basicsecurity.net
Proof, not just disclosure.
Threats / Outcomes / Data at risk
4 Outcome 4 of 5 · exfiltration

Data at risk

This is breach notification, regulatory exposure, and the loss of customer data or intellectual property. These are the known-exploited flaws that let an attacker read, copy, or exfiltrate the data that defines your liability — the deep tail that turns “patch this” into “fund this.”

208records reach this outcomenarrative_reach · KEV corpus
2carry a named actornarrative_coverage (confirmed)
89ransomware-associatedCISA KEV flag
Application / othermost common surfaceoutcome_surface
1 Front door2 Keys to the kingdom3 Lateral reach4 Data at risk5 Lights out
2
of 208 records here carry advisory-named attribution
When this outcome is tied to a named crew already using it against peer organizations, the business story stops being hypothetical and becomes a forecast.
Basis · narrative_coverage (confirmed actor)
89
are flagged for ransomware use
CISA’s known-ransomware-campaign flag, on the records that reach data exfiltration — the pivot ransomware crews need on their way to the payload.
Basis · CISA KEV ransomware flag
13%
of all known-exploited records reach this far
This is the deepest, smallest tail of the catalog — the records whose attack path carries all the way to your liability. Small in count, outsized in consequence.
Basis · narrative_reach / corpus total
01

Headline story

— the highest-newsworthiness path reaching this outcome
Headline story · newsworthiness 12.0 · Edge / remote-access infra
Citrix NetScaler session-token disclosure CVE-2023-4966
An unauthenticated attacker reads valid session tokens straight out of NetScaler ADC/Gateway memory — then logs in as your users, MFA and all.
CISA KEVRansomware-confirmedLockBit 3.0 affiliatesPath 1 → 2 → 4 → 5
02

More records reaching data at risk

— ranked by newsworthiness, click through to the full record
CVE-2021-34473 · Microsoft · Server / web platform
Microsoft Exchange Server vulnerability
Microsoft Exchange Server remote code execution vulnerability exploited in ransomware campaigns. SSRF vector enables unauthenticated attackers to execute arbitrary code with system privileges.
CISA KEVRansomwareAPT40Reaches stage 4
CVE-2026-1731 · BeyondTrust · Application / other
BeyondTrust Remote Support (RS) and Privileged Access (PRA) vulnerability
BeyondTrust Remote Support and Privileged Remote Access contain an unauthenticated OS command injection vulnerability allowing remote attackers to execute arbitrary system commands and compromise affected systems.
CISA KEVRansomwareReaches stage 4
CVE-2025-61884 · Oracle · Application / other
Oracle E-Business Suite vulnerability
Oracle E-Business Suite Runtime component in Oracle Configurator contains an unauthenticated server-side request forgery vulnerability enabling remote exploitation.
CISA KEVRansomwareReaches stage 5
CVE-2026-24423 · SmarterTools · Application / other
SmarterTools SmarterMail vulnerability
SmarterMail's ConnectToHub API method lacks authentication for critical functions, allowing unauthenticated attackers to redirect the service to malicious servers and execute arbitrary OS commands.
CISA KEVRansomwareReaches stage 4
CVE-2025-52691 · SmarterTools · Application / other
SmarterTools SmarterMail vulnerability
SmarterMail contains an unrestricted file upload vulnerability allowing unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution on mail servers.
CISA KEVRansomwareReaches stage 4
CVE-2023-21529 · Microsoft · Server / web platform
Microsoft Exchange Server vulnerability
Microsoft Exchange Server deserialization vulnerability allows authenticated attackers to execute arbitrary code remotely via untrusted data processing.
CISA KEVRansomwareReaches stage 4

Records where 4 ∈ _narr_stages(r), ordered by _heat(r); the lead is shown above. Counts recomputed deterministically per build.

03

What this outcome targets

— records reaching data at risk, by attack surface
Application / other
100
Edge / remote-access infra
44
Operating system / kernel
35
Server / web platform
23
Hypervisor / virtualization
5
Browser
1

From build_insights().outcome_surface — the surface×outcome heat-grid, sliced to outcome 4 (reach-to-4). Counts recomputed deterministically per build; basis labeled per the corpus, never per edge.

04

Who drives this outcome

— named, advisory-backed actors reaching data at risk
APT40 State-sponsored (PRC)

The CISA-led joint advisory AA24-190A names APT40 (tracked in ATT&CK as Leviathan) as a PRC Ministry of State Security group that rapidly weaponizes newly public vulnerabilities, naming the ProxyShell Exchange chain, Log4Shell, and Atlassian Confluence CVEs alongside the group.

Reaches this outcome on 1 record · full dossier →

LockBit 3.0 affiliates Ransomware

CISA, FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware — naming it in a dedicated #StopRansomware advisory.4

Reaches this outcome on 1 record

Coverage finding  Named-actor attribution is established for 2 of 208 records reaching this outcome. The other 206 are facts-only (KEV / EPSS / ransomware cited) with attribution pending triage — absence of a named crew is not absence of risk, only absence of attribution. Only tier == "confirmed" (advisory-backed) actors appear above; reported/inferred links never headline an outcome.
05

When this outcome got exploited

— KEV additions per year that reach data at risk
2021
41 · 41 deep
2022
63 · 63 deep
2023
20 · 20 deep
2024
31 · 31 deep
2025
33 · 33 deep
2026
20 · 20 deep

Violet = records added to CISA KEV that year reaching outcome 4; red overlay = the share that carried on to data-at-risk or lights-out. From build_insights().outcome_timeline, sliced to this outcome.