MITRE ATT&CK Technique
T1190: Exploit Public-Facing Application (Initial Access)
Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

Supported Platforms
Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2018-04-18T17:59:24.739Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may attempt to exploit a weakness in an '
                'Internet-facing host or system to initially access a network. '
                'The weakness in the system can be a software bug, a temporary '
                'glitch, or a misconfiguration.\n'
                '\n'
                'Exploited applications are often websites/web servers, but '
                'can also include databases (like SQL), standard services '
                '(like SMB or SSH), network device administration and '
                'management protocols (like SNMP and Smart Install), and any '
                'other system with Internet-accessible open sockets.(Citation: '
                'NVD CVE-2016-6662)(Citation: CIS Multiple SMB '
                'Vulnerabilities)(Citation: US-CERT TA18-106A Network '
                'Infrastructure Devices 2018)(Citation: Cisco Blog Legacy '
                'Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi '
                'infrastructure, adversaries may exploit exposed OpenSLP '
                'services; they may alternatively exploit exposed VMware '
                'vCenter servers.(Citation: Recorded Future ESXiArgs '
                'Ransomware 2023)(Citation: Ars Technica VMWare Code Execution '
                'Vulnerability 2021) Depending on the flaw being exploited, '
                'this may also involve [Exploitation for Defense '
                'Evasion](https://attack.mitre.org/techniques/T1211) or '
                '[Exploitation for Client '
                'Execution](https://attack.mitre.org/techniques/T1203).\n'
                '\n'
                'If an application is hosted on cloud-based infrastructure '
                'and/or is containerized, then exploiting it may lead to '
                'compromise of the underlying instance or container. This can '
                'allow an adversary a path to access the cloud or container '
                'APIs (e.g., via the [Cloud Instance Metadata '
                'API](https://attack.mitre.org/techniques/T1552/005)), exploit '
                'container host access via [Escape to '
                'Host](https://attack.mitre.org/techniques/T1611), or take '
                'advantage of weak identity and access management policies.\n'
                '\n'
                'Adversaries may also exploit edge network infrastructure and '
                'related appliances, specifically targeting devices that do '
                'not support robust host-based defenses.(Citation: Mandiant '
                'Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n'
                '\n'
                'For websites and databases, the OWASP top 10 and CWE top 25 '
                'highlight the most common web-based '
                'vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top '
                '25)',
 'external_references': [{'external_id': 'T1190',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1190'},
                         {'description': 'Christey, S., Brown, M., Kirby, D., '
                                         'Martin, B., Paller, A.. (2011, '
                                         'September 13). 2011 CWE/SANS Top 25 '
                                         'Most Dangerous Software Errors. '
                                         'Retrieved April 10, 2019.',
                          'source_name': 'CWE top 25',
                          'url': 'https://cwe.mitre.org/top25/index.html'},
                         {'description': 'CIS. (2017, May 15). Multiple '
                                         'Vulnerabilities in Microsoft Windows '
                                         'SMB Server Could Allow for Remote '
                                         'Code Execution. Retrieved April 3, '
                                         '2018.',
                          'source_name': 'CIS Multiple SMB Vulnerabilities',
                          'url': 'https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/'},
                         {'description': 'Dan Goodin . (2021, February 25). '
                                         'Code-execution flaw in VMware has a '
                                         'severity rating of 9.8 out of 10. '
                                         'Retrieved April 8, 2025.',
                          'source_name': 'Ars Technica VMWare Code Execution '
                                         'Vulnerability 2021',
                          'url': 'https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/'},
                         {'description': 'German Hoeffner, Aaron Soehnen and '
                                         'Gianni Perez. (2023, February 7). '
                                         'ESXiArgs Ransomware Targets '
                                         'Publicly-Exposed ESXi OpenSLP '
                                         'Servers. Retrieved March 26, 2025.',
                          'source_name': 'Recorded Future ESXiArgs Ransomware '
                                         '2023',
                          'url': 'https://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers'},
                         {'description': 'Greenberg, A. (2022, November 10). '
                                         'Russia’s New Cyberwarfare in Ukraine '
                                         'Is Fast, Dirty, and Relentless. '
                                         'Retrieved March 22, 2023.',
                          'source_name': 'Wired Russia Cyberwar',
                          'url': 'https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/'},
                         {'description': 'Marvi, A. et al.. (2023, March 16). '
                                         'Fortinet Zero-Day and Custom Malware '
                                         'Used by Suspected Chinese Actor in '
                                         'Espionage Operation. Retrieved March '
                                         '22, 2023.',
                          'source_name': 'Mandiant Fortinet Zero Day',
                          'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'},
                         {'description': 'National Vulnerability Database. '
                                         '(2017, February 2). CVE-2016-6662 '
                                         'Detail. Retrieved April 3, 2018.',
                          'source_name': 'NVD CVE-2016-6662',
                          'url': 'https://nvd.nist.gov/vuln/detail/CVE-2016-6662'},
                         {'description': 'National Vulnerability Database. '
                                         '(2017, September 24). CVE-2014-7169 '
                                         'Detail. Retrieved April 3, 2018.',
                          'source_name': 'NVD CVE-2014-7169',
                          'url': 'https://nvd.nist.gov/vuln/detail/CVE-2014-7169'},
                         {'description': 'Omar Santos. (2020, October 19). '
                                         'Attackers Continue to Target Legacy '
                                         'Devices. Retrieved October 20, 2020.',
                          'source_name': 'Cisco Blog Legacy Device Attacks',
                          'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'},
                         {'description': 'OWASP. (2018, February 23). OWASP '
                                         'Top Ten Project. Retrieved April 3, '
                                         '2018.',
                          'source_name': 'OWASP Top 10',
                          'url': 'https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project'},
                         {'description': 'US-CERT. (2018, April 20). Russian '
                                         'State-Sponsored Cyber Actors '
                                         'Targeting Network Infrastructure '
                                         'Devices. Retrieved October 19, 2020.',
                          'source_name': 'US-CERT TA18-106A Network '
                                         'Infrastructure Devices 2018',
                          'url': 'https://us-cert.cisa.gov/ncas/alerts/TA18-106A'}],
 'id': 'attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'}],
 'modified': '2025-10-24T17:48:41.788Z',
 'name': 'Exploit Public-Facing Application',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Praetorian',
                          'Yossi Weizman, Azure Defender Research Team',
                          'Don Le, Stifel Financial'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Containers',
                       'ESXi',
                       'IaaS',
                       'Linux',
                       'macOS',
                       'Network Devices',
                       'Windows'],
 'x_mitre_version': '2.8'}
Related Threat Actors (51)

alphalocker (Medium)
0apt (Low)
Medusa Group (High)
FIN7 (High)
UNC3886 (High)