# BlackCat's Exploited Vulnerabilities

> [!NOTE]
> This is the list of vulnerabilities that have been observed during intrusions that lead to BlackCat ransomware deployment or data exfiltration and leaks published to BlackCat's Tor Site

### `Citrix`

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| NetScaler ADC & Gateway | CVE-2023-4966 ("Citrixbleed") | BlackCat | [therecord.media](https://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat) |

### `ConnectWise`

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| ScreenConnect | CVE-2024-1708 & CVE-2024-1709 | BlackCat | [bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/) |

### `Linux System Utilities`

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| Polkit pkexec | CVE-2021-4034 ("Pwnkit") | BlackCat | [crowdstrike.com](https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spider-ransomware/) |

### `Windows & MS Server Products`

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| Exchange On-Prem | CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 ("ProxyShell") | BlackCat | [trendmicro.com](https://www.trendmicro.com/en_gb/research/22/d/an-investigation-of-the-blackcat-ransomware.html) |
| Secondary Logon Service | CVE-2016-0099 | BlackCat | [kaspersky.com](https://web.archive.org/web/20231004015829/https://go.kaspersky.com/rs/802-IJN-240/images/Common-TTPs-of-the-modern-ransomware_low-res.pdf) |

### `Pulse Secure / Ivanti`

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| Ivanti EPM Cloud Services Appliance (CSA) | CVE-2021-44529 | BlackCat | [crowdstrike.com](https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spider-ransomware/) |

### `SonicWall`

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| SMA 100 | CVE-2019-7481 | BlackCat | [blackberry.com](https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/blackcat) |

### `VMware`

| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| vSphere Client | CVE-2021-21972 | BlackCat | [crowdstrike.com](https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spider-ransomware/) |

---

#### Sources

| Date Published | Report |
|---|---|
| 29 February 2024 | https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spider-ransomware/ |
| 27 February 2024 | https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/ |
| 27 November 2023 | https://therecord.media/fidelity-national-financial-ransomware-alphv-black-cat |
| 31 March 2023 | https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/blackcat |
| 23 June 2022 | https://go.kaspersky.com/rs/802-IJN-240/images/Common-TTPs-of-the-modern-ransomware_low-res.pdf |
| 18 April 2022 | https://www.trendmicro.com/en_gb/research/22/d/an-investigation-of-the-blackcat-ransomware.html |