so.

Reaches this outcome on 2 records · full dossier →

Volt Typhoon State-sponsored (PRC)

CISA, NSA and FBI's AA24-038A attributes pre-positioning on US critical-infrastructure IT networks to Volt Typhoon, naming the group's exploitation of public-facing appliance vulnerabilities including the Ivanti Connect Secure (CVE-2024-21887) and Fortinet FortiOS (CVE-2022-42475) CVEs.

Reaches this outcome on 2 records · full dossier →

Coverage finding  Named-actor attribution is established for 13 of 1,455 records reaching this outcome. The other 1,442 are facts-only (KEV / EPSS / ransomware cited) with attribution pending triage — absence of a named crew is not absence of risk, only absence of attribution. Only tier == "confirmed" (advisory-backed) actors appear above; reported/inferred links never headline an outcome.
05

When this outcome got exploited

— KEV additions per year that reach lateral reach
2021
283 · 41 deep
2022
488 · 63 deep
2023
163 · 19 deep
2024
172 · 31 deep
2025
231 · 33 deep
2026
118 · 20 deep

Violet = records added to CISA KEV that year reaching outcome 3; red overlay = the share that carried on to data-at-risk or lights-out. From build_insights().outcome_timeline, sliced to this outcome.