basicsecurity.net
Proof, not just disclosure.
Threats / Outcomes / Lights out
5 Outcome 5 of 5 · disruption & extortion

Lights out

Downtime, ransom demands, safety risk wherever firmware and OT are in play, and reputational damage that outlasts the outage. These are the known-exploited flaws that let an attacker halt your operations or hold them for ransom — the deepest, smallest, most consequential tail.

31records reach this outcomenarrative_reach · KEV corpus
1carry a named actornarrative_coverage (confirmed)
18ransomware-associatedCISA KEV flag
Application / othermost common surfaceoutcome_surface
1 Front door2 Keys to the kingdom3 Lateral reach4 Data at risk5 Lights out
1
of 31 records here carry advisory-named attribution
When this outcome is tied to a named crew already using it against peer organizations, the business story stops being hypothetical and becomes a forecast.
Basis · narrative_coverage (confirmed actor)
18
are flagged for ransomware use
CISA’s known-ransomware-campaign flag, on the records that reach operational disruption — the pivot ransomware crews need on their way to the payload.
Basis · CISA KEV ransomware flag
2%
of all known-exploited records reach this far
This is the deepest, smallest tail of the catalog — the records whose attack path carries all the way to your liability. Small in count, outsized in consequence.
Basis · narrative_reach / corpus total
01

Headline story

— the highest-newsworthiness path reaching this outcome
Headline story · newsworthiness 12.0 · Edge / remote-access infra
Citrix NetScaler session-token disclosure CVE-2023-4966
An unauthenticated attacker reads valid session tokens straight out of NetScaler ADC/Gateway memory — then logs in as your users, MFA and all.
CISA KEVRansomware-confirmedLockBit 3.0 affiliatesPath 1 → 2 → 4 → 5
02

More records reaching lights out

— ranked by newsworthiness, click through to the full record
CVE-2025-61884 · Oracle · Application / other
Oracle E-Business Suite vulnerability
Oracle E-Business Suite Runtime component in Oracle Configurator contains an unauthenticated server-side request forgery vulnerability enabling remote exploitation.
CISA KEVRansomwareReaches stage 5
CVE-2023-35082 · Ivanti · Edge / remote-access infra
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core vulnerability
Ivanti Endpoint Manager Mobile and MobileIron Core contain an authentication bypass vulnerability (CWE-287) allowing unauthorized access to restricted functionality. Actively exploited in ransomware campaigns.
CISA KEVRansomwareReaches stage 5
CVE-2017-10271 · Oracle · Server / web platform
Oracle WebLogic Server vulnerability
Oracle WebLogic Server remote code execution vulnerability enabling unauthenticated attackers to execute arbitrary code on affected systems.
CISA KEVRansomwareReaches stage 5
CVE-2023-34362 · Progress · Application / other
Progress MOVEit Transfer vulnerability
Progress MOVEit Transfer contains an unauthenticated SQL injection vulnerability allowing attackers to access the database, infer its structure, and execute arbitrary SQL commands to alter or delete data.
CISA KEVRansomwareReaches stage 5
CVE-2019-0604 · Microsoft · Server / web platform
Microsoft SharePoint vulnerability
Microsoft SharePoint fails to validate application package source markup, allowing remote code execution in the SharePoint application pool and farm account context.
CISA KEVRansomwareReaches stage 5
CVE-2021-22986 · F5 · Edge / remote-access infra
F5 BIG-IP and BIG-IQ Centralized Management vulnerability
F5 BIG-IP and BIG-IQ Centralized Management contain an unauthenticated remote code execution vulnerability in the iControl REST interface allowing attackers to execute commands, manipulate files, and disable services.
CISA KEVRansomwareReaches stage 5

Records where 5 ∈ _narr_stages(r), ordered by _heat(r); the lead is shown above. Counts recomputed deterministically per build.

03

What this outcome targets

— records reaching lights out, by attack surface
Application / other
15
Edge / remote-access infra
8
Operating system / kernel
4
Server / web platform
3
Hypervisor / virtualization
1

From build_insights().outcome_surface — the surface×outcome heat-grid, sliced to outcome 5 (reach-to-5). Counts recomputed deterministically per build; basis labeled per the corpus, never per edge.

04

Who drives this outcome

— named, advisory-backed actors reaching lights out
LockBit 3.0 affiliates Ransomware

CISA, FBI, and MS-ISAC jointly attribute active exploitation of Citrix Bleed to LockBit 3.0 affiliates, who use the stolen sessions to land, escalate, and deploy ransomware — naming it in a dedicated #StopRansomware advisory.4

Reaches this outcome on 1 record

Coverage finding  Named-actor attribution is established for 1 of 31 records reaching this outcome. The other 30 are facts-only (KEV / EPSS / ransomware cited) with attribution pending triage — absence of a named crew is not absence of risk, only absence of attribution. Only tier == "confirmed" (advisory-backed) actors appear above; reported/inferred links never headline an outcome.
05

When this outcome got exploited

— KEV additions per year that reach lights out
2021
8 · 8 deep
2022
6 · 6 deep
2023
5 · 5 deep
2024
5 · 5 deep
2025
5 · 5 deep
2026
2 · 2 deep

Violet = records added to CISA KEV that year reaching outcome 5; red overlay = the share that carried on to data-at-risk or lights-out. From build_insights().outcome_timeline, sliced to this outcome.